From owner-freebsd-security@FreeBSD.ORG Sun Sep 10 03:29:04 2006
Date: Sat, 9 Sep 2006 22:29:02 -0500
From: "Travis H." <solinym@gmail.com>
To: "Bigby Findrake"
Cc: freebsd-security@freebsd.org
Subject: Re: comments on handbook chapter
In-Reply-To: <20060908101441.V90396@home.ephemeron.org>

On 9/8/06, Bigby Findrake wrote:
> That's how I interpret that passage from the handbook - that you should
> detect *and* prevent. I'm not clear on how anyone is interpreting that
> passage to suggest that unequal weight should be given to one side or the
> other (detection vs. prevention). The above passage all but says, "don't
> do X because that will interfere with Y." I just don't see that advice as
> advocating imbalance.

Well, I think "one of the single most" is a somewhat strange turn of
phrase anyway. Which is it, one of many, or single?

Anyway, he seems to be advocating /not/ hardening your system, so that
the opponent can get in using an attack vector you know about, and which
is easily detected. What if root runs a binary before the change gets
detected? What if they alter the integrity database before the integrity
check gets run? Ooops.

There are plenty of ways to detect things without deliberately leaving
known security holes hoping they'll be exploited by the first
script-kiddie or worm that rooted your box. And if an access failure for
a protection mechanism was auditable then every prevention would be a
detection gratis.

> In those cases, where you're hit by attacks that you didn't know existed,
> the importance of detection probably rises. In fact, in the case of
> attacks (and possibly vectors) that you weren't aware of, I would argue
> that detection can be a prerequisite of prevention.

Depends on what you mean by "didn't know existed". There are ways to
prevent some 0-days, such as anomaly detection. There are some
misuse-detection systems that can be given patterns general enough to
catch derivatives of known attacks (I have a pretty good one that can
catch most x86 stack overflows). And there are honeypots, that you can
use to analyze your opponent's techniques. There are network forensic
packages like sguil, that can provide valuable information either
proactively (monitor all network traffic) or reactively (for analysis of
how the attack got in).

> But in the cases where you cannot remove or mitigate the attack vector
> (eg. because to do so would interfere with availability vs security),
> it seems to me that prevention needs detection.

Yes, I can agree with this, but my strategy is:

Prevent if you can. An ounce of prevention is worth a pound of cure.
Detect if you can't. Monitoring is boring and takes lots of time that
could be used more productively. It's all sunk costs.

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From owner-freebsd-security@FreeBSD.ORG Mon Sep 11 16:17:50 2006
Date: Mon, 11 Sep 2006 18:17:39 +0200 (CEST)
Message-Id: <200609111617.k8BGHdE9072686@lurza.secnetix.de>
From: Oliver Fromme <oliver.fromme@secnetix.de>
To: freebsd-security@FreeBSD.ORG, arne_woerner@yahoo.com
Subject: Re: comments on handbook chapter
In-Reply-To: <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com>
User-Agent: tin/1.8.0-20051224 ("Ronay") (UNIX) (FreeBSD/4.11-STABLE (i386))

R. B. Riddick wrote:
> Bigby Findrake wrote:
> > Travis H. wrote:
> > > Wouldn't it be better to detect /and/ prevent an attempt to change the
> > > system binaries?
> >
> > That's how I interpret that passage from the handbook - that you should
> > detect *and* prevent. I'm not clear on how anyone is interpreting that
> > passage to suggest that unequal weight should be given to one side or the
> > other (detection vs. prevention). The above passage all but says, "don't
> > do X because that will interfere with Y." I just don't see that advice as
> > advocating imbalance.
>
> Hmm...
>
> I think this "schg flag"-thing should be done to all files, but invisible
> to a potential attacker... <-- PROTECTION

There's no need to make it "invisible". First, it wouldn't add anything
to the protection. And second, it could be called a case of "security by
obscurity".

> When some attacker tries to get write access to that file or to move that
> file around or so, it should result in a log message (like "BAD SU on
> ...")... <-- DETECTION (I think one of the first messages in this thread
> suggested that already...)

That can be done with the AUDIT framework that has recently been MFCed to
6-stable.

> And removing that flag shouldn't be possible so easy, too.

What do you mean, "so easy"? It's not easy. The flag can only be removed
if security level < 1. Once the system is running at >= 1, lowering the
security level requires a reboot. Please see the init(8) manual page for
details.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services focused on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
        -- David Bradley, original IBM PC design team

From owner-freebsd-security@FreeBSD.ORG Wed Sep 13 09:54:49 2006
Date: Wed, 13 Sep 2006 02:54:47 -0700 (PDT)
Message-ID: <20060913095447.86526.qmail@web30307.mail.mud.yahoo.com>
From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: freebsd-security@freebsd.org
Subject: ports / www/linux-seamonkey / flashplugin vulnerability

Hi!

Since linux-flashplugin7 r63 is vulnerable according to
http://vuxml.FreeBSD.org/7c75d48c-429b-11db-afae-000c6ec775d9.html
isn't www/linux-seamonkey vulnerable, too (it seems to include 7 r25)?
Bye
Arne

From owner-freebsd-security@FreeBSD.ORG Wed Sep 13 11:54:14 2006
Date: Wed, 13 Sep 2006 13:54:22 +0200
Message-ID: <4507F16E.5070905@FreeBSD.org>
From: Remko Lodder <remko@FreeBSD.org>
To: "R. B. Riddick"
Cc: freebsd-security@freebsd.org
Subject: Re: ports / www/linux-seamonkey / flashplugin vulnerability
In-Reply-To: <20060913095447.86526.qmail@web30307.mail.mud.yahoo.com>

R. B. Riddick wrote:
> Hi!
>
> Since linux-flashplugin7 r63 is vulnerable according to
> http://vuxml.FreeBSD.org/7c75d48c-429b-11db-afae-000c6ec775d9.html
> isn't www/linux-seamonkey vulnerable, too (it seems to include 7 r25)?
>
> Bye
> Arne

Hi Arne,

We will look into this asap and give you proper feedback when we have it.
Thanks for the notice!

Cheers,
Remko
on behalf of The FreeBSD Security Team

-- 
Kind regards,

Remko Lodder           ** remko@elvandar.org
FreeBSD                ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

From owner-freebsd-security@FreeBSD.ORG Wed Sep 13 21:14:34 2006
Date: Wed, 13 Sep 2006 23:14:31 +0200
Message-ID: <20060913211430.GD988@zaphod.nitro.dk>
From: "Simon L. Nielsen" <simon@zaphod.nitro.dk>
To: "R. B. Riddick"
Cc: freebsd-security@freebsd.org
Subject: Re: ports / www/linux-seamonkey / flashplugin vulnerability
In-Reply-To: <20060913095447.86526.qmail@web30307.mail.mud.yahoo.com>

On 2006.09.13 02:54:47 -0700, R. B. Riddick wrote:
> Hi!
>
> Since linux-flashplugin7 r63 is vulnerable according to
> http://vuxml.FreeBSD.org/7c75d48c-429b-11db-afae-000c6ec775d9.html
> isn't www/linux-seamonkey vulnerable, too (it seems to include 7 r25)?

I just had a look at it, and I can't see flash in it anywhere? I checked
the pkg-plist and "about:plugins" when installed.

Where do you see that it's included?

-- 
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Wed Sep 13 21:36:47 2006
Date: Wed, 13 Sep 2006 14:36:45 -0700 (PDT)
Message-ID: <20060913213645.78189.qmail@web30308.mail.mud.yahoo.com>
From: "R. B. Riddick" <arne_woerner@yahoo.com>
To: freebsd-security@freebsd.org
Subject: Re: ports / www/linux-seamonkey / flashplugin vulnerability
In-Reply-To: <20060913211430.GD988@zaphod.nitro.dk>

--- "Simon L. Nielsen" wrote:
> On 2006.09.13 02:54:47 -0700, R. B. Riddick wrote:
> > Hi!
> >
> > Since linux-flashplugin7 r63 is vulnerable according to
> > http://vuxml.FreeBSD.org/7c75d48c-429b-11db-afae-000c6ec775d9.html
> > isn't www/linux-seamonkey vulnerable, too (it seems to include 7 r25)?
>
> I just had a look at it, and I can't see flash in it anywhere? I
> checked the pkg-plist and "about:plugins" when installed.
>
> Where do you see that it's included?
>

Ohoh... :-)

I do not remember how I installed it... I found a
~/.mozilla/plugins/libflashplayer.so... I don't know who installed it
there (hopefully it was me)...

I thought flashplugin would be a part of seamonkey...

Sorry for the misleading information...

-Arne
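The check Simon describes (is the file in the port's pkg-plist?) and the question Arne ends on (who installed ~/.mozilla/plugins/libflashplayer.so?) reduce to two questions worth asking for every plugin the browser actually loads: which installed package, if any, owns the file, and whether that package's version falls inside an advisory's affected range. The script below is an added example written for this page, not code from the thread, from the FreeBSD Security Team or from the ports tree. Everything it works on is constructed: the two packages and their plist text, the versions 1.0.4 and 7.0r25, the paths under /usr/local and /home/arne, and an advisory range built only from the thread's statement that 7 r63 is vulnerable (the VuXML entry linked above is the authoritative source, not this). Version ordering is a deliberately simplified approximation of pkg_version(1). On a live FreeBSD box the same two answers come from pkg_info -W (2006-era) or pkg which, and from pkg audit.

```python
"""Plugin provenance and advisory check.

Added example for this page; not code from the thread or from FreeBSD.
Package names, versions, plist contents, paths and the advisory range
are all constructed for illustration.
"""
import re
from dataclasses import dataclass

PREFIX = "/usr/local"   # assumed LOCALBASE; pkg-plist paths are relative to it


def version_key(v: str):
    """Sort key approximating pkg_version(1) ordering (simplified, an assumption).

    ",N" is PORTEPOCH and dominates; "_N" is PORTREVISION and breaks ties;
    the rest splits into numeric and alphabetic runs (numbers compare
    numerically, letters lexically), giving 7.0 < 7.0r25 < 7.0r63 < 7.0r63_1.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = tuple((1, int(t), "") if t.isdigit() else (0, 0, t.lower())
                  for t in re.findall(r"\d+|[A-Za-z]+", v))
    return (epoch, parts, revision)


OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}


def in_range(version: str, op: str, bound: str) -> bool:
    """True if `version` satisfies a VuXML-style <lt>/<le>/<gt>/<ge> bound."""
    return OPS[op](version_key(version), version_key(bound))


@dataclass
class Package:
    name: str
    version: str
    plist: str          # pkg-plist text as shipped in the port (constructed)

    def files(self) -> set:
        """Absolute paths the package installs; @-directives are skipped."""
        out = set()
        for line in self.plist.splitlines():
            line = line.strip()
            if not line or line.startswith("@"):      # @comment, @dirrm, ...
                continue
            out.add(line if line.startswith("/") else f"{PREFIX}/{line}")
        return out


# Constructed installed packages: seamonkey ships no flash plugin (matching
# the pkg-plist check in the thread); the flash plugin is its own package.
INSTALLED = [
    Package("linux-seamonkey", "1.0.4", """
@comment $FreeBSD$
lib/linux-seamonkey/seamonkey-bin
lib/linux-seamonkey/plugins/libnullplugin.so
@dirrm lib/linux-seamonkey/plugins
@dirrm lib/linux-seamonkey
"""),
    Package("linux-flashplugin", "7.0r25", """
lib/linux-flashplugin7/libflashplayer.so
lib/linux-flashplugin7/flashplayer.xpt
@dirrm lib/linux-flashplugin7
"""),
]

# Constructed advisory mirroring the thread's statement that 7 r63 is
# vulnerable; the real VuXML entry is authoritative, this is not it.
ADVISORIES = [
    {"vid": "constructed-example-vid", "package": "linux-flashplugin",
     "range": ("le", "7.0r63")},
]

# Constructed listing of what about:plugins (or a find over plugin
# directories) reported as loaded.
FOUND = [
    "/usr/local/lib/linux-seamonkey/plugins/libnullplugin.so",
    "/usr/local/lib/linux-flashplugin7/libflashplayer.so",
    "/home/arne/.mozilla/plugins/libflashplayer.so",
]


def owner_of(path: str, packages):
    """Package whose plist lists `path`, or None (the pkg_info -W question)."""
    for pkg in packages:
        if path in pkg.files():
            return pkg
    return None


def audit(found, packages, advisories):
    """Classify each loaded plugin as unowned, vulnerable or ok."""
    findings = []
    for path in found:
        pkg = owner_of(path, packages)
        if pkg is None:
            findings.append((path, "unowned", "not in any installed pkg-plist"))
            continue
        hits = [a for a in advisories
                if a["package"] == pkg.name and in_range(pkg.version, *a["range"])]
        if hits:
            findings.append((path, "vulnerable",
                             f"{pkg.name}-{pkg.version} matches {hits[0]['vid']}"))
        else:
            findings.append((path, "ok", f"{pkg.name}-{pkg.version}"))
    return findings


if __name__ == "__main__":
    for path, status, detail in audit(FOUND, INSTALLED, ADVISORIES):
        print(f"{status:10} {path}  ({detail})")
```

The unowned result is the one that matters most in Arne's situation: a shared object that no package claims was put there by something other than the package system, and a package-version audit will never report on it. Files the package system does own are checked against the advisory range, so the 7.0r25 install is flagged even though the thread only discusses r63.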