From owner-freebsd-security@FreeBSD.ORG Mon Nov 20 00:34:28 2006
From: Peter Thoenen
Date: Sun, 19 Nov 2006 16:32:11 -0800 (PST)
To: freebsd-security@freebsd.org
Subject: OPIE + single user mode
Message-ID: <556824.51538.qm@web51913.mail.yahoo.com>

Hallo all,

Have a problem and while OPIE seems to be the solution, not sure it will work.
The issue here is the only way I can access my remote box in single user mode is via telnetting to a termserv I have set up that connects to the FBSD server's serial port. Problem of course being that to log on to FBSD in single user mode I have to provide the root password in the clear.

What I would like to do is force single user root logon to use OPIE (or even better, just single user root, NOT multiuser root or via su). Prob is I can't find any syntax that supports this and OPIE seems only for access via the network (man opieaccess) .. not actually console or physical server access.

Ideas?

-Peter

From owner-freebsd-security@FreeBSD.ORG Mon Nov 20 07:17:46 2006
From: Zhao Tongyi
Date: Mon, 20 Nov 2006 15:17:44 +0800
To: freebsd-security@freebsd.org
Message-ID: <380d4510611192317g3c9e415al61494e5979b3f282@mail.gmail.com>
Cc: freebsd-net@freebsd.org
Subject: which windows software can communicate with ipsec(racoon)?

I have tested cisco vpn software, found it builds phase ONE successfully, but phase two can't build up.
Anyone have advice??

From owner-freebsd-security@FreeBSD.ORG Mon Nov 20 07:32:38 2006
From: Nikolay Mirin
Date: Mon, 20 Nov 2006 01:32:21 -0600
To: freebsd-security@freebsd.org, freebsd-net@freebsd.org
In-Reply-To: <380d4510611192317g3c9e415al61494e5979b3f282@mail.gmail.com>
Message-ID: <45615A05.6060009@optim.com.ru>
Subject: Re: which windows software can communicate with ipsec(racoon)?

You don't need extra software for 2000&XP.
Just define IPSec policies properly.

Zhao Tongyi said the following on 20.11.2006 1:17:
> I have tested cisco vpn software, found it builds phase ONE
> successfully, but
> phase two can't build up.
> Anyone have advice??

From owner-freebsd-security@FreeBSD.ORG Mon Nov 20 13:46:05 2006
From: Dag-Erling Smørgrav <des@des.no>
Date: Mon, 20 Nov 2006 14:45:45 +0100
To: eol1@yahoo.com
Cc: freebsd-security@freebsd.org
Subject: Re: OPIE + single user mode
In-Reply-To: <556824.51538.qm@web51913.mail.yahoo.com> (Peter Thoenen's message of "Sun, 19 Nov 2006 16:32:11 -0800 (PST)")
Message-ID: <861wnykz92.fsf@dwp.des.no>

Peter Thoenen writes:
> What I would like to do is force single user root logon to use OPIE (or
> even better, just single user root, NOT multiuser root or via su)

You can't; the password prompt for single user mode is implemented in init and is not configurable. Besides, OPIE needs write access to the key file to work properly.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Nov 23 21:37:02 2006
From: David Malone
Date: Thu, 23 Nov 2006 21:36:56 +0000
To: "O. Hartmann"
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, FreeBSD Stable
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679
In-Reply-To: <45656A3B.6000000@zedat.fu-berlin.de>
Message-ID: <20061123213656.GA26275@walton.maths.tcd.ie>

On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> Is for these UFS bugs in FreeBSD since 6.1 a fix underway?
>
> See:
>
> http://projects.info-pull.com/mokb/
>
> MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679

These two bugs both seem to involve mounting deliberately corrupted UFS file systems. I'm not sure that many people allow this.
To be honest, I'm surprised that they only list two bugs of this sort - UFS wasn't designed to be robust to working with accidentally corrupted filesystems, let alone ones corrupted maliciously!

The usual response of UFS to a corrupted filesystem is to panic. I'm guessing it would have been easier to do:

    grep panic /usr/src/sys/ufs/*/*.c

to find a load of these bugs, rather than writing a fuzzing tool ;-)

(That's not to say that it isn't worth improving things, it's just likely to be a large amount of work to fix this in a way that actually makes things better.)

David.

From owner-freebsd-security@FreeBSD.ORG Thu Nov 23 23:42:25 2006
From: Josh Paetzel
Date: Thu, 23 Nov 2006 17:42:00 -0600
To: freebsd-security@freebsd.org
In-Reply-To: <20061123213656.GA26275@walton.maths.tcd.ie>
Message-Id: <200611231742.01418.josh@tcbug.org>
Cc: David Malone, "O. Hartmann"
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

On Thursday 23 November 2006 15:36, David Malone wrote:
> On Thu, Nov 23, 2006 at 10:30:35AM +0100, O. Hartmann wrote:
> > Is for these UFS bugs in FreeBSD since 6.1 a fix underway?
> >
> > See:
> >
> > http://projects.info-pull.com/mokb/
> >
> > MOKB-08-11-2006,CVE-2006-5824, MOKB-03-11-2006,CVE-2006-5679
>
> These two bugs both seem to involve mounting deliberately corrupted
> UFS file systems. I'm not sure that many people allow this. To be
> honest, I'm surprised that they only list two bugs of this sort -
> UFS wasn't designed to be robust to working with accidentally
> corrupted filesystems, let alone ones corrupted maliciously!
>
> The usual response of UFS to a corrupted filesystem is to panic.
> I'm guessing it would have been easier to do:
>
> grep panic /usr/src/sys/ufs/*/*.c
>
> to find a load of these bugs, rather than writing a fuzzing tool
> ;-)
>
> (That's not to say that it isn't worth improving things, it's just
> likely to be a large amount of work to fix this in a way that
> actually makes things better.)
>
> David.

Out of the box you need to be root to mount things. Once you have root access to a box you don't need silly things like this to crash it.

If you've gone out of your way to configure your box in such a way that a non-root user can mount arbitrary UFS filesystems then they certainly don't need to waste their time with buffer-overflows and the like. They can simply mount a filesystem with any number of SUID root binaries on it and have their way with the box.
Either way, while it's senseless to argue that the buffer overflows don't exist, anyone in a position to actually exploit them doesn't need them to be malicious.

--
Thanks,

Josh Paetzel

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 09:44:46 2006
From: Jordan Ostreff
Date: Fri, 24 Nov 2006 11:44:37 +0200
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: which windows software can communicate with ipsec(racoon)?
In-Reply-To: <45615A05.6060009@optim.com.ru>
Message-ID: <4566BF05.7030500@mobikom.com>
Cisco VPN uses by default UDP communication not TCP - maybe this is related to your problem.

Nikolay Mirin wrote:
> You don't need extra software for 2000&XP.
> Just define IPSec policies properly.
>
> Zhao Tongyi said the following on 20.11.2006 1:17:
>> I have tested cisco vpn software, found it builds phase ONE
>> successfully, but
>> phase two can't build up.
>> Anyone have advice??

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 10:46:51 2006
From: Lupe Christoph <lupe@lupe-christoph.de>
Date: Fri, 24 Nov 2006 11:46:39 +0100
To: Jordan Ostreff
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: which windows software can communicate with ipsec(racoon)?
In-Reply-To: <4566BF05.7030500@mobikom.com>
Message-ID: <20061124104639.GB11099@lupe-christoph.de>

On Friday, 2006-11-24 at 11:44:37 +0200, Jordan Ostreff wrote:
> Cisco VPN uses by default UDP communication not TCP - maybe this is
> related to your problem.

IPSec normally uses AH and ESP which are protocols in the same layer as UDP and TCP. The protocol numbers are 51 and 50. If a firewall blocks all protocols besides UDP and TCP, and filters those protocols by ports, you can only use UDP encapsulation.

I never tried to do this with FreeBSD, though. Dunno if the kernel can do that. I didn't find such a thing in the setkey manpage on 5.3. It mentions TCP, though.
HTH,
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear   |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it?                             |
| Rockhound in "Armageddon", 1998, about the Space Shuttle             |

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 11:10:03 2006
From: Eric Masson
Date: Fri, 24 Nov 2006 12:09:52 +0100
To: "Zhao Tongyi"
In-Reply-To: <380d4510611192317g3c9e415al61494e5979b3f282@mail.gmail.com> (Zhao Tongyi's message of "Mon, 20 Nov 2006 15:17:44 +0800")
Message-ID: <86ejrt9k3j.fsf@srvbsdnanssv.interne.kisoft-services.com>
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: which windows software can communicate with ipsec(racoon)?

"Zhao Tongyi" writes:

Hi,

> I have tested cisco vpn software, found it builds phase ONE successfully, but
> phase two can't build up.

Probably a setup problem, I've been able to set up l2tp/ipsec tunnels between an XP box and a FreeBSD 6.1-RELEASE box (ipsec-tools racoon-0.6.x)

> Anyone have advice??

Depending on what you need, maybe this software could help you: http://shrew.net/?page=software

--
I went to the site and discovered the program. At what level is there a problem? Thanks for enlightening me. If I could avoid being called a bozo, that would be very kind of you...
-+- phjl in GNU: Please, sir, draw me a dimwit -+-

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 20:05:30 2006
From: Lutz Boehne
Date: Fri, 24 Nov 2006 21:04:30 +0100
To: freebsd-security@freebsd.org
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679
In-Reply-To: <200611231742.01418.josh@tcbug.org>
Message-ID: <4567504E.6040601@damogran.de>

> Out of the box you need to be root to mount things. Once you have
> root access to a box you don't need silly things like this to crash
> it.
>
> If you've gone out of your way to configure your box in such a way
> that a non-root user can mount arbitrary UFS filesystems then they
> certainly don't need to waste their time with buffer-overflows and
> the like. They can simply mount a filesystem with any number of SUID
> root binaries on it and have their way with the box.
>
> Either way, while it's senseless to argue that the buffer overflows
> don't exist, anyone in a position to actually exploit them doesn't
> need them to be malicious.

I do not quite agree with your analysis.

Firstly, if you set the vfs.usermount sysctl to 1, users can mount any filesystem from a device they have read access to to any directory they own, _but_ if the user does so, FreeBSD will automatically mount that filesystem nosuid. So the intent is to give a local user the possibility to mount a filesystem without gaining full control over the machine.

Secondly, why would people go out of their way to set that sysctl to 1? I can see this happen in environments where users are not supposed to have full control over their desktop machines, but where they need to transfer data to/from USB flash drives.

Thirdly, while I'm talking about desktop machines, many desktop Linux distributions are configured such that they will _automatically_ mount USB media once those are plugged in (and pop up an icon on the KDE or GNOME desktop). It's only a matter of time until such functionality will be available on FreeBSD (maybe it already is?) and widely used on desktop machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite user friendly. On such machines an attacker would not even need a local user account.
While one might say that these attack scenarios all require physical access (and we all know that physical access is game over, right;)), simply plugging in a USB memory device is much more inconspicuous than other "physical" attacks, like rebooting a box into single user mode (which one could additionally secure with a password prompt).

Lutz

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 20:15:46 2006
From: Bill Moran
Date: Fri, 24 Nov 2006 15:15:43 -0500
To: Lutz Boehne
In-Reply-To: <4567504E.6040601@damogran.de>
Message-Id: <20061124151543.03f06b19.wmoran@collaborativefusion.com>
Organization: Collaborative Fusion Inc.
Cc: freebsd-security@freebsd.org
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

On Fri, 24 Nov 2006 21:04:30 +0100
Lutz Boehne wrote:

> > Out of the box you need to be root to mount things. Once you have
> > root access to a box you don't need silly things like this to crash
> > it.
> >
> > If you've gone out of your way to configure your box in such a way
> > that a non-root user can mount arbitrary UFS filesystems then they
> > certainly don't need to waste their time with buffer-overflows and
> > the like. They can simply mount a filesystem with any number of SUID
> > root binaries on it and have their way with the box.
> >
> > Either way, while it's senseless to argue that the buffer overflows
> > don't exist, anyone in a position to actually exploit them doesn't
> > need them to be malicious.
>
> I do not quite agree with your analysis.
>
> Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> filesystem from a device they have read access to to any directory they
> own, _but_ if the user does so, FreeBSD will automatically mount that
> filesystem nosuid. So the intent is to give a local user the possibility
> to mount a filesystem without gaining full control over the machine.
>
> Secondly, why would people go out of their way to set that sysctl to 1?
> I can see this happen in environments where users are not supposed to
> have full control over their desktop machines, but where they need to
> transfer data to/from USB flash drives.
>
> Thirdly, while I'm talking about desktop machines, many desktop Linux
> distributions are configured such that they will _automatically_ mount USB
> media once those are plugged in (and pop up an icon on the KDE or GNOME
> desktop). It's only a matter of time until such functionality will be
> available on FreeBSD (maybe it already is?) and widely used on desktop
> machines (e.g. on Laptops, in Internet Cafes), as it seems to be quite
> user friendly. On such machines an attacker would not even need a local
> user account.
>
> While one might say that these attack scenarios all require physical
> access (and we all know that physical access is game over, right;)),
> simply plugging in a USB memory device is much more inconspicuous than
> other "physical" attacks, like rebooting a box into single user mode
> (which one could additionally secure with a password prompt).

I don't think anyone is arguing whether or not this is a bug. It is. I will argue, however, that it does not constitute a security flaw, which is what the MOKB folks claim.

If a user has the ability to graft untrusted filesystems onto the filesystem tree, that user is in one of a few scenarios:
1) They are root or equivalent.
2) They have physical access to the machine.
3) They are working on a machine that is secured incorrectly.

If #1, then it's a moot point, as root can DOS a machine without any kernel bugs. If #2, it's a moot point, as physical access bypasses any software security anyway. And #3 is a moot point, since any system can be configured to be insecure by a properly skilled idiot, and the kernel hackers can't be expected to program around idiotic sysadmins.

So, yes, it is a bug that needs to be fixed. But I don't see it as a security issue.
-Bill

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 20:41:14 2006
Date: Fri, 24 Nov 2006 21:41:11 +0100
From: Erik Trulsson
To: Bill Moran
Message-ID: <20061124204111.GA3431@owl.midgard.homeip.net>
Mail-Followup-To: Bill Moran, Lutz Boehne, freebsd-security@freebsd.org
References: <45656A3B.6000000@zedat.fu-berlin.de> <20061123213656.GA26275@walton.maths.tcd.ie> <200611231742.01418.josh@tcbug.org> <4567504E.6040601@damogran.de> <20061124151543.03f06b19.wmoran@collaborativefusion.com>
In-Reply-To: <20061124151543.03f06b19.wmoran@collaborativefusion.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: freebsd-security@freebsd.org, Lutz Boehne
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

On Fri, Nov 24, 2006 at 03:15:43PM -0500, Bill Moran wrote:
> On Fri, 24 Nov 2006 21:04:30 +0100
> Lutz Boehne wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > Out of the box you need to be root to mount things. Once you have
> > > root access to a box you don't need silly things like this to crash
> > > it.
> > >
> > > If you've gone out of your way to configure your box in such a way
> > > that a non-root user can mount arbitrary UFS filesystems then they
> > > certainly don't need to waste their time with buffer-overflows and
> > > the like. They can simply mount a filesystem with any number of SUID
> > > root binaries on it and have their way with the box.
> > >
> > > Either way, while it's senseless to argue that the buffer overflows
> > > don't exist, anyone in a position to actually exploit them doesn't
> > > need them to be malicious.
> >
> > I do not quite agree with your analysis.
> >
> > Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> > filesystem from a device they have read access to to any directory they
> > own, _but_ if the user does so, FreeBSD will automatically mount that
> > filesystem nosuid. So the intent is to give a local user the possibility
> > to mount a filesystem without gaining full control over the machine.
> >
> > Secondly, why would people go out of their way to set that sysctl to 1?
> > I can see this happen in environments where users are not supposed to
> > have full control over their desktop machines, but where they need to
> > transfer data to/from USB flash drives.
> >
> > Thirdly, while I'm talking about desktop machines, many desktop Linux
> > distributions are configured such that they will _automatically_ mount USB
> > media once those are plugged in (and pop up an icon on the KDE or GNOME
> > desktop). It's only a matter of time until such functionality will be
> > available on FreeBSD (maybe it already is?) and widely used on desktop
> > machines (e.g. on laptops, in Internet cafes), as it seems to be quite
> > user friendly. On such machines an attacker would not even need a local
> > user account.
> >
> > While one might say that these attack scenarios all require physical
> > access (and we all know that physical access is game over, right;)),
> > simply plugging in a USB memory device is much more inconspicuous than
> > other "physical" attacks, like rebooting a box into single user mode
> > (which one could additionally secure with a password prompt).
>
> I don't think anyone is arguing whether or not this is a bug. It is.
>
> I will argue, however, that it does not constitute a security flaw, which
> is what the MOKB folks claim. If a user has the ability to graft untrusted
> filesystems onto the filesystem tree, that user is in one of a few scenarios:
> 1) They are root or equivalent.
> 2) They have physical access to the machine.
> 3) They are working on a machine that is secured incorrectly.
>
> If #1, then it's a moot point, as root can DOS a machine without any kernel
> bugs. If #2, it's a moot point, as physical access bypasses any software
> security anyway.

That is not really true.

*Unlimited* physical access can get you around any software security, but
an attacker often does not have unlimited physical access.

Take for example public computers in a library or an internet café
or similar (or just a computer room in a school.) A user there can probably
try to mount a CD-ROM or a floppy or a USB-stick without anybody noticing or
caring much if they do notice. If that same user were instead to remove the
case to put in his own hard disk to use as a boot device, then it is very
likely that somebody will investigate what said user is doing.

There is also the fact to consider that the more powerful attack vectors
that physical access opens up tend to take a bit of time to use.
If it takes 10 minutes to open a case and modify the innards then it is not
possible to get access undetected while the rightful user goes to another
room to fetch something (for example.) If it takes 10 seconds to mount a
USB stick and get root through some filesystem bug then you can do it while
somebody's back is turned.
The time it takes to mount an attack is very important in many cases to
determine if an attack is actually feasible or not.

> And #3 is a moot point, since any system can be configured
> to be insecure by a properly skilled idiot, and the kernel hackers can't be
> expected to program around idiotic sysadmins.
>
> So, yes, it is a bug that needs to be fixed. But I don't see it as a security
> issue.

It is a security issue, but perhaps not one of the most critical ones (in
particular it does not allow remote break-ins which are generally the most
worrisome kind.)
-- 
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 21:04:16 2006
Date: Fri, 24 Nov 2006 16:03:56 -0500
From: Bill Moran
To: Erik Trulsson
Message-Id: <20061124160356.2c215381.wmoran@collaborativefusion.com>
In-Reply-To: <20061124204111.GA3431@owl.midgard.homeip.net>
References: <45656A3B.6000000@zedat.fu-berlin.de> <20061123213656.GA26275@walton.maths.tcd.ie> <200611231742.01418.josh@tcbug.org> <4567504E.6040601@damogran.de> <20061124151543.03f06b19.wmoran@collaborativefusion.com> <20061124204111.GA3431@owl.midgard.homeip.net>
Organization: Collaborative Fusion Inc.
X-Mailer: Sylpheed version 2.2.9 (GTK+ 2.10.6; i386-portbld-freebsd6.2)
Cc: freebsd-security@freebsd.org, Lutz Boehne
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

On Fri, 24 Nov 2006 21:41:11 +0100 Erik Trulsson wrote:

> On Fri, Nov 24, 2006 at 03:15:43PM -0500, Bill Moran wrote:
> > On Fri, 24 Nov 2006 21:04:30 +0100
> > Lutz Boehne wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > > Out of the box you need to be root to mount things. Once you have
> > > > root access to a box you don't need silly things like this to crash
> > > > it.
> > > >
> > > > If you've gone out of your way to configure your box in such a way
> > > > that a non-root user can mount arbitrary UFS filesystems then they
> > > > certainly don't need to waste their time with buffer-overflows and
> > > > the like. They can simply mount a filesystem with any number of SUID
> > > > root binaries on it and have their way with the box.
> > > >
> > > > Either way, while it's senseless to argue that the buffer overflows
> > > > don't exist, anyone in a position to actually exploit them doesn't
> > > > need them to be malicious.
> > >
> > > I do not quite agree with your analysis.
> > >
> > > Firstly, if you set the vfs.usermount sysctl to 1, users can mount any
> > > filesystem from a device they have read access to to any directory they
> > > own, _but_ if the user does so, FreeBSD will automatically mount that
> > > filesystem nosuid. So the intent is to give a local user the possibility
> > > to mount a filesystem without gaining full control over the machine.
> > >
> > > Secondly, why would people go out of their way to set that sysctl to 1?
> > > I can see this happen in environments where users are not supposed to
> > > have full control over their desktop machines, but where they need to
> > > transfer data to/from USB flash drives.
> > >
> > > Thirdly, while I'm talking about desktop machines, many desktop Linux
> > > distributions are configured such that they will _automatically_ mount USB
> > > media once those are plugged in (and pop up an icon on the KDE or GNOME
> > > desktop). It's only a matter of time until such functionality will be
> > > available on FreeBSD (maybe it already is?) and widely used on desktop
> > > machines (e.g. on laptops, in Internet cafes), as it seems to be quite
> > > user friendly. On such machines an attacker would not even need a local
> > > user account.
> > >
> > > While one might say that these attack scenarios all require physical
> > > access (and we all know that physical access is game over, right;)),
> > > simply plugging in a USB memory device is much more inconspicuous than
> > > other "physical" attacks, like rebooting a box into single user mode
> > > (which one could additionally secure with a password prompt).
> >
> > I don't think anyone is arguing whether or not this is a bug. It is.
> >
> > I will argue, however, that it does not constitute a security flaw, which
> > is what the MOKB folks claim. If a user has the ability to graft untrusted
> > filesystems onto the filesystem tree, that user is in one of a few scenarios:
> > 1) They are root or equivalent.
> > 2) They have physical access to the machine.
> > 3) They are working on a machine that is secured incorrectly.
> >
> > If #1, then it's a moot point, as root can DOS a machine without any kernel
> > bugs. If #2, it's a moot point, as physical access bypasses any software
> > security anyway.
>
> That is not really true.
>
> *Unlimited* physical access can get you around any
> software security, but an attacker often does not have unlimited physical
> access.
>
> Take for example public computers in a library or an internet café
> or similar (or just a computer room in a school.) A user there can probably
> try to mount a CD-ROM or a floppy or a USB-stick without anybody noticing or
> caring much if they do notice. If that same user were instead to remove the
> case to put in his own hard disk to use as a boot device, then it is very
> likely that somebody will investigate what said user is doing.

An attacker could insert a Knoppix or FreeSBIE disk and get better access than
this bug will give him. The bug doesn't give any privileges, it simply causes
a kernel panic.

But let's say a user _does_ attempt to exploit this. He inserts a malicious
jump drive, mounts and the system panics. He can then ... what? What has
been accomplished? The system boots back up and, if he desires, he can panic
it again and again until somebody notices. So what?

I think a lot of people forget that a kernel panic is an intentional action
that the kernel takes to protect itself from possible damage. Anything that
causes a kernel panic is not a security flaw, it's a security _FEATURE_ as
the programming bug cannot be used to further exploit the system. So, the
fact that the system panics demonstrates that there _is_no_security_problem_.
The system intentionally shuts itself down to protect itself.

> There is also the fact to consider that the more powerful attack vectors
> that physical access opens up tend to take a bit of time to use.
> If it takes 10 minutes to open a case and modify the innards then it is not
> possible to get access undetected while the rightful user goes to another
> room to fetch something (for example.) If it takes 10 seconds to mount a
> USB stick and get root through some filesystem bug then you can do it while
> somebody's back is turned.

True. But you can't get root through that filesystem bug, you can only panic
the system, so your point isn't relevant.

> > And #3 is a moot point, since any system can be configured
> > to be insecure by a properly skilled idiot, and the kernel hackers can't be
> > expected to program around idiotic sysadmins.
> >
> > So, yes, it is a bug that needs to be fixed. But I don't see it as a security
> > issue.
>
> It is a security issue, but perhaps not one of the most critical ones (in
> particular it does not allow remote break-ins which are generally the most
> worrisome kind.)

I still disagree. As stated in the alert, the bug causes a kernel panic. There
is no root access provided by the bug, so it doesn't give you any more of a
security problem than pressing the power button or pulling the cord from the
wall would.

-Bill

From owner-freebsd-security@FreeBSD.ORG Fri Nov 24 21:24:48 2006
Date: Fri, 24 Nov 2006 22:24:12 +0100
From: Lutz Boehne
User-Agent: Thunderbird 1.5.0.8 (X11/20061120)
To: freebsd-security@freebsd.org
Message-ID: <456762FC.90108@damogran.de>
References: <45656A3B.6000000@zedat.fu-berlin.de> <20061123213656.GA26275@walton.maths.tcd.ie> <200611231742.01418.josh@tcbug.org> <4567504E.6040601@damogran.de> <20061124151543.03f06b19.wmoran@collaborativefusion.com> <20061124204111.GA3431@owl.midgard.homeip.net> <20061124160356.2c215381.wmoran@collaborativefusion.com>
In-Reply-To: <20061124160356.2c215381.wmoran@collaborativefusion.com>
X-Enigmail-Version: 0.94.1.0
Subject: Re: UFS Bug: FreeBSD 6.1/6.2/7.0: MOKB-08-11-2006, CVE-2006-5824, MOKB-03-11-2006, CVE-2006-5679

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[It's just a panic]

I was so transfixed on Josh stating that the attacker could as well just
mount a filesystem with suid root binaries and how that would be more
useful than a buffer overflow in the filesystem driver. I totally missed
the fact that we were talking about two bugs where the kernel deliberately
called panic() ;). So in this case I'd agree that the panic() is
undesirable, but not really a security issue.

Lutz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFZ2L5DbEkl9DbWrYRAus0AJwPEkX240mVIWme//LzHw210kUzKQCffFv1
6KGhWX9L0kzuMxk+JR+GyCg=
=RSll
-----END PGP SIGNATURE-----
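The thread above turns on two configuration facts: whether vfs.usermount is set to 1, and whether the kernel really applied nosuid to each mount an unprivileged user made. The script below is an added example, not code from the thread or from FreeBSD, that checks both on a host. It assumes FreeBSD's mount(8) output format, in which a user mount lists "mounted by USER" among its options; the sample mount lines, the user names and device names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit user mounts for a missing
# nosuid flag. Assumes FreeBSD mount(8) output, where a mount made under
# vfs.usermount=1 lists "mounted by USER" among its options, e.g.
#   /dev/da0s1 on /home/alice/usb (ufs, local, nosuid, mounted by alice)

# Print the option list inside the parentheses of one mount(8) line.
mount_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# Succeed (exit 0) when option $2 appears in the option list of mount line $1.
has_opt() {
    case ", $(mount_opts "$1")," in
        *", $2,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the mount point of a mount(8) line of the form "DEV on MNT (opts)".
mount_point() {
    printf '%s\n' "$1" | sed -n 's/^.* on \(.*\) (.*$/\1/p'
}

# Read mount(8) lines on stdin; print the mount point of every user mount
# ("mounted by ...") that lacks nosuid. Exit status 1 when any were found,
# 0 when every user mount carries nosuid.
audit_user_mounts() {
    found=0
    while IFS= read -r line; do
        case "$(mount_opts "$line")" in
            *"mounted by "*) ;;   # a user mount: check its flags
            *) continue ;;        # mounted by root: not subject to the forced nosuid
        esac
        if ! has_opt "$line" nosuid; then
            mount_point "$line"
            found=1
        fi
    done
    return $found
}

# Describe the vfs.usermount state, given the sysctl value as $1
# (on a live FreeBSD host pass "$(sysctl -n vfs.usermount)").
usermount_state() {
    case "$1" in
        1) echo "vfs.usermount=1: unprivileged users may mount; verify nosuid on user mounts" ;;
        0) echo "vfs.usermount=0: only root may mount" ;;
        *) echo "vfs.usermount: unexpected value '$1'" ;;
    esac
}

# Constructed sample mount(8) output (not from any real host). The last
# line deliberately lacks nosuid so the check has something to report.
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s1 on /home/alice/usb (ufs, local, nosuid, mounted by alice)
/dev/da1s1 on /home/bob/stick (ufs, local, mounted by bob)'

if [ "${1:-}" = "--live" ]; then
    # Real audit: only meaningful on a FreeBSD host.
    usermount_state "$(sysctl -n vfs.usermount)"
    mount | audit_user_mounts
else
    # Offline demonstration on the constructed sample.
    usermount_state 1
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_user_mounts \
        || echo "user mounts without nosuid were found"
fi
```

Run it with `--live` on the host being checked; without arguments it exercises the logic on the constructed sample and reports `/home/bob/stick` as the one user mount missing nosuid.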