From owner-freebsd-security@FreeBSD.ORG Mon Mar 23 00:09:13 2009
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Mon, 23 Mar 2009 00:09:12 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-09:06.ktimer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:06.ktimer                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation

Category:       core
Module:         kern
Announced:      2009-03-23
Affects:        FreeBSD 7.x
Corrected:      2009-03-23 00:00:50 UTC (RELENG_7, 7.2-PRERELEASE)
                2009-03-23 00:00:50 UTC (RELENG_7_1, 7.1-RELEASE-p4)
                2009-03-23 00:00:50 UTC (RELENG_7_0, 7.0-RELEASE-p11)
CVE Name:       CVE-2009-1041

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

In FreeBSD 7.0, support was introduced for per-process timers as defined
in the POSIX realtime extensions.  This allows a process to have a limited
number of timers running at once, with various actions taken when each
timer reaches zero.

II.  Problem Description

An integer which specifies which timer a process wishes to operate upon is
not properly bounds-checked.

III. Impact

An unprivileged process can overwrite an arbitrary location in kernel
memory.  This could be used to change the user ID of the process (in order
to "become root"), to escape from a jail, or to bypass security mechanisms
in other ways.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 and 7.1
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch
# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/kern_time.c                                      1.142.2.3
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.7
  src/sys/conf/newvers.sh                                    1.72.2.9.2.8
  src/sys/kern/kern_time.c                                  1.142.2.2.2.2
RELENG_7_0
  src/UPDATING                                             1.507.2.3.2.15
  src/sys/conf/newvers.sh                                   1.72.2.5.2.15
  src/sys/kern/kern_time.c                                      1.142.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r190301
releng/7.1/                                                       r190301
releng/7.0/                                                       r190301
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1041

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:09.ktimer.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAknG0hQACgkQFdaIBMps37JA4gCfaznvIWKB/AU0cv6ojZUhheD4
MuYAnAp3wuz3E7gIX6VK7PeUVnPp/41o
=MPIX
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Mar 23 00:22:26 2009
From: FreeBSD Security Officer
To: freebsd security
Date: Sun, 22 Mar 2009 17:18:37 -0700
Subject: Security advisory scheduling

Just to head off any complaints: Yes, a security advisory just went out,
and yes, I do know that Monday morning (for UTC and further east) / Sunday
afternoon (west of UTC) is not the most convenient time for you to be
patching systems.

Unfortunately, this issue was announced publicly at CanSecWest -- unlike
most security issues, we didn't get any advance notice of this.  When
issues have not yet been publicly announced we try to aim to send out
advisories on Wednesdays; but in cases like this when an issue is already
public we don't want to delay any more than necessary.

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Tue Mar 24 07:14:47 2009
From: James Chang
To: freebsd-security@freebsd.org
Date: Tue, 24 Mar 2009 14:56:10 +0800
Subject: DNS of FreeBSD.org been Attacked!?

Dear all,

   I found some strange DNS query result these days.

Show the strange result as following :<

C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1

Server:  dns.hinet.net
Address:  168.95.1.1

Name:    ftp11.tw.freebsd.org.com.tw
Address:  82.98.86.170

C:\Documents and Settings\Administrator>nslookup ftp6.tw.freebsd.org 168.95.1.1

Server:  dns.hinet.net
Address:  168.95.1.1

Name:    ftp6.tw.freebsd.org.com.tw
Address:  82.98.86.170

Both ftp6.tw.freebsd.org and ftp11.tw.freebsd.org have the same IP
address, and this IP address seems to belong to a malicious domain!

Could anyone have good idea?

From owner-freebsd-security@FreeBSD.ORG Tue Mar 24 08:16:35 2009
From: "UEDA Hiroyuki"
To: freebsd-security@freebsd.org
Date: Tue, 24 Mar 2009 16:49:53 +0900
Subject: Re: DNS of FreeBSD.org been Attacked!?

Hello,

> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1
>
> Server:  dns.hinet.net
> Address:  168.95.1.1
>
> Name:    ftp11.tw.freebsd.org.com.tw
                              ^^^^^^^^
You seem to nslookup "ftp11.tw.freebsd.org.COM.TW". If it's right,

> Address:  82.98.86.170

is correct as follows:

$ dig A ftp11.tw.freebsd.org.com.tw

; <<>> DiG 9.2.4 <<>> A ftp11.tw.freebsd.org.com.tw
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp11.tw.freebsd.org.com.tw.   IN      A

;; ANSWER SECTION:
ftp11.tw.freebsd.org.com.tw. 600 IN     A       82.98.86.170

So you had better check your PC's settings.


BTW, a wild card record (*.org.com.tw) is probably used. For example, I
got same results with following queries:

$ dig A foo.bar.freebsd.org.com.tw
$ dig A foo.bar.org.com.tw
$ dig A foo.org.com.tw

Best regards.

-----
UEDA Hiroyuki
Netforest Inc., JAPAN

From owner-freebsd-security@FreeBSD.ORG Tue Mar 24 08:52:16 2009
From: Bogdan Ćulibrk
To: freebsd-security@freebsd.org
Date: Tue, 24 Mar 2009 09:25:32 +0100
Subject: Re: DNS of FreeBSD.org been Attacked!?

UEDA Hiroyuki wrote:
> Hello,
>
>
>> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1
>>
>> Server:  dns.hinet.net
>> Address:  168.95.1.1
>>
>> Name:    ftp11.tw.freebsd.org.com.tw
>                              ^^^^^^^^
> You seem to nslookup "ftp11.tw.freebsd.org.COM.TW". If it's right,
>
>> Address:  82.98.86.170
>
> is correct as follows:
>
> $ dig A ftp11.tw.freebsd.org.com.tw
>
> ; <<>> DiG 9.2.4 <<>> A ftp11.tw.freebsd.org.com.tw
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53400
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ftp11.tw.freebsd.org.com.tw.   IN      A
>
> ;; ANSWER SECTION:
> ftp11.tw.freebsd.org.com.tw. 600 IN     A       82.98.86.170
>
> So you had better check your PC's settings.
>
>
> BTW, a wild card record(*.org.com.tw) is probably used. For example, I
> got same results with following queries:
>
> $ dig A foo.bar.freebsd.org.com.tw
> $ dig A foo.bar.org.com.tw
> $ dig A foo.org.com.tw
>

An epic fail guy ;>

From owner-freebsd-security@FreeBSD.ORG Tue Mar 24 17:51:34 2009
From: Clifton Royston
To: James Chang
Cc: freebsd-security@freebsd.org
Date: Tue, 24 Mar 2009 07:51:32 -1000
Subject: Re: DNS of FreeBSD.org been Attacked!?

On Tue, Mar 24, 2009 at 12:00:24PM +0000, freebsd-security-request@freebsd.org wrote:
> Date: Tue, 24 Mar 2009 14:56:10 +0800
> From: James Chang
> Subject: DNS of FreeBSD.org been Attacked!?
> To: freebsd-security@freebsd.org
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear all,
>
>    I found some strange DNS query result these days.
>
> Show the strange result as following :<
>
> C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1
>
> Server:  dns.hinet.net
> Address:  168.95.1.1
>
> Name:    ftp11.tw.freebsd.org.com.tw
> Address:  82.98.86.170

  Correct the configuration of your Windows machine (under Connection
Properties -> TCP/IP properties -> Advanced -> DNS -> "Append these DNS
suffixes"), so that ".com.tw" is not appended as your domain by default.
Otherwise, things won't work well for you.

  This is in no way a FreeBSD issue.

  -- Clifton

--
    Clifton Royston  --  cliftonr@iandicomputing.com / cliftonr@lava.net
       President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services
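
Added example (not part of any message in the thread): a Python check over the nslookup transcript posted above that flags answers whose "Name:" differs from the name that was queried and reports the suffix the resolver appended. The function names are illustrative, and the transcript is the one from the thread with blank lines trimmed.

```python
import re

# nslookup transcript as posted in the thread (blank lines trimmed).
TRANSCRIPT = r"""
C:\Documents and Settings\Administrator>nslookup ftp11.tw.freebsd.org 168.95.1.1
Server:  dns.hinet.net
Address:  168.95.1.1
Name:    ftp11.tw.freebsd.org.com.tw
Address:  82.98.86.170
C:\Documents and Settings\Administrator>nslookup ftp6.tw.freebsd.org 168.95.1.1
Server:  dns.hinet.net
Address:  168.95.1.1
Name:    ftp6.tw.freebsd.org.com.tw
Address:  82.98.86.170
"""

def norm(name):
    return name.strip().rstrip(".").lower()

def appended_suffix(queried, answered):
    """'' if the answer is for the queried name, the appended suffix if the
    resolver extended it, None if the two names are unrelated."""
    q, a = norm(queried), norm(answered)
    if a == q:
        return ""
    return a[len(q) + 1:] if a.startswith(q + ".") else None

def audit(transcript):
    """Return (queried, answered, address, suffix) for each nslookup run."""
    findings, queried, answered = [], None, None
    for line in map(str.strip, transcript.splitlines()):
        if m := re.search(r">\s*nslookup\s+(\S+)", line):
            queried, answered = m.group(1), None
        elif m := re.match(r"Name:\s+(\S+)", line):
            answered = m.group(1)
        elif (m := re.match(r"Address(?:es)?:\s+(\S+)", line)) and answered:
            # The resolver's own "Address:" precedes "Name:", so it is skipped.
            findings.append((queried, answered, m.group(1),
                             appended_suffix(queried, answered)))
            answered = None
    return findings

def shared_answers(findings):
    """(suffix, address) pairs returned for two or more distinct queried
    names: the pattern a wildcard record under the suffix would produce."""
    seen = {}
    for queried, _answered, addr, suffix in findings:
        if suffix:
            seen.setdefault((suffix, addr), set()).add(norm(queried))
    return sorted(k for k, names in seen.items() if len(names) > 1)

if __name__ == "__main__":
    for row in audit(TRANSCRIPT):
        print(row)
    print(shared_answers(audit(TRANSCRIPT)))
```

A non-empty suffix in the result means the answer is for a different name than the one typed, which points at the client's DNS suffix configuration rather than at the zone that was queried.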