From owner-freebsd-security  Mon Jul 28 13:46:34 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id NAA01616
          for security-outgoing; Mon, 28 Jul 1997 13:46:34 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA01606
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 13:46:27 -0700 (PDT)
Received: from localhost (robert@localhost)
	by cyrus.watson.org (8.8.5/8.8.5) with SMTP id QAA04126;
	Mon, 28 Jul 1997 16:46:01 -0400 (EDT)
Date: Mon, 28 Jul 1997 16:46:01 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Vincent Poy <vince@mail.MCESTATE.COM>
cc: Tomasz Dudziak <loco@onyks.wszib.poznan.pl>, security@FreeBSD.ORG,
        "[Mario1-]" <mario1@primenet.com>, JbHunt <johnnyu@accessus.net>
Subject: Re: security hole in FreeBSD
In-Reply-To: <Pine.BSF.3.95.970728123635.3844m-100000@mail.MCESTATE.COM>
Message-ID: <Pine.BSF.3.95q.970728164333.3342J-100000@cyrus.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Robert Watson wrote:
> 
> 	Yep, sniffing would work but can they actually sniff outside of
> the network?

Well, once you have one host, you have all the hosts on the same ethernet
segment.  Typically, though, problems with sniffing occur on college dorm
networks, which run large numbers of less-well-managed Linux/etc hosts.
This may be an increasing problem on Cable-modem networks, which I
understand work something like Ethernet, in that they are broadcast
networks for a local segment.  Also, who is to say that occasionally
routers or ISP machines don't get broken into, and sniffing occurs?  Any
of your users could be logging in from an untrusted network, so in essense
you are relying on that network to be secure as well as your own.

> =)Your best hope at this point is to shut down the system, boot on a floppy
> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
> =)and check for changes.  If you're running STABLE, your best bet may be to
> =)sup down differences, but to reinstall the binaries necessary to support
> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
> =)wouldn't trust any other tools on the system currently.
> 
> 	Not even a rebuild of -current after cvs?

Well, the problem is, I could easily replace cvs with a script that does
cvs, then installs my security hole again. :)

 Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org   rwatson@tis.com  http://www.watson.org/~robert/