Date: Tue, 4 Feb 1997 16:44:57 -0600 (CST)
From: Karl Denninger <karl@Mcs.Net>
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Cc: karl@Mcs.Net, current@freebsd.org
Subject: Re: Question: 2.1.7?
Message-ID: <199702042244.QAA03172@Jupiter.Mcs.Net>
In-Reply-To: <28520.855095305@time.cdrom.com> from "Jordan K. Hubbard" at Feb 4, 97 02:28:25 pm
> > Anyone who would like a copy of Jordan's email to me in which he says
> > "you're smoking crack" is welcome to ask.
>
> Oh good, let's take this to -current where it belongs. NOT. This
> is the last of this thread we'll see here.

It absolutely does belong on -current. Your attitude is a huge part of the problem, Jordan. Those are the facts. As were your emails to me about how you were glad I was on the phone so you couldn't cuss me out in person.

> And, just for the record, what I said to Karl was:
>
> Do what you will, Karl, but frankly I think you're smoking crack on
> this one if you don't somehow see it as possible that someone could
> install a release, make some changes to secure it and THEN turn on the
> ethernet connection to the outside world. You've taken on a
>
> Karl clearly doesn't understand this as a euphemism for "you don't
> know WTF you're saying", which is as I meant it.
>
> Karl also says:
>
> > 1) 2.1.6 needs to be PULLED, along with STABLE in any binary
> > distribution kits. Yes, this means destroying CDs and deleting
> > it from FTP servers. Immediately, as in today.
> > ...

Yep. I believe it does. As in right now.

Look. Setlocale() is a horrid mess of spaghetti. It has NO BUSINESS being executed in anything that is SUID or in which EUID=0 until the spaghetti is fixed. Period.

As I pointed out in my last email here, "at" is yet another offender which is running as root. It calls setlocale(). Fix to libc or no, at() is also vulnerable for the SAME REASON. I can get it to dump core even WITH the fixed libraries, which means that the only reason it didn't get me a root shell is that I have the offsets wrong. Wow, that's cosmic -- it should take me all of a half-hour to play with the script a bit and get "#" out of it.

Folks, please, please WAKE THE HELL UP and smell the coffee. The "overrun the stack" game has been known as a common attack point now for well over a year. strcpy()s have NO PLACE in a privileged program. Period.

No place at all. You can whine about how I'm being unreasonable, but the fact is that I don't trust privileged code which uses strcpy, and with good cause. There have only been a few HUNDRED exploits made possible by that poor coding practice.

A zero-level sanity check on commits should be to refuse any which could be executed from an SUID process if the string "strcpy" appears in the commit in any way or form. It's simply unnecessary. Let's add strcat and the other unbounded variants to this as well -- including sprintf.

> And further suggests that he will now happily post about our security
> flaws to every newsgroup in creation in order to force such an action.

Jordan, you have a case here where the entire distribution that is on the FTP site is bleeding from the arteries. The bad guys ALREADY HAVE the exploit in their hands because Tom Ptacek posted it to the isp-security list in Chicago (which goes to ANYONE who wants on it) AS WELL AS the FreeBSD-security list, and *HE* became aware of it second-hand -- which means the exploit is in ACTIVE USE.

EVERY 2.1.6 system out there right now is vulnerable. Every single one. Lots of them were installed from binary distributions, and a boatload are going to be violated within hours, if they haven't been already.

> Oh yes, Karl is indeed being a reasonable man about all of this. A
> well-known paragon of diplomacy, our Mr. Denninger is, and it is for
> this reason that I suggested we'd all be a lot happier to see his
> retreating back. It has nothing to do with intolerance of a
> dissenting opinion, it has to do with intolerance of Karl himself.

Balderdash. You think you can sit on this. Why not pull the releases until you can FIX THE PROBLEM and post a fix-kit and/or a 2.1.7 release? What's the problem, Jordan? Why won't you wake the hell up and do something responsible with regards to this issue?

> > Is it time yet for someone else to set up yet ANOTHER source tree and
> > development branch for FreeBSD?
>
> You do whatever you feel you have to do, Karl. Just go away. You're
> an annoying pest.
>
> Jordan

I'm about to get a lot more annoying, Jordan. You're being irresponsible in the extreme here. It's unwarranted, and a huge black mark on the face of the FreeBSD development effort, which I have generally liked and applauded for quite some time.

This kind of "bury the problem until we get around to fixing it, and then we'll tell people about it" is equivalent to saying "oh, it's no big deal". In some cases you're right -- it's no big deal. In THIS case you're wrong -- the exploit is both trivial and published, as well as in ACTIVE use. It also is damnedly hard to plug given all the places that it occurs.

AGAIN, FOLKS, LET ME REPEAT IT: "at" is vulnerable unless you patch out the setlocale() call. ALL 2.1.6 systems are vulnerable unless you change crt0() and/or fix setlocale(), and the second option is a MESS.

-- 
Karl Denninger (karl@MCS.Net) | MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl      | T1's from $600 monthly to FULL DS-3 Service
                              | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219] | Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]      | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
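As an added example (not part of this thread, and not FreeBSD's own code), the pattern the message is about, written out in C: an unbounded strcpy() of an environment-controlled locale name into a fixed stack buffer, next to a bounded replacement that also restricts the name to the characters a locale name can contain, plus the "zero-level sanity check on commits" Karl proposes, as a scanner that counts calls to strcpy/strcat/sprintf/gets in a chunk of source without flagging snprintf, strlcpy or fgets. LOCALE_MAX, the accepted character set and the sample commit text are assumptions chosen for illustration, not values taken from setlocale() or the 2.1.6 libc.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; libc's real internals are not reproduced. */
#define LOCALE_MAX 32

/*
 * The vulnerable pattern: a fixed-size stack buffer filled by strcpy() from a
 * string the caller controls (LANG, LC_ALL, ...). In a set-uid binary an
 * overlong value runs past buf and overwrites the saved return address.
 * Kept only for contrast; never feed it long input.
 */
int locale_copy_unbounded(const char *name)
{
    char buf[LOCALE_MAX];
    strcpy(buf, name);          /* no bound: strlen(name) >= LOCALE_MAX overflows */
    return (int)strlen(buf);
}

/*
 * Hardened form: refuse anything that would not fit and anything outside the
 * character set a locale name can legitimately contain (assumed here to be
 * alphanumerics plus '_', '-', '.', '@'). Returns 1 if name was copied into
 * dst, 0 if rejected; on rejection dst holds the safe default "C", so dstlen
 * must be at least 2.
 */
int locale_copy_bounded(char *dst, size_t dstlen, const char *name)
{
    size_t n = strlen(name);
    size_t i;

    if (n == 0 || n >= dstlen)
        goto reject;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            goto reject;        /* '/', spaces, '%', control bytes, ... */
    }
    memcpy(dst, name, n + 1);
    return 1;

reject:
    snprintf(dst, dstlen, "C");
    return 0;
}

/* Wrapper with a stack buffer of the assumed size: 1 = accepted, 0 = rejected. */
int accepts_locale(const char *name)
{
    char buf[LOCALE_MAX];
    return locale_copy_bounded(buf, sizeof buf, name);
}

/*
 * The proposed commit check: count calls to unbounded string functions in a
 * piece of source text. A hit must start at an identifier boundary and be
 * followed by '(', so snprintf() does not count as sprintf() and fgets()
 * does not count as gets().
 */
static const char *const unbounded_fns[] = { "strcpy", "strcat", "sprintf", "gets", NULL };

int count_unbounded_calls(const char *src)
{
    int count = 0;
    int f;

    for (f = 0; unbounded_fns[f] != NULL; f++) {
        const char *fn = unbounded_fns[f];
        size_t len = strlen(fn);
        const char *p;

        for (p = strstr(src, fn); p != NULL; p = strstr(p + len, fn)) {
            const char *q = p + len;
            int at_boundary = (p == src) ||
                              !(isalnum((unsigned char)p[-1]) || p[-1] == '_');
            while (*q == ' ' || *q == '\t')
                q++;
            if (at_boundary && *q == '(')
                count++;
        }
    }
    return count;
}

/* Constructed sample "commit" text: two unbounded calls, two bounded ones. */
const char *const SAMPLE_COMMIT =
    "char b[32];\n"
    "strcpy(b, getenv(\"LANG\"));\n"
    "snprintf(b, sizeof b, \"%s\", x);\n"
    "strlcpy(b, x, sizeof b);\n"
    "sprintf(b, \"%s\", x);\n";

int main(void)
{
    char buf[LOCALE_MAX];
    const char *lang = getenv("LANG");

    if (lang == NULL)
        lang = "";
    printf("LANG %s: %s\n",
           locale_copy_bounded(buf, sizeof buf, lang) ? "accepted" : "rejected", buf);
    printf("unbounded calls in sample commit: %d\n", count_unbounded_calls(SAMPLE_COMMIT));
    return 0;
}
```

Rejecting on length is what stops the overflow; the character whitelist is the extra check a practitioner wants, since a locale name later becomes part of a path under the locale directory. The scanner is deliberately a textual check, which is what a pre-commit hook can do cheaply; it is not a substitute for auditing the set-uid programs that already exist.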