From: Tim Traver <tt-list@simplenet.com>
Date: Fri, 20 May 2005 09:32:43 -0700
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability
Message-ID: <428E112B.3040305@simplenet.com>

Ted, you just can't stop being a dickhead, can you???

I admitted what I did wrong (unlike you), and yes, I posted this to the wrong list. Big deal. A lot of things get posted to this list that are a thousand times worse.

Get off your high horse, and maybe use some manners instead of barking orders at everyone.

I don't know which is worse. Trolls, or those that scream troll at the drop of a hat.

Tim.

Ted Mittelstaedt wrote:
> Tim,
>
> In my first e-mail I said:
>
> "If it works I would submit it to the FreeBSD security list"
>
> OK, so I see how you might have misinterpreted that.
> But the sentence "if it works you would submit it to the FreeBSD security list" isn't grammatically correct.
>
> In my second e-mail I said:
>
> "I told you to post the patch and info to the appropriate FreeBSD security lists, and you aren't the least bit interested in doing what I told you"
>
> On the index page of http://www.freebsd.org there is a link called "FAQ"
>
> On that page is a link called "Security"
>
> On that page is the text:
>
> "...This point and others are often discussed on the mailing lists, particularly the FreeBSD security mailing list...."
>
> with a link to the appropriate mailing list.
>
> I find it real hard to believe you use FreeBSD on hundreds of servers and are unaware of the appropriate forum to post security questions. The general freebsd questions mailing list is not this place. You should have known this before you even posted your first question. Reading instructions for products that you use is not optional, it is mandatory, and FreeBSD's instructions are on the website.
>
> You posted your query in the wrong forum, you got a patch in response which is far more than you should have got, you were directed, hinting at first, forcibly at second, to go to the appropriate forum to post the patch, the results of the patch, and your security questions. You still, as far as I know, have not done this.
>
> So, OK maybe you're not a troll and I assumed wrong. But I will point out that you said absolutely nothing in your first post about who you are, what you are doing, why you even give a shit about this issue. If you had simply opened your first post with "I was shown this vulnerability by our network security person and I have to respond to him in some fashion" or something like that, it would have gone a long way towards establishing credibility as to why you cared about this.
> If even better you had done a bit of research and said "well the vulnerability shows that OpenBSD already patched for this, maybe FreeBSD should" or if even better than that you had said "I looked at the OpenBSD patch and it's really simple, could we use it on FreeBSD" that would have done a lot to establishing that you were at least willing to offer help and assistance.
>
> Instead, reread your second post - you not once offered to do anything, not even apply the patch to see if it compiled, all you did is ask for yet more research to be done for you.
>
> Well we all are busy, you don't have a lock on that, buddy.
>
> Apply the patch. If the FreeBSD system doesn't panic then the patch isn't grossly wrong. If you do not have a test system then don't apply it. Either way, just take the patch to the appropriate FreeBSD security forum and post it with "some asshole on questions told me to apply this in results of is this the right way to fix it?"
>
> As I said, IF you are a fucking troll then you WOULDN'T do the above. That means that if you WOULD do the above then you AREN'T a fucking troll. You still have a chance to redeem yourself. Do it!
>
> FreeBSD is for adults, not kids. Kids want the adults to do all their homework for them. Adults at least try to do the homework, then call for help when they are stuck. Look at your first 2 posts again and put yourself in my shoes - do those posts make you look like an adult, or a whiny kid wanting someone to do his homework for him?
>
> Ted
>
> -----Original Message-----
> From: Tim Traver [mailto:tt-list@simplenet.com]
> Sent: Thursday, May 19, 2005 11:24 PM
> To: Ted Mittelstaedt
> Cc: bsd
> Subject: Re: PAWS security vulnerability
>
>> Ted,
>>
>> I don't know your experience lately with people on this or any other list, but that last personal attack was WAY out of line. I am not a Troll, nor have I ever been one.
>> I use FreeBSD extensively on hundreds of servers, but I am not a FreeBSD source contributor.
>>
>> Yes, I was shown this "vulnerability" by our network security person, read it over, and thought that it might be a legitimate exploit. I even picked up on the fact that Microsoft had already patched it in the service pack 2, which may mean that it was under wraps for a while, and was suspicious. So, after doing a little research on the net myself and not finding much, I decided to post something to the list to see if anyone had heard anything about it, and if the FreeBSD committers were working on a possible patch.
>>
>> Maybe I wrote my post wrong, but it didn't deserve you biting my fucking head off.
>>
>> Now, you'll probably start in on "well, if you run that many servers, then why don't you know what you're doing?". I do know what I'm doing. I would very well be able to apply your patch, and compile a new system. Problem is, I'm afraid I don't quite understand the vulnerability enough to properly test what it is supposed to fix...
>>
>> I would first need a way to break it, and then after applying your patch, verify that I couldn't break it any longer. If I knew how to break it, then I would be a better programmer than you, which I am not, and have never claimed to be. From the description of the issue, it sounds like a single cleverly made TCP packet with a bogus timestamp on it could take down ALL of the TCP connections to that machine.
>>
>> To quote the article:
>> "A large value is set by the attacker as the packet timestamp. When the target computer processes this packet, the internal timer is updated to the large attacker supplied value. This causes all other valid packets that are received subsequent to an attack to be dropped as they are deemed to be too old, or invalid."
>>
>> That sounds like it is pretty serious to me. One packet takes down ALL TCP services to the machine. You make it sound like it's no big deal... Is it valid? I don't know.
>> I never claimed to know. I wasn't crying wolf here, just asking...
>>
>> So, my statement of "I'm not sure I have the ability to test out your patch." should really have been, "I don't have the knowledge enough of the vulnerability to test whether or not your patch works."
>>
>> And I would hardly consider "If it works, I would submit it to the security list" as some sort of command that I was supposed to follow. After reading that email, I thought that you were going to submit it to the security list. After all, it's your fucking patch.
>>
>> I am slowly working my way into the community, and would love to help with these kinds of things. But, like many other busy sys admins, I don't have a whole lot of spare time to work on things like this. Yes, if it was a serious problem enough to where I had to have a patch right away, I might have to devote some work time and give it a try for the team. I'm not sure that I know how serious it is, as I've already stated that I don't fully understand the supposed "vulnerability".
>>
>> I hardly made any kind of desperate demands for someone to quickly make me a patch. You might want to go re-read those posts...
>>
>> I can understand why you may have suspected troll because of the vague questions, but man, you flew off the handle awfully quick. Maybe you just need a vacation.
>>
>> You bashed OpenBSD for their knee jerk reactions, and I think you just made a big one...
>>
>> Tim.
>>
>> Ted Mittelstaedt wrote:
>>> Hi Tim,
>>>
>>> If you don't have the ability to test out the patch then LEARN!
>>>
>>> As the advisory said "no known exploits have been released" I also noticed that the only 2 vendors listed as implementing a fix were Cisco and Microsoft. And Microsoft was NOT on the problem list for ANY of their patched OSs. I would therefore assume that the release of this so-called vulnerability was carefully timed to take place AFTER Microsoft had got its ass covered, to make them look good, and everyone else look bad.
>>> I continue therefore to assume that this is a political security hole, not an actual security hole.
>>>
>>> OpenBSD is well known for knee-jerk reactions to real and supposed security holes, so it's not surprising they released a patch right away - of course, little good that did them since this advisory trashed them anyway. But knee jerk reactions don't always take all variables into account.
>>>
>>> I rewrote their patch because it was simple and easy to apply to the FreeBSD source - but I did not write the networking code in FreeBSD and have no idea if it is correct, or if OpenBSD even wrote the fix properly, or if in fact this is a real vulnerability that anyone needs to be concerned about. In theory, any flat-key lock can be picked in less than a minute (I've seen it done that fast, and done it myself somewhat more slowly) but that does not stop millions of them from being sold at Home Depot every year. If people went to a different type of lock that was much harder to pick then the burglar might not break in by picking the lock - but instead by kicking in the door which has the side effect of destroying the door and frame, and there's a couple thousand bucks lost right there fixing that - and if all the burglar does is steal a $200 TV set, then you're better off with the pickable lock. The point is that any change in the networking code may have side effects that are worse than the problem.
>>>
>>> I posted the patch in order to head off a big long dumbass trashing discussion, because I suspected you were trolling - but I was willing to give you the benefit of the doubt. If you were really concerned - such as if you worked for some company that had some stick-up-their-ass security officer that was bigger than his britches, and you had to have a fix RIGHT NOW - then this would have allowed you to apply the patch to shut up the bigger-than-britches security officer so you could continue about your business.
>>> In the meantime then the networking and security group could have had discussion about the PROPER way to handle this. Probably that's this patch, but maybe not.
>>>
>>> Now I find what? Well, it surely looks to me like I just spoiled your troll, so you're going to pretend it was no big deal, make a lame-ass excuse about how you really didn't need the patch anyway and can't apply it because you're incompetent, and fade into the woodwork. I told you to post the patch and info to the appropriate FreeBSD security lists, and you aren't the least bit interested in doing what I told you. Why - because you were only interested in this silly hypothetical PAWS exploit as long as nobody could say "FreeBSD has a fix, shut up and apply it", so you can go urinate on the parade here. Now I just handed you a urinal, and you're going to run away and pee on someone else.
>>>
>>> I don't want to see a fucking thing more from you unless it's:
>>>
>>> "Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and networking mailing lists and posted what I was given and this is what they said"
>>>
>>> If you aren't willing to lift a finger to do that, you're a fucking troll. Don't waste anyone else's time here. Next time you ask for code, you better check out the going hourly rate for custom programming.
>>>
>>> Ted
>>>
>>> -----Original Message-----
>>> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Tim Traver
>>> Sent: Thursday, May 19, 2005 1:27 PM
>>> To: Ted Mittelstaedt
>>> Cc: bsd
>>> Subject: Re: PAWS security vulnerability
>>> Importance: Low
>>>
>>>> Ted,
>>>>
>>>> thanks for taking a look at this. I'm not sure I have the ability to test out your patch. Maybe someone else on this fine list can?
>>>>
>>>> But this sounds like a pretty severe DoS issue that seems to be relatively simple to implement.
>>>>
>>>> Do you know if the 5.x branch is affected by this as well?
>>>>
>>>> Tim.
> > >Ted Mittelstaedt wrote: > > Hi Tim, > > Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 > that has been > rewritten for FreeBSD 4.11. YMMV If it works I would submit > it to the > FreeBSD >security list. The only change I made is OpenBSD defines "tiflags" >FreeBSD defines >"thflags" I assume they are the same thing. The file is in >/usr/src/sys/netinet > >Turning off the timestamps would be a good way to make your network go >slow. > >*** tcp_input.c.original Thu May 19 11:52:30 2005 >--- tcp_input.c Thu May 19 12:00:14 2005 >*************** >*** 976,984 **** >--- 976,992 ---- > * record the timestamp. > * NOTE that the test is modified according > to the latest > * proposal of the tcplw@cray.com list (Braden >1993/04/26). >+ * NOTE2 additional check added as a result of PAWS >vulnerability >+ * documented in Cisco security notice >cisco-sn-20050518-tcpts >+ * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch > */ > if ((to.to_flags & TOF_TS) != 0 && > SEQ_LEQ(th->th_seq, tp->last_ack_sent)) { >+ if (SEQ_LEQ(tp->last_ack_sent, > th->th_seq + tlen > + >+ ((thflags & (TH_SYN|TH_FIN)) != 0))) >+ tp->ts_recent = to.to_tsval; >+ else >+ tp->ts_recent = 0; > tp->ts_recent_age = ticks; > tp->ts_recent = to.to_tsval; > } > >Ted > > > > -----Original Message----- >From: owner-freebsd-questions@freebsd.org >[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Tim Traver >Sent: Thursday, May 19, 2005 10:09 AM >To: bsd >Subject: PAWS security vulnerability > > >Hi all, > >ok, this article was just published about a PAWS TCP DOS >vulnerability, >and lists freeBSD 4.x as affected. > >http://www.securityfocus.com/bid/13676/info/ > >Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ? > >and is 5.4 affected too ? > >Tim. 
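Review bot: the new `if`/`else` block in the tcp_input.c hunk is a dead store, because the unchanged context line `tp->ts_recent = to.to_tsval;` that follows `tp->ts_recent_age = ticks;` still runs unconditionally, so `ts_recent` ends up equal to the segment's timestamp whether or not `last_ack_sent` falls within the segment; the old-side range `*** 976,984 ****` carries no removed lines, which confirms that assignment was never dropped. For the added range test to have any effect, the trailing `tp->ts_recent = to.to_tsval;` has to be deleted (the `if` branch already performs that assignment), and the hunk should show it as a removal. The `else` branch that sets `tp->ts_recent = 0` also deserves a sentence in the NOTE2 comment explaining why a stale segment invalidates the recorded timestamp rather than simply leaving it untouched, since that is the one behavioural change a reviewer on the security list cannot infer from the cited advisory name alone.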
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
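A worked model of the check the thread argues about, added here as an illustration and not code from the thread, from FreeBSD or from OpenBSD: it runs the FreeBSD 4.11 ts_recent update test that appears as context in the posted hunk (`SEQ_LEQ(th->th_seq, tp->last_ack_sent)` alone) beside the patched test that also requires `last_ack_sent` to lie within the segment, and feeds both through the RFC 1323 PAWS drop rule. The struct and function names (`paws_tcb`, `seg`, `process_segment`, `run_scenario`, `scenario_ts_recent`), the three constructed segments, and the simplifications (no 24-day idle exception, the ACK point advances only on in-order data) are assumptions of this model, not kernel behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the RFC 1323 PAWS state kept per connection.
 * Field names follow the FreeBSD fields that appear in the hunk
 * (ts_recent, last_ack_sent); the struct itself is an assumption. */
struct paws_tcb {
    uint32_t ts_recent;     /* most recent timestamp learned from the peer */
    uint32_t last_ack_sent; /* highest ACK number we have sent */
};

/* Constructed inbound segment, reduced to the fields the checks need. */
struct seg {
    uint32_t seq;     /* th_seq */
    uint32_t len;     /* tlen: payload bytes */
    bool     syn_fin; /* SYN or FIN set: occupies one sequence number */
    bool     has_ts;  /* TOF_TS: a timestamp option is present */
    uint32_t tsval;   /* to_tsval */
};

/* Modular comparisons, as the kernel's SEQ_LEQ / TSTMP_LT macros do them. */
static int seq_leq(uint32_t a, uint32_t b)  { return (int32_t)(a - b) <= 0; }
static int tstmp_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* RFC 1323 PAWS test: with a valid ts_recent, a segment carrying an older
 * timestamp is dropped. The 24-day idle exception is omitted here. */
static bool paws_drop(const struct paws_tcb *tp, const struct seg *s)
{
    return s->has_ts && tp->ts_recent != 0 && tstmp_lt(s->tsval, tp->ts_recent);
}

/* ts_recent update. strict == false is the test quoted as context in the
 * hunk (SEG.SEQ <= Last.ACK.sent only); strict == true adds the range test
 * the hunk introduces, including its else branch that zeroes ts_recent. */
static void record_ts(struct paws_tcb *tp, const struct seg *s, bool strict)
{
    if (!s->has_ts || !seq_leq(s->seq, tp->last_ack_sent))
        return;
    if (!strict) {
        tp->ts_recent = s->tsval;
        return;
    }
    uint32_t seg_end = s->seq + s->len + (s->syn_fin ? 1 : 0);
    if (seq_leq(tp->last_ack_sent, seg_end))
        tp->ts_recent = s->tsval; /* our last ACK lies inside this segment */
    else
        tp->ts_recent = 0;        /* stale segment: do not learn from it */
}

/* Process one segment; returns true if accepted, false if PAWS dropped it.
 * Simplification: the ACK point advances only on in-order data. */
bool process_segment(struct paws_tcb *tp, const struct seg *s, bool strict)
{
    if (paws_drop(tp, s))
        return false;
    record_ts(tp, s, strict);
    uint32_t seg_end = s->seq + s->len + (s->syn_fin ? 1 : 0);
    if (s->seq == tp->last_ack_sent && seq_leq(tp->last_ack_sent, seg_end))
        tp->last_ack_sent = seg_end;
    return true;
}

/* Constructed scenario: an in-order data segment, then a stale segment whose
 * sequence range lies far below our ACK point but which carries a far-future
 * timestamp, then another in-order data segment. Returns how many of the
 * three were accepted; the final ts_recent is stored through ts_out. */
int run_scenario(bool strict, uint32_t *ts_out)
{
    struct paws_tcb tp = { .ts_recent = 500, .last_ack_sent = 1000 };
    const struct seg segs[] = {
        { .seq = 1000, .len = 100, .syn_fin = false, .has_ts = true, .tsval = 510 },
        { .seq =  200, .len =  10, .syn_fin = false, .has_ts = true, .tsval = 0x7fffff00u },
        { .seq = 1100, .len = 100, .syn_fin = false, .has_ts = true, .tsval = 520 },
    };
    int accepted = 0;
    for (int i = 0; i < 3; i++)
        accepted += process_segment(&tp, &segs[i], strict);
    if (ts_out)
        *ts_out = tp.ts_recent;
    return accepted;
}

/* Convenience accessor: the ts_recent left behind by the scenario. */
uint32_t scenario_ts_recent(bool strict)
{
    uint32_t ts = 0;
    run_scenario(strict, &ts);
    return ts;
}

int main(void)
{
    uint32_t ts;
    int n = run_scenario(false, &ts);
    printf("4.11 test:    accepted %d of 3 segments, ts_recent = %u\n", n, ts);
    n = run_scenario(true, &ts);
    printf("patched test: accepted %d of 3 segments, ts_recent = %u\n", n, ts);
    return 0;
}
```

With the 4.11 test the stale segment's far-future timestamp becomes ts_recent and the next in-order segment is rejected by PAWS, which is the stall the quoted advisory text describes; with the range test the stale segment cannot poison ts_recent and every in-order segment is accepted. The hunk's else branch (ts_recent = 0) is reproduced as posted, so in the patched run the stale segment leaves ts_recent invalid until the following in-range segment records a fresh value.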