From owner-freebsd-security@FreeBSD.ORG Thu Aug 12 19:01:40 2010
Date: Thu, 12 Aug 2010 19:01:38 +0000 (UTC)
From: Janne Snabb <snabb@epipe.com>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: ~/.login_conf mechanism is flawed
In-Reply-To: <201008121302.o7CD2BJv044208@lava.sentex.ca>
References: <201008121302.o7CD2BJv044208@lava.sentex.ca>
List-Id: "Security issues [members-only posting]"

On Thu, 12 Aug 2010, Mike Tancsa wrote:

> Are there any other tricks / workarounds people have implemented? MACs?
Binary patch libutil:

1. cd /lib
2. perl -pi.bak -e 's!\.login_conf!../.noexist!;' libutil.so.*
3. /etc/rc.d/sshd restart ; /etc/rc.d/ftpd restart

The above binary patch makes the login procedure look for a file called ".noexist" one level up from the user's home directory. If that directory is not writable by the user (as is typically the case), the patch will protect you from the potential vulnerability (by disabling user-specific capabilities processing).

(Yes, you can use perl regular expressions to do binary patches. They do not seem to break anything in the binary data. I have been doing similar things for years. sed is not robust for this purpose. Obviously you will break everything if the replacement string is not of the same length as the original.)

I was looking at the lib/libc/db code today for some time. valgrind reports several out-of-allocated-space accesses when db functions are given a malicious .db file (__getbuf_crash_suspicious.db from HI-TECH's mail attachment for example). The code is somewhat complicated to understand, as I am not familiar with it, thus no real solution (from me at least).

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
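Editor's note: the perl one-liner above silently does nothing if the pattern does not match and silently corrupts the library if the two strings differ in length. The following is an added example (not part of Janne's post and not FreeBSD code) of the same same-length string patch with the checks a practitioner would want before touching a live libutil: equal lengths, a NUL-terminated match so a longer string that merely starts with ".login_conf" is not clobbered, an expected match count, and a .bak copy. The fake library bytes and the ".login_conf_extra" string are constructed for the test; the function, file and variable names are the example's own.

```python
"""Same-length string patch for a binary file, with safety checks.

Added example, not code from the original post or from FreeBSD.  The
idea is the one in the post: overwrite ".login_conf" in libutil with a
string of identical length that points at a path the user cannot create.
"""
from pathlib import Path
import shutil

# Both strings are 11 bytes; the trailing NUL in the binary is preserved.
OLD = b".login_conf"
NEW = b"../.noexist"

# Constructed stand-in for a shared library: an ELF magic, some padding,
# the real string, and a longer string that shares the prefix.  The
# latter must survive the patch untouched.
FAKE_LIB = (
    b"\x7fELF" + b"\0" * 12
    + b"/etc/login.conf\0"
    + b".login_conf\0"
    + b".login_conf_extra\0"
    + b"login_getuserclass\0"
)


def patch_same_length(data: bytes, old: bytes, new: bytes, expect: int = 1) -> bytes:
    """Return `data` with every NUL-terminated `old` replaced by `new`.

    Raises ValueError instead of producing a broken binary when the
    lengths differ or the number of matches is not what the caller
    expected (zero matches means the patch would be a silent no-op).
    """
    if len(old) != len(new):
        raise ValueError(f"length mismatch: {len(old)} != {len(new)}")
    needle, repl = old + b"\0", new + b"\0"
    count = data.count(needle)
    if count != expect:
        raise ValueError(f"expected {expect} match(es), found {count}")
    patched = data.replace(needle, repl)
    assert len(patched) == len(data)  # same-length invariant
    return patched


def patch_error(data: bytes, old: bytes, new: bytes, expect: int = 1):
    """Return the error message a patch would raise, or None if it is safe."""
    try:
        patch_same_length(data, old, new, expect)
    except ValueError as err:
        return str(err)
    return None


def patch_file(path: Path, old: bytes = OLD, new: bytes = NEW, expect: int = 1) -> Path:
    """Patch `path` in place after validating; keep the original as <name>.bak.

    Validation happens before the backup is written, so a rejected patch
    leaves the filesystem exactly as it was.
    """
    data = path.read_bytes()
    patched = patch_same_length(data, old, new, expect)
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_bytes(patched)
    return backup


if __name__ == "__main__":
    import sys
    # Usage: python patch_login_conf.py /lib/libutil.so.N
    for name in sys.argv[1:]:
        print(name, "backup at", patch_file(Path(name)))
```

On a real system run it against each libutil.so.* and then restart the daemons that have the library mapped, as the post does; the .bak file is what you restore from if the patched library misbehaves.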