Date:      Sat, 04 Oct 1997 07:39:24 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        freebsd-security@freebsd.org
Cc:        security-officer@freebsd.org
Subject:   Changed Setuid Binary
Message-ID:  <199710041439.HAA14172@cwsys.cwent.com>

Below is a portion of the output from the daily security check from one of
my 2.2.2R (+published security patches) boxes.  You'll notice that a
sendmail binary's last modification date has changed.  I've compared this
binary with one on my other FreeBSD-2.2.2 (+published security patches) box
at home.  After comparing it using cmp and verifying the compare with md5,
the binary did not change, only the last modification date did.

I remember seeing this before on 2.1.x, though I cannot remember seeing it
on 2.0.5.  I also remember seeing some discussion on this list about this
strange phenomenon some time ago.  The explanation for the problem at that
time had something to do with the paging routines in FreeBSD at the time.
From the output below you will notice that the date last modified stamp for
sendmail has changed.  At the time that this binary's modification stamp
was changed I was running a CPU intensive non-setuid program and had just
terminated a PPP connection to my place of employment.

Sendmail does not run as a daemon on this machine.  SMTP is handled by
Obtuse Systems SMTP daemon, smtpd.  Their smtpfwdd daemon periodically calls
(fork/exec) sendmail to process their queue and sendmail is periodically run
out of cron to process its queue.  At the time the only thing that sendmail
was doing was (extracted from root's crontab entry):

5/30 * * * * /usr/sbin/sendmail -q

Is there any possibility that this is the same bug discussed 6 to 12 months
ago on this list?  Or could this be related to cron exec()ing sendmail at
the time and FreeBSD modifying the mtime when sendmail was executed by cron?

Even though the binary did not change, the changed mtime still has some
security implications as there is no way one can know for sure whether a
binary was changed by an unauthorized person or whether FreeBSD just decided
to change it itself.

Any thoughts or ideas?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

		"Quit spooling around, JES do it."


------- Forwarded Message

Delivery-Date: Sat, 04 Oct 1997 02:05:54 -0700
Return-Path: root
Received: (from root@localhost) by cwsys.cwent.com (8.8.7/8.6.10) id CAA08384 for root; Sat, 4 Oct 1997 02:00:02 -0700 (PDT)
Date: Sat, 4 Oct 1997 02:00:02 -0700 (PDT)
From: Charlie Root <root>
Message-Id: <199710040900.CAA08384@cwsys.cwent.com>
Subject: cwsys security check output

checking setuid files and devices:


cwsys setuid diffs:
85d84
< -rws--x--x  1 root  bin       139264 Apr 25 07:13:32 1997 /usr/local/bin/ssh
96,98c95,97
< -r-s--x--x  3 root  bin     290816 Aug  9 00:59:19 1997 /usr/local/etc/sendmail/8.8.7/mailq
< -r-s--x--x  3 root  bin     290816 Aug  9 00:59:19 1997 /usr/local/etc/sendmail/8.8.7/newaliases
< -r-s--x--x  3 root  bin    290816 Aug  9 00:59:19 1997 /usr/local/etc/sendmail/8.8.7/sendmail
- ---
> -r-s--x--x  3 root  bin    290816 Oct  2 17:05:03 1997 /usr/local/etc/sendmail/8.8.7/mailq
> -r-s--x--x  3 root  bin     290816 Oct  2 17:05:03 1997 /usr/local/etc/sendmail/8.8.7/newaliases
> -r-s--x--x  3 root  bin    290816 Oct  2 17:05:03 1997 /usr/local/etc/sendmail/8.8.7/sendmail


checking for uids of 0:
root 0
toor 0


cwsys kernel log messages:
> ia.  All rights reserved.
> 
> FreeBSD 2.2.2-RELEASE #0: Sun Sep  7 08:55:21 PDT 1997
>     root@cwsys:/opt/usr_src/sys/compile/CWSYS
> CPU: Pentium (119.75-MHz 586-class CPU)
>   Origin = "GenuineIntel"  Id = 0x52c  Stepping=12
>   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
> real memory  = 33554432 (32768K bytes)
> avail memory = 30597120 (29880K bytes)
> Probing for devices on PCI bus 0:
> chip0 <Intel 82437VX PCI cache memory controller> rev 2 on pci0:0
> chip1 <Intel 82371SB PCI-ISA bridge> rev 1 on pci0:7:0
> chip2 <Intel 82371SB IDE interface> rev 0 on pci0:7:1
> vga0 <VGA-compatible display device> rev 84 int a irq 9 on pci0:20
> Probing for devices on the ISA bus:
> sc0 at 0x60-0x6f irq 1 on motherboard
> sc0: VGA color <16 virtual consoles, flags=0x0>
> ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
> ed0: address 00:00:c0:eb:b1:4a, type WD8013EPC (16 bit) 
> sio0 at 0x3f8-0x3ff irq 4 on isa
> sio0: type 16550A
> sio1 at 0x2f8-0x2ff irq 3 on isa
> sio1: type 16550A
> lpt0 at 0x378-0x37f irq 7 on isa
> lpt0: Interrupt-driven port
> lp0: TCP/IP capable interface
> fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
> fdc0: NEC 72065B
> fd0: 1.44MB 3.5in
> fd1: 1.2MB 5.25in
> wdc0 at 0x1f0-0x1f7 irq 14 on isa
> wdc0: unit 0 (wd0): <WDC AC22100H>
> wd0: 2014MB (4124736 sectors), 4092 cyls, 16 heads, 63 S/T, 512 B/S
> wdc1 at 0x170-0x177 irq 15 on isa
> wdc1: unit 0 (wd2): <WDC AC22500L>
> wd2: 2441MB (4999680 sectors), 4960 cyls, 16 heads, 63 S/T, 512 B/S
> aha0 at 0x330-0x333 irq 11 drq 5 on isa
> aha0 waiting for scsi devices to settle
> (aha0:0:0): "QUANTUM LIGHTNING 730S 241E" type 0 fixed SCSI 2
> sd0(aha0:0:0): Direct-Access 699MB (1431760 512 byte sectors)
> (aha0:2:0): "PLEXTOR CD-ROM PX-4XCH 1.22" type 5 removable SCSI 2
> cd0(aha0:2:0): CD-ROM can't get the size
> (aha0:4:0): "ARCHIVE Python 28388-XXX 5.45" type 1 removable SCSI 2
> st0(aha0:4:0): Sequential-Access density code 0x13,  drive empty
> (aha0:6:0): "IOMEGA ZIP 100 D.09" type 0 removable SCSI 2
> sd1(aha0:6:0): Direct-Access 
> sd1(aha0:6:0): ILLEGAL REQUEST asc:24,0 Invalid field in CDB
> sd1 could not mode sense (4). Using ficticious geometry
> 
> sd1(aha0:6:0): NOT READY asc:3a,0 Medium not present
> sd1: could not get size
> 0MB (0 512 byte sectors)
> 1 3C5x9 board(s) on ISA found at 0x300
> ep0 at 0x300-0x30f irq 10 on isa
> ep0: aui/utp/bnc[*BNC*] address 00:60:97:d3:32:3e
> npx0 on motherboard
> npx0: INT 16 interface

------- End of Forwarded Message
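The poster's point is that an mtime change on a setuid binary cannot by itself tell you whether the file was tampered with, and that only comparing content (cmp, md5) settles it. The FreeBSD daily check shown above diffs an ls listing, so a changed timestamp and a changed binary look the same in the report. The script below is an added example, not code from the post or from FreeBSD's /etc/security; it records a baseline of setuid/setgid files keyed on a SHA-256 content hash plus mode and owner, and on the next run classifies each difference as "content changed", "mode/owner changed" or "mtime only (content identical)", so a metadata-only change like the one reported here is separated from a real modification. The directory roots, the baseline file location and the function names are assumptions for the example.

```python
"""Baseline-and-compare check for setuid binaries keyed on content, not mtime.

Added example (not FreeBSD's own security script). It walks the given roots,
fingerprints every regular file with the setuid or setgid bit set, and
compares against a previously saved baseline. A change in mtime alone is
reported separately from a change in content or permissions.
"""
import hashlib
import json
import os
import stat
import sys
from typing import Dict

Fingerprint = Dict[str, object]


def fingerprint(path: str) -> Fingerprint:
    """Record what a daily check should compare: mode, owner, size, mtime and a content hash."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": h.hexdigest(),
    }


def find_setuid(roots) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under the roots that has setuid or setgid set."""
    found: Dict[str, Fingerprint] = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort the scan
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found[p] = fingerprint(p)
    return found


def classify(old: Fingerprint, new: Fingerprint) -> str:
    """Order matters: a content change outranks a mode change, which outranks mtime alone."""
    if old["sha256"] != new["sha256"] or old["size"] != new["size"]:
        return "content changed"
    if old["mode"] != new["mode"] or old["uid"] != new["uid"]:
        return "mode/owner changed"
    if old["mtime"] != new["mtime"]:
        return "mtime only (content identical)"
    return "unchanged"


def compare(baseline: Dict[str, Fingerprint], current: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Return a verdict per path; paths only in one side are reported as removed/new."""
    report: Dict[str, str] = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            report[p] = "removed"
        elif p not in baseline:
            report[p] = "new setuid file"
        else:
            report[p] = classify(baseline[p], current[p])
    return report


if __name__ == "__main__":
    # Assumed layout: roots on the command line, baseline kept at a root-only path.
    roots = sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/etc"]
    baseline_path = "/var/db/setuid-baseline.json"  # assumed location
    current = find_setuid(roots)
    if os.path.exists(baseline_path):
        with open(baseline_path) as f:
            baseline = json.load(f)
        for path, verdict in compare(baseline, current).items():
            if verdict != "unchanged":
                print(f"{verdict:32s} {path}")
    with open(baseline_path, "w") as f:
        json.dump(current, f, indent=1)
```

The baseline file must itself be protected (root-owned, ideally on read-only or offline media), since an attacker who can replace a setuid binary can usually rewrite a baseline stored on the same filesystem; the hash comparison only tells you the file differs from what you recorded, not that the record is honest.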




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710041439.HAA14172>