From owner-freebsd-security Thu Jul 4 08:00:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA01048 for security-outgoing; Thu, 4 Jul 1996 08:00:21 -0700 (PDT)
Received: from irs.inf.tu-dresden.de (irs.inf.tu-dresden.de [141.76.1.17]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA01006 for ; Thu, 4 Jul 1996 08:00:04 -0700 (PDT)
Received: by irs.inf.tu-dresden.de (8.6.12/8.6.12-s1) id QAA23324; Thu, 4 Jul 1996 16:59:56 +0200
Date: Thu, 4 Jul 1996 16:59:56 +0200
Message-Id: <199607041459.QAA23324@irs.inf.tu-dresden.de>
To: freebsd-security@freebsd.org
Subject: [der Mouse ] Re: portmapper dangers
From: hohmuth@inf.tu-dresden.de (Michael Hohmuth)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Given the recent OpenBSD flame war in comp.unix.bsd.*.misc and some recent posting by der Mouse in the Bugtraq mailing list (included below), I'm led to believe that the OpenBSD version of `portmap' has silently had some security bugs fixed.

Would someone from the FreeBSD crew go and check out the diffs (ftp.openbsd.org)? (I can't do that myself as I possess some ignorance wrt NFS, `portmap' and all that stuff.)

I've had some email dialog with der Mouse; he's offered to provide anyone going into this with any details I can't supply, which probably means he will provide you with all the details as I don't have any. :)

Michael
--
Email: hohmuth@inf.tu-dresden.de
WWW: http://www.inf.tu-dresden.de/~mh1/

------- Start of forwarded message -------
From: der Mouse
Subject: Re: portmapper dangers
To: Multiple recipients of list BUGTRAQ
Date: Mon, 1 Jul 1996 14:09:48 -0400
Reply-To: Bugtraq List
Approved-By: ALEPH1@UNDERGROUND.ORG
Approved-By: der Mouse
Message-ID: <199607011809.OAA05268@Collatz.McRCIM.McGill.EDU>
Sender: Bugtraq List

>> The dangers, according to the code changes I saw, [...]
> So I assume the person you've been corresponding with has found a way
> to exploit that in some novel, clever way? [...] Not to be
> argumentative, but the fact that you can do unauthenticated sets and
> unsets has been documented ever since the O'Reilly RPC book came out
> (read the appendices).

> And as far as I can tell, if outsiders don't have access to your
> portmapper a la portmap3, they still can't do a set or an unset. Has
> your associate found a way around Mr. Venema's access control?

I don't know what the hell he's found. He told me he had found portmap bugs, bad ones that he almost had to break binary compatibility to fix. I asked about revealing them, he said he didn't want to 'cause 8lgm got so badly flamed for giving out bug info. I offered to anonymize him and take any heat myself, he refused saying he'd want credit.

I found an updated portmap.c up for anonymous ftp, diffed it against other sources I had access to, and came up with the info I posted. The closest source I had handy to diff against (ie, smallest diffs) was the NetBSD source; based on that, I believe 4.4 is probably vulnerable as well. This then made me think that probably Venema's code was also open, which matched well with some other remarks my informant made (I specifically asked about the Venema code). I suppose I should have checked, but searching out and reading Venema's code looked like more time than was worth investing. (Of course, as it turned out...sigh.)

Then he wigged out, telling me I acted irresponsibly because now he had a SunOS machine he couldn't protect, that I missed half-a-dozen important aspects of it, that all I'd done was to draw attention to portmap bugs from black hats with nothing better to do than pore over portmap looking for them. Yeah, well, I've got a whole lab full of SunOS machines I want to protect too.
I can't base my actions on things I know nothing about, and he refused to tell me what the holes were, leading me to believe his reasons for secrecy were not wanting to get flamed, not because they were hard to fix. So I did what I could to find out what I could, since if he won't tell me what I need to protect my machines, I'm damn well going to do my best to search out the information on my own. His attitude seems to be that if his machines are locked down tight the rest of the world can go to hell for all he cares. I don't feel that way, which is why I posted here instead of just deducing what I could and then keeping quiet, especially since what I did find was easy for an admin to fix, by running a modern portmapper.

(Interestingly, he did say that my message was forwarded to him. This means that he isn't on bugtraq, but that someone was who was close enough to the events to recognize who my unnamed informant was. I wonder what that person's motivations were.)

His last letter was burbling about holding me personally responsible if his machines got cracked in the next few weeks.

At this point, the only reason I have to think that the other holes even _exist_ is that this guy has a history that demonstrates lots of technical skill, so he's not likely to be too far wrong.

And yes, I know this message is bound to provoke further attention directed at portmap. I don't like the thought that this probably means more cracked systems, possibly even some of the ones I'm supposedly protecting, but the attention is unavoidable given the discussion, and at least _something_ good may come out of it if it ends up provoking widespread exploitation of the holes (assuming I'm right that they exist); that appears to be the one thing that makes vendors actually _fix_ holes.

der Mouse
mouse@collatz.mcrcim.mcgill.edu
01 EE 31 F6 BB 0C 34 36 00 F3 7C 5A C1 A0 67 1D
------- End of forwarded message -------