From owner-freebsd-security Mon Jul 28 11:34:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA23451 for security-outgoing; Mon, 28 Jul 1997 11:34:20 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA23426 for ; Mon, 28 Jul 1997 11:34:14 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id OAA03855; Mon, 28 Jul 1997 14:33:50 -0400 (EDT)
Date: Mon, 28 Jul 1997 14:33:49 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Vincent Poy
cc: Tomasz Dudziak , security@FreeBSD.ORG, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Vincent Poy wrote:

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> =)> =)There was a security hole some time ago in perl that allowed local users
> =)> =)to gain root access... That's probably the way he got root access...
> =)> =)I would check my binaries, sup and recompile.
> =)>
> =)> Hmmm, I supped the perl from the most recent ports tree and also
> =)> all the binaries are about 2 months old from the -current tree. I thought
> =)> the security hole was way before that. What I didn't get is how did he
> =)> get access to the second system (earth) when he doesn't have an account
> =)> there in the first place?
> =)
> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
> =)daemons were running on the machine? Any web server processes? Also, I'd
> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
> =)extremely unhappy if we already know (s)he is messing with DNS entries.
>
> sendmail is running as well as apache httpd... ftpd, telnetd, and
> ircd. No NIS. All I know was he managed to change everyone's .rhosts
> file when it doesn't exist originally and the contents just had:
> + +
> in it.

This guy sounds like either he has good tools, or good experience. For
safety's sake, I'd guess the latter. All he needed was one sniffed password
to get on the system, and then you may be stuck with known holes in
application software. Most of the security problems I've seen have started
with a sniffed password, but this comes from dormitory experience :).

Your best hope at this point is to shut down the system, boot on a floppy
with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
and check for changes. If you're running STABLE, your best bet may be to
sup down differences, but to reinstall the binaries necessary to support
the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
If he's made enough changes to zap syslog, netstat, login-stuff, I wouldn't
trust any other tools on the system currently.

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/
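As an added example (not part of the thread above), a POSIX sh script that does the two checks the exchange points at: compare every file under a trusted copy of the system (assumed mounted read-only from the CDROM Robert mentions) against the live tree by MD5, and list the wide-open `.rhosts` files Vincent found. The directory arguments and the `md5sum`/`md5` tool names are assumptions; run it from the rescue media, not with the possibly trojaned binaries on the live disk.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Assumes a trusted copy of the system tree (e.g. CDROM mounted
# read-only) and that md5sum (GNU) or md5 (BSD) exists on the
# rescue media being booted from.

# Print the MD5 digest of one file with whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_tree TRUSTED LIVE
# For every regular file under TRUSTED, compare its MD5 with the file
# at the same relative path under LIVE. One line per problem:
#   MISSING  <rel>   file absent on the live system
#   CHANGED  <rel>   checksum differs (trojaned netstat, login, ...)
# Returns 0 when everything matches, 1 otherwise.
verify_tree() {
    trusted=$1; live=$2
    report=$( (cd "$trusted" && find . -type f) | sort | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING  $rel"
        elif [ "$(md5_of "$trusted/$rel")" != "$(md5_of "$live/$rel")" ]; then
            echo "CHANGED  $rel"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# find_open_rhosts HOMEROOT
# List .rhosts files under HOMEROOT containing a bare "+" or "+ +"
# line, i.e. trusting any host and any user (what the intruder planted).
find_open_rhosts() {
    find "$1" -name .rhosts -type f 2>/dev/null | while IFS= read -r rh; do
        if grep -Eq '^[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*$' "$rh"; then
            echo "$rh"
        fi
    done
}
```

The comparison covers only files present on the trusted media; anything the intruder added (a new setuid binary, a replaced rc script) still has to be hunted for separately, e.g. by listing files on the live tree that have no counterpart under the trusted copy.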