From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 15:33:46 2014
Date: Sun, 5 Oct 2014 11:33:38 -0400
From: el kalin
To: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

should i submit this as a bug?

On Sun, Oct 5, 2014 at 2:04 AM, el kalin wrote:
> hi again… i have disabled the icmp pings… same result...
>
> currently:
>
> /etc/pf.conf:
>
> tcp_in = "{ www, https }"
> udp = "{ domain, ntp, snmp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
> antispoof for xn0 inet
> block in all
> pass out all keep state
> pass out inet proto udp from any to any port 33433 >< 33626 keep state
> pass proto udp to any port $udp
> ### pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
> # sysctl -a | grep sourceroute
> net.inet.ip.sourceroute: 0
> net.inet.ip.accept_sourceroute: 0
>
> in /etc/defaults/rc.conf:
>
> forward_sourceroute="NO"
> accept_sourceroute="NO"
>
> what am i missing? this is pretty important….
>
> thanks…..
>
> On Sat, Oct 4, 2014 at 11:46 PM, el kalin wrote:
>
>> hi all…
>>
>> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
>> i used openvas to scan it and pretty much everything is fine except this:
>>
>> "The remote host accepts loose source routed IP packets.
>> The feature was designed for testing purpose.
>> An attacker may use it to circumvent poorly designed IP filtering
>> and exploit another flaw. However, it is not dangerous by itself.
>> Solution:
>> drop source routed packets on this host or on other ingress
>> routers or firewalls."
>>
>> there is no "other ingress routers or firewalls." except the AWS
>> "security group" which only has open ports 80, 443 and 22 and all ICMP for
>> pinging...
>>
>> on the instance itself i have this already set up...
>>
>> in /etc/sysctl.conf i have:
>>
>> net.inet.ip.accept_sourceroute=0
>>
>> in /etc/defaults/rc.conf i got:
>>
>> accept_sourceroute="NO"
>>
>> # sysctl -a | grep accept_sourceroute
>> net.inet.ip.accept_sourceroute: 0
>>
>> i also have a pf enabled locally pretty much with the same ports as the
>> security group. can i use pf to drop those packets?
>>
>> how do i drop the source routed packets?
>> without this i can't pass a pci scan…
>>
>> thanks...

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 15:58:11 2014
Date: Sun, 5 Oct 2014 08:58:03 -0700
From: Brandon Vincent
To: el kalin
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

On Sun, Oct 5, 2014 at 8:33 AM, el kalin wrote:
> should i submit this as a bug?

Can you first try adding "set block-policy return" to pf.conf? OpenVAS
might be assuming that a lack of response from your system to source
routed packets is an acknowledgement that it is accepting them.

Brandon Vincent

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 17:14:53 2014
Date: Sun, 5 Oct 2014 13:09:32 -0400
From: el kalin
To: Brandon Vincent
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

thanks brandon… but that didn't help….

i still get the same result…

i guess i'd report this as a bug…

On Sun, Oct 5, 2014 at 11:58 AM, Brandon Vincent wrote:
> Can you first try adding "set block-policy return" to pf.conf? OpenVAS
> might be assuming that a lack of response from your system to source
> routed packets is an acknowledgement that it is accepting them.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 19:21:35 2014
Date: Sun, 5 Oct 2014 15:21:27 -0400
From: el kalin
To: Brandon Vincent, Colin Percival
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

ok.. this is getting a bit ridiculous…

just did a brand new install of the freebsd 9.3 aim on amazon…

with nothing installed on it and only ssh open i get the same result when
scanning with openvas:

"Summary:
The remote host accepts loose source routed IP packets.
The feature was designed for testing purpose.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.
Solution:
drop source routed packets on this host or on other ingress
routers or firewalls."

and by default:
# sysctl -a | grep accept_sourceroute
net.inet.ip.accept_sourceroute: 0

thing is the other machine - the bsd 10 - was scanned with the same openvas
setup and with a service called hackerguardian offered by a company
called comodo. they sell that service as a pci compliance scan. both
machines are non compliant according to both the openvas scan and the
hackerguardian one…

i can't be done with this job if i can't pass the pci scan…

i'd appreciate any help…

thanks...

now what?

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 20:52:27 2014
Date: Sun, 5 Oct 2014 16:22:22 -0400
From: el kalin
To: Brandon Vincent, Colin Percival
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

hmmm… could it be openvas?!

just installed netbsd 6.1.4 aim i found on the aws community aims list…
same thing..

just the possibility of both openvas and the hackerguardian service being
both wrong is a bit too much of a coincidence for me…

any thoughts?

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 22:24:25 2014
Date: Sun, 5 Oct 2014 15:24:17 -0700
From: Brandon Vincent
To: Adrian Chadd
Cc: freebsd-net, el kalin, freebsd-users@freebsd.org, Colin Percival, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

On Sun, Oct 5, 2014 at 2:39 PM, Adrian Chadd wrote:
> All accept_sourceroute does is prevent the stack from forwarding
> source routed packets. If it's destined locally then it's still
> accepted.

Out of curiosity, isn't "net.inet.ip.accept_sourceroute" supposed to
reject incoming source routed packets?

On 5 October 2014 13:22, el kalin wrote:
> hmmm… could it be openvas?!

OpenVAS is a fork of Nessus from when it was open source.
HackerGuardian seems to use Nessus as the chief scanning engine.

Brandon Vincent

From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 21:40:00 2014
Date: Sun, 5 Oct 2014 14:39:57 -0700
From: Adrian Chadd
To: el kalin
Cc: freebsd-security@freebsd.org, freebsd-net, freebsd-users@freebsd.org, Colin Percival, Brandon Vincent
Subject: Re: remote host accepts loose source routed IP packets

Hi,

Can you please get a packet capture of what it's sending and what it's
receiving?

All accept_sourceroute does is prevent the stack from forwarding
source routed packets. If it's destined locally then it's still
accepted.

You could try crafting an ipfw rule to filter out packets with these
options set:

from man ipfw:

     ipoptions spec
             Matches packets whose IPv4 header contains the comma separated
             list of options specified in spec.  The supported IP options are:
             ssrr (strict source route), lsrr (loose source route), rr (record
             packet route) and ts (timestamp).  The absence of a particular
             option may be denoted with a `!'.

something like:

1 deny ip from any to any ipoptions ssrr,lsrr,rr
65000 allow ip from any to any

-a

On 5 October 2014 13:22, el kalin wrote:
> hmmm… could it be openvas?!
>
> just installed netbsd 6.1.4 aim i found on the aws community aims list…
> same thing..
>
> just the possibility of both openvas and the hackerguardian service being
> both wrong is a bit too much of a coincidence for me…
>
> any thoughts?

From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 06:17:34 2014
Date: Mon, 6 Oct 2014 02:17:25 -0400
From: el kalin
To: Brandon Vincent
Cc: freebsd-net, Adrian Chadd, freebsd-users@freebsd.org, Colin Percival, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets

On Sun, Oct 5, 2014 at 6:24 PM, Brandon Vincent wrote:
> On Sun, Oct 5, 2014 at 2:39 PM, Adrian Chadd wrote:
> > All accept_sourceroute does is prevent the stack from forwarding
> > source routed packets. If it's destined locally then it's still
> > accepted.
>
> Out of curiosity, isn't "net.inet.ip.accept_sourceroute" supposed to
> reject incoming source routed packets?

that was my understanding too. as far as forwarding - have it off too:

# sysctl -a | grep forwa
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

> On 5 October 2014 13:22, el kalin wrote:
> > hmmm… could it be openvas?!
>
> OpenVAS is a fork of Nessus from when it was open source.
> HackerGuardian seems to use Nessus as the chief scanning engine.

i'm aware of those. i used to use Nessus when it was open and did pre
scanning for pci with it on freebsd 7 and 8 and everything was fine.

now this is really mind boggling…. i can't imagine that both freebsd 9 and
10 and also netbsd 6 will have this "vulnerability" which according to the
information that the hackerguardian (nessus?!) suggest to read points to
links from 2002. unless it has to do with virtualization somehow.

am i the first person ever to try to get pci compliant on bsd on aws?!

i did report this as a false positive to hackerguardian on friday. haven't
heard from them since. but i'm not holding my breath…

> Brandon Vincent

From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 06:24:13 2014
Date: Sun, 5 Oct 2014 23:24:10 -0700
From: Adrian Chadd
To: el kalin
Cc: freebsd-security@freebsd.org, freebsd-net, Colin Percival, Brandon Vincent
Subject: Re: remote host accepts loose source routed IP packets

Hi,

I'm just going off what I saw in the code. Maybe the code changed and
the bug was introduced.

I suggest:

(a) use ipfw to filter them for now; and
(b) file a PR (https://bugs.freebsd.org/submit/) so it's not forgotten.

Thanks!

-a

From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 11:54:42 2014
Date: Mon, 6 Oct 2014 07:48:23 -0400 (EDT)
From: Frank Seltzer
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Subject: Rkhunter

Is rkhunter still actively maintained?  I run it nightly and I can't
remember the last time there was an update to any of the database files.

Thanks,
Frank

From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 12:38:12 2014
From: Mark Felder
To: freebsd-security@freebsd.org
Message-Id: <1412598768.313812.175628729.57362B93@webmail.messagingengine.com>
X-Mailer: MessagingEngine.com Webmail Interface - ajax-257eafe9 In-Reply-To: References: Subject: Re: Rkhunter Date: Mon, 06 Oct 2014 07:32:48 -0500 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 12:38:13 -0000 On Mon, Oct 6, 2014, at 06:48, Frank Seltzer wrote: > Is rkhunter still actively maintained? I run it nightly and I can't > remember the last time there was an update to any of the database files. > The main project appears to be only updated once or twice a year. I don't know how frequently the database files are released. http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 12:35:55 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A8212EB8; Mon, 6 Oct 2014 12:35:55 +0000 (UTC) Received: from huppa.tuxaco.net (tuxaco.net [IPv6:2001:41d0:1:66c1::1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 715C832D; Mon, 6 Oct 2014 12:35:54 +0000 (UTC) Received: by huppa.tuxaco.net (Postfix, from userid 1001) id EA61A22876; Mon, 6 Oct 2014 14:35:52 +0200 (CEST) Date: Mon, 6 Oct 2014 14:35:52 +0200 From: Philippe =?iso-8859-1?Q?Aud=E9oud?= To: Frank Seltzer Subject: Re: Rkhunter Message-ID: <20141006123552.GA64711@tuxaco.net> References: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Mon, 06 Oct 2014 12:57:33 +0000 
Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 12:35:55 -0000 On Mon, 06 Oct 2014, Frank Seltzer wrote: > Is rkhunter still actively maintained? I run it nightly and I can't=20 > remember the last time there was an update to any of the database files. >=20 > Thanks, > Frank Hello, $ svn log security/rkhunter r364732 | cs | 2014-08-12 20:31:26 +0200 (Tue, 12 Aug 2014) | 8 lines - unbreak - added some FreeBSD defaults regarding SSH - made port more PREFIX aware - changed maintainer PR: 191842 Submitted by: Gerard J. Cerchio and Lukasz Wasikowski (maintainer) It's the last update. You can mail maintainer to ask him if an update is planned. Regards, --=20 Philippe Aud=E9oud From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 14:36:02 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 63A061E2; Mon, 6 Oct 2014 14:36:02 +0000 (UTC) Received: from mail.freebsd.systems (unknown [IPv6:2001:6a0:1cb::b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 162DC34D; Mon, 6 Oct 2014 14:36:01 +0000 (UTC) Received: from mail.freebsd.systems (mail.freebsd.systems [IPv6:2001:6a0:1cb::b]) by mail.freebsd.systems (Postfix) with ESMTP id 5E37271D; Mon, 6 Oct 2014 16:35:57 +0200 (CEST) X-Virus-Scanned: amavisd-new at freebsd.systems Received: from mail.freebsd.systems ([IPv6:2001:6a0:1cb::b]) by mail.freebsd.systems (scan.freebsd.systems [IPv6:2001:6a0:1cb::b]) (amavisd-new, port 10026) with ESMTP id 
FIHGTqb26V3c; Mon, 6 Oct 2014 16:35:57 +0200 (CEST) Received: from [192.168.138.100] (unknown [194.181.86.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.freebsd.systems (Postfix) with ESMTPSA id A3BF9719; Mon, 6 Oct 2014 16:35:56 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wasikowski.net; s=default; t=1412606156; bh=7NioaPkl4HC2txqLYBTuGIjVHfLsUfoANL4oPfZhXzU=; h=Date:From:To:CC:References:In-Reply-To; b=MwW9q8bbeNRMXIRYGea/0Ha4LfwoeV3TlYww2395KE9JVVtpC4UQ/jMdc/+gLzZnH SFq8ZZMBWwZwWt4PCW9GUqo+aQcXcWl5FVIWwBRFj1882UN5yLYd0LA1zUSO32RY0x cHY/ZLUiPlS1r1CpwmN4sRvG7MBxvU5mgW2eWCqEoF+bjh5+OuwgAtQsz4lVzkHNpR BVudPhEGGJZwo3BhAfj6l3zeD0AXpteyHTWsquFog2DjJGW0Rzn6ff1U84JTwPpPyq k4Uaaz6uYWKOlPoIvqfy83riYKnFJ2ahjdEHXSnGUYkRb7VnQnXZKRi1muf5+63oCS qyohEpBReTSyw== Message-ID: <5432A8CC.7040904@wasikowski.net> Date: Mon, 06 Oct 2014 16:35:56 +0200 From: =?UTF-8?B?xYF1a2FzeiBXxIVzaWtvd3NraQ==?= User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: =?UTF-8?B?UGhpbGlwcGUgQXVkw6lvdWQ=?= , Frank Seltzer Subject: Re: Rkhunter References: <20141006123552.GA64711@tuxaco.net> In-Reply-To: <20141006123552.GA64711@tuxaco.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 14:36:02 -0000 W dniu 2014-10-06 o 14:35, Philippe Audéoud pisze: > On Mon, 06 Oct 2014, Frank Seltzer wrote: > >> Is rkhunter still actively maintained? I run it nightly and I can't >> remember the last time there was an update to any of the database files. 
>> >> Thanks, >> Frank > > Hello, > > $ svn log security/rkhunter > r364732 | cs | 2014-08-12 20:31:26 +0200 (Tue, 12 Aug 2014) | 8 lines > > - unbreak > - added some FreeBSD defaults regarding SSH > - made port more PREFIX aware > - changed maintainer > > PR: 191842 > Submitted by: Gerard J. Cerchio and Lukasz Wasikowski (maintainer) > > > It's the last update. You can mail maintainer to ask him if an update is > planned. I'm port maintainter, not rkhunter itself, so I can't say if there are any updates planned. Look at http://rkhunter.sourceforge.net/ for rkhunter developers. -- best regards, Lukasz Wasikowski From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 19:56:44 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 426A7221; Mon, 6 Oct 2014 19:56:44 +0000 (UTC) Received: from land.berklix.org (land.berklix.org [144.76.10.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C654DF84; Mon, 6 Oct 2014 19:56:43 +0000 (UTC) Received: from mart.js.berklix.net (p57BCF751.dip0.t-ipconnect.de [87.188.247.81]) (authenticated bits=128) by land.berklix.org (8.14.5/8.14.5) with ESMTP id s96JrR8v034603; Mon, 6 Oct 2014 19:53:30 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id s96JuL3A080791; Mon, 6 Oct 2014 21:56:21 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id s96Ju8S3089675; Mon, 6 Oct 2014 21:56:20 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201410061956.s96Ju8S3089675@fire.js.berklix.net> To: freebsd-usb@freebsd.org Subject: 
BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell From: "Julian H. Stacey" Organization: http://berklix.com BSD Linux Unix Consultants, Munich Germany User-agent: EXMH on FreeBSD http://www.berklix.com/free/ X-URL: http://www.berklix.com/~jhs/cv/ Date: Mon, 06 Oct 2014 21:56:08 +0200 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 19:56:44 -0000 Hi freebsd-usb@freebsd.org, (I suggest replies to usb@) cc: freebsd-security@freebsd.org FYI Ref. article on BadUSB pan OS (non FreeBSD specific) security loophole http://www.bbc.com/news/technology-29475566 Dated 6 October 2014 Last updated at 15:29 GMT I found https://github.com/search?utf8=%E2%9C%93&q=BadUSB Then viewed https://www.youtube.com/watch?v=nuruzFqMgIw ( Which BTW plays nicely inc. sound on FreeBSD-9.2-RELEASE + firefox without any flash installed (certainly no ports/graphics/gnash) A fascinating video by Lecturers Karsten Nohl & Jacob Lell at Black Hat USA 2014, Run time 44:30 ) (PS for non native English spekers on this global list, dont worry if you find Jacob's accent hard, Karsten resumes for last 3rd, listen on :-) It seems USB controllers (8041 or so based) can first masquerade one device, then pause & masquerade another device type. This is an OS independent security list. Lecturers includes both demo of an MS to Linux contamination, & consideration of other scenarios. A predominant USB controller manufacturer in Taipei was not happy. The lecturers didn't discuss MS or Linux or Android smart phone protection schemes (except to allude to the danger of someone saying "Can I plug in my smart phone to your PC to charge it ?". It can't be ignored as a smart phone exploit: the demo wasn't with a smart phone but a `dumb' stick. 
One can't get some protection by checking for sernum connecting, as devd shows: - my USB to PS2 adapter (vendor=0x04b4 product=0x8081) emits sernum="" - my real USB "Havit" keyboard (vendor=0x1241 product=0x1203) emits sernum="" For FreeBSD, I guess for serious security, every new device that is connected & recognised by /sbin/devd should in future be personaly authorised by a human ! One can no longer trust what reports itself to be eg a keyboard to actually Be a keyboard, etc. /usr/src/etc/devd/*.conf & my own .conf do Not meet that awkward security requirement... yet. I guess we'll need a couple of hooks that support Yes/No, one from cli & one for within X11. There's no security warning section in http://en.wikipedia.org/wiki/Flash_memory Cheers, Julian -- Julian Stacey, BSD Linux Unix'78 C Sys Eng Consultant Munich http://berklix.com Indent previous with "> ". Interleave reply paragraphs like a play script. Send plain text, not quoted-printable, HTML, base64, or multipart/alternative. 
ShellShock - http://www.berklix.com/~jhs/bash/ From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 20:01:21 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 76A603D7; Mon, 6 Oct 2014 20:01:21 +0000 (UTC) Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E0AAF11B; Mon, 6 Oct 2014 20:01:20 +0000 (UTC) Received: by mail-wg0-f43.google.com with SMTP id m15so7570203wgh.14 for ; Mon, 06 Oct 2014 13:01:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=12LhHdCodqNdCZzJJBBKhxHZ5o3z60E2t7LWV4mla28=; b=nozrCWQUPvIapfcInki/4nWBAooH8GvYr3cG8b31OJguE7QLpVoLxCQpRgtGJrdt/S i5lZBSUheCX9sI3t4xyQ+mt/kpDWw+iH+AhrWhoE6mThVQ+f5iYjXryFdCZabGA3FqQD GY8itapJKC0iWs2Bem1rUydeWqfiRGa4eTOx4eO46V4qWU6HVXkhbZadOw1tkxD3xjMP WFloPWg8sJOhfnNtaJGD22kgRG2XoHPEfKeHveRVdbak4qxCVEGqNK5KHGh3jAJYG8gA JNzMhlQi9q07ACvDl/IiideBDD4DxDR0fAQjqNfaql/Dx9ivctCka04vIfKmppNDTg8j V2Jw== MIME-Version: 1.0 X-Received: by 10.194.93.193 with SMTP id cw1mr33308829wjb.50.1412625679170; Mon, 06 Oct 2014 13:01:19 -0700 (PDT) Received: by 10.27.52.144 with HTTP; Mon, 6 Oct 2014 13:01:19 -0700 (PDT) In-Reply-To: <201410061956.s96Ju8S3089675@fire.js.berklix.net> References: <201410061956.s96Ju8S3089675@fire.js.berklix.net> Date: Mon, 6 Oct 2014 22:01:19 +0200 Message-ID: Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell From: Oliver Pinter To: "Julian H. 
Stacey" , HardenedBSD Developers Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 20:01:21 -0000 fwd to HardenedBSD Developers On 10/6/14, Julian H. Stacey wrote: > Hi freebsd-usb@freebsd.org, (I suggest replies to usb@) > cc: freebsd-security@freebsd.org FYI > > Ref. article on BadUSB pan OS (non FreeBSD specific) security loophole > http://www.bbc.com/news/technology-29475566 > Dated 6 October 2014 Last updated at 15:29 GMT > > I found https://github.com/search?utf8=%E2%9C%93&q=BadUSB > > Then viewed https://www.youtube.com/watch?v=nuruzFqMgIw > ( Which BTW plays nicely inc. sound on FreeBSD-9.2-RELEASE > + firefox without any flash installed (certainly no > ports/graphics/gnash) > > A fascinating video by Lecturers Karsten Nohl & Jacob Lell at Black Hat > USA 2014, Run time 44:30 ) > (PS for non native English spekers on this global list, dont worry if > you find Jacob's accent hard, Karsten resumes for last 3rd, listen on :-) > > It seems USB controllers (8041 or so based) can first masquerade > one device, then pause & masquerade another device type. This is > an OS independent security list. Lecturers includes both demo of > an MS to Linux contamination, & consideration of other scenarios. > A predominant USB controller manufacturer in Taipei was not happy. > > The lecturers didn't discuss MS or Linux or Android smart phone > protection schemes (except to allude to the danger of someone saying > "Can I plug in my smart phone to your PC to charge it ?". > > It can't be ignored as a smart phone exploit: the demo wasn't with a > smart phone but a `dumb' stick. 
> > One can't get some protection by checking for sernum connecting, as devd > shows: > - my USB to PS2 adapter (vendor=0x04b4 product=0x8081) emits sernum="" > - my real USB "Havit" keyboard (vendor=0x1241 product=0x1203) emits > sernum="" > > For FreeBSD, > I guess for serious security, every new device that is connected > & recognised by /sbin/devd should in future be personaly authorised > by a human ! One can no longer trust what reports itself to be > eg a keyboard to actually Be a keyboard, etc. > > /usr/src/etc/devd/*.conf & my own .conf do Not meet that awkward > security requirement... yet. I guess we'll need a couple of hooks > that support Yes/No, one from cli & one for within X11. > > There's no security warning section in > http://en.wikipedia.org/wiki/Flash_memory > > Cheers, > Julian > -- > Julian Stacey, BSD Linux Unix'78 C Sys Eng Consultant Munich > http://berklix.com > Indent previous with "> ". Interleave reply paragraphs like a play > script. > Send plain text, not quoted-printable, HTML, base64, or > multipart/alternative. 
> ShellShock - http://www.berklix.com/~jhs/bash/ > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 20:30:09 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 63ED9E14; Mon, 6 Oct 2014 20:30:09 +0000 (UTC) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 227D23EC; Mon, 6 Oct 2014 20:30:08 +0000 (UTC) Received: from critter.freebsd.dk (unknown [192.168.60.3]) by phk.freebsd.dk (Postfix) with ESMTP id 9B5CA1598; Mon, 6 Oct 2014 20:30:01 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.9/8.14.9) with ESMTP id s96KU0pH066234; Mon, 6 Oct 2014 20:30:01 GMT (envelope-from phk@phk.freebsd.dk) To: "Julian H. 
Stacey" Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell In-reply-to: <201410061956.s96Ju8S3089675@fire.js.berklix.net> From: "Poul-Henning Kamp" References: <201410061956.s96Ju8S3089675@fire.js.berklix.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <66232.1412627400.1@critter.freebsd.dk> Content-Transfer-Encoding: quoted-printable Date: Mon, 06 Oct 2014 20:30:00 +0000 Message-ID: <66233.1412627400@critter.freebsd.dk> Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 20:30:09 -0000 -------- In message <201410061956.s96Ju8S3089675@fire.js.berklix.net>, "Julian H. S= tacey " writes: >For FreeBSD, > I guess for serious security, every new device that is connected > & recognised by /sbin/devd should in future be personaly authorised > by a human ! One can no longer trust what reports itself to be > eg a keyboard to actually Be a keyboard, etc. "no longer" ? When you could you *ever* trust a USB device about anything ? -- = Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe = Never attribute to malice what can adequately be explained by incompetence= . 
From owner-freebsd-security@FreeBSD.ORG Mon Oct 6 20:48:20 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8E0E763A; Mon, 6 Oct 2014 20:48:20 +0000 (UTC) Received: from mail.turbocat.net (mail.turbocat.net [IPv6:2a01:4f8:d16:4514::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 508D5826; Mon, 6 Oct 2014 20:48:20 +0000 (UTC) Received: from laptop015.home.selasky.org (cm-176.74.213.204.customer.telag.net [176.74.213.204]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.turbocat.net (Postfix) with ESMTPSA id AD4C01FE022; Mon, 6 Oct 2014 22:48:17 +0200 (CEST) Message-ID: <5433000E.7000404@selasky.org> Date: Mon, 06 Oct 2014 22:48:14 +0200 From: Hans Petter Selasky User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: Poul-Henning Kamp , "Julian H. 
Stacey" Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell References: <201410061956.s96Ju8S3089675@fire.js.berklix.net> <66233.1412627400@critter.freebsd.dk> In-Reply-To: <66233.1412627400@critter.freebsd.dk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 06 Oct 2014 21:28:45 +0000 Cc: freebsd-security@freebsd.org, freebsd-usb@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Oct 2014 20:48:20 -0000 On 10/06/14 22:30, Poul-Henning Kamp wrote: > -------- > In message <201410061956.s96Ju8S3089675@fire.js.berklix.net>, "Julian H. Stacey > " writes: > >> For FreeBSD, >> I guess for serious security, every new device that is connected >> & recognised by /sbin/devd should in future be personaly authorised >> by a human ! One can no longer trust what reports itself to be >> eg a keyboard to actually Be a keyboard, etc. > > "no longer" ? > > When you could you *ever* trust a USB device about anything ? > Hi, You should not assume you can trust hardware :-) Especially removable hardware. It is possible to add a sysctl to halt the probing of USB devices, so that USB devices can only be detached from the system. The problem is that if the main input is a USB keyboard and that goes away, you have no easy way to recover your system ... Anyway, USB 2.0 and 1.0 are broadcast based, and technically one device might highjack the traffic of another one. 
--HPS From owner-freebsd-security@FreeBSD.ORG Tue Oct 7 22:37:00 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 985F9FA0; Tue, 7 Oct 2014 22:37:00 +0000 (UTC) Received: from land.berklix.org (land.berklix.org [144.76.10.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 27236ACE; Tue, 7 Oct 2014 22:36:59 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBCF45.dip0.t-ipconnect.de [93.203.207.69]) (authenticated bits=128) by land.berklix.org (8.14.5/8.14.5) with ESMTP id s97MXfdr003288; Tue, 7 Oct 2014 22:33:41 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id s97MaaLo089296; Wed, 8 Oct 2014 00:36:36 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id s97Ma56M051223; Wed, 8 Oct 2014 00:36:23 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <201410072236.s97Ma56M051223@fire.js.berklix.net> To: Hans Petter Selasky Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell From: "Julian H. Stacey" Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany User-agent: EXMH on FreeBSD http://berklix.com/free/ X-URL: http://www.berklix.com In-reply-to: Your message "Mon, 06 Oct 2014 22:48:14 +0200." 
<5433000E.7000404@selasky.org> Date: Wed, 08 Oct 2014 00:36:05 +0200 Cc: freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Oct 2014 22:37:00 -0000 Hi Hans Petter Selasky wrote: > On 10/06/14 22:30, Poul-Henning Kamp wrote: > > -------- > > In message <201410061956.s96Ju8S3089675@fire.js.berklix.net>, "Julian H. Stacey > > " writes: > > > >> For FreeBSD, > >> I guess for serious security, every new device that is connected > >> & recognised by /sbin/devd should in future be personaly authorised > >> by a human ! One can no longer trust what reports itself to be > >> eg a keyboard to actually Be a keyboard, etc. > > > > "no longer" ? > > > > When you could you *ever* trust a USB device about anything ? Yes. Can't even trust a memory stick, even when avoiding a reboot, even when not mounting it. > Hi, > > You should not assume you can trust hardware :-) Especially removable > hardware. Yes. That lecture has fortified my lapsed paranoia ;-) > It is possible to add a sysctl to halt the probing of USB devices, so > that USB devices can only be detached from the system. Good idea. Would provide more protection than my idea of some confirm Yes/No command called from devd attach, (as a BadUSB device could masquerade a keyboard device to say Yes). sysctl -a -d | grep device | rev | sort | rev | more shows nothing, so I guess it would be nice if someone wrote such a sysctl. > The problem is > that if the main input is a USB keyboard and that goes away, you have no > easy way to recover your system ... Yes, sometimes some users wouldn't want to enable that sysctl, but it would allow considerable protection for others. 
I think it would be good to have, just a question of which default state at boot, inhibit off I guess, as now (least suprise). > Anyway, USB 2.0 and 1.0 are broadcast based, and technically one device > might highjack the traffic of another one. So a sysctl would provide more safety, but still not be totaly safe, best we can do I guess. The end of the lecture alluded to this masquerading possibility, that devices had no ID encryption key to prevent it, (& in some cases not even a serial number). Cheers, Julian -- Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com Indent previous with "> ". Interleave reply paragraphs like a play script. Send plain text, not quoted-printable, HTML, base64, or multipart/alternative. From owner-freebsd-security@FreeBSD.ORG Wed Oct 8 07:03:36 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E127DBCC; Wed, 8 Oct 2014 07:03:36 +0000 (UTC) Received: from mail.turbocat.net (heidi.turbocat.net [88.198.202.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9F17E12F; Wed, 8 Oct 2014 07:03:36 +0000 (UTC) Received: from laptop015.home.selasky.org (cm-176.74.213.204.customer.telag.net [176.74.213.204]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.turbocat.net (Postfix) with ESMTPSA id 6A47E1FE022; Wed, 8 Oct 2014 09:03:33 +0200 (CEST) Message-ID: <5434E1C3.9090605@selasky.org> Date: Wed, 08 Oct 2014 09:03:31 +0200 From: Hans Petter Selasky User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: "Julian H. 
Stacey" Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell References: <201410072236.s97Ma56M051223@fire.js.berklix.net> In-Reply-To: <201410072236.s97Ma56M051223@fire.js.berklix.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 08 Oct 2014 11:12:13 +0000 Cc: freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Oct 2014 07:03:37 -0000 Hi, Can you test the following kernel patch and give some feedback: https://svnweb.freebsd.org/changeset/base/272733 After the patch you will get something like: hw.usb.disable_enumeration: 0 dev.uhub.0.disable_enumeration: 0 dev.uhub.1.disable_enumeration: 0 ... which is also settable through /boot/loader.conf (tunable) --HPS From owner-freebsd-security@FreeBSD.ORG Wed Oct 8 20:01:04 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 055B7D97; Wed, 8 Oct 2014 20:01:04 +0000 (UTC) Received: from land.berklix.org (land.berklix.org [144.76.10.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 60AAA3D4; Wed, 8 Oct 2014 20:01:03 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBD7F1.dip0.t-ipconnect.de [93.203.215.241]) (authenticated bits=128) by land.berklix.org (8.14.5/8.14.5) with ESMTP id s98IwfxH059028; Wed, 8 Oct 2014 18:58:41 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) 
Message-Id: <201410081901.s98J160W019899@fire.js.berklix.net>
To: Hans Petter Selasky
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Wed, 08 Oct 2014 09:03:31 +0200." <5434E1C3.9090605@selasky.org>
Date: Wed, 08 Oct 2014 21:01:06 +0200
Cc: freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org

Hans Petter Selasky wrote:
> Hi,
>
> Can you test the following kernel patch and give some feedback:
>
> https://svnweb.freebsd.org/changeset/base/272733
>
> After the patch you will get something like:
>
> hw.usb.disable_enumeration: 0
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.1.disable_enumeration: 0
> ...
>
> which is also settable through /boot/loader.conf (tunable)

Thanks, Quick work !
I downloaded, but before use, I ran a make world as my current was
maybe a week or 2 old, I made a new generic kernel with CTM
src-cur.11644.gz ie (latest CVS as supplied by CTM)

But src/ make all failed so I ran make world, which also failed:
-------------------
/usr/obj/usr/src/tmp/usr/include/dev/usb/usb.h:154:16: note: forward declaration of 'struct usb_device_request'
typedef struct usb_device_request usb_device_request_t;
               ^
19 errors generated.
*** Error code 1

Stop.
make[4]: stopped in /usr/src/lib/libusbhid
-------------------

In parallel to make world I applied your patches to make & that failed:
--------
/sys/amd64/compile/GENERIC
../../../dev/usb/usbdi.h:301:5: warning: 'USB_HAVE_COMPAT_LINUX' is not defined, evaluates to 0 [-Wundef]
#if USB_HAVE_COMPAT_LINUX
    ^
2 warnings generated.
mkdep: compile failed
*** Error code 1

Stop.
make: stopped in /usr/src/sys/amd64/compile/GENERIC
--------

But that may be because my system is perhaps a couple of weeks old or so.

The latest generic src/ kernel booted OK
FreeBSD lapr.js.berklix.net 11.0-CURRENT FreeBSD 11.0-CURRENT #1: Wed Oct 8 17:26:13 CEST 2014 jhs@lapr.js.berklix.net:/usr/src/sys/amd64/compile/GENERIC amd64
(though I noticed a named: lock order reversal that I will ignore)

When I can get src/ to build (I'm using make -k all now :-),
I'll go back to compiling GENERIC kernel with your changeset/base/272733

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
From owner-freebsd-security@FreeBSD.ORG Wed Oct 8 23:47:44 2014
Message-Id: <201410082347.s98NkjW3025396@fire.js.berklix.net>
To: Hans Petter Selasky , freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Wed, 08 Oct 2014 21:01:06 +0200." <201410081901.s98J160W019899@fire.js.berklix.net>
Date: Thu, 09 Oct 2014 01:46:44 +0200

Hi Hans etc
"Julian H. Stacey" wrote:
> Hans Petter Selasky wrote:
> > Hi,
> >
> > Can you test the following kernel patch and give some feedback:
> >
> > https://svnweb.freebsd.org/changeset/base/272733

I'm now on latest current with src & sys/ GENERIC
/usr/src/.ctm_status # src-cur 11645

This time I downloaded your files properly
(last time I was severely distracted & made a silly mistake)

> > After the patch you will get something like:
> > hw.usb.disable_enumeration: 0
> > dev.uhub.0.disable_enumeration: 0
> > dev.uhub.1.disable_enumeration: 0
> > ...

sysctl -a | grep enumeration
hw.usb.disable_enumeration: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.1.disable_enumeration: 0
dev.uhub.2.disable_enumeration: 0
dev.uhub.3.disable_enumeration: 0
dev.uhub.4.disable_enumeration: 0

sysctl -d hw.usb.disable_enumeration
hw.usb.disable_enumeration: Set to disable all USB device enumeration.

sysctl -d dev.uhub.4.disable_enumeration
dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
usbconfig
ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)

Inserted a WLAN stick
usbconfig
ugen1.5: <802.11 n WLAN Ralink> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)
ifconfig -a
shows run0 & wlan0

Removed WLAN stick
sysctl dev.uhub.4.disable_enumeration=1
Added WLAN stick
ifconfig -a
No run0 & wlan0

Added WLAN stick on different direct PC socket:
ifconfig -a
Shows run0 & wlan0
usbconfig
ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
ugen1.5: <802.11 n WLAN Ralink> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)

Great ! Seems to work.

(Though I need to read up on how major & minor of ugen relate to
the digit in eg 4.disable_enumeration)

> > which is also settable through /boot/loader.conf (tunable)

Good,
I hope/presume loader.conf gets run before any USB, cos I recall
lecturer Karsten Nohl pointing out one could get BadUSB taking up
residence in USB controller chips inside a PC, ie for a built in
mouse or web cam, so one would need to turn off enumeration earlier
than when first external USB approaches to connect.
I've reported back on BBC news form:
Ref. your
6 October 2014 Last updated at 15:29 GMT
http://www.bbc.com/news/technology-29475566

The www.FreeBSD.org project (a Unix OS similar to Linux)
took just 2 days to develop & test a free solution.
http://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html

Well done, Thanks Hans!

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.

From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 06:27:52 2014
Message-ID: <54362AE2.90501@selasky.org>
Date: Thu, 09 Oct 2014 08:27:46 +0200
From: Hans Petter Selasky
To: "Julian H. Stacey" , freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
References: <201410082347.s98NkjW3025396@fire.js.berklix.net>
In-Reply-To: <201410082347.s98NkjW3025396@fire.js.berklix.net>

Hi Julian,

On 10/09/14 01:46, Julian H. Stacey wrote:
> Hi Hans etc
> "Julian H. Stacey" wrote:
>> Hans Petter Selasky wrote:
>>> Hi,
>>>
>>> Can you test the following kernel patch and give some feedback:
>>>
>>> https://svnweb.freebsd.org/changeset/base/272733
>
> I'm now on latest current with src & sys/ GENERIC
> /usr/src/.ctm_status # src-cur 11645
>
> This time I downloaded your files properly
> (last time I was severely distracted & made a silly mistake)
>
>>> After the patch you will get something like:
>>> hw.usb.disable_enumeration: 0
>>> dev.uhub.0.disable_enumeration: 0
>>> dev.uhub.1.disable_enumeration: 0
>>> ...
>
> sysctl -a | grep enumeration
> hw.usb.disable_enumeration: 0
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.1.disable_enumeration: 0
> dev.uhub.2.disable_enumeration: 0
> dev.uhub.3.disable_enumeration: 0
> dev.uhub.4.disable_enumeration: 0
>
> sysctl -d hw.usb.disable_enumeration
> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
>
> sysctl -d dev.uhub.4.disable_enumeration
> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
>
> usbconfig
> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
>
>
> Great ! Seems to work.
>
> (Though I need to read up on how major & minor of ugen relate to
> the digit in eg 4.disable_enumeration)
>
>
>>> which is also settable through /boot/loader.conf (tunable)
>
> Good,
> I hope/presume loader.conf gets run before any USB, cos I recall
> lecturer Karsten Nohl pointing out one could get BadUSB taking up
> residence in USB controller chips inside a PC, ie for a built in
> mouse or web cam, so one would need to turn off enumeration earlier
> than when first external USB approaches to connect.

Yes, if set by the loader.conf, you will only see the RootHUB after boot.

To get devices back after enabling enumeration again, you will need to
reset the HUBs:

usbconfig -d X.1 reset

For example.

BTW: I've added some exceptions, that existing devices can be detached,
suspend/resumed and reset while the enumeration is disabled.

https://svnweb.freebsd.org/changeset/base/272807

>
> I've reported back on BBC news form:
> Ref. your
> 6 October 2014 Last updated at 15:29 GMT
> http://www.bbc.com/news/technology-29475566
>
> The www.FreeBSD.org project (a Unix OS similar to Linux)
> took just 2 days to develop & test a free solution.
> http://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
>

Can you also test that patch?

Thank you!
--HPS

From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 13:59:32 2014
In-Reply-To: <54362AE2.90501@selasky.org>
References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org>
Date: Thu, 9 Oct 2014 15:59:28 +0200
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: Oliver Pinter
To: Hans Petter Selasky
Cc: freebsd-security@freebsd.org, "Julian H. Stacey" , Poul-Henning Kamp , freebsd-usb@freebsd.org

On 10/9/14, Hans Petter Selasky wrote:
> Hi Julian,
>
> On 10/09/14 01:46, Julian H. Stacey wrote:
>> Hi Hans etc
>> "Julian H. Stacey" wrote:
>>> Hans Petter Selasky wrote:
>>>> Hi,
>>>>
>>>> Can you test the following kernel patch and give some feedback:
>>>>
>>>> https://svnweb.freebsd.org/changeset/base/272733
>>
>> I'm now on latest current with src & sys/ GENERIC
>> /usr/src/.ctm_status # src-cur 11645
>>
>> This time I downloaded your files properly
>> (last time I was severely distracted & made a silly mistake)
>>
>>>> After the patch you will get something like:
>>>> hw.usb.disable_enumeration: 0
>>>> dev.uhub.0.disable_enumeration: 0
>>>> dev.uhub.1.disable_enumeration: 0
>>>> ...
>>
>> sysctl -a | grep enumeration
>> hw.usb.disable_enumeration: 0
>> dev.uhub.0.disable_enumeration: 0
>> dev.uhub.1.disable_enumeration: 0
>> dev.uhub.2.disable_enumeration: 0
>> dev.uhub.3.disable_enumeration: 0
>> dev.uhub.4.disable_enumeration: 0
>>
>> sysctl -d hw.usb.disable_enumeration
>> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
>>
>> sysctl -d dev.uhub.4.disable_enumeration
>> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
>>
>> usbconfig
>> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
>> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
>> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
>>
>
>>
>> Great ! Seems to work.
>>
>> (Though I need to read up on how major & minor of ugen relate to
>> the digit in eg 4.disable_enumeration)
>>
>>
>>>> which is also settable through /boot/loader.conf (tunable)
>>
>> Good,
>> I hope/presume loader.conf gets run before any USB, cos I recall
>> lecturer Karsten Nohl pointing out one could get BadUSB taking up
>> residence in USB controller chips inside a PC, ie for a built in
>> mouse or web cam, so one would need to turn off enumeration earlier
>> than when first external USB approaches to connect.
>
> Yes, if set by the loader.conf, you will only see the RootHUB after boot.
>
> To get devices back after enabling enumeration again, you will need to
> reset the HUBs:
>
> usbconfig -d X.1 reset
>
> For example.
>
> BTW: I've added some exceptions, that existing devices can be detached,
> suspend/resumed and reset while the enumeration is disabled.

Can we somehow improve this change, to power down the ports/hubs
which have the enumeration disabled?

>
> https://svnweb.freebsd.org/changeset/base/272807
>
>>
>> I've reported back on BBC news form:
>> Ref. your
>> 6 October 2014 Last updated at 15:29 GMT
>> http://www.bbc.com/news/technology-29475566
>>
>> The www.FreeBSD.org project (a Unix OS similar to Linux)
>> took just 2 days to develop & test a free solution.
>> http://lists.freebsd.org/pipermail/freebsd-usb/2014-October/013304.html
>>
>
> Can you also test that patch?
>
> Thank you!
>
> --HPS
>

From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 14:07:17 2014
Message-Id: <201410091406.s99E6MpE089417@fire.js.berklix.net>
To: Oliver Pinter
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Thu, 09 Oct 2014 15:59:28 +0200."
Date: Thu, 09 Oct 2014 16:06:21 +0200
Cc: Hans Petter Selasky , freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org

Hi,
Reference:
> From: Oliver Pinter
> Date: Thu, 9 Oct 2014 15:59:28 +0200

Oliver Pinter wrote:
> On 10/9/14, Hans Petter Selasky wrote:
> > Hi Julian,
> >
> > On 10/09/14 01:46, Julian H. Stacey wrote:
> >> Hi Hans etc
> >> "Julian H. Stacey" wrote:
> >>> Hans Petter Selasky wrote:
> >>>> Hi,
> >>>>
> >>>> Can you test the following kernel patch and give some feedback:
> >>>>
> >>>> https://svnweb.freebsd.org/changeset/base/272733
> >>
> >> I'm now on latest current with src & sys/ GENERIC
> >> /usr/src/.ctm_status # src-cur 11645
> >>
> >> This time I downloaded your files properly
> >> (last time I was severely distracted & made a silly mistake)
> >>
> >>>> After the patch you will get something like:
> >>>> hw.usb.disable_enumeration: 0
> >>>> dev.uhub.0.disable_enumeration: 0
> >>>> dev.uhub.1.disable_enumeration: 0
> >>>> ...
> >>
> >> sysctl -a | grep enumeration
> >> hw.usb.disable_enumeration: 0
> >> dev.uhub.0.disable_enumeration: 0
> >> dev.uhub.1.disable_enumeration: 0
> >> dev.uhub.2.disable_enumeration: 0
> >> dev.uhub.3.disable_enumeration: 0
> >> dev.uhub.4.disable_enumeration: 0
> >>
> >> sysctl -d hw.usb.disable_enumeration
> >> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
> >>
> >> sysctl -d dev.uhub.4.disable_enumeration
> >> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
> >>
> >> usbconfig
> >> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> >> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> >> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> >> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
> >> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
> >> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
> >> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
> >>
> >
> >>
> >> Great ! Seems to work.
> >>
> >> (Though I need to read up on how major & minor of ugen relate to
> >> the digit in eg 4.disable_enumeration)
> >>
> >>
> >>>> which is also settable through /boot/loader.conf (tunable)
> >>
> >> Good,
> >> I hope/presume loader.conf gets run before any USB, cos I recall
> >> lecturer Karsten Nohl pointing out one could get BadUSB taking up
> >> residence in USB controller chips inside a PC, ie for a built in
> >> mouse or web cam, so one would need to turn off enumeration earlier
> >> than when first external USB approaches to connect.
> >
> > Yes, if set by the loader.conf, you will only see the RootHUB after boot.
> >
> > To get devices back after enabling enumeration again, you will need to
> > reset the HUBs:
> >
> > usbconfig -d X.1 reset
> >
> > For example.
> >
> > BTW: I've added some exceptions, that existing devices can be detached,
> > suspend/resumed and reset while the enumeration is disabled.
>
> Can we somehow improve this change, to power down the ports/hubs
> which have the enumeration disabled?

It's useful to have the port remain powered up for when someone says
"Can I charge my smart phone on your PC/ laptop ?"
Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.

From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 14:30:12 2014
Message-Id: <201410091429.s99ETQZ7090227@fire.js.berklix.net>
To: Hans Petter Selasky
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: "Julian H. Stacey"
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Thu, 09 Oct 2014 08:27:46 +0200." <54362AE2.90501@selasky.org>
Date: Thu, 09 Oct 2014 16:29:26 +0200
Cc: freebsd-security@freebsd.org, Poul-Henning Kamp , freebsd-usb@freebsd.org

> BTW: I've added some exceptions, that existing devices can be detached,
> suspend/resumed and reset while the enumeration is disabled.
>
> https://svnweb.freebsd.org/changeset/base/272807

> Can you also test that patch?

OK, will do. (I've got a cold so I'm slow & making mistakes, sorry).

I thought I had to first download & overlay those files to replace my
(automatically CTM updated) current, (as I also replaced the last set
manually, since backed out)

It seems (from MD5s) your code is already in current.
(& I can see diffs between eg
  revision=272733/sys/dev/usb/usb_hub.c
  revision=272807/sys/dev/usb/usb_hub.c )
& my current matches 272807 apart from a header line artifact of svn,

I saw comment MFC & wrongly assumed Merge For Current in 2 weeks,
I assume I was wrong & it's Merge From Current to stable in 2 weeks).

So I've made & rebooted standard current & just need to test now.

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix C Sys Eng Consultant Munich http://berklix.com
Indent previous with "> ". Interleave reply paragraphs like a play script.
Send plain text, not quoted-printable, HTML, base64, or multipart/alternative.
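As an added example, not FreeBSD code and not posted by anyone in this thread: a small sh wrapper around the knobs discussed above, the global and per-hub `disable_enumeration` sysctls from r272733, the detach/suspend/resume/reset exceptions of r272807, and the `disable_port_power` knob Hans adds later in the thread (r272822). It assumes a FreeBSD 11-CURRENT host carrying those changesets, that `usbconfig` lists each root hub as `ugenB.1` (as in Julian's listings), and that resetting the root hubs is enough to re-probe devices plugged in while enumeration was off; the uhub index to ugen bus mapping Julian asks about is not stated in the thread, so the script resets every root hub rather than guessing. The command wrappers are functions so the logic can be exercised with stubs on a machine without these sysctls.

```shell
#!/bin/sh
# usb-lockdown.sh: added example (not FreeBSD code, not from the thread)
# around the knobs discussed here:
#   hw.usb.disable_enumeration / dev.uhub.N.disable_enumeration  (r272733)
#   hw.usb.disable_port_power  / dev.uhub.N.disable_port_power   (r272822)
# Assumption: a FreeBSD 11-CURRENT host that carries both changesets.

# Command wrappers, kept as functions so the logic can be exercised with
# stubs on a machine that has no such sysctls.
run_sysctl() { sysctl "$@"; }
run_usbconfig() { usbconfig "$@"; }

# Hub indices N for which dev.uhub.N.disable_enumeration exists.
list_hubs() {
    run_sysctl -a | sed -n 's/^dev\.uhub\.\([0-9][0-9]*\)\.disable_enumeration:.*/\1/p'
}

# Bus numbers B of the root hubs (usbconfig lists them as ugenB.1).
root_hubs() {
    run_usbconfig | sed -n 's/^ugen\([0-9][0-9]*\)\.1:.*/\1/p'
}

# Show every knob at once, so the state is auditable in one glance.
status() {
    run_sysctl hw.usb.disable_enumeration hw.usb.disable_port_power
    for h in $(list_hubs); do
        run_sysctl "dev.uhub.$h.disable_enumeration" "dev.uhub.$h.disable_port_power"
    done
}

# Refuse enumeration of any new device on all hubs. Devices already attached
# keep working (r272807 allows detach/suspend/resume/reset while locked).
# With "power" the ports are also unpowered, which stops phone charging too;
# Julian's point in the thread is that most people want to keep that.
lock_all() {
    run_sysctl hw.usb.disable_enumeration=1
    if [ "${1:-}" = power ]; then
        run_sysctl hw.usb.disable_port_power=1
    fi
}

# loader.conf lines that apply the lock before the first enumeration, so only
# the root hubs are visible after boot and a device built into the PC is never
# probed (the case Julian raises).
loader_conf_lines() {
    printf 'hw.usb.disable_enumeration="1"\n'
    printf 'hw.usb.disable_port_power="0"\n'
}

# Open one hub for SECS seconds (default 30), then close it again. After the
# knob is cleared the hubs must be reset before already-plugged devices show
# up; Hans's example is "usbconfig -d X.1 reset", done here for every root hub
# because the uhub index to ugen bus mapping is not stated in the thread.
allow_window() {
    hub=$1
    secs=${2:-30}
    list_hubs | grep -qx "$hub" || { echo "no such hub: uhub$hub" >&2; return 1; }
    run_sysctl "dev.uhub.$hub.disable_enumeration=0"
    for bus in $(root_hubs); do
        run_usbconfig -d "$bus.1" reset
    done
    sleep "$secs"
    run_sysctl "dev.uhub.$hub.disable_enumeration=1"
}

usage() {
    echo "usage: $0 status | lock [power] | loader-conf | allow HUB [SECS]" >&2
    return 1
}

main() {
    case "$1" in
        status)      status ;;
        lock)        lock_all "${2:-}" ;;
        loader-conf) loader_conf_lines ;;
        allow)       if [ -z "${2:-}" ]; then usage; else allow_window "$2" "${3:-30}"; fi ;;
        *)           usage ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

`./usb-lockdown.sh loader-conf >> /boot/loader.conf` makes the lock take effect before anything is enumerated, which matches Hans's remark that only the root hub is visible after boot; `./usb-lockdown.sh allow 4 30` opens uhub4 for thirty seconds and closes it again, so the steady state stays locked and the open window is a deliberate, logged action rather than the default.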
From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 14:44:24 2014
Message-ID: <54369F43.9010806@selasky.org>
Date: Thu, 09 Oct 2014 16:44:19 +0200
From: Hans Petter Selasky
To: Oliver Pinter
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org>
In-Reply-To:
Cc: freebsd-security@freebsd.org, "Julian H. Stacey" , Poul-Henning Kamp , freebsd-usb@freebsd.org

On 10/09/14 15:59, Oliver Pinter wrote:
> On 10/9/14, Hans Petter Selasky wrote:
>> Hi Julian,
>>
>> On 10/09/14 01:46, Julian H. Stacey wrote:
>>> Hi Hans etc
>>> "Julian H. Stacey" wrote:
>>>> Hans Petter Selasky wrote:
>>>>> Hi,
>>>>>
>>>>> Can you test the following kernel patch and give some feedback:
>>>>>
>>>>> https://svnweb.freebsd.org/changeset/base/272733
>>>
>>> I'm now on latest current with src & sys/ GENERIC
>>> /usr/src/.ctm_status # src-cur 11645
>>>
>>> This time I downloaded your files properly
>>> (last time I was severely distracted & made a silly mistake)
>>>
>>>>> After the patch you will get something like:
>>>>> hw.usb.disable_enumeration: 0
>>>>> dev.uhub.0.disable_enumeration: 0
>>>>> dev.uhub.1.disable_enumeration: 0
>>>>> ...
>>>
>>> sysctl -a | grep enumeration
>>> hw.usb.disable_enumeration: 0
>>> dev.uhub.0.disable_enumeration: 0
>>> dev.uhub.1.disable_enumeration: 0
>>> dev.uhub.2.disable_enumeration: 0
>>> dev.uhub.3.disable_enumeration: 0
>>> dev.uhub.4.disable_enumeration: 0
>>>
>>> sysctl -d hw.usb.disable_enumeration
>>> hw.usb.disable_enumeration: Set to disable all USB device enumeration.
>>>
>>> sysctl -d dev.uhub.4.disable_enumeration
>>> dev.uhub.4.disable_enumeration: Set to disable enumeration on this USB HUB.
>>>
>>> usbconfig
>>> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>> ugen1.2: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)
>>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH (480Mbps) pwr=OFF (500mA)
>>> ugen1.3: at usbus1, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
>>> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)
>>>
>>
>>>
>>> Great ! Seems to work.
>>>
>>> (Though I need to read up on how major & minor of ugen relate to
>>> the digit in eg 4.disable_enumeration)
>>>
>>>
>>>>> which is also settable through /boot/loader.conf (tunable)
>>>
>>> Good,
>>> I hope/presume loader.conf gets run before any USB, cos I recall
>>> lecturer Karsten Nohl pointing out one could get BadUSB taking up
>>> residence in USB controller chips inside a PC, ie for a built in
>>> mouse or web cam, so one would need to turn off enumeration earlier
>>> than when first external USB approaches to connect.
>>
>> Yes, if set by the loader.conf, you will only see the RootHUB after boot.
>>
>> To get devices back after enabling enumeration again, you will need to
>> reset the HUBs:
>>
>> usbconfig -d X.1 reset
>>
>> For example.
>>
>> BTW: I've added some exceptions, that existing devices can be detached,
>> suspend/resumed and reset while the enumeration is disabled.
>
> Can we somehow improve this change, to power down the ports/hubs
> which have the enumeration disabled?
>

Hi,

I've added this as an orthogonal feature. Please test and report back:

hw.usb.disable_enumeration: 0
hw.usb.disable_port_power: 0
dev.uhub.0.disable_enumeration: 0
dev.uhub.0.disable_port_power: 0

https://svnweb.freebsd.org/changeset/base/272822

Thank you!
--HPS

From owner-freebsd-security@FreeBSD.ORG Thu Oct 9 15:04:12 2014
Delivered-To: freebsd-security@freebsd.org
In-Reply-To: <54369F43.9010806@selasky.org>
References: <201410082347.s98NkjW3025396@fire.js.berklix.net> <54362AE2.90501@selasky.org> <54369F43.9010806@selasky.org>
Date: Thu, 9 Oct 2014 17:04:10 +0200
Subject: Re: BadUSB - On Accessories that Turn Evil, by Karsten Nohl + Jakob Lell
From: Oliver Pinter
To: Hans Petter Selasky
Cc:
freebsd-security@freebsd.org, "Julian H. Stacey" , Poul-Henning Kamp , freebsd-usb@freebsd.org
X-List-Received-Date: Thu, 09 Oct 2014 15:04:12 -0000

On 10/9/14, Hans Petter Selasky wrote:
> On 10/09/14 15:59, Oliver Pinter wrote:
>> On 10/9/14, Hans Petter Selasky wrote:
>>> Hi Julian,
>>>
>>> On 10/09/14 01:46, Julian H. Stacey wrote:
>>>> Hi Hans etc
>>>> "Julian H. Stacey" wrote:
>>>>> Hans Petter Selasky wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can you test the following kernel patch and give some feedback:
>>>>>>
>>>>>> https://svnweb.freebsd.org/changeset/base/272733
>>>>
>>>> I'm now on latest current with src & sys/ GENERIC
>>>> /usr/src/.ctm_status # src-cur 11645
>>>>
>>>> This time I downloaded your files properly
>>>> (last time I was severely distracted & made a silly mistake)
>>>>
>>>>>> After the patch you will get something like:
>>>>>> hw.usb.disable_enumeration: 0
>>>>>> dev.uhub.0.disable_enumeration: 0
>>>>>> dev.uhub.1.disable_enumeration: 0
>>>>>> ...
>>>>
>>>> sysctl -a | grep enumeration
>>>> hw.usb.disable_enumeration: 0
>>>> dev.uhub.0.disable_enumeration: 0
>>>> dev.uhub.1.disable_enumeration: 0
>>>> dev.uhub.2.disable_enumeration: 0
>>>> dev.uhub.3.disable_enumeration: 0
>>>> dev.uhub.4.disable_enumeration: 0
>>>>
>>>> sysctl -d hw.usb.disable_enumeration
>>>> hw.usb.disable_enumeration: Set to disable all USB device
>>>> enumeration.
>>>>
>>>> sysctl -d dev.uhub.4.disable_enumeration
>>>> dev.uhub.4.disable_enumeration: Set to disable enumeration on this
>>>> USB
>>>> HUB.
>>>>
>>>> usbconfig
>>>> ugen0.1: at usbus0, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps)
>>>> pwr=SAVE (0mA)
>>>> ugen1.1: at usbus1, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps)
>>>> pwr=SAVE (0mA)
>>>> ugen0.2: at usbus0, cfg=0 md=HOST
>>>> spd=HIGH
>>>> (480Mbps) pwr=SAVE (0mA)
>>>> ugen1.2: at usbus1, cfg=0 md=HOST
>>>> spd=HIGH
>>>> (480Mbps) pwr=SAVE (0mA)
>>>> ugen0.3: <1.3M WebCam XPA2535XY> at usbus0, cfg=255 md=HOST spd=HIGH
>>>> (480Mbps) pwr=OFF (500mA)
>>>> ugen1.3: at usbus1,
>>>> cfg=0
>>>> md=HOST spd=LOW (1.5Mbps) pwr=ON (100mA)
>>>> ugen1.4: at usbus1, cfg=0 md=HOST spd=HIGH
>>>> (480Mbps) pwr=SAVE (100mA)
>>>>
>>>
>>>>
>>>> Great ! Seems to work.
>>>>
>>>> (Though I need to read up on how major & minor of ugen relate to
>>>> the digit in eg 4.disable_enumeration)
>>>>
>>>>
>>>>>> which is also settable through /boot/loader.conf (tunable)
>>>>
>>>> Good,
>>>> I hope/presume loader.conf gets run before any USB, cos I recall
>>>> lecturer Karsten Nohl pointing out one could get BadUSB taking up
>>>> residence in USB controller chips inside a PC, ie for a built in
>>>> mouse or web cam, so one would need to turn off enumeration earlier
>>>> than when first external USB approaches to connect.
>>>
>>> Yes, if set by the loader.conf, you will only see the RootHUB after
>>> boot.
>>>
>>> To get devices back after enabling enumeration again, you will need to
>>> reset the HUBs:
>>>
>>> usbconfig -d X.1 reset
>>>
>>> For example.
>>>
>>> BTW: I've added some exceptions, that existing devices can be detached,
>>> suspend/resumed and reset while the enumeration is disabled.
>>
>> Can we somehow improve this change, to powering down the ports/hubs
>> which has the enumeration disabled?
>>
>
> Hi,
>
> I've added this as an orthogonal feature. Please test and report back:
>
> hw.usb.disable_enumeration: 0
> hw.usb.disable_port_power: 0
>
> dev.uhub.0.disable_enumeration: 0
> dev.uhub.0.disable_port_power: 0
>
> https://svnweb.freebsd.org/changeset/base/272822

Cool! Thanks!
I will test it shortly.

>
> Thank you!
>
> --HPS
>
>
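As an added example (not code from the thread or from the FreeBSD changesets it links), the following sh script audits the knobs the thread introduces: it reads a saved `sysctl -a` dump, lists every `hw.usb` or `dev.uhub.N` `disable_enumeration` / `disable_port_power` knob still at 0, and emits the `sysctl` commands and `/boot/loader.conf` lines that close them. The dump is constructed, and the `name="1"` loader.conf form is the standard FreeBSD tunable syntax, assumed here since the thread only states the knobs are loader.conf-settable.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD patches: audit the USB
# enumeration / port-power knobs from a saved "sysctl -a" dump.

# Constructed sample dump in the shape quoted in the thread. Here hub 2 still
# enumerates and powers its ports, and hub 1 still powers its ports.
SAMPLE_SYSCTL='hw.usb.disable_enumeration: 1
hw.usb.disable_port_power: 1
dev.uhub.0.disable_enumeration: 1
dev.uhub.0.disable_port_power: 1
dev.uhub.1.disable_enumeration: 1
dev.uhub.1.disable_port_power: 0
dev.uhub.2.disable_enumeration: 0
dev.uhub.2.disable_port_power: 0'

# Read sysctl output on stdin; print the name of every global (hw.usb) or
# per-hub (dev.uhub.N) knob still at 0. Exit 1 when at least one is found,
# so the function doubles as a boot-time or periodic check.
usb_audit() {
    awk '
        /^(hw\.usb|dev\.uhub\.[0-9]+)\.disable_(enumeration|port_power): / {
            name = $1; sub(/:$/, "", name)
            if ($2 == 0) { print name; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Turn the audit findings into the sysctl commands that close them at runtime.
# Re-enabling later still needs a hub reset (usbconfig -d X.1 reset) as the
# thread notes; that step is deliberately not automated here.
usb_remediate_cmds() {
    usb_audit | awk '{ print "sysctl " $1 "=1" }'
}

# loader.conf form of the global knobs (tunable syntax assumed). Set at boot,
# only the root hubs are visible, which is what covers built-in devices such
# as the webcam case raised in the thread.
usb_loader_conf() {
    usb_audit | awk '/^hw\.usb\./ { printf "%s=\"1\"\n", $1 }'
}

# Stand-alone demo on the constructed dump.
printf '%s\n' "$SAMPLE_SYSCTL" | usb_audit || echo "permissive USB knobs found; suggested fixes:"
printf '%s\n' "$SAMPLE_SYSCTL" | usb_remediate_cmds
```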