From owner-freebsd-security Sun Nov 22 00:05:41 1998
Date: Sun, 22 Nov 1998 21:03:34 +1300 (NZDT)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Don Lewis
Cc: Robert Watson, Mikael Karpberg, William McVey, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
In-Reply-To: <199811220606.WAA00417@salsa.gv.tsc.tdk.com>

On Sat, 21 Nov 1998, Don Lewis wrote:

> On Nov 17, 5:02pm, Robert Watson wrote:
> } Subject: Re: Would this make FreeBSD more secure?
>
> } It might be nice to just have a file system socket any process can bind to
> } that mediates access to the authentication system. On the one side of the
> } socket is any client attempting to authenticate a user (possibly using PAM
> } as the API, and then some record based protocol over the socket), and on
> } the other side is Mr Auth Server that listens on the socket, accepts
> } connections, and is a place where throttling of attempts could be
> } performed. Similarly, it could take advantage of the SCM_AUTH (or
> } whatever) uid/gid passing to authenticate the processes on the other side.
>
> I think this is the best solution. Unless the process is setuid root (su),
> if the auth server sees that billybob is trying to validate a password,
> then the auth server should only validate billybob's password. This
> prevents billybob from trying to use the auth server to crack passwords, but
> it allows billybob to install and use his own private screen or terminal
> locker.

If the server puts in a few seconds of delay for authentication of a
particular user after a failed attempt (optionally increasing with the number
of recent failures), then that's going to be enough to make brute force
infeasible.

Are there any situations where it might be desirable not to run a process as
root, but where that process should be able to authorize users using the main
pw table?

I wonder if the auth server shouldn't be dealing with more than just the
username and password. Perhaps it should also be passed enough details to
implement restrictions based on which service is being requested and the
location the request is coming from. This would facilitate a centralized
access policy.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Nov 22 09:06:37 1998
Date: Sun, 22 Nov 1998 12:05:15 -0500 (EST)
From: Robert Watson
To: Andrew McNaughton
Cc: Don Lewis, Mikael Karpberg, William McVey, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?

On Sun, 22 Nov 1998, Andrew McNaughton wrote:

> On Sat, 21 Nov 1998, Don Lewis wrote:
>
> > On Nov 17, 5:02pm, Robert Watson wrote:
> > } Subject: Re: Would this make FreeBSD more secure?
> >
> > } It might be nice to just have a file system socket any process can bind to
> > } that mediates access to the authentication system. On the one side of the
> > } socket is any client attempting to authenticate a user (possibly using PAM
> > } as the API, and then some record based protocol over the socket), and on
> > } the other side is Mr Auth Server that listens on the socket, accepts
> > } connections, and is a place where throttling of attempts could be
> > } performed. Similarly, it could take advantage of the SCM_AUTH (or
> > } whatever) uid/gid passing to authenticate the processes on the other side.
> >
> > I think this is the best solution. Unless the process is setuid root (su),
> > if the auth server sees that billybob is trying to validate a password,
> > then the auth server should only validate billybob's password. This
> > prevents billybob from trying to use the auth server to crack passwords, but
> > it allows billybob to install and use his own private screen or terminal
> > locker.
>
> If the server puts in a few seconds of delay for authentication of a
> particular user after a failed attempt, (optionally increasing with number
> of recent failures) then that's going to be enough to make brute force
> infeasible.
> Are there any situations where it might be desirable not to
> run a process as root, but where that process should be able to authorize
> users using the main pw table?
>
> I wonder if the auth server shouldn't be dealing with more than just the
> username and password. Perhaps it should also be passed enough details to
> implement restrictions based on which service is being requested and the
> location the request is coming from. This would facilitate a centralized
> access policy.

My feeling was that this could actually be an extremely general purpose
protocol spoken on the wire, and that it could be used in a number of
situations. For example, the server could accept kerberosIV or V
authenticators to check against the local rcmd for authentication. It would
probably not, however, return the shared secret, as that would allow
unprivileged users to retrieve secrets from sniffed sessions. I think a PAM
like functionality is best.

An example of a daemon that could use this behavior is the CMU Cyrus server
-- they already have a rudimentary password checker of this form
(ungeneralized) so that their imap/pop servers can be spawned by inetd as the
cyrus user. This way, holes in their IMAP code do not yield root access.

Also, this mechanism could be used to submit password changes without a
setuid binary -- the daemon, by virtue of ancillary data passing, could be
aware of the remote uid, and accept an old, plus a new password, with similar
delays instituted for incorrect old passwords.

I started writing code to do this based on my 'kernel tokens' work --
essentially, I had a privileged daemon acting as a token manager. Other
processes, using a file system socket, could submit existing tokens and
request new tokens based on them. So a kerberos ticket in a token could be
used to retrieve local UID and GID tokens.

When login ran, it would receive some sort of authenticating data, generate a
token, send it to the tokend, and then receive back tokens authorizing it for
local access to files, etc. I only partially completed the implementation
(enough to allow normal users with UID/GID tokens to retrieve authorization
tokens for a few specific capabilities, such as port binding), but no doubt a
subset of this behavior could be used without tokens.

What would make people like Terry (and myself) really happy would be to make
this a 'session manager' storing session keys, etc. This requires some kind
of kernel integration to be useful, and that was the aspect I hoped to
acquire using my token behavior. This way, samba code running in the kernel,
or pseudo-user-land code such as Coda could speak to a single session manager
to retrieve keys, and ask for the prompting of new keys for the user, if an
interactive user was available.

Robert N Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc.
http://www.tis.com/
SafePort Network Services http://www.safeport.com/

From owner-freebsd-security Sun Nov 22 17:56:13 1998
Message-ID: <3658C089.9920E41F@softweyr.com>
Date: Sun, 22 Nov 1998 18:55:21 -0700
From: Wes Peters
Organization: Softweyr llc
To: The Hermit Hacker
Cc: Dima Ruban, freebsd-security@FreeBSD.ORG
Subject: Re: PAM on FreeBSD (was Would this make FreeBSD more secure?)

The Hermit Hacker wrote:
>
> Personally, I kinda like the fact that FreeBSD has finally joined
> *both* Solaris and Linux in supporting PAM. I realize that for most out
> there, its a Linux vs FreeBSD sort of thing, but, if I remember my
> research properly, PAM was a Sun-ism first, that Linux flew with, and just
> by finally bringing it in, we open ourselves up to a massive amount of new
> authentication mechanism...
>
> Of key interest to me is NDS/Radiusd authentication, as it is what
> we use on Campus/work...now I can take what i've done with Solaris for
> authentication and bring my FreeBSD machines up to speed with it :)

Did you happen to read my Daemon's Advocate article about this topic? I
received news of the FreeBSD PAM work shortly after it was published, in the
inaugural issue of Daemon News. If not, please see

http://www.daemonnews.org/199809/daemonadvoc.html

I will, of course, be writing an update on this topic soon, so the BSD
community will be up-to-date, once I've installed and configured this and
given it a thorough wringing out, which may not happen until after the first
of the year.

> Thanks loads John...work *long* overdue...

Indeed, my thanks as well, John.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                      Softweyr LLC
http://www.softweyr.com/~softweyr   wes@softweyr.com

From owner-freebsd-security Sun Nov 22 22:48:16 1998
Date: Sun, 22 Nov 1998 22:44:32 -0800 (PST)
From: Marc Slemko
To: Don Lewis
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
In-Reply-To: <199811220523.VAA00366@salsa.gv.tsc.tdk.com>

On Sat, 21 Nov 1998, Don Lewis wrote:

> On Nov 17, 9:31am, Marc Slemko wrote:
> } Subject: Re: Would this make FreeBSD more secure?
>
> } Say, for example, you have a MX record pointing to a server that does have
> } privileged ports. That means that, even if the mail server does crash or
> } stop listening on the port, any old user can't just bind to the port and
> } steal mail.
>
> Even better would be to quickly make enough connections to tcp port 23
> (telnet) so that inetd decides this service is looping and shuts it down.
> Then you can bind a socket to port 23 and harvest user names and passwords.

Right, there are lots of ways to do this sort of thing. sendmail does it
too, by default, if you push the load average too high, which is easy to do.

Although you should note that a while ago, after I pointed out how easy this
sort of thing is, Theo de Raadt implemented (after a few false starts I
think) a change in OpenBSD inetd that doesn't close the socket, just starts
accepting then dropping connections to it. I think this change was finished,
although it may not have been. It is arguable if this is a good or bad
thing.
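The inetd behaviour Marc describes, as an added example that is neither code from this thread nor OpenBSD's inetd: a minimal accept loop with a per-service rate check that, once a service is judged to be looping, keeps the listening socket open and accepts-then-drops connections for a hold period instead of closing the port. The service_t/service_decide names and the 3-connections-per-60-seconds / 600-second-hold figures are this example's own assumptions.

```c
/* Added example: inetd-style "looping" throttle that never releases the
 * port.  All names and limits here are this example's own assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum { SVC_DROP = 0, SVC_SPAWN = 1 };

typedef struct {
    const char *name;
    int max_per_window;    /* connections allowed per window */
    int window_secs;       /* length of the rate window */
    int hold_secs;         /* how long to keep dropping once looping */
    int seen;              /* connections seen in the current window */
    time_t window_start;   /* 0 = no window open yet */
    time_t hold_until;     /* 0 = not held */
} service_t;

/* Decide what to do with one connection arriving at `now`.
 * SVC_SPAWN: hand the connection to the service.
 * SVC_DROP : the service is held; close the connection at once.
 * In neither case is the listening socket closed, so nobody else can
 * bind the port while the service is held. */
int service_decide(service_t *s, time_t now)
{
    if (s->hold_until > now)
        return SVC_DROP;
    if (s->window_start == 0 || now - s->window_start >= s->window_secs) {
        s->window_start = now;
        s->seen = 0;
    }
    if (++s->seen > s->max_per_window) {
        /* Looping: go on holding the port, but stop spawning. */
        s->hold_until = now + s->hold_secs;
        s->window_start = 0;
        s->seen = 0;
        return SVC_DROP;
    }
    return SVC_SPAWN;
}

/* Create a listening TCP socket on 127.0.0.1:port. Returns -1 on error. */
int listen_local(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sin;
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo: `./a.out 8023` answers on 127.0.0.1:8023; after more than 3
 * connections in 60 s it keeps the port but drops everyone for 10 minutes.
 * A real inetd would fork/exec the service where the greeting is written. */
int main(int argc, char **argv)
{
    service_t svc = { "demo", 3, 60, 600, 0, 0, 0 };
    int lfd;
    if (argc < 2) {
        fprintf(stderr, "usage: %s port\n", argv[0]);
        return 1;
    }
    lfd = listen_local((unsigned short)atoi(argv[1]));
    if (lfd < 0) {
        perror("listen");
        return 1;
    }
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0)
            continue;
        if (service_decide(&svc, time(NULL)) == SVC_SPAWN) {
            static const char greeting[] = "demo service ready\r\n";
            if (write(cfd, greeting, sizeof greeting - 1) < 0)
                perror("write");
        } else {
            fprintf(stderr, "%s: looping, dropping connection\n", svc.name);
        }
        close(cfd);   /* the connection only, never lfd */
    }
}
```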
From owner-freebsd-security Mon Nov 23 12:51:00 1998
Message-ID: <3659CAA1.D016100F@acc.am>
Date: Tue, 24 Nov 1998 00:50:41 +0400
From: Casper
Organization: ACC
To: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: logical bug in SSH 2.0 + FreeBSD

When a restricted shell is set up for users, for example rbash, and $PATH is
restricted (using login classes) to some directory (say /usr/local/rbin)
where links to the executables allowed to the clients are placed, any client
can use ssh to get an unrestricted shell ....

Sshd2 sets the PATH variable to
"/bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin" by default (this can be
overridden at compile time), so clients can run any shell located in the PATH
and get an unrestricted shell .. PATH can be overridden by the
/etc/environment file, but how will admins use ssh ... ?

The same bug is present in sftpd .... if you put the :ftp-chroot: option in
the user's login class, sftpd ignores this ......

From owner-freebsd-security Tue Nov 24 04:10:33 1998
Date: Tue, 24 Nov 1998 17:05:13 +0500 (KGT)
From: CyberPsychotic
Reply-To: fygrave@tigerteam.net
To: Casper
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: logical bug in SSH 2.0 + FreeBSD
In-Reply-To: <3659CAA1.D016100F@acc.am>

Hmm.. There's another weird thing I found while using ssh 2.0.10. Somehow it
doesn't write the user into wtmp correctly (I tested it on FreeBSD 2.2.7 and
BSDi systems), so when a user logs in from remote, sshd makes him invisible.
However I didn't see such behaviour while checking it with Linux. Maybe this
is already known.. just thought I should let you know.

From owner-freebsd-security Tue Nov 24 04:56:27 1998
Message-ID: <19981124125613.E4472@clara.net>
Date: Tue, 24 Nov 1998 12:56:13 +0000
From: Neil Levine
Reply-To: levine@clara.net
To: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: logical bug in SSH 2.0 + FreeBSD
References: <3659CAA1.D016100F@acc.am>

On Tue, Nov 24, 1998 at 05:05:13PM +0500, CyberPsychotic said:
> Hmm.. There's another weird thing I found while using ssh 2.0.10. Somehow
> it doesn't write user into wtmp correctly. (I tested in on FreeBSD 2.2.7
> and BSDi systems), so when user logs in from remote, sshd makes him
> unvisible. However I didn't see such behaviour while checking it with
> Linux. Maybe this is already known.. just thought I should let you know.

We are seeing this too with Ssh 2.0.11...this is a pretty serious bug and I
hope it gets fixed soon...

regards,
Neil

--
Neil Levine            ClaraNet(UK) Ltd.
levine@clara.net       http://www.clara.net

From owner-freebsd-security Tue Nov 24 05:06:49 1998
Message-ID: <19981124140901.31718@worldonline.nl>
Date: Tue, 24 Nov 1998 14:09:01 +0100
From: Maikel Verheijen
To: fygrave@tigerteam.net
Cc: Casper, freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: logical bug in SSH 2.0 + FreeBSD
References: <3659CAA1.D016100F@acc.am>

On Tue, Nov 24, 1998 at 05:05:13PM +0500, CyberPsychotic wrote:
> Hmm.. There's another weird thing I found while using ssh 2.0.10. Somehow
> it doesn't write user into wtmp correctly. (I tested in on FreeBSD 2.2.7
> and BSDi systems), so when user logs in from remote, sshd makes him
> unvisible. However I didn't see such behaviour while checking it with
> Linux. Maybe this is already known.. just thought I should let you know.

Same here. I also noticed this behaviour on Solaris 2.5.1 and 2.6.

Groetjes,

Maikel Verheijen
Talk is cheap because supply exceeds demand.

From owner-freebsd-security Tue Nov 24 08:29:45 1998
Message-ID: <001d01be17c7$847d7da0$221d62ce@lazerlink.net>
From: "Brian Fisk"
Subject: Re: logical bug in SSH 2.0 + FreeBSD
Date: Tue, 24 Nov 1998 11:28:49 -0500

I have installed SSH 2.0.9 on 4 machines: FreeBSD 2.2.6, 2.2.5, and two
2.2.7-stable as of 2 weeks ago. I am seeing the same thing where ssh is not
writing to wtmp.

Brian Fisk
Systems/Network Administration
Lazerlink Internet Services
bfisk@lazerlink.net

From owner-freebsd-security Tue Nov 24 12:54:46 1998
Message-ID: <365B1CFA.52F840DF@acc.am>
Date: Wed, 25 Nov 1998 00:54:18 +0400
From: Casper
Organization: ACC
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Again about logical bug in SSH2.0 & FBSD - patch

Below is a small patch made by me. It has been working for about one week on
my home FreeBSD 3.0-SNAP 16.08.98 /*- really old for a developer! :) -*/
machine, and I have no problems ... I'll try to patch sftpd as soon as
possible .... Feel free to write all messages and suggestions to
nightmar@acc.am

In the ssh distribution, in ./apps/ssh/sshchsession.c, look for lines like
this (beginning on /* line 695 of 1786 (38%), character 21335 of 59636 (35%) */
in version 2.0.10) and apply the patch provided:

[--cut--]
[-- original code --]
  /* Get the user's shell, and the last component of it. */
  shell = ssh_user_shell(session->common->user_data);
  shell_no_path = strrchr(shell, '/');
  if (shell_no_path)
    shell_no_path++;
  else
    shell_no_path = shell;

  /* Start the command. */
  switch (op)
    {
    case SSH_SESSION_SHELL:
[-- end original code --]
[-- comment these lines -]
      /* Start the shell.  Set initial character to '-'. */
      /* buf[0] = '-';
      strncpy(buf + 1, shell_no_path, sizeof(buf) - 1);
      buf[sizeof(buf) - 1] = 0; */

      /* Execute the shell. */
      /* argv[0] = buf;
      argv[1] = NULL; */

      /* print motd, if "PrintMotd yes" and it exists */
      /* if (session->common->config->print_motd)
        {
          f = fopen("/etc/motd", "r");
          if (f)
            {
              while (fgets(linebuf, sizeof(linebuf), f))
                fputs(linebuf, stdout);
              fclose(f);
            }
        } */
      /* execve(shell, argv, env); */
[-- end comment these lines -]
[-- insert these lines --]
      argv[0] = "/usr/bin/login";
      argv[1] = "-f";
      argv[2] = session->common->user;
      /*- i didn't check the code that generates this string and the
          /usr/bin/login source, so there is a potential buffer overrun
          in login ... i hope that i'm wrong :) ...
       -*/
      argv[3] = NULL;
      execve("/usr/bin/login", argv, env);
[-- end insert these lines --]

      /* Executing the shell failed. */
      perror(shell);
      exit(254);
[--cut--]

See ya !

From owner-freebsd-security Tue Nov 24 16:28:59 1998
Message-ID: <19981124182846.W916@futuresouth.com>
Date: Tue, 24 Nov 1998 18:28:46 -0600
From: "Matthew D. Fuller"
To: Brian Fisk, freebsd-security@FreeBSD.ORG
Subject: Re: logical bug in SSH 2.0 + FreeBSD
References: <001d01be17c7$847d7da0$221d62ce@lazerlink.net>
In-Reply-To: <001d01be17c7$847d7da0$221d62ce@lazerlink.net>; from Brian Fisk on Tue, Nov 24, 1998 at 11:28:49AM -0500

On Tue, Nov 24, 1998 at 11:28:49AM -0500, Brian Fisk woke me up to tell me:
> I have installed SSH 2.0.9 on 4 machines. FreeBSD 2.2.6, 2.2.5, and two
> 2.2.7-stable as of 2 weeks ago. I am seeing the same thing where ssh is not
> writing to wtmp.

wtmp or utmp? Or both?

--
| FreeBSD; the way computers were meant to be                |
* "The only reason I'm burning my candle at both ends, is    *
|  that I haven't figured out how to light the middle yet."  |
* fullermd@futuresouth.com            :-}   Matthew Fuller   *
| http://keystone.westminster.edu/~fullermd                  |

From owner-freebsd-security Tue Nov 24 19:59:42 1998
Date: Wed, 25 Nov 1998 00:13:37 +0100
From: Ollivier Robert
To: freebsd-security@FreeBSD.ORG
Subject: Re: logical bug in SSH 2.0 + FreeBSD
Message-ID: <19981125001337.A24376@keltia.freenix.fr>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <001d01be17c7$847d7da0$221d62ce@lazerlink.net>
In-Reply-To: <001d01be17c7$847d7da0$221d62ce@lazerlink.net>; from Brian Fisk on Tue, Nov 24, 1998 at 11:28:49AM -0500
X-Operating-System: FreeBSD 3.0-CURRENT/ELF ctm#4835 AMD-K6 MMX @ 200 MHz

According to Brian Fisk:
> I have installed SSH 2.0.9 on 4 machines. FreeBSD 2.2.6, 2.2.5, and two
> 2.2.7-stable as of 2 weeks ago. I am seeing the same thing where ssh is not
> writing to wtmp.

Something seems to have been fixed in 2.0.11 WRT utmp:

1998-10-21  Timo J. Rinne
        * Moved utmp update to the child. It now seems to work at least in BSD.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #2: Sun Nov 8 01:22:20 CET 1998

From owner-freebsd-security Thu Nov 26 06:41:23 1998
Message-Id: <199811261440.GAA03910@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: freebsd-security@FreeBSD.ORG
Subject: Bootpd 2.4.3 tmp race
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 26 Nov 1998 06:40:21 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It appears that our bootpd is vulnerable. I've submitted a PR to document this. For discussion (if anyone wishes to comment).

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

------- Forwarded Message

Return-Path: cschuber@uumail.gov.bc.ca
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.9.1) id NAA02501 for ; Fri, 13 Nov 1998 13:00:26 -0800 (PST)
Resent-Message-Id: <199811132100.NAA02501@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdME2456; Fri Nov 13 12:59:24 1998
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.1/8.9.1) id MAA02448 for ; Fri, 13 Nov 1998 12:59:23 -0800 (PST)
Received: from point.osg.gov.bc.ca(142.32.102.44) via SMTP by passer.osg.gov.bc.ca, id smtpdZq2426; Fri Nov 13 12:58:42 1998
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.9.1/8.8.8) id MAA20980 for ; Fri, 13 Nov 1998 12:58:35 -0800
Received: from brimstone.netspace.org(128.148.157.143) via SMTP by point.osg.gov.bc.ca, id smtpda20975; Fri Nov 13 12:58:19 1998
Received: from netspace.org ([128.148.157.6]:63038 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <73867-26951>; Fri, 13 Nov 1998 12:26:46 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 4903751 for BUGTRAQ@NETSPACE.ORG; Fri, 13 Nov 1998 12:19:20 -0500
Approved-By: aleph1@DFW.NET
Received: from freak.conectiva.com.br (animaniacs.conectiva.com.br [200.203.180.2]) by netspace.org (8.8.7/8.8.7) with ESMTP id PAA14599 for ; Thu, 12 Nov 1998 15:40:55 -0500
Received: from localhost (marcelo@localhost) by freak.conectiva.com.br (8.9.1a/8.9.1) with ESMTP id GAA04837; Thu, 12 Nov 1998 06:13:03 -0200
X-Authentication-Warning: freak.conectiva.com.br: marcelo owned process doing -bs
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Thu, 12 Nov 1998 06:13:03 -0200
Reply-To: Marcelo Tosatti
Sender: Bugtraq List
From: Marcelo Tosatti
Subject: Bootpd 2.4.3 tmp race
X-cc: wanderlei@conectiva.com.br
To: BUGTRAQ@netspace.org
Resent-To: cy
Resent-Date: Fri, 13 Nov 1998 12:59:24 -0800
Resent-From: Cy Schubert

Sorry if this is already known.

I found a tmp race in bootpd 2.4.3. If the user does not specify a file to dump the database, bootpd will try to dump it in /tmp/bootpd.dump.

Here goes the fix:

diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c - --- bootp-2.4.3.orig/bootpd.c Mon Mar 27 18:38:35 1995 +++ bootp-2.4.3/bootpd.c Thu Nov 12 05:57:39 1998 @@ -91,11 +91,9 @@ #ifndef CONFIG_FILE #define CONFIG_FILE "/etc/bootptab" #endif - -#qifndef DUMPTAB_FILE - -#define DUMPTAB_FILE "/tmp/bootpd.dump" - -#endif - - +char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX"; + /* * Externals, forward declarations, and global variables
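Review bot: in the `@@ -91,11 +91,9 @@` hunk, `+char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";` keeps the all-caps macro name for what is now a writable buffer that mktemp() will overwrite, so a later reader will take it for a constant path; rename it (`static char dumptab_file[] = ...`) and add a comment that the trailing XXXXXX is a template to be filled in. Also, as posted the removed lines carry a doubled `- -` prefix and one of them reads `#qifndef DUMPTAB_FILE`, so patch(1) will not apply this hunk until that escaping is undone.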
@@ -369,7 +367,8 @@ if (argc > 1) bootpd_dump = argv[1]; - - + else + mktemp(DUMPTAB_FILE); /* * Get my hostname and IP address. */

Marcelo Tosatti
Conectiva Internet Solutions

------- End of Forwarded Message

From owner-freebsd-security Thu Nov 26 08:19:02 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA11119 for freebsd-security-outgoing; Thu, 26 Nov 1998 08:19:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA11114 for ; Thu, 26 Nov 1998 08:19:00 -0800 (PST) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id RAA25745 for freebsd-security@freebsd.org; Thu, 26 Nov 1998 17:19:08 +0100 (MET) (envelope-from kuku)
Date: Thu, 26 Nov 1998 17:19:08 +0100 (MET)
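Review bot: `+ mktemp(DUMPTAB_FILE);` in the `@@ -369,7 +367,8 @@` hunk only picks a name and creates nothing, so whatever later opens the dump by that path still has the gap between choosing the name and opening the file that the post set out to close, and the unchecked return value means a failed mktemp() leaves an empty template behind. Create the file here instead with mkstemp(3) and keep the descriptor (fdopen() it for the dump), or open the path with O_CREAT|O_EXCL and treat EEXIST as fatal. The hunk also never points `bootpd_dump` at the array in the `else` branch; if it was initialised from the old DUMPTAB_FILE macro at declaration time, confirm it now refers to the array that mktemp() fills in rather than to a copy of the template.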
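Added example, not bootpd's code and not part of Marcelo's post: the safe form of what the patch above reaches for. Where the patch calls mktemp(3) to pick a name and leaves the later open by path to someone else, this creates the dump file itself with mkstemp(3) (O_CREAT|O_EXCL, mode 0600) and writes through the returned descriptor, so there is never a moment at which a name exists in /tmp that this process did not itself create. The template is taken from the patch; the TMPDIR fallback, the fstat sanity check and the two sample table entries are my additions.

```c
/* Added example, not bootpd's code: create the dump file in /tmp without the
 * name-then-open window that mktemp(3) leaves. mkstemp(3) creates the file
 * with O_CREAT|O_EXCL and mode 0600 and returns the open descriptor, so no
 * other process can plant a link or file under that name first. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<dir>/bootpd.dump.XXXXXX" into buf, with dir from TMPDIR or /tmp
 * (the TMPDIR fallback is my addition). Returns 0, or -1 if buf is too small. */
int dump_template(char *buf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(buf, len, "%s/bootpd.dump.XXXXXX", dir) >= (int)len)
        return -1;
    return 0;
}

/* Create the dump file atomically. On success the template holds the chosen
 * name and the returned descriptor is open for writing; -1 with errno set
 * otherwise. The fstat check is belt and braces: what we hold must be a
 * fresh, empty regular file with a single link. */
int open_dump_file(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_size != 0) {
        close(fd);
        unlink(template);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

/* Write the table through the descriptor we already hold, never by
 * reopening the path. Returns the number of entries written, or -1. */
int write_dump(int fd, const char *const *entries, int n)
{
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        return -1;
    int written = 0;
    for (int i = 0; i < n; i++)
        if (fprintf(fp, "%s\n", entries[i]) >= 0)
            written++;
    return fclose(fp) == 0 ? written : -1;
}

/* Run the whole path once on two constructed bootptab-style entries and
 * return the permission bits the dump file was created with, or -1. */
int demo_dump_mode(void)
{
    static const char *const sample[] = {
        "host1:ht=ethernet:ha=0000c0123456:ip=192.0.2.10",   /* constructed */
        "host2:ht=ethernet:ha=0000c0abcdef:ip=192.0.2.11",   /* constructed */
    };
    char path[256];
    if (dump_template(path, sizeof path) < 0)
        return -1;
    int fd = open_dump_file(path);
    if (fd < 0)
        return -1;
    struct stat st;
    int mode = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    if (write_dump(fd, sample, 2) != 2)
        mode = -1;
    unlink(path);
    return mode;
}

int main(void)
{
    int mode = demo_dump_mode();
    if (mode < 0) {
        perror("dump");
        return 1;
    }
    printf("dump written with mode %04o\n", mode);
    return 0;
}
```

With the descriptor in hand, the rest of the program should never touch the path again: the one check that matters is that the dump is written through the fd, not through a second fopen() of the name, which would reintroduce exactly the window the post describes.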
From: Christoph Kukulies
Message-Id: <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE>
To: freebsd-security@FreeBSD.ORG
Subject: cgi-bin/phf* security hole in apache
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could someone explain the effect of the 'phf*' security hole (severeness) in earlier apache versions? I detected someone having tried to test it against my httpd on several machines (net wide scan).

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
http://blues.physik.rwth-aachen.de/hammond.html

From owner-freebsd-security Thu Nov 26 09:13:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA15215 for freebsd-security-outgoing; Thu, 26 Nov 1998 09:13:37 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from axl.training.iafrica.com (axl.training.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA15203 for ; Thu, 26 Nov 1998 09:13:22 -0800 (PST) (envelope-from sheldonh@axl.training.iafrica.com)
Received: from sheldonh (helo=axl.training.iafrica.com) by axl.training.iafrica.com with local-esmtp (Exim 2.053 #1) id 0zj4xx-0005TD-00; Thu, 26 Nov 1998 19:12:29 +0200
From: Sheldon Hearn
To: Christoph Kukulies
cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
In-reply-to: Your message of "Thu, 26 Nov 1998 17:19:08 +0100." <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE>
Date: Thu, 26 Nov 1998 19:12:29 +0200
Message-ID: <21030.912100349@axl.training.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 26 Nov 1998 17:19:08 +0100, Christoph Kukulies wrote:

> Could someone explain the effect of the 'phf*' security hole
> (severeness) in earlier apache versions?

See the Apache FAQ, question 8.

Ciao,
Sheldon.

From owner-freebsd-security Thu Nov 26 10:06:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA19664 for freebsd-security-outgoing; Thu, 26 Nov 1998 10:06:47 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA19643 for ; Thu, 26 Nov 1998 10:06:23 -0800 (PST) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id TAA26100; Thu, 26 Nov 1998 19:05:45 +0100 (MET) (envelope-from kuku)
Message-ID: <19981126190545.A26062@gil.physik.rwth-aachen.de>
Date: Thu, 26 Nov 1998 19:05:45 +0100
From: Christoph Kukulies
To: Sheldon Hearn , Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
References: <199811261619.RAA25745@gilberto.physik.RWTH-Aachen.DE> <21030.912100349@axl.training.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91
In-Reply-To: <21030.912100349@axl.training.iafrica.com>; from Sheldon Hearn on Thu, Nov 26, 1998 at 07:12:29PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 26, 1998 at 07:12:29PM +0200, Sheldon Hearn wrote:
>
> On Thu, 26 Nov 1998 17:19:08 +0100, Christoph Kukulies wrote:
>
> > Could someone explain the effect of the 'phf*' security hole
> > (severeness) in earlier apache versions?
>
> See the Apache FAQ, question 8.

Excuse me, if you already are that precise, what apache FAQ are you referring to? The 'official' one on their web page carries

"8. Whom do I contact for support?"

> Ciao,
> Sheldon.

--
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Thu Nov 26 11:58:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA29189 for freebsd-security-outgoing; Thu, 26 Nov 1998 11:58:18 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lambic.physics.montana.edu (lambic.physics.montana.edu [153.90.192.128]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA29183 for ; Thu, 26 Nov 1998 11:58:17 -0800 (PST) (envelope-from handy@lambic.physics.montana.edu)
Received: from localhost (handy@localhost) by lambic.physics.montana.edu (8.8.8/8.8.7) with ESMTP id MAA12995; Thu, 26 Nov 1998 12:57:40 -0700 (MST) (envelope-from handy@lambic.physics.montana.edu)
Date: Thu, 26 Nov 1998 12:57:40 -0700 (MST)
From: Brian Handy
To: Christoph Kukulies
cc: Sheldon Hearn , freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
In-Reply-To: <19981126190545.A26062@gil.physik.rwth-aachen.de>
Message-ID:
X-files: The truth is out there
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> > Could someone explain the effect of the 'phf*' security hole
>> > (severeness) in earlier apache versions?
>>
>> See the Apache FAQ, question 8.
>
>Excuse me, if you already are that precise, what apache FAQ are you referring to?
>The 'official' one on their web page carries
>
>"8. Whom do I contact for support?"

How about:

http://bugs.apache.org/index/full/1605

(I wondered this once before. Apache's search engine on their site works pretty well.)

Brian

From owner-freebsd-security Thu Nov 26 22:59:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA17713 for freebsd-security-outgoing; Thu, 26 Nov 1998 22:59:01 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cliff.mfn.org (cliff.mfn.org [204.238.179.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA17707; Thu, 26 Nov 1998 22:58:58 -0800 (PST) (envelope-from measl@mfn.org)
X-Message1: Missouri FreeNet does not relay. If this email
X-Message2: is unsolicited bulk or commercial, please report
X-Message3: this abuse promptly to abuse@mfn.org. Thank You.
X-ORIGINIP: 204.238.179.3
X-ORIGINDNS: greeves.mfn.org
Received: from greeves.mfn.org (greeves.mfn.org [204.238.179.3]) by cliff.mfn.org (8.8.7/8.8.7) with SMTP id AAA03083; Fri, 27 Nov 1998 00:58:47 -0600 (CST) (envelope-from measl@mfn.org)
Posted-Date: Fri, 27 Nov 1998 00:58:47 -0600 (CST)
Date: Fri, 27 Nov 1998 00:58:46 -0600 (CST)
From: Missouri FreeNet Administration
To: freebsd-questions@FreeBSD.ORG
cc: freebsd-security@FreeBSD.ORG
Subject: Can kerberos log to syslogd?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The header says it all... Is there *any way to do this, short of coding it ourselves?

Yours,
J.A. Terranson
sysadmin@mfn.org

--
If the Government wants us to behave, they should set a better example!

From owner-freebsd-security Fri Nov 27 00:45:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA26338 for freebsd-security-outgoing; Fri, 27 Nov 1998 00:45:33 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from it.sivma.ru (sivmac.dialup.ru [194.87.17.172]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA26322; Fri, 27 Nov 1998 00:45:28 -0800 (PST) (envelope-from info@sivma.ru)
Received: from valeric.sivma.ru (VALERY.SIVMA.RU [10.10.10.3]) by it.sivma.ru (8.8.8/8.8.8) with SMTP id LAA17883; Fri, 27 Nov 1998 11:48:26 +0300 (MSK) (envelope-from info@sivma.ru)
Message-ID: <003a01be19e1$c9f0f3a0$030a0a0a@valeric.sivma.ru>
From: "Sivma"
To: ,
Subject: Deny for spec. MAC-address
Date: Fri, 27 Nov 1998 11:41:42 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I want to deny access for a machine with a specified MAC-address. How can I do it?

Thanks.
Valery Lobachev

From owner-freebsd-security Fri Nov 27 02:00:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA03440 for freebsd-security-outgoing; Fri, 27 Nov 1998 02:00:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA03433 for ; Fri, 27 Nov 1998 02:00:08 -0800 (PST) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id KAA28439; Fri, 27 Nov 1998 10:57:44 +0100 (MET) (envelope-from kuku)
Message-ID: <19981127105744.A28408@gil.physik.rwth-aachen.de>
Date: Fri, 27 Nov 1998 10:57:44 +0100
From: Christoph Kukulies
To: Sheldon Hearn , Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
References: <19981126190545.A26062@gil.physik.rwth-aachen.de> <22257.912152434@axl.training.iafrica.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91
In-Reply-To: <22257.912152434@axl.training.iafrica.com>; from Sheldon Hearn on Fri, Nov 27, 1998 at 09:40:34AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 27, 1998 at 09:40:34AM +0200, Sheldon Hearn wrote:
>
> On Thu, 26 Nov 1998 19:05:45 +0100, Christoph Kukulies wrote:
>
> > Excuse me, if you already are that precise, what apache FAQ are you referring to?
> > The 'official' one on their web page carries
> >
> > "8. Whom do I contact for support?"
>
> That's exactly right. You're currently mailing freebsd-current, which is
> not the right place to ask for help with Apache software. This means
> you're contributing to the noise factor on the list and devaluing it.

Despite the somewhat unfriendly undertone in your answer - which I overhear for the moment - I find that bringing up security issues in a security list isn't adding to the noise factor.

To make it 100% FreeBSD related I refine my question:

Is there any danger and to what extent arising from previous or current apache httpd installations from the FreeBSD ports tree, especially WRT that phf security hole?

Shouldn't the port also install the phf 'candid camera' catcher automatically?

> Ciao,
> Sheldon.

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Nov 27 07:14:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA28572 for freebsd-security-outgoing; Fri, 27 Nov 1998 07:14:20 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA28567 for ; Fri, 27 Nov 1998 07:14:19 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.1a/8.9.1) with ESMTP id QAA23588; Fri, 27 Nov 1998 16:14:09 +0100 (CET)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id QAA23571; Fri, 27 Nov 1998 16:14:08 +0100 (MET)
Message-ID: <19981127161408.E9226@follo.net>
Date: Fri, 27 Nov 1998 16:14:08 +0100
From: Eivind Eklund
To: Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
References: <19981126190545.A26062@gil.physik.rwth-aachen.de> <22257.912152434@axl.training.iafrica.com> <19981127105744.A28408@gil.physik.rwth-aachen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19981127105744.A28408@gil.physik.rwth-aachen.de>; from Christoph Kukulies on Fri, Nov 27, 1998 at 10:57:44AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 27, 1998 at 10:57:44AM +0100, Christoph Kukulies wrote:
> Is there any danger and to what extent arising from previous or current
> apache httpd installations from the FreeBSD ports tree, especially WRT
> that phf security hole?
>
> Shouldn't the port also install the phf 'candid camera' catcher
> automatically?

Maybe. Do you have any reference to this catcher and what it does?

Eivind.

From owner-freebsd-security Fri Nov 27 07:39:41 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA01199 for freebsd-security-outgoing; Fri, 27 Nov 1998 07:39:41 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gilberto.physik.RWTH-Aachen.DE (gilberto.physik.rwth-aachen.de [137.226.30.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA01194 for ; Fri, 27 Nov 1998 07:39:39 -0800 (PST) (envelope-from kuku@gilberto.physik.RWTH-Aachen.DE)
Received: (from kuku@localhost) by gilberto.physik.RWTH-Aachen.DE (8.8.8/8.8.7) id QAA29344; Fri, 27 Nov 1998 16:39:28 +0100 (MET) (envelope-from kuku)
Message-ID: <19981127163928.B29306@gil.physik.rwth-aachen.de>
Date: Fri, 27 Nov 1998 16:39:28 +0100
From: Christoph Kukulies
To: Eivind Eklund , Christoph Kukulies
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: cgi-bin/phf* security hole in apache
References: <19981126190545.A26062@gil.physik.rwth-aachen.de> <22257.912152434@axl.training.iafrica.com> <19981127105744.A28408@gil.physik.rwth-aachen.de> <19981127161408.E9226@follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91
In-Reply-To: <19981127161408.E9226@follo.net>; from Eivind Eklund on Fri, Nov 27, 1998 at 04:14:08PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 27, 1998 at 04:14:08PM +0100, Eivind Eklund wrote:
> On Fri, Nov 27, 1998 at 10:57:44AM +0100, Christoph Kukulies wrote:
> > Is there any danger and to what extent arising from previous or current
> > apache httpd installations from the FreeBSD ports tree, especially WRT
> > that phf security hole?
> >
> > Shouldn't the port also install the phf 'candid camera' catcher
> > automatically?
>
> Maybe. Do you have any reference to this catcher and what it does?

ports/www/apache12/work/apache_1.2.6/support/phf_abuse_log.cgi

AFAIU if one puts this script into the server cgi-bin directory (currently there isn't any phf file in it either) this script becomes virulent (in the sense that it catches the wannabe intruder).

> Eivind.

--
--Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de

From owner-freebsd-security Fri Nov 27 23:22:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA13624 for freebsd-security-outgoing; Fri, 27 Nov 1998 23:22:00 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA13619 for ; Fri, 27 Nov 1998 23:21:57 -0800 (PST) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id RAA27897 for ; Sat, 28 Nov 1998 17:51:48 +1030 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA18390; Sat, 28 Nov 1998 17:51:47 +1030
Date: Sat, 28 Nov 1998 17:51:47 +1030 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: security@FreeBSD.ORG
Subject: Port 13223 scans?
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What lives on port 13223? Over the past two weeks I've been getting numerous probes from a certain subnet to this port. They seem to have taken a special interest in me today (probed about a dozen times). I set up a listener on the port and logged the following:

< 00000000 4f 50 4e 47 14 00 00 00 8c 4c 1b 00 d2 c3 1a 00 # OPNG.....L......
< 00000010 81 00 00 00 # ....

Look familiar to anyone?

Kris

From owner-freebsd-security Sat Nov 28 01:01:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21012 for freebsd-security-outgoing; Sat, 28 Nov 1998 01:01:50 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ol.kyrnet.kg (ol.kyrnet.kg [195.254.160.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA21006 for ; Sat, 28 Nov 1998 01:01:33 -0800 (PST) (envelope-from fygrave@tigerteam.net)
Received: from gizmo.kyrnet.kg (IDENT:fygrave@gizmo.kyrnet.kg [192.168.1.125]) by ol.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id NAA23902 for ; Sat, 28 Nov 1998 13:31:04 +0600
Received: from localhost (fygrave@localhost) by gizmo.kyrnet.kg (8.9.1a/8.9.1) with ESMTP id NAA05168 for ; Sat, 28 Nov 1998 13:59:24 +0500
X-Authentication-Warning: gizmo.kyrnet.kg: fygrave owned process doing -bs
Date: Sat, 28 Nov 1998 13:59:23 +0500 (KGT)
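Added example, not part of Kris's post: the first thing I would do with a capture like this before asking around is decode the hexdump and check whether the packet describes its own length. The decoder below turns the two logged lines back into bytes and reads the words after the tag as 32-bit little-endian integers; the field layout (a four-byte ASCII tag followed by a length word) is an assumption I make for illustration, and the thread never says what the protocol is.

```c
/* Added example (not from Kris's post): decode the listener's hexdump and
 * test whether the probe is a length-prefixed record. The field layout
 * assumed here (4-byte ASCII tag, then 32-bit little-endian words) is a
 * guess made for illustration; the thread never identifies the protocol. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The two lines Kris logged, embedded verbatim as the sample input. */
static const char *const CAPTURE[] = {
    "< 00000000 4f 50 4e 47 14 00 00 00 8c 4c 1b 00 d2 c3 1a 00 # OPNG.....L......",
    "< 00000010 81 00 00 00 # ....",
};
#define CAPTURE_LINES 2

/* Parse one dump line: skip the direction marker and the 8-digit offset,
 * then collect two-digit hex tokens until the '#' ASCII column. Returns
 * the number of bytes appended to out, or -1 on a malformed line. */
int parse_dump_line(const char *line, uint8_t *out, size_t cap)
{
    const char *p = line;
    while (*p == '<' || *p == '>' || isspace((unsigned char)*p))
        p++;
    for (int i = 0; i < 8; i++, p++)          /* offset column */
        if (!isxdigit((unsigned char)*p))
            return -1;
    size_t n = 0;
    for (;;) {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0' || *p == '#')
            break;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        if (n >= cap)
            return -1;
        char tok[3] = { p[0], p[1], '\0' };
        out[n++] = (uint8_t)strtoul(tok, NULL, 16);
        p += 2;
    }
    return (int)n;
}

/* Parse every capture line into buf; returns the total byte count or -1. */
int parse_capture(const char *const *lines, int nlines, uint8_t *buf, size_t cap)
{
    size_t total = 0;
    for (int i = 0; i < nlines; i++) {
        int n = parse_dump_line(lines[i], buf + total, cap - total);
        if (n < 0)
            return -1;
        total += (size_t)n;
    }
    return (int)total;
}

/* Little-endian 32-bit read; this byte order is the assumption under which
 * the second word equals the record length. */
uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* 1 if the bytes look like a self-describing record: a printable 4-byte
 * tag followed by a 32-bit length equal to the number of bytes captured. */
int looks_length_prefixed(const uint8_t *buf, int total)
{
    if (total < 8)
        return 0;
    for (int i = 0; i < 4; i++)
        if (!isprint(buf[i]))
            return 0;
    return le32(buf + 4) == (uint32_t)total;
}

/* Helpers over the embedded capture: total bytes, the word at a byte
 * offset (0xffffffff if out of range), and the length-prefix verdict. */
int capture_total(void)
{
    uint8_t buf[64];
    return parse_capture(CAPTURE, CAPTURE_LINES, buf, sizeof buf);
}

uint32_t capture_word(int off)
{
    uint8_t buf[64];
    int total = parse_capture(CAPTURE, CAPTURE_LINES, buf, sizeof buf);
    if (total < 0 || off < 0 || off + 4 > total)
        return 0xffffffffu;
    return le32(buf + off);
}

int capture_is_length_prefixed(void)
{
    uint8_t buf[64];
    int total = parse_capture(CAPTURE, CAPTURE_LINES, buf, sizeof buf);
    return total >= 0 && looks_length_prefixed(buf, total);
}

int main(void)
{
    uint8_t buf[64];
    int total = parse_capture(CAPTURE, CAPTURE_LINES, buf, sizeof buf);
    if (total < 0) {
        fprintf(stderr, "malformed dump\n");
        return 1;
    }
    printf("%d bytes, tag %.4s, declared length %u, length-prefixed: %s\n",
           total, (const char *)buf, (unsigned)le32(buf + 4),
           looks_length_prefixed(buf, total) ? "yes" : "no");
    for (int off = 8; off + 4 <= total; off += 4)
        printf("  word at %2d: 0x%08x\n", off, (unsigned)le32(buf + off));
    return 0;
}
```

On Kris's data the second word reads 20, which is exactly the size of the captured message, so whatever this is, it looks like a self-describing record rather than random junk; the two larger words and the trailing 0x81 are left uninterpreted because nothing on the page says what they mean.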
From: CyberPsychotic
X-Sender: fygrave@gizmo.kyrnet.kg
To: freebsd-security@FreeBSD.ORG
Subject: Detecting remote host type and so on..
Message-ID:
Confirm-receipt-to: fygrave@usa.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello people,

This is probably a bit offtopic, but anyway, that is not good when someone could figure out what platform you're running your Apache on. Recently I checked site http://www.netcraft.com which could tell you what server and on what platform you're running. They don't provide source for the code, so I just put my sniffer on, and pushed the button (they have webform) to see what that will do. All that box did was a connection to my 80 port and issuing command HEAD / HTTP/1.0. All what comes for response is:

HTTP/1.0 200 OK
Date: Sat, 28 Nov 1998 08:33:05 GMT
Server: Apache/1.2.5
Last-Modified: Fri, 30 Jan 1998 06:30:47 GMT
ETag: "11dc01-561-34d17397"
Content-Length: 1377
Accept-Ranges: bytes
Content-Type: text/html
Age: 0
Connection: close
---

So the place where it picks the type of WebServer is obvious: Server tag. But I wonder how would that figure out what platform I am running.. What comes in mind is that Etag here is something which purpose I don't understand. If that is a platform specific thing, maybe they just did checks on different platforms and made pre-recordings?

would appreciate any hints,

best regards
~Fyodor

From owner-freebsd-security Sat Nov 28 01:48:09 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA24965 for freebsd-security-outgoing; Sat, 28 Nov 1998 01:48:09 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from zeus.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA24960 for ; Sat, 28 Nov 1998 01:48:05 -0800 (PST) (envelope-from akm@zeus.theinternet.com.au)
Received: (from akm@localhost) by zeus.theinternet.com.au (8.8.7/8.8.7) id TAA22579; Sat, 28 Nov 1998 19:39:00 +1000 (EST) (envelope-from akm)
From: Andrew Kenneth Milton
Message-Id: <199811280939.TAA22579@zeus.theinternet.com.au>
Subject: Re: Detecting remote host type and so on..
In-Reply-To: from CyberPsychotic at "Nov 28, 98 01:59:23 pm"
To: fygrave@tigerteam.net (CyberPsychotic)
Date: Sat, 28 Nov 1998 19:39:00 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

+----[ CyberPsychotic ]---------------------------------------------
| So the place where it picks the type of WebServer is obvious: Server tag.
| But I wonder how would that figure out what platform I am running.. What
| comes in mind is that Etag here is something which purpose I don't
| understand. If that is a platform specific thing, maybe they just did
| checks on different platforms and made pre-recordings?

>From the webpage....

Netcraft diagnoses the operating system of the queried host by looking in detail at the network characteristics of the response it receives from the web site. The reported operating system may be different to the one you expected because:

The site is using a reverse web proxy, such as Novell's BorderManager FastCache. In this situation we will be connecting to the reverse web proxy rather than the originating web server.

The site is using a load balancing, high availability, HTTP switch like BIG/ip. Some of these switches handle the TCP connection themselves, so we detect the switch's O/S rather than the web server's.

The site is using a TCP connection-level firewall, such as provided in the TIS Gauntlet, BorderWare, IBM's eNetwork firewalls and other HTTP level relays. In these cases we also will receive data from the intermediate machine rather than the web server.

The site has changed the default configuration of their TCP/IP stack, perhaps for performance reasons, or have an unusual LAN environment.

The site uses multiple servers using different operating systems on a round robin basis.

We made a mistake. If you see an O/S & web server combination reported that you know to be wrong, please tell us.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 | Milton
ACN: 082 081 472                     | M:+61 416 022 411 |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

From owner-freebsd-security Sat Nov 28 13:35:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA16639 for freebsd-security-outgoing; Sat, 28 Nov 1998 13:35:54 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA16633 for ; Sat, 28 Nov 1998 13:35:53 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id QAA03041; Sat, 28 Nov 1998 16:35:27 -0500 (EST)
Date: Sat, 28 Nov 1998 16:35:27 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: CyberPsychotic
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Detecting remote host type and so on..
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 28 Nov 1998, CyberPsychotic wrote:

> Hello people,
> This is probably a bit offtopic, but anyway, that is not good when someone
> could figure out what platform you're running your Apache on. Recently I
> checked site http://www.netcraft.com which could tell you what server and
> on what platform you're running. They don't provide source for the code,
> so I just put my sniffer on, and pushed the button (they have webform) to
> see what that will do. All that box did was a connection to my 80 port
> and issuing command HEAD / HTTP/1.0. All what comes for response is:

As far as I can tell, it is almost impossible to disguise the operating system that you are running. Most platforms display distinctive banners, have quirks in their IP implementation, or just made different design choices that may be distinguished remotely (for example, choices about timeouts, fragmentation issues, etc). While you can attempt to hide the platform by disabling as many services as possible, removing banners, and hiding behind a firewall that reformats packets and connections, there is really not a whole lot to do.

I find leaving the information there is often more useful than not -- attempting to exploit a bug doesn't require knowledge of the OS/version (try all versions you have an exploit for :), but having the version information there can be useful in debugging interoperability problems. Sort of like having the sendmail version there -- makes it easier to debug problems, and lets you use wholesale network scanners to find old versions; but for someone to try to exploit a bug they just try it out.

If you care a whole bunch, it could probably be cleaned up a bit, but I'm not sure it's worth the trouble. If you think the server says too much, look at what your average WWW browser spews to the server :).

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/