From owner-freebsd-security Wed Dec 11 18:09:11 1996
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA29618 for security-outgoing; Wed, 11 Dec 1996 18:09:11 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id SAA29607 for ; Wed, 11 Dec 1996 18:09:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id SAA12992; Wed, 11 Dec 1996 18:08:12 -0800 (PST)
Message-Id: <199612120208.SAA12992@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: jc@irbs.com (John Capo)
cc: freebsd-security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
In-reply-to: Your message of "Wed, 11 Dec 1996 12:12:06 EST."
From: David Greenman 
Reply-To: dg@root.com
Date: Wed, 11 Dec 1996 18:08:11 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Quoting David Greenman (dg@root.com):
>>
>> I made the mistake of putting bpf in freefall's kernel a long time ago and
>> forgot it was in there. Someone eventually took advantage of that and used it
>> to sniff passwords at Walnut Creek CDROM. This led to a serious break-in on
>> wcarchive. Needless to say, bpf is no longer in freefall's kernel. It was
>
>Are you saying that there is a way for a normal user to use bpf
>when permissions should prevent access?

   No, I'm saying that after he exploited a security hole and gained root, he
then used bpf to sniff passwords. Adding bpf to the kernel and rebooting the
machine would *definitely* have been noticed.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
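A defender-side check for the situation discussed in this thread, added here as an example and not taken from the message or from FreeBSD itself: it reports interfaces whose `ifconfig -a` flags include PROMISC (what a bpf sniffer holding an interface open usually leaves visible) and any /dev/bpf* nodes that show the driver is in the running kernel. The sample ifconfig output below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original message.
# promisc_ifaces: read BSD-style `ifconfig -a` text on stdin and print the
# name of every interface whose flags word contains PROMISC, e.g.
#   fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
promisc_ifaces() {
    awk -F'[: ]' '/^[a-z][a-z0-9]*: flags=[0-9a-fx]*<[^>]*PROMISC[^>]*>/ { print $1 }'
}

# Constructed sample: one interface in promiscuous mode, loopback normal.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# check_sample: run the parser over the constructed sample (prints "fxp0").
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
}

# check_host: live check of this machine. Any PROMISC interface deserves a
# look, and any /dev/bpf* node means the kernel carries the bpf driver, so a
# root compromise could use it exactly as described in the thread.
check_host() {
    ifconfig -a 2>/dev/null | promisc_ifaces
    ls /dev/bpf* 2>/dev/null
}
```

On a host with no bpf in the kernel and no interface in promiscuous mode, `check_host` prints nothing.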