From owner-freebsd-security Sun Feb 11 03:48:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id DAA02947 for security-outgoing; Sun, 11 Feb 1996 03:48:25 -0800 (PST)
Received: from tulpi.interconnect.com.au (root@tulpi.interconnect.com.au [192.189.54.18]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id DAA02940 for ; Sun, 11 Feb 1996 03:48:09 -0800 (PST)
Received: (from ahill@localhost) by tulpi.interconnect.com.au id WAA06893 (8.6.11/IDA-1.6); Sun, 11 Feb 1996 22:47:31 +1100
Date: Sun, 11 Feb 1996 22:47:30 +1100 (EST)
From: Anthony Hill
To: Brian Tao
cc: freebsd-security@freebsd.org
Subject: Re: User creating root-owned directories?
In-Reply-To: <199602101945.MAA12583@terra.aros.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

Lo and behold, Brian Tao once said:
> > I'll perform a more detailed scan for setuid and setgid programs
> > today then. A lot of our users run setuid CGI scripts (PHP tools, a
> > Web page logging package)... the hacker may have named a setuid
> > program after one of the PHP scripts to hide it from scrutiny.

Letting users have setuid scripts is pretty deadly stuff - you might want to check out sudo. If you must run setuid CGI scripts, the taint features in PERL are a real help.

You might want to have a look at the "No you can't have root" document on our "chief security bastard"'s home page.

> > Probably a good time to compare MD5 signatures on the system binaries
> > too... *sigh*.

If I suspect root has been compromised on my system, I do a complete reinstall then recreate the user stuff from backups - you never know where the little turds may have left a surprise for you.
From owner-freebsd-security Sun Feb 11 15:23:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA07172 for security-outgoing; Sun, 11 Feb 1996 15:23:48 -0800 (PST)
Received: from zarquon.hip.berkeley.edu (zarquon.HIP.Berkeley.EDU [136.152.93.146]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id PAA07167 for ; Sun, 11 Feb 1996 15:23:45 -0800 (PST)
Received: (from mconst@localhost) by zarquon.hip.berkeley.edu (8.6.12/8.6.12) id PAA13282 for freebsd-security@freebsd.org; Sun, 11 Feb 1996 15:22:21 -0800
Date: Sun, 11 Feb 1996 15:22:21 -0800
From: Michael Constant
Message-Id: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
To: freebsd-security@freebsd.org
Subject: sliplogin hole?
Sender: owner-security@freebsd.org
Precedence: bulk

This applies to 2.1-RELEASE, which is what I'm running. Forgive me if it has been fixed in -current; I haven't seen anything on freebsd-security about it, though.

The sliplogin(8) manpage recommends using lines of the following form in /etc/sliphome/slip.hosts:

    Sfoo `hostname` foo netmask

The problem with this is that the `hostname` portion is passed directly to the shell, without any processing -- as root. This means J. Random Slip-User can create a script called ~/bin/hostname that does whatever he wants, and (as long as ~/bin is before /bin in his path) his script will be run as root the next time he types "sliplogin foo".
- Michael Constant

From owner-freebsd-security Sun Feb 11 16:10:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA13252 for security-outgoing; Sun, 11 Feb 1996 16:10:09 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id QAA13233 for ; Sun, 11 Feb 1996 16:10:05 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id RAA17658; Sun, 11 Feb 1996 17:12:39 -0700
Date: Sun, 11 Feb 1996 17:12:39 -0700
From: Nate Williams
Message-Id: <199602120012.RAA17658@rocky.sri.MT.net>
To: Michael Constant
Cc: freebsd-security@freebsd.org
Subject: Re: sliplogin hole?
In-Reply-To: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
References: <199602112322.PAA13282@zarquon.hip.berkeley.edu>
Sender: owner-security@freebsd.org
Precedence: bulk

> This applies to 2.1-RELEASE, which is what I'm running. Forgive me if
> it has been fixed in -current; I haven't seen anything on freebsd-security
> about it, though.
> 
> The sliplogin(8) manpage recommends using lines of the following form
> in /etc/sliphome/slip.hosts:
> 
> Sfoo `hostname` foo netmask
> 
> The problem with this is that the `hostname` portion is passed directly
> to the shell, without any processing -- as root. This means J. Random
> Slip-User can create a script called ~/bin/hostname that does whatever
> he wants, and (as long as ~/bin is before /bin in his path) his script
> will be run as root the next time he types "sliplogin foo".

Except that the path supplied to sliplogin is the standard unix path (PATH=:/bin:/usr/bin), which doesn't use anything from the user's home directory (unless it was explicitly set in the shell script).
Also, if you are concerned about security, you don't allow your slip-login users to create/modify any of their slip files, which is easy to do as long as you don't give them the same uid's for both shell login and slip login accounts and use paranoid permissions on both accounts.

Nate

From owner-freebsd-security Mon Feb 12 02:36:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA13474 for security-outgoing; Mon, 12 Feb 1996 02:36:28 -0800 (PST)
Received: from maelstrom.Berkeley.EDU (maelstrom-ether.Berkeley.EDU [128.32.184.248]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id CAA13469 for ; Mon, 12 Feb 1996 02:36:26 -0800 (PST)
Received: (from mconst@localhost) by maelstrom.Berkeley.EDU (8.6.12/8.6.12) id CAA23693; Mon, 12 Feb 1996 02:36:18 -0800
Date: Mon, 12 Feb 1996 02:36:18 -0800
From: Michael Constant
Message-Id: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
To: mconst@csua.berkeley.edu, nate@sri.MT.net
Subject: Re: sliplogin hole?
Cc: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
Precedence: bulk

> > The sliplogin(8) manpage recommends using lines of the following form
> > in /etc/sliphome/slip.hosts:
> > 
> > Sfoo `hostname` foo netmask
> > 
> > The problem with this is that the `hostname` portion is passed directly
> > to the shell, without any processing -- as root. This means J. Random
> > Slip-User can create a script called ~/bin/hostname that does whatever
> > he wants, and (as long as ~/bin is before /bin in his path) his script
> > will be run as root the next time he types "sliplogin foo".
> 
> Except that the path supplied to sliplogin is the standard unix
> path (PATH=:/bin:/usr/bin), which doesn't use anything from the user's
> home directory (unless it was explicitly set in the shell script).

Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ) which is just as insecure as not changing the path at all :-) But thanks for pointing out my misconception.
The exploit as I stated it does work; it's written out in full below, in case I didn't explain it clearly in my original letter.

> Also, if you are concerned about security, you don't allow your
> slip-login users to create/modify any of their slip files, which is easy
> to do as long as you don't give them the same uid's for both shell login
> and slip login accounts and use paranoid permissions on both accounts.

This will work, as long as the shell user is not allowed to run sliplogin. Otherwise, the exploit stands:

    jrl@host% cd ~/bin
    jrl@host% cat > hostname
    #! /bin/sh
    touch /etc/i-am-root
    /bin/hostname
    ^D
    jrl@host% chmod 755 hostname
    jrl@host% sliplogin Sjrl
    starting slip login for Sjrl

... and by this point, the deed is done.

- Michael Constant

From owner-freebsd-security Mon Feb 12 08:52:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA10376 for security-outgoing; Mon, 12 Feb 1996 08:52:21 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA10370 for ; Mon, 12 Feb 1996 08:52:16 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id JAA19323; Mon, 12 Feb 1996 09:54:44 -0700
Date: Mon, 12 Feb 1996 09:54:44 -0700
From: Nate Williams
Message-Id: <199602121654.JAA19323@rocky.sri.MT.net>
To: Michael Constant
Cc: mconst@csua.berkeley.edu, nate@sri.MT.net, freebsd-security@freebsd.org
Subject: Re: sliplogin hole?
In-Reply-To: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
References: <199602121036.CAA23693@maelstrom.Berkeley.EDU>
Sender: owner-security@freebsd.org
Precedence: bulk

> Well, "PATH=:/bin:/usr/bin" contains the current directory ( . ) which
> is just as insecure as not changing the path at all :-) But thanks for
> pointing out my misconception.

Hmmm..... Maybe I am confused, although I see that piece of code used in the 'sh' sources.
> The exploit as I stated it does work; it's written out in full below,
> in case I didn't explain it clearly in my original letter.
...
> 
> jrl@host% cd ~/bin
> jrl@host% cat > hostname
> #! /bin/sh
> touch /etc/i-am-root
> /bin/hostname
> ^D
> jrl@host% chmod 755 hostname
> jrl@host% sliplogin Sjrl
> starting slip login for Sjrl
> 
> ... and by this point, the deed is done.

I just tried this, and it didn't work on my box although I was allowed to run sliplogin. It dies with:

    sliplogin[953]: ioctl (TIOCSCTTY): Operation not permitte

Which might not occur on a dial-in line. Unfortunately, I'm unable to test this out right now, but I will try it out from home.

Nate

From owner-freebsd-security Mon Feb 12 09:56:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA14604 for security-outgoing; Mon, 12 Feb 1996 09:56:14 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA14599 for ; Mon, 12 Feb 1996 09:56:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id JAA31080; Mon, 12 Feb 1996 09:56:02 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199602121756.JAA31080@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: "az.com"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help building jails
In-reply-to: Your message of "Sat, 10 Feb 96 09:49:10 PST."
Date: Mon, 12 Feb 96 09:56:02 -0800
X-Mts: smtp
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

> 
> 2 questions:
> 
> 1. Haven't been able to build a jail yet with chroot!
> [a few lines edited out]
> chroot: jail: Operation not permitted.
> 
> I've tried endless permutations of permissions and configurations,
> nothing seems to work. If I'm super user, chroot works.
Chroot(2) only works if the process calling it has superuser privilege.

> 
> Wanted to put a chroot in the best location, presumably not .login or
> .cshrc, but instead right in the /etc/passwd file as what to execute at
> login.
> 
> 
> 2. Can I find code for FreeBSD to do exactly the same thing as chroot with
> ftpd?
> 
> 3. Can I find code for FreeBSD to do exactly the same thing as chroot
> with httpd?

FTPD and HTTPD both run as root. When a connection is accepted, both chroot() and issue a setuid().

An idea would be to create a custom version of telnetd that would spawn a custom version of login which would do a chroot() just prior to doing a setuid(). The advantage is that your custom version of telnetd could replace telnetd in inetd.conf while the original version could be used from a different port. The custom login program could use /usr/local/etc/passwd instead of /etc/passwd limiting access to users within the "jail" environment.

Regards,                       Phone:    (604)389-3827
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
BC Systems Corp.               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
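The order Cy Schubert describes above (chroot() while still superuser, then setuid() to the unprivileged id) is easy to get subtly wrong: the working directory can be left outside the jail, supplementary groups can survive the drop, and a seteuid()-style drop leaves a saved uid 0 that setuid(0) can restore. The following is an added example written for this digest, not code from sliplogin, ftpd, login or any FreeBSD source; the function names, the uid/gid 65534 and the use of "/" as a jail root for the demonstration run are assumptions.

```python
import os

# Added example (not from the thread or from any FreeBSD program). It follows
# the sequence described in the reply above: chroot() needs superuser, so it
# must happen before the setuid() that gives superuser away.

UNPRIV_UID = 65534   # "nobody" on most systems; use a dedicated jail user in practice
UNPRIV_GID = 65534


def running_as_root() -> bool:
    return os.geteuid() == 0


def privileges_dropped() -> bool:
    """True when the process can no longer get uid 0 back.

    setuid(2) by root wipes the real, effective and saved uids; a mere
    seteuid() leaves the saved uid at 0, and setuid(0) would succeed again."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def enter_jail(root: str, uid: int = UNPRIV_UID, gid: int = UNPRIV_GID) -> None:
    """Confine the process to `root`, then give up superuser.

    Raises on any failure: a daemon must never carry on half-jailed."""
    if not running_as_root():
        # chroot(2) refuses without superuser privilege, so the order matters
        raise PermissionError("chroot(2) needs superuser privilege")
    os.chroot(root)
    os.chdir("/")            # otherwise the cwd still points outside the jail
    os.setgroups([gid])      # shed the supplementary groups inherited from root
    os.setgid(gid)           # gid first: after setuid() we could not change it
    os.setuid(uid)
    if not privileges_dropped():
        raise RuntimeError("uid 0 still reachable after setuid()")


def try_enter_jail(root: str, uid: int = UNPRIV_UID, gid: int = UNPRIV_GID) -> str:
    """Demonstration wrapper: 'jailed', or 'denied: <reason>' on an OSError."""
    try:
        enter_jail(root, uid, gid)
    except OSError as exc:       # PermissionError is a subclass of OSError
        return f"denied: {exc}"
    return "jailed"


if __name__ == "__main__":
    # "/" as the jail root leaves the file system view unchanged, which makes
    # this safe to run while still showing the privilege transition.
    print(try_enter_jail("/"))
    print("uid 0 reachable again:", not privileges_dropped())
```

Run as an ordinary user the call is refused at the chroot step, which is exactly the "Operation not permitted" the original poster saw; run as root it ends with a process that can no longer regain uid 0, which is the state a custom login or ftpd should be in before it touches anything the user controls.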
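Going back to the sliplogin exchange earlier in this digest: whether or not the TIOCSCTTY failure stops the login on a particular line, the two conditions the exploit relies on are auditable. A PATH with an empty or "." component (as in PATH=:/bin:/usr/bin) makes the shell search the current directory, and a slip.hosts entry written as the manpage suggests runs a command substitution with sliplogin's root privileges. The checker below is an added example, not code from the thread, from sliplogin(8) or from FreeBSD; the function names and the sample slip.hosts are constructed, and the assumption that sliplogin skips lines beginning with "#" is mine.

```python
import re

# Added example, not code from the thread or from sliplogin(8). It flags the
# two things the exploit above depends on: a PATH that searches the current
# directory, and slip.hosts fields that a shell expands as a command.

# `cmd` and $(cmd): the two forms of command substitution a Bourne shell expands
_SUBST = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")

# Constructed slip.hosts, modelled on the manpage form quoted in the thread.
SAMPLE_SLIP_HOSTS = """\
# login   local-addr        remote-addr  netmask      [options]
Sfoo      `hostname`        foo          0xffffff00
Sbar      gateway.example   bar          0xffffff00
Sbaz      $(hostname)       baz          0xffffff00   compress
"""


def cwd_path_components(path: str) -> list[int]:
    """Indices of PATH components that make the shell search the current
    directory: an explicit '.' or an empty component (a leading, trailing or
    doubled colon). 'PATH=:/bin:/usr/bin' therefore starts with one."""
    return [i for i, comp in enumerate(path.split(":")) if comp in ("", ".")]


def is_safe_path(path: str) -> bool:
    """A PATH used by privileged scripts should hold only absolute directories."""
    return not cwd_path_components(path) and all(
        comp.startswith("/") for comp in path.split(":"))


def substituted_commands(line: str) -> list[str]:
    """The commands a shell would run to expand the substitutions in `line`."""
    return [backquoted or parenthesised for backquoted, parenthesised in _SUBST.findall(line)]


def audit_slip_hosts(text: str) -> list[dict]:
    """Report every slip.hosts entry that relies on command substitution.

    Such an entry runs the named command with the privileges of the login
    script, so the command must resolve from a trusted PATH, never the
    caller's working directory."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed: comment lines are skipped
            continue
        commands = substituted_commands(line)
        if commands:
            findings.append({"line": lineno, "login": line.split()[0],
                             "commands": commands})
    return findings


if __name__ == "__main__":
    for path in (":/bin:/usr/bin", "/bin:/usr/bin"):
        print(f"PATH={path!r}: cwd searched at {cwd_path_components(path)}, "
              f"safe={is_safe_path(path)}")
    for f in audit_slip_hosts(SAMPLE_SLIP_HOSTS):
        print(f"line {f['line']} ({f['login']}): expands {f['commands']} "
              "with sliplogin's privileges")
```

An entry that needs the local hostname is safer written with the literal address, or with an absolute command path (/bin/hostname) so the lookup never depends on PATH at all; the audit above is the quick way to find every entry that still does.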
From owner-freebsd-security Mon Feb 12 17:29:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA19418 for security-outgoing; Mon, 12 Feb 1996 17:29:06 -0800 (PST)
Received: from mistery.mcafee.com (jimd@mistery.mcafee.com [192.187.128.69]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id RAA19413 for ; Mon, 12 Feb 1996 17:29:04 -0800 (PST)
Received: (from jimd@localhost) by mistery.mcafee.com (8.6.11/8.6.9) id SAA04321 for freebsd-security@freebsd.org; Mon, 12 Feb 1996 18:29:12 -0800
From: Jim Dennis
Message-Id: <199602130229.SAA04321@mistery.mcafee.com>
Subject: tripwire, xinetd (or tcp wrappers)
To: freebsd-security@freebsd.org
Date: Mon, 12 Feb 1996 18:29:11 -0800 (PST)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

Where can I find tripwire? How about xinetd?

I'm setting up a new server (ftp) and would like to tighten the security up a bit (so I'm not depending as heavily on my router's packet filters).

First item is I'd like to install tripwire, build its initial database, and refine its reporting/alerts before I connect the machine to the 'net. Where can I find a copy of the FreeBSD port of this? If I grab a copy from usc.edu (or wherever) is there anything special I'll have to do to compile it under FreeBSD?

Another item is that I'd like to use tcp wrappers or xinetd (again, our packet filters should prevent most problems but I'm a belt and suspenders guy when it comes to my *ix boxes). I'm open to suggestions. I was playing with Linux tcpd on a "play" system and had trouble getting it to execute a shell command to log activity (my plan was to allow access to ALL:LOCAL and log those to a file in /var/adm so I'd have some idea what services are being used by my co-workers on this system). Just allowing or denying services seemed absurdly simple.
So: Does anyone have any compelling preferences for tcpd or xinetd? Are there any "gotch'yas" to compiling xinetd for FreeBSD (I noticed tcpd in the ports list on the 2.1.0 CD, but couldn't find tripwire or xinetd). Is xinetd faster (suffering from less process start latency) than tcpd?

I'm also interested in other monitoring and security suggestions. This particular machine (actually pair of machines) will be used for distributing files via ftp and http. I might also configure it for fsp (if I can find a suitable daemon *and* a suitable DOS|Windows|OS/2|NT|Win '95 client that can be freely distributed). Is there such a beast (free multiplatform client)? Are there any known security problems with fsp? Is there an fspd with features similar to the wu-ftpd (remote limits, group access controls, etc)?

Thanks in advance for any answers. If I can return the favor, I will.

From owner-freebsd-security Mon Feb 12 22:28:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA14012 for security-outgoing; Mon, 12 Feb 1996 22:28:44 -0800 (PST)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id WAA13979 for ; Mon, 12 Feb 1996 22:28:33 -0800 (PST)
Received: from localhost (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.3/8.7.3) with SMTP id IAA03049; Tue, 13 Feb 1996 08:27:55 +0200 (SAT)
Message-Id: <199602130627.IAA03049@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host mark@localhost [127.0.0.1] didn't use HELO protocol
To: Jim Dennis
cc: freebsd-security@FreeBSD.ORG
Subject: Re: tripwire, xinetd (or tcp wrappers)
Date: Tue, 13 Feb 1996 08:27:55 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Jim Dennis wrote:
> 
> Where can I find tripwire? How about xinetd?

Neither have been ported to FreeBSD.
Tripwire is available from cert (ftp.cert.org) and xinetd is a bunch of sharfiles + later patches available from ftp.uu.net and mirrors in (something like)

    usenet/comp.sources.unix/volume??/xinetd/part*
and
    usenet/comp.sources.unix/volume??/xinetd/patch*

I seem to remember that there are a couple of patches in different volumes spread over a bit of time.

> First item is I'd like to install tripwire, build its
> initial database, and refine its reporting/alerts before
> I connect the machine to the 'net. Where can I find a copy
> of the FreeBSD port of this? If I grab a copy from usc.edu
> (or wherever) is there anything special I'll have to do to
> compile it under FreeBSD?

Naah. It works just fine. Small bit of twiddling.

> So: Does anyone have any compelling preferences for tcpd or
> xinetd? Are there any "gotch'yas" to compiling xinetd
> for FreeBSD (I noticed tcpd in the ports list on the 2.1.0 CD,
> but couldn't find tripwire or xinetd).

Tcp wrappers (tcpd) is/are pretty ubiquitous, but they only handle tcp - you are on your own with udp, so if you have plans to use FSP, you'll be SOL monitoring that.

> Is xinetd faster (suffering from less process start latency)
> than tcpd?

Fractionally. Probably not even so you'd notice.

> I'm also interested in other monitoring and security suggestions.
> This particular machine (actually pair of machines) will be used
> for distributing files via ftp and http.

You may want to have a look at COPS, also from CERT. FreeBSD already does a lot of what COPS does (scan for SUID file changes etc), but it will give you some ideas.

> I might also configure it for fsp (if I can find a suitable
> daemon *and* a suitable DOS|Windows|OS/2|NT|Win '95 client that
> can be freely distributed). Is there such a beast (free
> multiplatform client)? Are there any known security problems
> with fsp? Is there an fspd with features similar to the wu-ftpd
> (remote limits, group access controls, etc)?

Sorry! I am clueless here!
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Feb 13 07:07:15 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA15939 for security-outgoing; Tue, 13 Feb 1996 07:07:15 -0800 (PST)
Received: from gw0.telebase.com (root@gw0.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA15933 for ; Tue, 13 Feb 1996 07:07:12 -0800 (PST)
Received: from wormhole.telebase.com by gw0.telebase.com id KAA28744; Tue, 13 Feb 1996 10:06:14 -0500 (EST)
Received: from odo.telebase.com (root@odo.telebase.com [172.16.2.217]) by wormhole.telebase.com (8.7.1/8.6.9.1) with ESMTP id KAA11399; Tue, 13 Feb 1996 10:06:13 -0500 (EST)
Received: (from bmc@localhost) by odo.telebase.com (8.6.12/8.6.9.1) id KAA03226; Tue, 13 Feb 1996 10:06:11 -0500
Date: Tue, 13 Feb 1996 10:06:11 -0500
Message-Id: <199602131506.KAA03226@telebase.com.>
From: Brian Clapper
To: Mark Murray
Cc: Jim Dennis , freebsd-security@FreeBSD.ORG, Chuck Murcko
Subject: Re: tripwire, xinetd (or tcp wrappers)
In-Reply-To: <127245926@toto.iv>
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

>>>>> "Mark" == Mark Murray writes:

Mark> Jim Dennis wrote:
>> 
>> Where can I find tripwire? How about xinetd?

Mark> Neither have been ported to FreeBSD. Tripwire is available from cert
Mark> (ftp.cert.org) and xinetd is a bunch of sharfiles + later patches
Mark> available from ftp.uu.net and mirrors in (something like)
Mark> usenet/comp.sources.unix/volume??/xinetd/part* and
Mark> usenet/comp.sources.unix/volume??/xinetd/patch*
Mark> I seem to remember that there are a couple of patches in different
Mark> volumes spread over a bit of time.

`xinetd' *has* been ported to FreeBSD, by Chuck Murcko (chuck@telebase.com). Check out ftp://ftp.telebase.com/pub/security/xinetd.2.1.7-freebsd.4.tar.gz

I'm using it on a FreeBSD box, as is Chuck.
We use it here on a variety of platforms to which it was not originally ported by its author, Panos Tsirigotis.

>> Is xinetd faster (suffering from less process start latency)
>> than tcpd?

Mark> Fractionally. Probably not even so you'd notice.

IMO, xinetd's somewhat simpler to use than the inetd/tcp-wrappers combination.

----
Brian Clapper .............................................. bmc@telebase.com
http://www.netaxs.com/~bmc/ ............. PGP public key available on request

But soft you, the fair Ophelia: Ope not thy ponderous and marble jaws,
But get thee to a nunnery -- go!
                -- Mark "The Bard" Twain

From owner-freebsd-security Tue Feb 13 07:32:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA17565 for security-outgoing; Tue, 13 Feb 1996 07:32:28 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA17558 for ; Tue, 13 Feb 1996 07:32:23 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA30430; Tue, 13 Feb 1996 10:32:06 -0500
Date: Tue, 13 Feb 1996 10:32:06 -0500
From: "Garrett A. Wollman"
Message-Id: <9602131532.AA30430@halloran-eldar.lcs.mit.edu>
To: Mark Murray
Cc: Jim Dennis , freebsd-security@FreeBSD.ORG
Subject: Re: tripwire, xinetd (or tcp wrappers)
In-Reply-To: <199602130627.IAA03049@grumble.grondar.za>
References: <199602130627.IAA03049@grumble.grondar.za>
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

< said:
> You may want to have a look at COPS, also from CERT. FreeBSD already
> does a lot of what COPS does (scan for SUID file changes etc), but
> it will give you some ideas.

Indeed, FreeBSD already gives you the ability to scan your entire installation for files which have changed from some pre-defined profile; see mtree(8).
At one point in time, I created code for `make release' which would automatically generate the appropriate mtree files for each distribution.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.  - Claude McKenzie + Florent Vollant

From owner-freebsd-security Tue Feb 13 09:45:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA25725 for security-outgoing; Tue, 13 Feb 1996 09:45:23 -0800 (PST)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA25716 for ; Tue, 13 Feb 1996 09:45:13 -0800 (PST)
Received: from localhost (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.3/8.7.3) with SMTP id TAA02061; Tue, 13 Feb 1996 19:42:11 +0200 (SAT)
Message-Id: <199602131742.TAA02061@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host mark@localhost [127.0.0.1] didn't use HELO protocol
To: Brian Clapper
cc: Mark Murray , Jim Dennis , freebsd-security@FreeBSD.ORG, Chuck Murcko
Subject: Re: tripwire, xinetd (or tcp wrappers)
Date: Tue, 13 Feb 1996 19:42:10 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Brian Clapper wrote:
> Mark> Neither have been ported to FreeBSD. Tripwire is available from cert
> Mark> (ftp.cert.org) and xinetd is a bunch of sharfiles + later patches
> Mark> available from ftp.uu.net and mirrors in (something like)
> Mark> usenet/comp.sources.unix/volume??/xinetd/part* and
> Mark> usenet/comp.sources.unix/volume??/xinetd/patch*
> Mark> I seem to remember that there are a couple of patches in different
> Mark> volumes spread over a bit of time.
> 
> `xinetd' *has* been ported to FreeBSD, by Chuck Murcko (chuck@telebase.com).
> Check out ftp://ftp.telebase.com/pub/security/xinetd.2.1.7-freebsd.4.tar.gz

I stand corrected. Perhaps this could be submitted to us as a port?

> I'm using it on a FreeBSD box, as is Chuck. We use it here on a variety of
> platforms to which it was not originally ported by its author, Panos
> Tsirigotis.

Ports please, gentlemen!

> >> Is xinetd faster (suffering from less process start latency)
> >> than tcpd?
> 
> Mark> Fractionally. Probably not even so you'd notice.
> 
> IMO, xinetd's somewhat simpler to use than the inetd/tcp-wrappers
> combination.

Somewhat, yes.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Feb 13 09:48:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA25894 for security-outgoing; Tue, 13 Feb 1996 09:48:26 -0800 (PST)
Received: from ibp.ibp.fr (ibp.ibp.fr [132.227.60.30]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA25684 for ; Tue, 13 Feb 1996 09:43:04 -0800 (PST)
Received: from blaise.ibp.fr (blaise.ibp.fr [132.227.60.1]) by ibp.ibp.fr (8.6.12/jtpda-5.0) with ESMTP id SAA19487 ; Tue, 13 Feb 1996 18:41:44 +0100
Received: from (uucp@localhost) by blaise.ibp.fr (8.6.12/jtpda-5.0) with UUCP id SAA24273 ; Tue, 13 Feb 1996 18:41:47 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.7.3/keltia-uucp-2.7) id IAA01324; Tue, 13 Feb 1996 08:53:46 +0100 (MET)
From: Ollivier Robert
Message-Id: <199602130753.IAA01324@keltia.freenix.fr>
Subject: Re: tripwire, xinetd (or tcp wrappers)
To: jimd@mistery.mcafee.com (Jim Dennis)
Date: Tue, 13 Feb 1996 08:53:45 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199602130229.SAA04321@mistery.mcafee.com> from Jim Dennis at "Feb 12, 96 06:29:11 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1661
X-Mailer: ELM [version 2.4ME+ PL5 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

It seems that Jim Dennis said:
> Where can I find tripwire? How about xinetd?

ftp://coast.cs.purdue.edu/pub/tools/unix

> initial database, and refine its reporting/alerts before
> I connect the machine to the 'net. Where can I find a copy
> of the FreeBSD port of this? If I grab a copy from usc.edu
> (or wherever) is there anything special I'll have to do to
> compile it under FreeBSD?

No, I've compiled it without problem.

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #6: Fri Feb 9 21:27:02 MET 1996

From owner-freebsd-security Tue Feb 13 09:52:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA26079 for security-outgoing; Tue, 13 Feb 1996 09:52:07 -0800 (PST)
Received: from gw0.telebase.com (root@gw0.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA26074 for ; Tue, 13 Feb 1996 09:52:05 -0800 (PST)
Received: from wormhole.telebase.com by gw0.telebase.com id MAA17167 for ; Tue, 13 Feb 1996 12:52:01 -0500 (EST)
Received: from odo.telebase.com (root@odo.telebase.com [172.16.2.217]) by wormhole.telebase.com (8.7.1/8.6.9.1) with ESMTP id MAA13847; Tue, 13 Feb 1996 12:51:59 -0500 (EST)
Received: (from bmc@localhost) by odo.telebase.com (8.6.12/8.6.9.1) id MAA04124; Tue, 13 Feb 1996 12:51:57 -0500
Date: Tue, 13 Feb 1996 12:51:57 -0500
Message-Id: <199602131751.MAA04124@telebase.com.>
From: Brian Clapper
To: freebsd-security@FreeBSD.ORG
Cc: Chuck Murcko
Subject: Re: tripwire, xinetd (or tcp wrappers)
In-Reply-To: <199602131742.TAA02061@grumble.grondar.za>
References: <199602131742.TAA02061@grumble.grondar.za>
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

>>>>> "Mark" == Mark Murray writes:

>> `xinetd' *has* been ported to FreeBSD, by Chuck Murcko
>> (chuck@telebase.com).
>> Check out
>> ftp://ftp.telebase.com/pub/security/xinetd.2.1.7-freebsd.4.tar.gz

Mark> I stand corrected. Perhaps this could be submitted to us as a port?

I've set up a couple things in the ports collection; I can prepare one for xinetd pretty quickly. I'll talk to Chuck.

>> I'm using it on a FreeBSD box, as is Chuck. We use it here on a variety
>> of platforms to which it was not originally ported by its author, Panos
>> Tsirigotis.

Mark> Ports please, gentlemen!

Chuck maintains the Linux, FreeBSD, NetBSD, BSDI ports. They're all available from ftp.telebase.com; they're also mirrored at the COAST archive (ftp://coast.cs.purdue.edu/pub/mirrors/ftp.telebase.com)

----
Brian Clapper .............................................. bmc@telebase.com
http://www.netaxs.com/~bmc/ ............. PGP public key available on request

Real Programs don't use shared text. Otherwise, how can they use functions
for scratch space after they are finished calling them?

From owner-freebsd-security Wed Feb 14 14:28:34 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA19012 for security-outgoing; Wed, 14 Feb 1996 14:28:34 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA19000 for ; Wed, 14 Feb 1996 14:28:28 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id RAA02943; Wed, 14 Feb 1996 17:24:23 -0500
Date: Wed, 14 Feb 1996 17:24:23 -0500 (EST)
From: Brian Tao
To: Anthony Hill
cc: freebsd-security@freebsd.org
Subject: Re: User creating root-owned directories?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Sun, 11 Feb 1996, Anthony Hill wrote:
> 
> You might want to have a look at the "No you can't have root" document on
> our "chief security bastard"'s home page.

What's the URL?
> If I suspect root has been compromised on my system, I do a complete
> reinstall then recreate the user stuff from backups - you never know where
> the little turds may have left a surprise for you.

That would be ideal. I have a couple more servers coming in tomorrow, which will give me a chance to do a fresh install and compare it to the existing ones.

--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Thu Feb 15 17:22:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA10666 for security-outgoing; Thu, 15 Feb 1996 17:22:06 -0800 (PST)
Received: from elane (root@NS.ELANE.COM [205.233.74.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id RAA10653 for ; Thu, 15 Feb 1996 17:21:59 -0800 (PST)
Received: from else by elane with smtp (Smail3.1.29.1 #3) id m0tnEsw-000iZLC; Thu, 15 Feb 96 20:22 EST
Received: by else (Smail3.1.29.1 #3) id m0tnEtc-000MNeC; Thu, 15 Feb 96 20:23 EST
Date: Thu, 15 Feb 1996 20:23:36 -0500 (EST)
From: James FitzGibbon
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: Temporary passwd files in /etc?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Sun, 28 Jan 1996, Brian Tao wrote:
> I found these two files lying around in the /etc directory of one
> of our FreeBSD 2.1.0-RELEASE machines here.
> 
> -rw-r--r--  1 root  wheel  459403 Jan 20 15:35 pw.007939.orig
> -rw-rw-rw-  1 root  wheel  612563 Jan 25 19:06 pw.021282~
> 
> pw.021282~ is a world readable/writeable copy of the master.passwd
> file. How did either of those files get there? Do the serial numbers
> on them look familiar to anyone (pids?).

I didn't see an answer to this in the list, but they are created by chpass/vipw type utilities. I've never seen one get mode 666 though. Maybe Nerk did it.

j.
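The mode-666 pw.021282~ copy in the exchange above is exactly what a scratch copy gets when the program that creates it runs with umask 000 and asks open(2) for 0666, while the 0644 of pw.007939.orig is the same request under umask 022. The following is an added example written for this digest, not vipw(8)/chpass(1) code or the editor script in the thread; the directory, the function names and the master.passwd entry are constructed.

```python
import os
import stat
import tempfile

# Added example, not vipw(8)/chpass(1) code nor the editor script from the
# thread. It shows what decides the mode of a "pw.<pid>~"-style scratch copy
# of the password file: the creator's umask, unless the creator asks for a
# private mode outright. The entry below is a constructed master.passwd line.
SAMPLE_ENTRY = "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"


def write_scratch_copy(text: str, directory: str, umask: int,
                       create_mode: int = 0o666) -> int:
    """Create 'pw.<pid>~' under `directory` with the given umask and open(2)
    mode, and return the permission bits the file ended up with."""
    path = os.path.join(directory, f"pw.{os.getpid():06d}~")
    saved = os.umask(umask)
    try:
        # O_EXCL: never reuse a file someone else planted under that name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, create_mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
    finally:
        os.umask(saved)   # restore whatever the caller had
    return stat.S_IMODE(os.stat(path).st_mode)


def world_readable(mode: int) -> bool:
    return bool(mode & stat.S_IROTH)


def resulting_mode(umask: int, create_mode: int = 0o666) -> int:
    """Mode the scratch copy gets for this umask/mode pair (in a temp dir)."""
    with tempfile.TemporaryDirectory() as directory:
        return write_scratch_copy(SAMPLE_ENTRY, directory, umask, create_mode)


if __name__ == "__main__":
    for umask in (0o000, 0o022, 0o077):
        print(f"umask {umask:03o} -> mode {resulting_mode(umask):04o}")
    # the fix that does not depend on the caller's umask at all
    print(f"umask 000 but create mode 0600 -> {resulting_mode(0o000, 0o600):04o}")
```

A program that copies a file holding password hashes should not rely on the inherited umask at all: passing 0600 to open(2) (the last line of the demonstration) keeps the copy private whatever the calling script's umask happens to be.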
From owner-freebsd-security Fri Feb 16 07:16:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA09177 for security-outgoing; Fri, 16 Feb 1996 07:16:00 -0800 (PST)
Received: from alpha.dsu.edu (ghelmer@alpha.dsu.edu [138.247.32.12]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA09172 for ; Fri, 16 Feb 1996 07:15:55 -0800 (PST)
Received: (from ghelmer@localhost) by alpha.dsu.edu (8.7.3/8.7.3) id JAA07629; Fri, 16 Feb 1996 09:15:54 -0600 (CST)
Date: Fri, 16 Feb 1996 09:15:53 -0600 (CST)
From: Guy Helmer
To: freebsd-security@freebsd.org
Subject: named update
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

Does anyone know the named version details surrounding the named problem that CERT just reported? I just don't know which version tries to close up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?

Thanks to anyone who can shed light on this,
Guy

Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

From owner-freebsd-security Fri Feb 16 07:48:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id HAA11277 for security-outgoing; Fri, 16 Feb 1996 07:48:00 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id HAA11260 for ; Fri, 16 Feb 1996 07:47:39 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id KAA06143; Fri, 16 Feb 1996 10:46:52 -0500
Date: Fri, 16 Feb 1996 10:46:52 -0500 (EST)
From: Brian Tao
To: James FitzGibbon
cc: FREEBSD-SECURITY-L
Subject: Re: Temporary passwd files in /etc?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Thu, 15 Feb 1996, James FitzGibbon wrote:
>
> I didn't see an answer to this in the list, but they are created by
> chpass/vipw type utilities. I've never seen one get mode 666 though.

We tracked it down a while ago. We have a perl script that massages password files, pretending to be the "editor" that vipw calls. The umask in the perl script was set incorrectly.
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Fri Feb 16 09:58:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA19968 for security-outgoing; Fri, 16 Feb 1996 09:58:49 -0800 (PST)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA19963 for ; Fri, 16 Feb 1996 09:58:47 -0800 (PST)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.3/8.7.3) with SMTP id JAA15558; Fri, 16 Feb 1996 09:57:33 -0800 (PST)
Message-Id: <199602161757.JAA15558@precipice.shockwave.com>
To: Guy Helmer
cc: freebsd-security@freebsd.org
Subject: Re: named update
In-reply-to: Your message of "Fri, 16 Feb 1996 09:15:53 CST."
Date: Fri, 16 Feb 1996 09:57:32 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

I believe our nameds in 2.05 and 2.1 are fine, they were 4.9.3 beta9.

From: Guy Helmer
Subject: named update

Does anyone know the named version details surrounding the named problem that CERT just reported? I just don't know which version tries to close up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?
Thanks to anyone who can shed light on this,
Guy

Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

From owner-freebsd-security Fri Feb 16 13:08:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA06109 for security-outgoing; Fri, 16 Feb 1996 13:08:49 -0800 (PST)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA06101 Fri, 16 Feb 1996 13:08:46 -0800 (PST)
From: "Jonathan M. Bresler"
Message-Id: <199602162108.NAA06101@freefall.freebsd.org>
Subject: Re: named update
To: ghelmer@alpha.dsu.edu (Guy Helmer)
Date: Fri, 16 Feb 1996 13:08:45 -0800 (PST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Guy Helmer" at Feb 16, 96 09:15:53 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

Guy Helmer wrote:
>
> Does anyone know the named version details surrounding the named problem
> that CERT just reported? I just don't know which version tries to close
> up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?

recent cert advisory regarding BIND-4.9.3 the problem was buffer overflow hitting the stack during a recvfrom system call.
the patch is available from paul vixie
it's called Patch1 don't have the exact reference here

the patch changed a total of two calls to recvfrom()

jmb

From owner-freebsd-security Fri Feb 16 16:35:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA19722 for security-outgoing; Fri, 16 Feb 1996 16:35:01 -0800 (PST)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA19708 for ; Fri, 16 Feb 1996 16:34:59 -0800 (PST)
Received: from localhost.shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.3/8.7.3) with SMTP id QAA17499; Fri, 16 Feb 1996 16:33:49 -0800 (PST)
Message-Id: <199602170033.QAA17499@precipice.shockwave.com>
To: "Jonathan M. Bresler"
cc: ghelmer@alpha.dsu.edu (Guy Helmer), freebsd-security@freebsd.org
Subject: Re: named update
In-reply-to: Your message of "Fri, 16 Feb 1996 13:08:45 PST." <199602162108.NAA06101@freefall.freebsd.org>
Date: Fri, 16 Feb 1996 16:33:48 -0800
From: Paul Traina
Sender: owner-security@freebsd.org
Precedence: bulk

damn, in that case, we're vulnerable too. :-(

From: "Jonathan M. Bresler"
Subject: Re: named update

Guy Helmer wrote:
>
> Does anyone know the named version details surrounding the named problem
> that CERT just reported? I just don't know which version tries to close
> up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?

recent cert advisory regarding BIND-4.9.3 the problem was buffer overflow hitting the stack during a recvfrom system call.
the patch is available from paul vixie
it's called Patch1 don't have the exact reference here

the patch changed a total of two calls to recvfrom()

jmb

From owner-freebsd-security Sat Feb 17 01:02:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA01540 for security-outgoing; Sat, 17 Feb 1996 01:02:09 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id BAA01535 for ; Sat, 17 Feb 1996 01:02:04 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id TAA01376; Sat, 17 Feb 1996 19:35:57 +1030
From: Michael Smith
Message-Id: <199602170905.TAA01376@genesis.atrad.adelaide.edu.au>
Subject: Re: named update
To: ghelmer@alpha.dsu.edu (Guy Helmer)
Date: Sat, 17 Feb 1996 19:35:56 +1030 (CST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: from "Guy Helmer" at Feb 16, 96 09:15:53 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
Precedence: bulk

Guy Helmer stands accused of saying:
>
> Does anyone know the named version details surrounding the named problem
> that CERT just reported? I just don't know which version tries to close
> up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?

Is this the one involving a syslog() buffer overrun? (The one that allegedly bit a pile of linux-using ISP's in WA recently 8)

AFAIK, FreeBSD 2.1 and later is not vulnerable to any syslog-overflow exploit.

> Guy Helmer, Dakota State University Computing Services - ghelmer@alpha.dsu.edu

--
]] Mike Smith, Software Engineer         msmith@atrad.adelaide.edu.au   [[
]] Genesis Software                      genesis@atrad.adelaide.edu.au  [[
]] High-speed data acquisition and       (GSM mobile) 0411-222-496      [[
]] realtime instrument control           (ph/fax) +61-8-267-3039        [[
]] Collector of old Unix hardware.       "I seek PEZ!"
- The Tick [[

From owner-freebsd-security Sat Feb 17 10:03:39 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA20859 for security-outgoing; Sat, 17 Feb 1996 10:03:39 -0800 (PST)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA20853 for ; Sat, 17 Feb 1996 10:03:36 -0800 (PST)
Received: by haven.uniserve.com id <30809-24131>; Sat, 17 Feb 1996 10:06:07 -0800
Date: Sat, 17 Feb 1996 10:05:57 -0800 (PST)
From: Tom Samplonius
To: "Jonathan M. Bresler"
cc: Guy Helmer , freebsd-security@freebsd.org
Subject: Re: named update
In-Reply-To: <199602162108.NAA06101@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Fri, 16 Feb 1996, Jonathan M. Bresler wrote:
> Guy Helmer wrote:
> >
> > Does anyone know the named version details surrounding the named problem
> > that CERT just reported? I just don't know which version tries to close
> > up the hole. Is named in 2.0.5 and 2.1.0 a vulnerable version?
>
> recent cert advisory regarding BIND-4.9.3 the problem
> was buffer overflow hitting the stack during a recvfrom system call.
>
> the patch is available from paul vixie
> it's called Patch1 don't have the exact reference here
>
> the patch changed a total of two calls to recvfrom()
>
> jmb

patch1 prevents named from dumping core when receiving hesiod queries from Ultrix machines. It does not directly correspond to this CERT alert. This core dumping problem appears to affect all 4.9.3 betas too.

The problem alerted to by CERT can allow outside attackers to introduce bad info into the named cache, affecting the security of host based authentication. It is unclear exactly what versions are affected, but 4.9.3P1 is not.
Tom

From owner-freebsd-security Sat Feb 17 14:08:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA01970 for security-outgoing; Sat, 17 Feb 1996 14:08:21 -0800 (PST)
Received: from umbc7.umbc.edu (pauld@f-umbc7.umbc.edu [130.85.3.7]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA01961 for ; Sat, 17 Feb 1996 14:08:09 -0800 (PST)
Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id RAA19739; Sat, 17 Feb 1996 17:08:08 -0500
Date: Sat, 17 Feb 1996 17:08:08 -0500 (EST)
From: Paul Danckaert
To: freebsd-security@FreeBSD.org
Subject: Kerberos Insecurities (COAST Announcement)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
Precedence: bulk

Does anybody know if this affects the ebones-based kerberos package? If so, is there any info on a bug-fix?

Thanks,
paul

---
From: COAST
To: COAST Watch
Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST)

We were going to announce this later, but events have changed that. Please don't contact us asking for the gory details -- we'll be releasing a paper on this after MIT and the vendors publish their fix(es).

--spaf

-----BEGIN PGP SIGNED MESSAGE-----

Personnel at the COAST Laboratory (Computer Operations, Audit, and Security Technology) at Purdue University have discovered some unexpected weaknesses in the Kerberos security system.

Graduate students Steve Lodin and Bryn Dole, working with Professor Eugene Spafford, have discovered a method whereby someone without privileged access to most implementations of a Kerberos 4 server can nonetheless break secret session keys issued to users. This means that it is possible to gain unauthorized access to distributed services available to a user without knowing that user's password. This method has been demonstrated to work in under 5 minutes, on average, using a typical workstation, and sometimes as quickly as 12 seconds.
The Kerberos system was developed at MIT in the mid-1980s, and has been widely adopted for security in distributed systems worldwide. Kerberos is most often used on UNIX platforms by various vendors, and is often enhanced, sold and supported by 3rd-party vendors for use in academic, government, and commercial environments.

The same researchers at COAST have also found a small, theoretical weakness in Kerberos version 5 that would allow similar access, given some additional information and considerable preliminary computation. Kerberos version 5 does not exhibit the same weakness as described above for Kerberos version 4.

The researchers at COAST had intended to release the specific details of the problem to affected vendors and incident response teams during the week of February 19, prior to making a public announcement of their findings. However, as rumors have begun to circulate and several representatives of the news media have apparently received indication of the problem, we are releasing this preliminary announcement at this time.

Government and industry sponsors of the COAST Laboratory were made aware of the preliminary details of these findings in January (full sponsors receive early notification of significant discoveries as a result of COAST research). Other affiliates of COAST as well as the world-wide network of FIRST computer incident response teams were made aware of the general nature of the findings during the week of February 5. The original plan at COAST was to release specific details only to FIRST (Forum of Incident Response and Security Teams) teams and to MIT prior to announcement by affected vendors of a fix for these weaknesses.
The flaw in Kerberos version 4 is significant enough that disclosure of its details prior to a fix would allow someone with moderate programming skills to exploit it; there is currently no reason to believe that others know the details of the flaw and are exploiting it, so there is no immediate danger to the public that would warrant release of the details at this time.

COAST personnel have been informed that MIT has already developed a fix for the flaw in version 4 Kerberos and is preparing it for release. Additionally, COAST researchers are cooperating with MIT personnel to identify what (if any) fixes are necessary for version 5 Kerberos. Users of either version of Kerberos should contact their vendors for details of any fixes that may be made available; vendors of products incorporating Kerberos should contact MIT directly for details of the problems and fixes.

COAST is a research group of faculty and students dedicated to research into information security and computer crime investigation, and education in computer and network security. It is the largest such university-based group in the United States.
Information on COAST may be found on the WWW at http://www.cs.purdue.edu/coast
Information on FIRST teams may be found on the WWW at http://www.first.org
Information on MIT's Kerberos may be found on the WWW at ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc
-----END PGP SIGNATURE-----

------- End of Forwarded Message

From owner-freebsd-security Sat Feb 17 16:50:05 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA08081 for security-outgoing; Sat, 17 Feb 1996 16:50:05 -0800 (PST)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA08075 for freebsd-security; Sat, 17 Feb 1996 16:50:03 -0800 (PST)
From: "Jonathan M. Bresler"
Message-Id: <199602180050.QAA08075@freefall.freebsd.org>
Subject: Kerberos vulnerability.
To: freebsd-security
Date: Sat, 17 Feb 1996 16:50:03 -0800 (PST)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

COAST wrote:

>From spaf@cs.purdue.edu Sat Feb 17 01:37:05 1996
Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST)
Message-Id: <199602170109.UAA24770@uther.cs.purdue.edu>
From: COAST
To: COAST Watch
Subject: We've been busy here....
Errors-to: coast-request@cs.purdue.edu

We were going to announce this later, but events have changed that. Please don't contact us asking for the gory details -- we'll be releasing a paper on this after MIT and the vendors publish their fix(es).
--spaf
--
Jonathan M. Bresler
FreeBSD Postmaster
jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included. http://www.freebsd.org/

From owner-freebsd-security Sat Feb 17 23:12:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA29257 for security-outgoing; Sat, 17 Feb 1996 23:12:42 -0800 (PST)
Received: from jhome.DIALix.COM (root@jhome.DIALix.COM [192.203.228.69]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id XAA29248 for ; Sat, 17 Feb 1996 23:12:20 -0800 (PST)
Received: from localhost.DIALix.oz.au (peter@localhost.DIALix.oz.au [127.0.0.1]) by jhome.DIALix.COM (8.7.3/8.7.3) with SMTP id PAA00618 for ; Sun, 18 Feb 1996 15:12:10 +0800 (WST)
Message-Id: <199602180712.PAA00618@jhome.DIALix.COM>
X-Authentication-Warning: jhome.DIALix.COM: Host peter@localhost.DIALix.oz.au [127.0.0.1] didn't use HELO protocol
To: security@freebsd.org
Subject: kerberos4/eBones security hole...
Date: Sun, 18 Feb 1996 15:12:10 +0800
From: Peter Wemm
Sender: owner-security@freebsd.org
Precedence: bulk

Anybody want to bet on whether this is another random-number-that's-not-quite-so-random problem?
-Peter

------- Forwarded Message

Date: Sat, 17 Feb 1996 19:11:38 -0500
Message-Id: <199602180011.TAA22715@amsterdam.lcs.mit.edu>
From: David Mazieres
To: ssh@clinet.fi
Subject: [JUNK] kerberos security hole

Given all the ranting and raving about kerberos on this list, I thought I'd forward this. Ssh relevance: use ssh, not kerberos :-).

David

-------- Start of forwarded message -------
From: COAST
To: COAST Watch
Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST)

We were going to announce this later, but events have changed that. Please don't contact us asking for the gory details -- we'll be releasing a paper on this after MIT and the vendors publish their fix(es).

---spaf
-------- End of forwarded message -------

------- End of Forwarded Message

From owner-freebsd-security Sat Feb 17 23:23:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA29691 for security-outgoing; Sat, 17 Feb 1996 23:23:00 -0800 (PST)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id XAA29682 for ; Sat, 17 Feb 1996 23:22:54 -0800 (PST)
Received: from grumble.grondar.za (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.3/8.7.3) with ESMTP id JAA16952; Sun, 18 Feb 1996 09:22:28 +0200 (SAT)
Message-Id: <199602180722.JAA16952@grumble.grondar.za>
To: Paul Danckaert
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos Insecurities (COAST Announcement)
Date: Sun, 18 Feb 1996 09:22:28 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Paul Danckaert wrote:
>
> Does anybody know if this affects the ebones-based kerberos package? If
> so, is there any info on a bug-fix?

Too early to tell. We are eagerly awaiting the follow-up.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
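Looking back at the named thread above, the recvfrom() overflow jmb describes is the class of bug where a fixed stack buffer is handed to the kernel with a length that does not match it. The following is an added example, not BIND's code or the Patch1 change: a bounded datagram reader that always passes the buffer's real size and uses recvmsg()'s MSG_TRUNC flag to notice and discard oversized datagrams, demonstrated over a constructed AF_UNIX socketpair with a 512-byte buffer (the classic DNS UDP payload limit) and a 600-byte datagram.

```c
/* Added example, not BIND code: a bounded datagram read in the defensive
 * shape that avoids the recvfrom()-into-fixed-buffer overflow discussed in
 * the named thread. Buffer size, socketpair and oversized payload are
 * constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PACKETSZ 512            /* classic DNS UDP payload limit */

enum { RD_ERROR = -1, RD_OK = 0, RD_TRUNCATED = 1 };

/* Read one datagram into buf. The length handed to the kernel is always the
 * real capacity of buf, so nothing can be written past it; if the datagram
 * was larger, the kernel sets MSG_TRUNC and we report it so the caller
 * drops the clipped message instead of parsing it. */
int recv_bounded(int fd, char *buf, size_t buflen, size_t *got)
{
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct sockaddr_storage from;
    struct msghdr mh;
    ssize_t n;

    memset(&mh, 0, sizeof mh);
    mh.msg_name = &from;
    mh.msg_namelen = sizeof from;
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;

    n = recvmsg(fd, &mh, 0);
    if (n < 0)
        return RD_ERROR;
    *got = (size_t)n;
    return (mh.msg_flags & MSG_TRUNC) ? RD_TRUNCATED : RD_OK;
}

/* Send a datagram larger than PACKETSZ over a local socketpair and read it
 * into a PACKETSZ buffer followed by a canary. Returns 1 when the read is
 * reported truncated, exactly PACKETSZ bytes arrive, and the canary is
 * intact (nothing written beyond the buffer); 0 otherwise. */
int demo_oversized_datagram(void)
{
    int sv[2];
    char payload[PACKETSZ + 88];        /* 600 bytes, deliberately too big */
    struct {
        char buf[PACKETSZ];
        char canary[8];
    } frame;
    size_t got = 0;
    int rc, ok;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return 0;
    memset(payload, 'A', sizeof payload);
    memset(frame.canary, 0x5a, sizeof frame.canary);
    ok = send(sv[0], payload, sizeof payload, 0) == (ssize_t)sizeof payload;
    if (ok) {
        rc = recv_bounded(sv[1], frame.buf, sizeof frame.buf, &got);
        ok = rc == RD_TRUNCATED && got == PACKETSZ;
        for (size_t i = 0; i < sizeof frame.canary; i++)
            if (frame.canary[i] != 0x5a)
                ok = 0;             /* kernel wrote past buf: never expected */
    }
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("oversized datagram contained safely: %s\n",
           demo_oversized_datagram() ? "yes" : "no");
    return 0;
}
```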