From owner-freebsd-security@FreeBSD.ORG Tue Aug 17 08:25:19 2004
From: Alex Huth
To: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 10:25:29 +0200
Message-Id: <200408171025.29787.maillist@pinguintown.de>
Subject: pp_nat & port_forwarding
List-Id: Security issues [members-only posting]

Hi guys!

I'm doing dialup-firewalling with ppp_nat. I know the solutions to do redirect with natd in the nat.conf. Is there a possibility to do it with ppp_nat?

Greetings
Alex Huth

From owner-freebsd-security@FreeBSD.ORG Tue Aug 17 18:47:35 2004
From: "Jacques A. Vidrine"
To: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 13:47:25 -0500
Message-ID: <20040817184725.GE46244@madman.celabo.org>
Subject: remotely exploitable vulnerability in lukemftpd / tnftpd

Hi Everyone,

http://vuxml.freebsd.org/c4b025bb-f05d-11d8-9837-000c41e2cdad.html

A critical vulnerability was found in lukemftpd, which shipped with some FreeBSD versions (4.7 and later). However, with the exception of FreeBSD 4.7, lukemftpd was not built and installed by default.
So, unless you are running FreeBSD 4.7-RELEASE or specified WANT_LUKEMFTP when building FreeBSD from source, you should not have lukemftpd installed. Even in FreeBSD 4.7, lukemftpd was installed but not enabled.

More details will be available in a FreeBSD advisory to follow.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Tue Aug 17 21:14:23 2004
From: Chuck Swiger
To: "Jacques A. Vidrine"
cc: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 17:14:16 -0400
Message-ID: <41227528.10001@mac.com>
In-Reply-To: <20040817184725.GE46244@madman.celabo.org>
References: <20040817184725.GE46244@madman.celabo.org>
Subject: Re: remotely exploitable vulnerability in lukemftpd / tnftpd

Jacques A. Vidrine wrote:
[ ... ]
> Even in FreeBSD 4.7, lukemftpd was installed but not enabled.
>
> More details will be available in a FreeBSD advisory to follow.

Hi, Jacques--

Is this related to NetBSD Security Advisory 2004-009, at:
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc?

More importantly, is FreeBSD's stock ftpd also affected, or just lukemftpd?
-- 
-Chuck

From owner-freebsd-security@FreeBSD.ORG Tue Aug 17 21:16:48 2004
From: "Jacques A. Vidrine"
To: Chuck Swiger
cc: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 16:16:27 -0500
Message-ID: <20040817211627.GA47375@madman.celabo.org>
In-Reply-To: <41227528.10001@mac.com>
References: <20040817184725.GE46244@madman.celabo.org> <41227528.10001@mac.com>
Subject: Re: remotely exploitable vulnerability in lukemftpd / tnftpd

On Tue, Aug 17, 2004 at 05:14:16PM -0400, Chuck Swiger wrote:
> Jacques A. Vidrine wrote:
> [ ... ]
> > Even in FreeBSD 4.7, lukemftpd was installed but not enabled.
> >
> > More details will be available in a FreeBSD advisory to follow.
>
> Hi, Jacques--
>
> Is this related to NetBSD Security Advisory 2004-009, at:
> ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc?

Yes, same issue.

> More importantly, is FreeBSD's stock ftpd also affected, or just lukemftpd?

Just lukemftpd. Przemyslaw's advisory has more details.

http://lists.netsys.com/pipermail/full-disclosure/2004-August/025418.html

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 04:01:32 2004
From: Justin
To: freebsd-security@freebsd.org
Date: Tue, 17 Aug 2004 23:01:28 -0500
Message-Id: <200408172301.28844.freebsd@alt-network.com>
In-Reply-To: <411CCAAE.7020505@beco.hu>
References: <411CCAAE.7020505@beco.hu>
Subject: Re: sequences in the auth.log

I'm seeing the same thing in my log. It makes me think it is a virus because test, guest, and admin are not normal unix users.
Jul 17 04:14:13 newman sshd[2630]: Illegal user test from 129.194.21.5
Jul 17 04:14:14 newman sshd[2632]: Illegal user guest from 129.194.21.5
Jul 24 19:29:26 newman sshd[43831]: Illegal user test from 69.0.134.72
Jul 24 19:29:26 newman sshd[43838]: Illegal user guest from 69.0.134.72
Jul 24 19:29:27 newman sshd[43840]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43842]: Illegal user admin from 69.0.134.72
Jul 24 19:29:27 newman sshd[43844]: Illegal user user from 69.0.134.72
Jul 24 19:29:33 newman sshd[43853]: Illegal user test from 69.0.134.72
Jul 24 21:17:05 newman sshd[45031]: Illegal user test from 202.6.75.195
Jul 24 21:17:07 newman sshd[45033]: Illegal user guest from 202.6.75.195
Jul 25 02:04:17 newman sshd[34873]: Illegal user test from 211.202.3.148
Jul 25 02:04:19 newman sshd[34875]: Illegal user guest from 211.202.3.148
Jul 28 12:09:17 newman sshd[16613]: Illegal user test from 65.61.98.16
Jul 28 12:09:18 newman sshd[16615]: Illegal user guest from 65.61.98.16
Jul 31 08:18:09 newman sshd[98113]: Illegal user test from 65.194.200.129
Jul 31 08:18:10 newman sshd[98116]: Illegal user guest from 65.194.200.129
Aug 1 22:47:50 newman sshd[1520]: Illegal user test from 202.114.73.4
Aug 1 22:47:53 newman sshd[1522]: Illegal user guest from 202.114.73.4
Aug 4 21:09:11 newman sshd[39267]: Illegal user test from 218.38.216.168
Aug 4 21:09:13 newman sshd[39269]: Illegal user guest from 218.38.216.168
Aug 7 13:53:00 newman sshd[15889]: Illegal user test from 64.246.20.43
Aug 7 13:53:00 newman sshd[15891]: Illegal user guest from 64.246.20.43
Aug 7 13:53:01 newman sshd[15893]: Illegal user admin from 64.246.20.43
Aug 7 14:00:37 newman sshd[15970]: Illegal user test from 64.246.20.43
Aug 7 14:00:38 newman sshd[15972]: Illegal user guest from 64.246.20.43
Aug 7 14:00:39 newman sshd[15974]: Illegal user admin from 64.246.20.43
Aug 7 14:00:40 newman sshd[15976]: Illegal user admin from 64.246.20.43
Aug 7 14:00:41 newman sshd[15978]: Illegal user user from 64.246.20.43
Aug 7 14:00:44 newman sshd[15986]: Illegal user test from 64.246.20.43
Aug 8 06:48:05 newman sshd[51656]: Illegal user test from 64.151.89.172
Aug 8 06:48:06 newman sshd[51658]: Illegal user guest from 64.151.89.172
Aug 8 06:48:07 newman sshd[51660]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51662]: Illegal user admin from 64.151.89.172
Aug 8 06:48:08 newman sshd[51664]: Illegal user user from 64.151.89.172
Aug 8 06:48:12 newman sshd[51672]: Illegal user test from 64.151.89.172
Aug 9 09:33:57 newman sshd[9346]: Illegal user test from 211.241.101.137
Aug 9 09:33:59 newman sshd[9348]: Illegal user guest from 211.241.101.137
Aug 9 09:34:01 newman sshd[9350]: Illegal user admin from 211.241.101.137
Aug 9 09:34:03 newman sshd[9352]: Illegal user admin from 211.241.101.137
Aug 9 09:34:04 newman sshd[9354]: Illegal user user from 211.241.101.137
Aug 9 09:34:13 newman sshd[9362]: Illegal user test from 211.241.101.137
Aug 9 15:54:37 newman sshd[11782]: Illegal user test from 80.64.104.66
Aug 9 15:54:39 newman sshd[11784]: Illegal user guest from 80.64.104.66
Aug 9 15:54:41 newman sshd[11786]: Illegal user admin from 80.64.104.66
Aug 9 15:54:43 newman sshd[11788]: Illegal user admin from 80.64.104.66
Aug 9 15:54:44 newman sshd[11790]: Illegal user user from 80.64.104.66
Aug 9 15:54:51 newman sshd[11798]: Illegal user test from 80.64.104.66
Aug 10 12:24:14 newman sshd[1392]: Illegal user test from 200.155.22.22
Aug 10 12:32:33 newman sshd[11361]: Illegal user test from 200.155.22.22
Aug 10 12:32:35 newman sshd[11364]: Illegal user guest from 200.155.22.22
Aug 10 12:32:37 newman sshd[11370]: Illegal user admin from 200.155.22.22
Aug 10 12:32:40 newman sshd[11372]: Illegal user admin from 200.155.22.22
Aug 10 12:32:42 newman sshd[11375]: Illegal user user from 200.155.22.22
Aug 10 12:32:51 newman sshd[11399]: Illegal user test from 200.155.22.22
Aug 10 20:22:59 newman sshd[1808]: Illegal user test from 63.251.144.88
Aug 16 04:41:53 newman sshd[31175]: Illegal user test from 210.223.178.180
Aug 16 04:41:54 newman sshd[31177]: Illegal user guest from 210.223.178.180
Aug 16 04:41:56 newman sshd[31179]: Illegal user admin from 210.223.178.180
Aug 16 04:41:58 newman sshd[31181]: Illegal user admin from 210.223.178.180
Aug 16 04:42:00 newman sshd[31183]: Illegal user user from 210.223.178.180
Aug 16 04:42:08 newman sshd[31191]: Illegal user test from 210.223.178.180
Aug 17 01:28:42 newman sshd[1507]: Illegal user test from 64.62.182.146
Aug 17 01:28:42 newman sshd[1509]: Illegal user guest from 64.62.182.146
Aug 17 01:28:43 newman sshd[1511]: Illegal user admin from 64.62.182.146
Aug 17 01:28:44 newman sshd[1513]: Illegal user admin from 64.62.182.146
Aug 17 01:28:45 newman sshd[1515]: Illegal user user from 64.62.182.146
Aug 17 01:28:48 newman sshd[1523]: Illegal user test from 64.62.182.146

On Friday 13 August 2004 09:05 am, Sandor Berta wrote:
> Hi all,
> I found similar sequences in the
> /var/auth.log files of the FreeBSD boxes I supervise:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 04:39:30 2004
From: Allen/Gore/SlackWareWolf
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 00:42:13 -0400
Message-ID: <4122DE25.50203@comcast.net>
In-Reply-To: <200408172301.28844.freebsd@alt-network.com>
References: <411CCAAE.7020505@beco.hu> <200408172301.28844.freebsd@alt-network.com>
Subject: Re: sequences in the auth.log

Same thing happened to a Linux box at my cousin's house. Apparently it's a worm or something that scans boxes looking for a way in.

Justin wrote:
> I'm seeing the same thing in my log. It makes me think it is a virus because
> test, guest, and admin are not normal unix users.
[ ... ]
> On Friday 13 August 2004 09:05 am, Sandor Berta wrote:
> > Hi all,
> > I found similar sequences in the
> > /var/auth.log files of the FreeBSD boxes I supervise:
[ ... ]
> > What are these?
> >
> > bye
> > Sandor Berta

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 09:54:45 2004
From: Nikolay Pavlov
To: Justin
cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 12:54:21 +0300
Message-ID: <20040818095421.GA207@roks.biz>
In-Reply-To: <200408172301.28844.freebsd@alt-network.com>
References: <411CCAAE.7020505@beco.hu> <200408172301.28844.freebsd@alt-network.com>
Subject: Re: sequences in the auth.log

Hi, Justin

On Tuesday, 17 August 2004 at 23:01:28 -0500, Justin wrote:
> I'm seeing the same thing in my log. It makes me think it is a virus because
> test, guest, and admin are not normal unix users.

Me too. But I think this is some kind of Linux worm.
The first record in my auth.log is dated Jul 23 01:48:30.
Nmap identifies all hosts (already more than ten) in my auth.log as
"Linux 2.4.0 - 2.5.20, Linux 2.4.20 (Itanium), Linux 2.4.20 - 2.4.22 w/grsecurity.org patch"

Best regards,
Nikolay Pavlov.

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 09:57:04 2004
From: "Devon H. O'Dell"
To: Nikolay Pavlov, Justin, freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 11:56:49 +0200
Message-ID: <20040818095649.GA834@sitetronics.com>
In-Reply-To: <20040818095421.GA207@roks.biz>
References: <411CCAAE.7020505@beco.hu> <200408172301.28844.freebsd@alt-network.com> <20040818095421.GA207@roks.biz>
Subject: Re: sequences in the auth.log

Nikolay Pavlov scribbled:
> Hi, Justin
>
> On Tuesday, 17 August 2004 at 23:01:28 -0500, Justin wrote:
> > I'm seeing the same thing in my log. It makes me think it is a virus because
> > test, guest, and admin are not normal unix users.
>
> Me too. But I think this is some kind of Linux worm.
> The first record in my auth.log is dated Jul 23 01:48:30.
> Nmap identifies all hosts (already more than ten) in my auth.log as
> "Linux 2.4.0 - 2.5.20, Linux 2.4.20 (Itanium), Linux 2.4.20 - 2.4.22 w/grsecurity.org patch"
>
> Best regards,
> Nikolay Pavlov.

This has recently and fully been discussed on the full-disclosure mailing list.

-- 
Kind regards,
Devon H. O'Dell | dodell@sitetronics.com
Key: 4D3D8CA7 | IRC: bofh@WhatNET thebofh@efnet

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 12:20:20 2004
From: probsd org
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 05:11:02 -0700 (PDT)
Message-ID: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
Subject: chfn, date, chsh INFECTED according to chkrootkit

I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and noticed that chfn, date, and chsh showed as being infected. I remember reading posts from the past that right now chkrootkit is giving a lot of false positives, so I suspected that these 3 binaries are not bad.

However, to be on the safe side, I deleted the 3 binaries, removed /usr/src and did a 'make world' to 4.10-STABLE.

But, chfn, chsh, and date are still showing as infected.
Is my assumption that I am seeing a false positive correct, or anyone know of an exploit that would affect these 3 binaries ( and even after a 'make world' from clean src )? Michael __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! http://promotions.yahoo.com/new_mail From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 14:25:06 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB86516A4CE for ; Wed, 18 Aug 2004 14:25:06 +0000 (GMT) Received: from smtp.mi.is (smtp.mi.is [217.151.180.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B4F143D39 for ; Wed, 18 Aug 2004 14:25:05 +0000 (GMT) (envelope-from thib@mi.is) Received: from caulfield (bofh.bitcode.org [217.151.165.254]) by smtp.mi.is (8.12.10/8.12.10/1.0.1) with SMTP id i7IEP4iv015235 for ; Wed, 18 Aug 2004 14:25:04 GMT Date: Wed, 18 Aug 2004 14:25:11 +0000 From: "Thordur Ivar B." To: freebsd-security@freebsd.org Message-Id: <20040818142511.390043af.thib@mi.is> In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com> References: <20040818121102.95460.qmail@web52402.mail.yahoo.com> Organization: n/a X-Mailer: Sylpheed version 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: chfn, date, chsh INFECTED according to chkrootkit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 14:25:06 -0000 On Wed, 18 Aug 2004 05:11:02 -0700 (PDT) probsd org wrote: > I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and > noticed that chfn, date, and chsh showed as being > infected. 
I remember reading post from the past that > right now chkrootkit is giving alot of false > positives, so I suspected that these 3 binaries are > not bad. > > However, to be on the safe side, I deleted the 3 > binaries, removed /usr/src and did a 'make world' to > 4.10-STABLE. > > But, chfn, cfsh, and date are stilling showing as > infected. > > Is my assumption that I am seeing a false positive > correct, or anyone know of an exploit that would > affect these 3 binaries ( and even after a 'make > world' from clean src )? > > Michael > These are false positives. I had this showing on a box of mine (chkrootkit-0.43). And What I did was remove the binarys and resync'ed my source and did a new build. But still, you can only be sure if you trust you CVS checkout. I have found it rather annyoing not have'ing checksums of each and every file in /usr/src. And having a "secure" (man-in-the-middle attack, etc comes in mind) way of optaining the checksum file.( A good shell script could verify the checkout and you could sleep easy ;) Do correct me about the checksums if I'm wrong. -- As far as the laws of mathematics refer to reality, they are not certain, and as far as they are certain, they do not refer to reality. 
-- Albert Einstein From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 14:45:36 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0567616A4CE for ; Wed, 18 Aug 2004 14:45:36 +0000 (GMT) Received: from web52402.mail.yahoo.com (web52402.mail.yahoo.com [206.190.39.110]) by mx1.FreeBSD.org (Postfix) with SMTP id 7CACD43D5A for ; Wed, 18 Aug 2004 14:45:35 +0000 (GMT) (envelope-from probsdorg@yahoo.com) Message-ID: <20040818144058.79805.qmail@web52402.mail.yahoo.com> Received: from [205.240.33.55] by web52402.mail.yahoo.com via HTTP; Wed, 18 Aug 2004 07:40:58 PDT Date: Wed, 18 Aug 2004 07:40:58 -0700 (PDT) From: probsd org To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Content-Filtered-By: Mailman/MimeDel 2.1.1 cc: thib@mi.is Subject: X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 14:45:36 -0000 > These are false positives. I had this showing on a box of mine > (chkrootkit-0.43). And What I did was remove the binarys and resync'ed my > source > and did a new build. Yea, this is basically what I did. re'synched my sources, pulled the ethernet cable, made world, and it's still showing that. I'm pretty sure this is a false positive, but just wanted to touch base with the list. Maybe later I will cvsup the latest source on a spare machine that has not been on the net and diff the src'es to make sure. Thanks group. Michael --------------------------------- Do you Yahoo!? Yahoo! Mail - 50x more storage than other providers! 
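One way to do what Michael describes, comparing a freshly fetched tree against a copy taken on a machine you trust, as an added example that is not part of the thread and not FreeBSD's own tooling: a POSIX shell script that records a SHA-256 manifest of a source tree and later reports every modified, added or removed file. The function names, the /usr/src and /mnt/floppy paths in the usage comment, and the choice of hashing tool (whichever of sha256(1), sha256sum(1) or openssl(1) is installed) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: record a SHA-256 manifest of a
# source tree on a host you trust, then check another copy of the tree
# against it. Function names and paths are assumptions for the example.

# hash_file FILE -> hex SHA-256 of FILE on stdout.
# FreeBSD ships sha256(1); Linux ships sha256sum(1); openssl(1) is the fallback.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR -> one line per regular file under DIR on stdout:
#   <sha256><two spaces><path relative to DIR>
# Sorted with LC_ALL=C so two manifests of identical trees are identical.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$1/$f")" "$f"
    done
}

# verify_manifest MANIFEST DIR
# Prints one "MODIFIED path", "ADDED path" or "REMOVED path" line per
# difference. Returns 0 when DIR matches MANIFEST exactly, 1 otherwise.
verify_manifest() {
    manifest=$1
    dir=$2
    current=$(mktemp) || return 2
    make_manifest "$dir" > "$current"
    # Two-pass awk: load the expected hashes from the manifest, then compare
    # the freshly computed manifest against them. Fields are split on the
    # double space so paths containing single spaces survive.
    report=$(awk -F'  ' '
        FILENAME == ARGV[1] { expected[$2] = $1; next }
        {
            if (!($2 in expected))       print "ADDED " $2
            else if (expected[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in expected) if (!(p in seen)) print "REMOVED " p }
    ' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical use (assumed paths): take the manifest while the tree is known
# good, keep it off the host, and verify after each cvsup:
#   make_manifest /usr/src > /mnt/floppy/src.sha256
#   verify_manifest /mnt/floppy/src.sha256 /usr/src
```

The manifest is only as good as the copy it was taken from and the place it is kept: store it on media the host cannot rewrite, and remember that a clean match says the files are what they were when the manifest was made, not that the compiler and tools used to build them are honest.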
From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 14:49:56 2004
From: Nicolas Rachinsky <nicolas@i.0x5.de>
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 16:49:49 +0200
Message-ID: <20040818144948.GA55534@pc5.i.0x5.de>
In-Reply-To: <20040818142511.390043af.thib@mi.is>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

* "Thordur Ivar B." [2004-08-18 14:25 +0000]:
> But still, you can only be sure if you trust your CVS checkout.

And your compiler and other tools used to build everything.

http://www.acm.org/classics/sep95/

Nicolas

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 14:54:14 2004
From: Giorgos Keramidas <keramida@linux.gr>
To: "Thordur Ivar B."
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 17:54:00 +0300
Message-ID: <20040818145400.GF7263@orion.daedalusnetworks.priv>
In-Reply-To: <20040818142511.390043af.thib@mi.is>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

On 2004-08-18 14:25, "Thordur Ivar B." wrote:
> But still, you can only be sure if you trust your CVS checkout.
> I have found it rather annoying not having checksums of each and
> every file in /usr/src, and having a "secure" (man-in-the-middle
> attack, etc. comes to mind) way of obtaining the checksum file. (A good
> shell script could verify the checkout and you could sleep easy ;)
>
> Do correct me about the checksums if I'm wrong.

Would something like this work for you?

    # mount /mnt/floppy
    # mtree -c -K cksum,flags -p . | \
        bzip2 -9c - > /mnt/floppy/src.dist.bz2
    # umount /mnt/floppy

Then you can mount the floppy disk and check the /usr/src tree against the checksums saved by mtree with:

    # mount /mnt/floppy
    # bunzip2 -cd /mnt/floppy/src.dist.bz2 | \
        mtree -u -f -
    # umount /mnt/floppy

Any differences of the files since your last CVSup should be easy to catch with this little trick.

I've just tested this on my -CURRENT installation and the bzip2'd spec file generated by the first mtree invocation is a little less than 600 KB for /usr/src. It fits nicely on a single floppy disk :-)

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 15:56:52 2004
From: Tommy K
To: probsd org
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 17:56:59 +0200
Message-ID: <20040818155659.GE8241@berlin.homeunix.com>
In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

Hello,

I have written the author of chkrootkit this mail.

Tommy

On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit
>

Yes, you're right. I will fix it in the next version.

Thanks a lot for your bug report and interest in chkrootkit,

./nelson -murilo

> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
>
>
> Hopefully it could help you!
>
> Regards Tommy
>
> --
> Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
> http://www.dasburo.com | http://tom.dasburo.com
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
>
> Thomas Kamann | Auszubildener - Anwendungsentwicklung

On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit (v. chkrootkit-0.43) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading a post from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
>
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>
> But, chfn, chsh, and date are still showing as
> infected.
>
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries (and even after a 'make
> world' from clean src)?
>
> Michael

--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5

Thomas Kamann | Auszubildener - Anwendungsentwicklung

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 16:23:49 2004
From: "Thordur Ivar B." <thib@mi.is>
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 16:23:55 +0000
Message-Id: <20040818162355.08596948.thib@mi.is>
In-Reply-To: <20040818144948.GA55534@pc5.i.0x5.de>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

On Wed, 18 Aug 2004 16:49:49 +0200 Nicolas Rachinsky wrote:
> * "Thordur Ivar B." [2004-08-18 14:25 +0000]:
> > But still, you can only be sure if you trust your CVS checkout.
>
> And your compiler and other tools used to build everything.
>
> http://www.acm.org/classics/sep95/
>
> Nicolas

Yes, of course you will need to trust your own toolchain and compiler. (I keep "trusted" binaries on CD to use in cases like this, and for post-mortem inspection.)

--
Kv, thib[att]mi{dot}is

A man can do as he will, but not will as he will.
-- Arthur Schopenhauer

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 16:41:44 2004
From: Matt Piechota <piechota@argolis.org>
To: "Thordur Ivar B."
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 12:41:42 -0400 (EDT)
Message-ID: <20040818123706.T887@acropolis.argolis.org>
In-Reply-To: <20040818162355.08596948.thib@mi.is>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

On Wed, 18 Aug 2004, Thordur Ivar B.
wrote:
> Yes, of course you will need to trust your own toolchain and compiler. (I keep
> "trusted" binaries on CD to use in cases like this, and for post-mortem
> inspection.)

I'm curious, where do the "trusted" binaries come from? In theory, the FreeBSD build machine could have been hacked a long time ago and the hack keeps propagating.

--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 17:24:28 2004
From: David Wolfskill <david@catwhisker.org>
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 10:24:27 -0700 (PDT)
Message-Id: <200408181724.i7IHORYl013375@bunrab.catwhisker.org>
Subject: Report of collision-generation with MD5

Just got a pointer to this via ACM "TechNews Alert" for today:

http://www.acm.org/technews/articles/2004-6/0818w.html#item2

Seems that "... French computer scientist Antoine Joux reported on Aug. 12 his discovery of a flaw in the MD5 algorithm, which is often used with digital signatures...."

There's more in the article cited above.

Peace,
david
--
David H. Wolfskill                              david@catwhisker.org
Evidence of curmudgeonliness: becoming irritated with the usage of the word "speed" in contexts referring to quantification of network performance, as opposed to "bandwidth" or "latency."

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 17:58:07 2004
From: "Peter C. Lai" <sirmoo@cowbert.net>
To: David Wolfskill
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 13:58:04 -0400
Message-ID: <20040818175804.GI346@cowbert.net>
In-Reply-To: <200408181724.i7IHORYl013375@bunrab.catwhisker.org>
Subject: Re: Report of collision-generation with MD5

Well, while collisions are cryptographically significant, they don't necessarily impact any operational security of the hash. (Since the collision merely means that there are possibly two inputs which will hash to the same digest.) Where this could theoretically mean that someone could alter a signed message, we have to look at the chance that what was intended to be altered will satisfy the conditions for the collision. The only 'real' worry about this issue is that if MD5 is already cryptographically challenged in this manner, it may be more possible to find a way to reverse the hash.

You can read the discussion here:
http://www.rtfm.com/movabletype/archives/2004_08.html#001053
http://www.rtfm.com/movabletype/archives/2004_03.html#000820

On Wed, Aug 18, 2004 at 10:24:27AM -0700, David Wolfskill wrote:
> Just got a pointer to this via ACM "TechNews Alert" for today:
>
> http://www.acm.org/technews/articles/2004-6/0818w.html#item2
>
> Seems that "... French computer scientist Antoine Joux reported on
> Aug. 12 his discovery of a flaw in the MD5 algorithm, which is often
> used with digital signatures...."
>
> There's more in the article cited above.
>
> Peace,
> david

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:08:16 2004
From: Claudiu <dr.clau@rdslink.ro>
To: "Peter C. Lai", freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 21:08:12 +0300
Message-ID: <41239B0C.1000703@rdslink.ro>
In-Reply-To: <20040818175804.GI346@cowbert.net>
Subject: Re: Report of collision-generation with MD5

hello,

please explain what you mean by "reverse the hash". Is this the recreation of the original message from its hash?

With respect,

Peter C. Lai wrote:
> Well, while collisions are cryptographically significant, they don't
> necessarily impact any operational security of the hash. (Since the
> collision merely means that there are possibly two inputs which will hash to
> the same digest.) Where this could theoretically mean that someone could
> alter a signed message, we have to look at the chance that what was intended
> to be altered will satisfy the conditions for the collision. The only 'real'
> worry about this issue is that if MD5 is already cryptographically challenged
> in this manner, it may be more possible to find a way to reverse the hash.
>
> You can read the discussion here:
> http://www.rtfm.com/movabletype/archives/2004_08.html#001053
> http://www.rtfm.com/movabletype/archives/2004_03.html#000820
>
> On Wed, Aug 18, 2004 at 10:24:27AM -0700, David Wolfskill wrote:
>
>> Just got a pointer to this via ACM "TechNews Alert" for today:
>>
>> http://www.acm.org/technews/articles/2004-6/0818w.html#item2
>>
>> Seems that "... French computer scientist Antoine Joux reported on
>> Aug. 12 his discovery of a flaw in the MD5 algorithm, which is often
>> used with digital signatures...."
>>
>> There's more in the article cited above.
>>
>> Peace,
>> david

--
Claudiu Dragalina-Paraipan
e-mail: dr.clau@rdslink.ro

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:16:45 2004
From: Mike Tancsa <mike@sentex.net>
To: "Peter C. Lai"
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 14:21:18 -0400
Message-Id: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
In-Reply-To: <20040818175804.GI346@cowbert.net>
Subject: Re: Report of collision-generation with MD5

At 01:58 PM 18/08/2004, Peter C. Lai wrote:
> Well, while collisions are cryptographically significant, they don't
> necessarily impact any operational security of the hash. (Since the
> collision merely means that there are possibly two inputs which will hash to
> the same digest.)

As I have no crypto background to evaluate some of the (potentially wild and erroneous) claims being made in the popular press* (e.g. http://news.com.com/2100-1002_3-5313655.html, see quote below), one thing that comes to mind is the safety of ports. If someone can pad an archive to come up with the same MD5 hash, this would challenge the security of the FreeBSD ports system, no?

* "MD5's flaws that have been identified in the past few days mean that an attacker can generate one hash collision in a few hours on a standard PC. To write a specific back door and cloak it with the same hash collision may be much more time intensive."

        ---Mike

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:24:33 2004
From: "Peter C. Lai" <sirmoo@cowbert.net>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 14:24:32 -0400
Message-ID: <20040818182432.GJ346@cowbert.net>
In-Reply-To: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2>
Subject: Re: Report of collision-generation with MD5

On Wed, Aug 18, 2004 at 02:21:18PM -0400, Mike Tancsa wrote:
> At 01:58 PM 18/08/2004, Peter C. Lai wrote:
> > Well, while collisions are cryptographically significant, they don't
> > necessarily impact any operational security of the hash. (Since the
> > collision merely means that there are possibly two inputs which will hash
> > to
> > the same digest.)
>
>
> As I have no crypto background to evaluate some of the (potentially wild
> and erroneous) claims being made in the popular press* (e.g.
> http://news.com.com/2100-1002_3-5313655.html, see quote below), one thing
> that comes to mind is the safety of ports. If someone can pad an archive
> to come up with the same MD5 hash, this would challenge the security of the
> FreeBSD ports system, no?

Yes, that is the potential worry. But if you step back from cryptography for a minute and look at information theory, it would only matter if changes to an archive are meaningful to the attacker. Since I am not an expert in information theory, I can't calculate how likely it is that a significant (meaningful content alteration) change to the archive can result in one which causes a collision. The necessary changes that have to be made to the archive to generate the same hash may prevent it from being untar'd or cause the build to break, or something similar. It is probably still more likely that an attacker would alter an archive and then attempt to change the reported hash in the INDEX to that of the new hash. Then again, everything I'm saying is pure speculation.

>
> * "MD5's flaws that have been identified in the past few days mean that an
> attacker can generate one hash collision in a few hours on a standard PC.
> To write a specific back door and cloak it with the same hash collision may
> be much more time intensive."
>
> ---Mike
>

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:29:58 2004
From: "Peter C. Lai" <sirmoo@cowbert.net>
To: Claudiu
Cc: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 14:29:57 -0400
Message-ID: <20040818182957.GK346@cowbert.net>
In-Reply-To: <41239B0C.1000703@rdslink.ro>
Subject: Re: Report of collision-generation with MD5

On Wed, Aug 18, 2004 at 09:08:12PM +0300, Claudiu wrote:
> hello,
>
> please explain what you mean by "reverse the hash". Is this the
> recreation of the original message from its hash?

The short answer is yes. The slightly longer answer is that such is only one specific case. The general case is that the digest should not reveal any information about the original message.

From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 18:35:23 2004
From: "Thordur Ivar B." <thib@mi.is>
To: freebsd-security@freebsd.org
Date: Wed, 18 Aug 2004 18:35:29 +0000
Message-Id: <20040818183529.5c52521b.thib@mi.is>
In-Reply-To: <20040818123706.T887@acropolis.argolis.org>
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit

On Wed, 18 Aug 2004 12:41:42 -0400 (EDT) Matt Piechota wrote:
> On Wed, 18 Aug 2004, Thordur Ivar B. wrote:
>
> > Yes, of course you will need to trust your own toolchain and compiler. (I keep
> > "trusted" binaries on CD to use in cases like this, and for post-mortem
> > inspection.)
>
> I'm curious, where do the "trusted" binaries come from? In theory,
> the FreeBSD build machine could have been hacked a long time ago and the
> hack keeps propagating.
>
> --
> Matt Piechota

Note the "" around trusted. There is no way (besides manually going through the entire src tree) to be sure that the sources are "trustworthy", but I have the highest confidence in the administrative personnel who keep the source safe and the machines uncompromised, and in the developers in general. If I did not "trust" them I would simply shut down my machines, remove the cables and throw it out the window.

My $0.05

--
Kv, thib[att]mi{dot}is

A man can do as he will, but not will as he will.
-- Arthur Schopenhauer From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 19:26:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E18B16A4CE for ; Wed, 18 Aug 2004 19:26:44 +0000 (GMT) Received: from recife.ipadnet.com.br (recife.ipadnet.com.br [200.249.204.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDD4E43D49 for ; Wed, 18 Aug 2004 19:26:42 +0000 (GMT) (envelope-from mario.lobo@ipad.com.br) Received: from marioLobo ([200.249.204.142]) by recife.ipadnet.com.br (8.12.8/8.12.8) with ESMTP id i7IJhpX4018096; Wed, 18 Aug 2004 16:43:52 -0300 From: mario.lobo@ipad.com.br Organization: IPAD To: "Peter C. Lai" Date: Wed, 18 Aug 2004 16:27:26 -0300 MIME-Version: 1.0 Message-ID: <4123836E.9751.1DE28B5@localhost> Priority: normal In-reply-to: <20040818182957.GK346@cowbert.net> References: <41239B0C.1000703@rdslink.ro> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-printable Content-description: Mail message body cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mario.lobo@ipad.com.br List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 19:26:44 -0000 How about a password hash? Wouldn=B4t those collisions enable the criation= of a different password with the same hash? -- //| //|| // | // || -//--//---|| ARIO LOBO // // || --------------------------------- mario.lobo@ipad.com.br http://www.ipad.com.br On 18 Aug 2004 at 14:29, Peter C. Lai wrote: > On Wed, Aug 18, 2004 at 09:08:12PM +0300, Claudiu wrote: > > hello, > > > > please explain what do you mean by "reverse the hash". 
Is this the > > recreation of the originial message from its hash ? > > The short answer is yes. The slightly longer answer is that such is only= one > specific case. The general case is that the digest should not reveal any= > information about the original message. > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.o= rg" From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 20:35:53 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA51616A4CE for ; Wed, 18 Aug 2004 20:35:53 +0000 (GMT) Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0F8243D1F for ; Wed, 18 Aug 2004 20:35:52 +0000 (GMT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) i7IKZiie006190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Aug 2004 21:35:44 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)id i7IKZipu006189; Wed, 18 Aug 2004 21:35:44 +0100 (BST) (envelope-from matthew) Date: Wed, 18 Aug 2004 21:35:44 +0100 From: Matthew Seaman To: Mike Tancsa Message-ID: <20040818203544.GB4900@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: Mike Tancsa , "Peter C. 
Lai" , freebsd-security@freebsd.org References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="QKdGvSO+nmPlgiQ/" Content-Disposition: inline In-Reply-To: <6.1.2.0.0.20040818141732.04a6e060@64.7.153.2> User-Agent: Mutt/1.5.6i X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.6 (smtp.infracaninophile.co.uk [IPv6:::1]); Wed, 18 Aug 2004 21:35:44 +0100 (BST) X-Virus-Scanned: clamd / ClamAV version devel-20040705, clamav-milter version 0.74a on smtp.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.64 X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on happy-idiot-talk.infracaninophile.co.uk cc: "Peter C. Lai" cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 20:35:54 -0000 --QKdGvSO+nmPlgiQ/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 18, 2004 at 02:21:18PM -0400, Mike Tancsa wrote: > At 01:58 PM 18/08/2004, Peter C. Lai wrote: > >Well while collisions are cryptographically significant, they don't > >necessarily impact any operational security of the the hash. (Since the > >collision merely means that there are possibly two inputs which will has= h=20 > >to > >the same digest). 
>=20 >=20 > As I have no crypto background to evaluate some of the (potentially wild= =20 > and erroneous) claims being made in the popular press* (eg=20 > http://news.com.com/2100-1002_3-5313655.html see quote below), one thing= =20 > that comes to mind is the safety of ports. If someone can pad an archive= =20 > to come up with the same MD5 hash, this would challenge the security of t= he=20 > FreeBSD ports system no ? >=20 > * "MD5's flaws that have been identified in the past few days mean that a= n=20 > attacker can generate one hash collision in a few hours on a standard PC.= =20 > To write a specific back door and cloak it with the same hash collision m= ay=20 > be much more time intensive. " At least the SHA-1 hash is still considered secure, and there's a whole series of SHA-nnn functions beyond that. I believe SHA-1 is already used implicitly by FreeBSD as the standard hash function used by gnupg(1) when digitally signing security alerts. Various SHA hashes are already given in a few ports distinfo files -- eg sysutils/coreutils, net/fping, misc/less -- although there seems to be no support in bsd.port.mk for checking anything other than MD5 as yet. I can't see any justification for giving up on MD5 just yet, but should the need eventually arise switching the ports over to an alternative hashing algorithm could be done relatively quickly. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 
26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --QKdGvSO+nmPlgiQ/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBI72giD657aJF7eIRAiwEAJ45lAa2amRV5pjixFgeSFVJLjx5mgCfRZNp qNvO90zpGHlm7AMl0kVTG4c= =TQEd -----END PGP SIGNATURE----- --QKdGvSO+nmPlgiQ/-- From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 20:54:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AC9716A4CE for ; Wed, 18 Aug 2004 20:54:44 +0000 (GMT) Received: from electricrain.com (electricrain.com [64.71.143.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id D110143D1D for ; Wed, 18 Aug 2004 20:54:43 +0000 (GMT) (envelope-from fuzzy@electricrain.com) Received: (qmail 15744 invoked by uid 540); 18 Aug 2004 20:54:41 -0000 Date: Wed, 18 Aug 2004 13:54:41 -0700 From: Chris Doherty To: freebsd-security@freebsd.org Message-ID: <20040818205440.GL9800@zot.electricrain.com> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> <20040818182957.GK346@cowbert.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040818182957.GK346@cowbert.net> User-Agent: Mutt/1.4i X-Operating-System: XEmacs X-Koan: mu. X-Message-Flag: This message contains absolutely no malicious code. Organization: The Inside Foundation Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: chris-freebsd@randomcamel.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 20:54:44 -0000 On Wed, Aug 18, 2004 at 02:29:57PM -0400, Peter C. 
Lai said: > On Wed, Aug 18, 2004 at 09:08:12PM +0300, Claudiu wrote: > > hello, > > > > please explain what do you mean by "reverse the hash". Is this the > > recreation of the originial message from its hash ? > > The short answer is yes. The slightly longer answer is that such is only one > specific case. The general case is that the digest should not reveal any > information about the original message. well, technically you're not "reversing the hash": you can't re-create a message from its hash, because the information is simply gone--digesting algorithms are massively lossy by definition. that is, you can't take a 128-bit MD5 hash and recover the original 2-megabyte message, which makes sense. what you can do, if you have a proper attack formula, is find *a* message that produces *that one hash*. that is, if I have message M which produces hash H, I can use the attack to find *a* message M' which will also produce hash H. I suppose the possibility exists that M' will equal the original M, but I'd speculate that the odds are remarkably small. chris ------------------------------- Chris Doherty chris [at] randomcamel.net "I think," said Christopher Robin, "that we ought to eat all our provisions now, so we won't have so much to carry." -- A. A. Milne ------------------------------- From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 23:46:57 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB44E16A4CE for ; Wed, 18 Aug 2004 23:46:57 +0000 (GMT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5966643D41 for ; Wed, 18 Aug 2004 23:46:57 +0000 (GMT) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA05055; Wed, 18 Aug 2004 17:46:50 -0600 (MDT) X-message-flag: Warning! 
Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <6.1.1.1.2.20040818174540.08540a60@localhost> X-Sender: brett@localhost (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1 Date: Wed, 18 Aug 2004 17:46:48 -0600 To: chris-freebsd@randomcamel.net, freebsd-security@freebsd.org From: Brett Glass In-Reply-To: <20040818205440.GL9800@zot.electricrain.com> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> <20040818182957.GK346@cowbert.net> <20040818205440.GL9800@zot.electricrain.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Aug 2004 23:46:58 -0000 At 02:54 PM 8/18/2004, Chris Doherty wrote: >what you can do, if you have a proper attack formula, is find *a* message >that produces *that one hash*. that is, if I have message M which produces >hash H, I can use the attack to find *a* message M' which will also >produce hash H. The thing is, passwords are short and have limited entropy. Chances are, if you find a password that produces the same hash, it's M. 
--Brett From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 00:22:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D9DF16A4CE for ; Thu, 19 Aug 2004 00:22:34 +0000 (GMT) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id 765DF43D31 for ; Thu, 19 Aug 2004 00:22:33 +0000 (GMT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from localhost (localhost [127.0.0.1]) by cactus.fi.uba.ar (8.12.11/8.12.11) with ESMTP id i7J0N7YQ030724; Wed, 18 Aug 2004 21:23:07 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Wed, 18 Aug 2004 21:23:07 -0300 (ART) From: Fernando Gleiser To: Chris Doherty In-Reply-To: <20040818205440.GL9800@zot.electricrain.com> Message-ID: <20040818211706.D25438@cactus.fi.uba.ar> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> <20040818205440.GL9800@zot.electricrain.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Score: -104.901 () BAYES_00,USER_IN_WHITELIST X-Scanned-By: MIMEDefang 2.42 cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Aug 2004 00:22:34 -0000 On Wed, 18 Aug 2004, Chris Doherty wrote: > > well, technically you're not "reversing the hash": you can't re-create a > message from its hash, because the information is simply gone--digesting > algorithms are massively lossy by definition. that is, you can't take a > 128-bit MD5 hash and recover the original 2-megabyte message, which makes > sense. 
> > what you can do, if you have a proper attack formula, is find *a* message > that produces *that one hash*. that is, if I have message M which produces > hash H, I can use the attack to find *a* message M' which will also > produce hash H. There are (potentially) infinite inputs and just 2^128 outputs, so you can always (given enough time and/or horsepower) greate a colision. The problem is you need to create a message M' such that it is similar enough to the original one so the recipient gets fooled he got the original one. I think the odds of backdooring a source code file and modifying it so it hashes to the same value are very small. Fer From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 08:16:14 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30EE116A4CE for ; Thu, 19 Aug 2004 08:16:14 +0000 (GMT) Received: from sollube.sarenet.es (sollube.sarenet.es [192.148.167.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 832A943D2F for ; Thu, 19 Aug 2004 08:16:13 +0000 (GMT) (envelope-from borjamar@sarenet.es) Received: from [172.16.1.6] (ns10-sarenetlan-dhcp.sarenet.es [192.148.167.10]) by sollube.sarenet.es (Postfix) with ESMTP id 58AF39BB for ; Thu, 19 Aug 2004 10:16:12 +0200 (CEST) Mime-Version: 1.0 (Apple Message framework v619) In-Reply-To: <41239B0C.1000703@rdslink.ro> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <176CF1F4-F1B8-11D8-9F60-000393C94468@sarenet.es> Content-Transfer-Encoding: 7bit From: Borja Marcos Date: Thu, 19 Aug 2004 10:16:37 +0200 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.619) Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only 
posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Aug 2004 08:16:14 -0000 On 18 Aug 2004, at 20:08, Claudiu wrote: > hello, > > please explain what do you mean by "reverse the hash". Is this the > recreation of the originial message from its hash ? You cannot reverse a hash. By definition, it is a non-reversible mathematical function. If you get a set of messages and apply a hash to each of them, given a big enogh set of messages you will find that some of them have the same hash. The issue is not the existence of collisions. It is obvious that there will be collisions. The issue is how easy or hard it is to find a collision. Imagine a very simple hash: a checksum. Given a message, M, it is trivial to generate another message with the same checksum. However, using a "cryptographically secure" hash, there is no easy method to do that, other than brute force. What researchers have discovered could lead to a shortcut, easier (and cheaper) to perform that a brute force search for collision finding. It does not mean that those digests are "broken", but indeed it means that they are less secure than previously thought. Borja. 
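The checksum-versus-cryptographic-hash contrast in Borja's post above, worked through in code. This is an added example, not code from the thread or from FreeBSD: the 16-bit additive checksum, the truncation of MD5 to a few bits (so that a brute-force search finishes in a demo) and the sample messages are all constructed for illustration, and the notation M, H and M' follows Chris Doherty's post.

```python
"""Added example (not from the thread): a checksum versus a cryptographic hash.

Collisions always exist for any fixed-size digest; what matters is the cost of
finding one. For a plain additive checksum a second preimage (a different M'
with the same digest as a given M) is a one-line construction. For a
cryptographic hash the only generic route is brute force, whose cost grows as
2**bits, which we show on a truncated MD5.
"""
import hashlib
import itertools


def checksum16(data: bytes) -> int:
    """Toy non-cryptographic hash: sum of all bytes modulo 2**16."""
    return sum(data) % 65536


def forge_checksum16(m: bytes, payload: bytes) -> bytes:
    """Return M' = payload + fix-up bytes with checksum16(M') == checksum16(m).

    Each fix-up byte adds at most 255 to the sum, so append enough 0xFF bytes
    plus one remainder byte to cover the difference. No search is needed: the
    checksum is linear, which is exactly why it is no defence against tampering.
    """
    delta = (checksum16(m) - checksum16(payload)) % 65536
    fixup = b"\xff" * (delta // 255) + bytes([delta % 255])
    return payload + fixup


def truncated_md5(data: bytes, bits: int) -> int:
    """The leading `bits` bits of MD5(data), so brute force finishes in a demo."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)


def second_preimage_bruteforce(m: bytes, bits: int):
    """Generic second-preimage search against a `bits`-bit truncation of MD5.

    There is no shortcut here: candidates are tried until one matches the
    digest of m. Expected cost is about 2**bits trials, which is why the full
    128-bit MD5 is out of reach for this kind of attack even though finding a
    collision (two attacker-chosen messages, neither fixed in advance) is
    cheaper. Returns (m_prime, trials).
    """
    target = truncated_md5(m, bits)
    for i in itertools.count(1):
        candidate = b"candidate-%d" % i
        if candidate != m and truncated_md5(candidate, bits) == target:
            return candidate, i


if __name__ == "__main__":
    m = b"fetch me: foo-1.0.tar.gz"          # constructed sample message M
    payload = b"fetch me: evil-1.0.tar.gz"   # constructed attacker payload
    m_prime = forge_checksum16(m, payload)
    print("checksum16 collision without any search:",
          checksum16(m) == checksum16(m_prime))
    for bits in (8, 12, 16):
        _, trials = second_preimage_bruteforce(m, bits)
        print(f"{bits}-bit truncated MD5: second preimage after {trials} trials")
```

Running the script shows the trial count roughly doubling with every extra bit of digest; extrapolating that curve to 128 bits is the "brute force" Borja refers to, and the Wang et al. result is a shortcut for collisions, not for this second-preimage search.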
From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 09:45:26 2004
Date: Thu, 19 Aug 2004 11:45:50 +0200
From: Borja Marcos
To: Darren Reed
cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
Message-Id: <8E285C78-F1C4-11D8-9F60-000393C94468@sarenet.es>
In-Reply-To: <200408190935.i7J9ZLrT025111@cairo.anu.edu.au>

> Someone I was talking to made a point of highlighting that this is
> what the Chinese Government is allowing to be published in this area
> of research. That's enough to make you wonder what they've
> discovered but not published...

There is a fine line between false sense of security and conspiranoia, and
when using *any* cryptographic system (which includes algorithms) you must
decide where to put your trust.

I think (this is a personal opinion) that such an important discovery is
really hard to keep secret. Since cryptography became a public research area,
it is quite likely for important discoveries to be widely known. Of course,
researchers working for government agencies can keep their discoveries secret,
but bear in mind that an apparently "harmless" Mathematics discovery can have a
dramatic impact on cryptography.

Although the example is obvious, imagine an article with a title such as: "A
faster method to factorize integers constructed as the product of two primes
given the constraints...". It could have a dramatic impact on the security of
any system using the RSA algorithm. Do you think it is so easy to filter
Mathematics research reports?

This is the joy of basic research. In many cases (of course you know in my
example!) you don't really know what the practical applications/consequences
will be.

Borja.

From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 10:29:10 2004
Date: Thu, 19 Aug 2004 11:26:47 +0100 (BST)
From: Jan Grant
To: Brett Glass
cc: freebsd-security@freebsd.org
Subject: Re: Report of collision-generation with MD5
In-Reply-To: <6.1.1.1.2.20040818174540.08540a60@localhost>

On Wed, 18 Aug 2004, Brett Glass wrote:

> At 02:54 PM 8/18/2004, Chris Doherty wrote:
>
> >what you can do, if you have a proper attack formula, is find *a* message
> >that produces *that one hash*. that is, if I have message M which produces
> >hash H, I can use the attack to find *a* message M' which will also
> >produce hash H.
>
> The thing is, passwords are short and have limited entropy. Chances are,
> if you find a password that produces the same hash, it's M.

Details in the paper are few, but I don't think what Chris describes in the
snippet Brett quotes is what's necessarily happening. That is, for any given
MD5 initial state, they seem to be saying that they can find two related
messages that produce the same hash. NOT that they necessarily can find a
message with the same hash as a _given_ message.

Which I guess means that they can tack two different strings on the end of any
arbitrary file (since they claim they can attack an arbitrary IV) and the
resulting two files will also have the same MD5 hash, but that won't be the MD5
of the original. The two appended strings are effectively random, and differ
from each other only in a few bits.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl.
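The "arbitrary IV" property Jan describes above, shown on a toy Merkle-Damgård hash so that the construction is visible end to end. This is an added example, not code from the thread or from the Wang et al. paper: the compression function, the 24-bit state and the 4-byte block size are assumptions chosen so that a birthday search finishes instantly, and the two colliding blocks it finds differ arbitrarily rather than in a few bits. It demonstrates the general prefix-plus-suffix extension that any iterated hash has, which is why an MD5 collision after a chosen prefix carries over to every file built on that prefix.

```python
"""Added example (not from the thread): a toy Merkle-Damgård hash and why a
collision found from an arbitrary chaining value ("IV") extends to whole files.

MD5 iterates a compression function over fixed-size blocks. If two different
blocks b1, b2 lead from the same chaining state to the same next state, then
prefix+b1+suffix and prefix+b2+suffix hash identically for ANY suffix, because
everything after the collision is processed identically. The state here is 24
bits so a birthday search needs only a few thousand trials.
"""
import hashlib
import struct

BLOCK = 4          # bytes per message block (assumption for the toy)
IV = 0x123456      # fixed initial chaining value, as MD5 has one


def compress(h: int, block: bytes) -> int:
    """Toy compression function: (24-bit state, 4-byte block) -> 24-bit state.
    SHA-256 is used only as a convenient random-looking function."""
    digest = hashlib.sha256(h.to_bytes(3, "big") + block).digest()
    return int.from_bytes(digest[:3], "big")


def pad(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zeros to a block boundary, then the
    original length as a final 32-bit block."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + struct.pack(">I", len(msg))


def absorb(h: int, data: bytes) -> int:
    """Run block-aligned data through the compression function from state h."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h


def toy_hash(msg: bytes) -> int:
    """Full hash of an arbitrary message: pad, then chain from the fixed IV."""
    return absorb(IV, pad(msg))


def find_colliding_blocks(h: int):
    """Birthday search for blocks b1 != b2 with compress(h, b1) == compress(h, b2).

    h is a parameter: the search works from ANY chaining value, which is what
    lets the collision be placed after an arbitrary prefix.
    """
    seen = {}
    for i in range(1 << 32):
        block = struct.pack(">I", i)
        state = compress(h, block)
        if state in seen:
            return seen[state], block
        seen[state] = block
    raise RuntimeError("no collision found")  # unreachable for a 24-bit state


def colliding_files(prefix: bytes, suffix: bytes):
    """Two files prefix+b1+suffix and prefix+b2+suffix with equal toy_hash().

    After b1 and b2 the chaining states are identical, and every later block
    (suffix plus padding, which encodes the same length) is the same, so the
    final digests agree even though neither equals toy_hash(prefix).
    """
    if len(prefix) % BLOCK:
        raise ValueError("prefix must be a whole number of blocks")
    b1, b2 = find_colliding_blocks(absorb(IV, prefix))
    return prefix + b1 + suffix, prefix + b2 + suffix


if __name__ == "__main__":
    # Constructed sample: a 16-byte "archive" and whatever trailing data we like.
    f1, f2 = colliding_files(b"original-archive", b"-any-trailing-bytes")
    print(f"{f1!r}\n{f2!r}\nsame digest: {toy_hash(f1) == toy_hash(f2)}")
```

The defensive reading is the one Jan gives: a checksum that is only a single iterated hash tells you that two files share a digest, not that either is the file whose digest was published, so the digest must be bound to the original by a signature or by an independent second hash rather than trusted on its own.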
From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 14:49:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEDAC16A4CE for ; Thu, 19 Aug 2004 14:49:05 +0000 (GMT) Received: from lvlworld.com (dsl-38.226.240.220.dsl.comindico.com.au [220.240.226.38]) by mx1.FreeBSD.org (Postfix) with SMTP id 6709F43D53 for ; Thu, 19 Aug 2004 14:48:46 +0000 (GMT) (envelope-from tigger@onemoremonkey.com) Received: (qmail 2603 invoked from network); 19 Aug 2004 14:50:33 -0000 Received: from unknown (HELO piglet.goo) (192.168.1.120) by eeeor.goo with SMTP; 19 Aug 2004 14:50:33 -0000 Date: Fri, 20 Aug 2004 00:48:43 +1000 From: Tig To: freebsd-security@freebsd.org Message-Id: <20040820004843.011b8de8@piglet.goo> In-Reply-To: <20040818182957.GK346@cowbert.net> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> <20040818182957.GK346@cowbert.net> X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Bogosity: No, tests=bogofilter, spamicity=0.896238, version=0.17.5 Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Aug 2004 14:49:06 -0000 On Wed, 18 Aug 2004 14:29:57 -0400 "Peter C. Lai" wrote: > On Wed, Aug 18, 2004 at 09:08:12PM +0300, Claudiu wrote: > > hello, > > > > please explain what do you mean by "reverse the hash". Is this the > > recreation of the originial message from its hash ? > > The short answer is yes. The slightly longer answer is that such is > only one specific case. 
The general case is that the digest should not > reveal any information about the original message. > If this is the case, then it would be very cool! Imagine sending 32 bytes, then 'reverse the hash' to get XX MB's worth of data :] That would be great compression! -Tig From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 14:53:56 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7494816A4CE for ; Thu, 19 Aug 2004 14:53:56 +0000 (GMT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id D229E43D41 for ; Thu, 19 Aug 2004 14:53:55 +0000 (GMT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.13.1/8.13.1) with ESMTP id i7JErrnt019975; Thu, 19 Aug 2004 16:53:53 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Tig From: "Poul-Henning Kamp" In-Reply-To: Your message of "Fri, 20 Aug 2004 00:48:43 +1000." <20040820004843.011b8de8@piglet.goo> Date: Thu, 19 Aug 2004 16:53:53 +0200 Message-ID: <19974.1092927233@critter.freebsd.dk> Sender: phk@critter.freebsd.dk cc: freebsd-security@freebsd.org Subject: Re: Report of collision-generation with MD5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Aug 2004 14:53:56 -0000 In message <20040820004843.011b8de8@piglet.goo>, Tig writes: >On Wed, 18 Aug 2004 14:29:57 -0400 >"Peter C. Lai" wrote: > >> On Wed, Aug 18, 2004 at 09:08:12PM +0300, Claudiu wrote: >> > hello, >> > >> > please explain what do you mean by "reverse the hash". Is this the >> > recreation of the originial message from its hash ? >> >> The short answer is yes. The slightly longer answer is that such is >> only one specific case. 
The general case is that the digest should not >> reveal any information about the original message. >> > > >If this is the case, then it would be very cool! > >Imagine sending 32 bytes, then 'reverse the hash' to get XX MB's worth >of data :] > >That would be great compression! That would not be compression (and hopefully you know it). -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 15:40:22 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5092416A4DA for ; Thu, 19 Aug 2004 15:40:22 +0000 (GMT) Received: from mail.ki.iif.hu (mignon.ki.iif.hu [193.6.222.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2103E43D1D for ; Thu, 19 Aug 2004 15:40:19 +0000 (GMT) (envelope-from mohacsi@niif.hu) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 0258D5533; Thu, 19 Aug 2004 17:40:17 +0200 (CEST) Received: from mail.ki.iif.hu ([127.0.0.1]) by localhost (mignon.ki.iif.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 02008-01; Thu, 19 Aug 2004 17:40:10 +0200 (CEST) Received: by mail.ki.iif.hu (Postfix, from userid 1003) id E4FBA551F; Thu, 19 Aug 2004 17:40:10 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id E2D4D5514; Thu, 19 Aug 2004 17:40:10 +0200 (CEST) Date: Thu, 19 Aug 2004 17:40:10 +0200 (CEST) From: Mohacsi Janos X-X-Sender: mohacsi@mignon.ki.iif.hu To: Jan Grant In-Reply-To: Message-ID: <20040819171922.U87148@mignon.ki.iif.hu> References: <200408181724.i7IHORYl013375@bunrab.catwhisker.org> <20040818175804.GI346@cowbert.net> <41239B0C.1000703@rdslink.ro> <6.1.1.1.2.20040818174540.08540a60@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; 
Subject: Re: Report of collision-generation with MD5

Hi!

On Thu, 19 Aug 2004, Jan Grant wrote:
> On Wed, 18 Aug 2004, Brett Glass wrote:
>
>> At 02:54 PM 8/18/2004, Chris Doherty wrote:
>>
>>> what you can do, if you have a proper attack formula, is find *a* message
>>> that produces *that one hash*. that is, if I have message M which produces
>>> hash H, I can use the attack to find *a* message M' which will also
>>> produce hash H.
>>
>> The thing is, passwords are short and have limited entropy. Chances are,
>> if you find a password that produces the same hash, it's M.
>
> Details in the paper are few, but I don't think what Chris describes in
> the snippet Brett quotes is what's necessarily happening. That is, for
> any given MD5 initial state, they seem to be saying that they can find
> two related messages that produce the same hash. NOT that they
> necessarily can find a message with the same hash as a _given_ message.
> Which I guess means that they can tack two different strings on the end
> of any arbitrary file (since they claim they can attack an arbitrary IV)
> and the resulting two files will also have the same MD5 hash, but that
> won't be the MD5 of the original. The two appended strings are
> effectively random, and differ from each other only in a few bits.
>

To avoid the possible attack, probably we should start adding an additional digest to MD5, e.g. SHA1. Probably some flexible method should be used, as in NetBSD pkgsrc: distinfo files say what kinds of hash are available, the digest(1) utility computes according to it, and the make process does the comparison for each available hash.
If any fails, it reports. Multiple hashes can mitigate the possibility of attack.

Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

From owner-freebsd-security@FreeBSD.ORG Thu Aug 19 23:11:30 2004
From: "George F. Costanzo"
To: "'David Wolfskill'"
cc: freebsd-security@freebsd.org
Date: Fri, 20 Aug 2004 09:11:25 +1000
Message-Id: <20040819230443.E0D563F4E@marx.hkr.ath.cx>
In-Reply-To: <200408181724.i7IHORYl013375@bunrab.catwhisker.org>
Subject: RE: Report of collision-generation with MD5

The reporter got mixed up. Antoine Joux published a SHA-0 collision, while the Chinese researchers, Xiaoyun Wang and co., put out the paper on collisions in MD5, MD4, HAVAL, and full RIPEMD. A copy can be found here:

http://eprint.iacr.org/2004/199.pdf

This is the second version, after they used the wrong IV's initially.
They plan to release a more detailed version in the near future.

I wouldn't just wave off the attack; they seem to be able to find collisions fairly quickly. For more info see recent posts on:

http://www.mail-archive.com/cryptography%40metzdowd.com/

-- 
George F. Costanzo
PGP Fingerprint: 1E4F 09F2 D637 B917 8D61 0413 4FBC 7DB0 1407 2B6D

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-
> security@freebsd.org] On Behalf Of David Wolfskill
> Sent: Thursday, August 19, 2004 3:24 AM
> To: freebsd-security@freebsd.org
> Subject: Report of collision-generation with MD5
>
> Just got a pointer to this via ACM "TechNews Alert" for today:
>
> http://www.acm.org/technews/articles/2004-6/0818w.html#item2
>
> Seems that "... French computer scientist Antoine Joux reported on
> Aug. 12 his discovery of a flaw in the MD5 algorithm, which is often
> used with digital signatures...."
>
> There's more in the article cited above.
>
> Peace,
> david
> --
> David H. Wolfskill                              david@catwhisker.org
> Evidence of curmudgeonliness: becoming irritated with the usage of the
> word "speed" in contexts referring to quantification of network
> performance, as opposed to "bandwidth" or "latency."
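An added example (not code from the thread, from pkgsrc or from FreeBSD) in Python of the multi-digest check Janos Mohacsi describes: every digest listed in a distinfo-style file must match, so a substitute distfile that agrees with the original under MD5 alone (the collision case Jan Grant distinguishes from a second preimage) is still rejected by the SHA1 line. The "ALG (file) = hex" line format, the label set and the sample distfiles are assumed or constructed here, and the colliding case is only simulated; no real MD5 collision is computed.

```python
import hashlib
import re

# Distinfo labels -> hashlib names. The label set and the "ALG (file) = hex" line
# format are assumed from the pkgsrc style; RMD160 is left out since hashlib may lack it.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
LINE_RE = re.compile(r"^(?P<alg>\w+) \((?P<name>[^)]+)\) = (?P<value>[0-9a-fA-F]+)$")


def make_distinfo(name, data, algs):
    """Emit distinfo lines for one distfile (used here to build the constructed input)."""
    return "\n".join(f"{alg} ({name}) = {hashlib.new(ALGORITHMS[alg], data).hexdigest()}"
                     for alg in algs)


def parse_distinfo(text):
    """Return {filename: {ALG: hexdigest}}; lines such as 'Size (...) = N bytes' are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("alg") in ALGORITHMS:
            entries.setdefault(m.group("name"), {})[m.group("alg")] = m.group("value").lower()
    return entries


def verify(data, expected):
    """Compare data against every digest listed for it.

    Returns (ok, {ALG: matched}). ok is True only when at least one digest is
    listed and all of them match, so a file that collides under MD5 alone is
    still rejected by the SHA1 line.
    """
    results = {alg: hashlib.new(ALGORITHMS[alg], data).hexdigest() == hexval
               for alg, hexval in expected.items()}
    return bool(results) and all(results.values()), results


# Constructed sample distfiles: the genuine one and a tampered substitute.
GOOD = b"genuine distfile contents (constructed)\n"
TAMPERED = b"tampered distfile contents (constructed)\n"
DISTINFO = make_distinfo("foo-1.0.tar.gz", GOOD, ["MD5", "SHA1"]) + "\nSize (foo-1.0.tar.gz) = 40 bytes"
# Simulated MD5-only collision: no real collision is computed; the MD5 line is simply
# taken from the tampered file while the SHA1 line still describes the original.
COLLIDING_DISTINFO = (make_distinfo("foo-1.0.tar.gz", TAMPERED, ["MD5"]) + "\n"
                      + make_distinfo("foo-1.0.tar.gz", GOOD, ["SHA1"]))

if __name__ == "__main__":
    print(verify(GOOD, parse_distinfo(DISTINFO)["foo-1.0.tar.gz"]))      # (True, {'MD5': True, 'SHA1': True})
    print(verify(TAMPERED, parse_distinfo(COLLIDING_DISTINFO)["foo-1.0.tar.gz"]))  # (False, {'MD5': True, 'SHA1': False})
```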