From owner-freebsd-security Sun Mar 10 17:20:36 1996
From: sreid@edmbbs.iceonline.com
Message-Id: <9603101704.D6300AZ@edmbbs.iceonline.com>
To: security@freebsd.org
Subject: How secure is FreeBSD 2.1 right after install?
Organization: EDMBBS Marketing
Date: Sun, 10 Mar 96 17:04:26 EST

Is there anything I need to do to secure my system after a fresh install
from the Walnut Creek CD?

I've already disabled the r*, finger and telnet services in inetd.conf.
I don't expect I'll need them. Is there anything else I need to worry
about?

Our local ethernet will start with two FreeBSD machines and a Cisco
router, connected to the internet. One of the FreeBSD machines will be a
web server (probably running Apache) and the other will be for web page
development under X Windows.

I'm concerned that X might be a potential security hole, since it uses
TCP port 6000 to accept connections from clients... Can I close off
remote access to the X server without having to install a firewall? I
won't need to access the X server from the LAN. Can X be set to ignore
the TCP port?

I'm interested in anything that might be a security problem.
From owner-freebsd-security Mon Mar 11 07:00:22 1996
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199603111500.HAA03943@passer.osg.gov.bc.ca>
Reply-to: cschuber@orca.gov.bc.ca
To: sreid@edmbbs.iceonline.com
cc: security@FreeBSD.ORG
Subject: Re: How secure is FreeBSD 2.1 right after install?
In-reply-to: Your message of "Sun, 10 Mar 96 17:04:26 EST." <9603101704.D6300AZ@edmbbs.iceonline.com>
Date: Mon, 11 Mar 96 07:00:17 -0800

> Is there anything I need to do to secure my system after a fresh install
> from the Walnut Creek CD?
>
> I've already disabled the r*, finger and telnet services in inetd.conf.
> I don't expect I'll need them. Is there anything else I need to worry
> about?
>
> Our local ethernet will start with two FreeBSD machines and a Cisco
> router, connected to the internet. One of the FreeBSD machines will be a
> web server (probably running Apache) and the other will be for web page
> development under X Windows.
>
> I'm concerned that X might be a potential security hole, since it uses
> TCP port 6000 to accept connections from clients... Can I close off
> remote access to the X server without having to install a firewall? I
> won't need to access the X server from the LAN. Can X be set to ignore
> the TCP port?
>
> I'm interested in anything that might be a security problem.

Here are some basic steps I would start with:

1. Install TCP/Wrapper and block all of your TCP services run out of
   inetd.

2. Recompile the kernel to make use of the IP Firewall code, then block
   TCP ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513,
   514, 520, 2049, 1, 11, 15, 43, 95, 123, 144, 515, 651, 2000, 6000-6100,
   ypserv, yppasswdd, ypbind, mountd, and nfs. I would also block UDP
   ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513, 514,
   520, 2049, ypserv, yppasswd, ypbind, mountd, nfs, and port 1023. You
   could also block TCP services run out of inetd as well; however,
   TCP/Wrapper does a better job of reporting and does some "PARANOID"
   checks against the DNS that filtering will not do. If you're really
   paranoid you could block those ports. On the other hand you would
   probably be better off blocking these ports at your router. If you're
   really paranoid you could do both. Many of the commercial firewalls
   consist of two routers and a bastion host (firewall machine). If you
   allow dial-in connections much of this may be of no use since many
   hackers also phreak telephone lines.

3. Install Tripwire.

4. Run CRACK and COPS or Tiger on a weekly basis.

5. Route all auth.* messages to another machine and report on all
   anomalies.

6. Replace Sendmail 8.6.12 with Sendmail 8.7.4 and install smrsh.

7. If you don't expect to receive mail from the Internet on your FreeBSD
   boxes run Sendmail out of inetd and cron, then wrap it with
   TCP/Wrapper. If you don't need to receive mail at all don't even run
   sendmail out of inetd, just let sendmail queue messages from cron.

This is what comes to mind at the moment. There's a lot more you could do
if you want to spend the time at it.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

From owner-freebsd-security Mon Mar 11 09:42:23 1996
From: Ollivier Robert
Message-Id: <199603110747.IAA01731@keltia.freenix.fr>
Subject: Re: How secure is FreeBSD 2.1 right after install?
To: sreid@edmbbs.iceonline.com
Date: Mon, 11 Mar 1996 08:47:28 +0100 (MET)
Cc: security@FreeBSD.ORG
In-Reply-To: <9603101704.D6300AZ@edmbbs.iceonline.com> from "sreid@edmbbs.iceonline.com" at "Mar 10, 96 05:04:26 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1759

It seems that sreid@edmbbs.iceonline.com said:
> I've already disabled the r*, finger and telnet services in inetd.conf.
> I don't expect I'll need them. Is there anything else I need to worry
> about?

Put some filters on your Cisco; refuse any internal address coming from
the external interface (IP spoofing), add access lists for what you don't
want to come from the Internet.

> I'm concerned that X might be a potential security hole, since it uses
> TCP port 6000 to accept connections from clients... Can I close off
> remote access to the X server without having to install a firewall? I

Block all connection attempts coming to port 6000-6099 coming from the
Internet. Use Xauthority-style authentication on the X server.

> won't need to access the X server from the LAN. Can X be set to ignore
> the TCP port?

You'll have to hack the source; that's not really necessary if you block
at the router level.
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Tue Feb 20 01:16:51 MET 1996

From owner-freebsd-security Tue Mar 12 00:56:12 1996
From: Thomas J Balfe
Date: Tue, 12 Mar 1996 03:56:30 +0000 ()
To: freebsd-security@freebsd.org
Subject: CA-95:14

Does 2.1R have the RFC 1408 or RFC 1572 telnetd_environment_vulnerability
bug worked out of it, or do I have to apply a patch? Are there any other
things that I should apply to 2.1R? Thanks.

TheLion
#freebsd

--
Thomas J Balfe
Tioga Communications, Inc.
tbalfe@tioga.com

From owner-freebsd-security Tue Mar 12 15:37:27 1996
From: invalid opcode
Date: Tue, 12 Mar 1996 15:37:03 -0800 (PST)
To: Thomas J Balfe
cc: freebsd-security@FreeBSD.org
Subject: Re: CA-95:14

On Tue, 12 Mar 1996, Thomas J Balfe wrote:
> Does 2.1R have the RFC 1408 or RFC 1572 telnetd_environment_vulnerability
> bug worked out of it, or do I have to apply a patch? Are there any other
> things that I should apply to 2.1R? Thanks.
> Thomas J Balfe

As far as I can tell (strings /usr/bin/telnet | grep -i LD), it doesn't
appear to be present.
== Chris Layne =============================================================
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Tue Mar 12 23:27:22 1996
From: Tom Samplonius
Date: Tue, 12 Mar 1996 23:29:54 -0800 (PST)
To: invalid opcode
cc: Thomas J Balfe, freebsd-security@FreeBSD.org
Subject: Re: CA-95:14

On Tue, 12 Mar 1996, invalid opcode wrote:
> On Tue, 12 Mar 1996, Thomas J Balfe wrote:
>
> > Does 2.1R have the RFC 1408 or RFC 1572 telnetd_environment_vulnerability
> > bug worked out of it, or do I have to apply a patch? Are there any other
> > things that I should apply to 2.1R? Thanks.
> > Thomas J Balfe
>
> As far as I can tell (strings /usr/bin/telnet | grep -i LD), it doesn't
> appear to be present.

Read more carefully. The specified problem is in telnetd, not telnet.
I can't speak for 2.1R, but the problem is not in -stable or -current.
Tom

From owner-freebsd-security Wed Mar 13 00:48:49 1996
From: invalid opcode
Date: Wed, 13 Mar 1996 00:44:16 -0800 (PST)
To: Tom Samplonius
cc: Thomas J Balfe, freebsd-security@FreeBSD.org
Subject: Re: CA-95:14

On Tue, 12 Mar 1996, Tom Samplonius wrote:
> Read more carefully. The specified problem is in telnetd, not telnet.
> I can't speak for 2.1R, but the problem is not in -stable or -current.
> Tom

Sorry, my mistake. It appears that it is still present in -release, but
I've tried to exploit it here and no luck.
== Chris Layne =============================================================
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Wed Mar 13 03:22:25 1996
From: Nathan Lawson
Message-Id: <199603131122.DAA10184@kdat.calpoly.edu>
Subject: Re: CA-95:14
To: coredump@nervosa.com (invalid opcode)
Date: Wed, 13 Mar 1996 03:22:02 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: from "invalid opcode" at Mar 13, 96 00:44:16 am

> On Tue, 12 Mar 1996, Tom Samplonius wrote:
>
> > Read more carefully. The specified problem is in telnetd, not telnet.
> > I can't speak for 2.1R, but the problem is not in -stable or -current.
> > Tom
>
> Sorry, my mistake. It appears that it is still present in -release, but
> I've tried to exploit it here and no luck.

It's easy to exploit. Create your own shared library (man ld if you don't
know how). Pass in an LD_LIBRARY_PATH variable via the telnet environ
command. Login will use your library instead of the /usr/lib ones.

As for doing a strings on telnet and grepping for LD, that is an utter
misunderstanding of the problem. The problem isn't in telnet, strings
wouldn't show it, and it has nothing to do with LD variables specifically.
You can pass ANY environmental variable to login, which is the real
problem.
--
Nate Lawson      \Yeah, I was dreaming through the 'howzlife', yawning, car black,
CS-EE double      \when she told me 'mad and meaningless as ever...' and a song
major,             \came on the radio like a cemetery rhyme for a million crying
unaccredited        \corpses in their tragedy of respectable existence. - BR

From owner-freebsd-security Wed Mar 13 04:32:44 1996
From: invalid opcode
Date: Wed, 13 Mar 1996 04:32:23 -0800 (PST)
To: Nathan Lawson
cc: security@freebsd.org
Subject: Re: CA-95:14
In-Reply-To: <199603131122.DAA10184@kdat.calpoly.edu>

On Wed, 13 Mar 1996, Nathan Lawson wrote:
> > Sorry, my mistake. It appears that it is still present in -release, but
> > I've tried to exploit it here and no luck.
>
> It's easy to exploit. Create your own shared library (man ld if you don't

I did that. No go. I'll try again.

> As for doing a strings on telnet and grepping for LD, that is an utter
> misunderstanding of the problem. The problem isn't in telnet, strings wouldn't
> Nate Lawson \Yeah, I was dreaming through the 'howzlife', yawning, car black,

I said I was wrong the first time, and that I intended to grep in telnetd
and not telnet.
== Chris Layne =============================================================
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==

From owner-freebsd-security Wed Mar 13 08:45:08 1996
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199603131642.IAA19150@passer.osg.gov.bc.ca>
Reply-to: cschuber@orca.gov.bc.ca
To: invalid opcode
cc: Thomas J Balfe, freebsd-security@freebsd.org
Subject: Re: CA-95:14
In-reply-to: Your message of "Tue, 12 Mar 96 15:37:03 PST."
Date: Wed, 13 Mar 96 08:42:29 -0800

> On Tue, 12 Mar 1996, Thomas J Balfe wrote:
>
> > Does 2.1R have the RFC 1408 or RFC 1572 telnetd_environment_vulnerability
> > bug worked out of it, or do I have to apply a patch? Are there any other
> > things that I should apply to 2.1R? Thanks.
> > Thomas J Balfe
>
> As far as I can tell (strings /usr/bin/telnet | grep -i LD), it doesn't
> appear to be present.

Actually, if you strings /usr/libexec/telnetd | grep LD and it doesn't
appear to be present you have the problem. Another test would be to
perform the following:

	telnet
	telnet> environ define LD_LIBRARY_PATH=/foobar
	telnet> environ export LD_LIBRARY_PATH
	telnet> open localhost
	..... log in .....
	$ printenv | grep LD_LIBRARY_PATH
	or
	$ echo $LD_LIBRARY_PATH

If LD_LIBRARY_PATH is /foobar or if you get a loader message indicating it
cannot find /foobar you have the problem.

As far as I could tell in January when I got my 2.1R CDROM, FreeBSD does
not have the problem. 2.0.5R, however, does.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

From owner-freebsd-security Wed Mar 13 11:40:46 1996
From: invalid opcode
Date: Wed, 13 Mar 1996 11:34:25 -0800 (PST)
To: cschuber@orca.gov.bc.ca
cc: Thomas J Balfe, freebsd-security@FreeBSD.ORG
Subject: Re: CA-95:14
In-Reply-To: <199603131642.IAA19150@passer.osg.gov.bc.ca>

On Wed, 13 Mar 1996, Cy Schubert - BCSC Open Systems Group wrote:
> Actually, if you strings /usr/libexec/telnetd | grep LD and it doesn't appear to
> be present you have the problem. Another test would be to perform the

Yep, because in the fixed versions, there are some strncmp()'s on the
various LD_* strings.

> As far as I could tell in January when I got my 2.1R CDROM, FreeBSD does not
> have the problem. 2.0.5R, however, does.
> Cy Schubert OV/VM: BCSC02(CSCHUBER)

I looked in the CVS repository, this problem is fixed in 2.1.0-RELEASE.

As an added note, it was fixed in the 3.0 version of Slackware Linux also.

== Chris Layne =============================================================
== coredump@nervosa.com ================ http://www.nervosa.com/~coredump ==
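The server-side check the thread circles around, as an added example that is not code from the thread or from FreeBSD's telnetd: a filter deciding which ENVIRON-supplied variables telnetd may hand to login(1). It pairs the strncmp()-on-LD_* approach Chris mentions with an explicit allow list, because of Nate Lawson's point that any variable, not just LD_*, can be pushed at login; the prefix and allow lists are assumptions, not FreeBSD's actual ones.

```c
/* Added example, not FreeBSD telnetd code. Filters the environment
 * received via the telnet ENVIRON option (RFC 1408/1572) before it is
 * passed to login(1). Lists below are assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Prefixes honoured by dynamic loaders; a remote value lets the client
 * pick which shared objects a privileged login process loads. */
static const char *const deny_prefixes[] = { "LD_", "_RLD", "LIBPATH", NULL };

/* Variables a telnet client may reasonably set on the server (assumed). */
static const char *const allow_names[] = { "TERM", "DISPLAY", "LANG", NULL };

/* Return 1 if NAME may be exported to login, 0 if it must be dropped. */
int env_name_allowed(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    /* Only plain identifiers: no '=' smuggling, digits first, or controls. */
    if (!isalpha((unsigned char)name[0]) && name[0] != '_')
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    /* Defence in depth: refuse loader variables even if the allow list
     * is widened by mistake later. */
    for (const char *const *d = deny_prefixes; *d; d++)
        if (strncmp(name, *d, strlen(*d)) == 0)
            return 0;
    /* Allow list is the real decision: unknown names never reach login. */
    for (const char *const *a = allow_names; *a; a++)
        if (strcmp(name, *a) == 0)
            return 1;
    return 0;
}

/* Compact a NULL-terminated "NAME=value" array in place, keeping only
 * entries whose NAME passes env_name_allowed(). Returns entries kept. */
size_t filter_environ(char **envp)
{
    size_t kept = 0;
    char name[64];
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        size_t len = eq ? (size_t)(eq - envp[i]) : 0;
        if (eq == NULL || len == 0 || len >= sizeof name)
            continue;                 /* malformed or oversized: drop */
        memcpy(name, envp[i], len);
        name[len] = '\0';
        if (env_name_allowed(name))
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return kept;
}
```

Running filter_environ() over a constructed client environment such as TERM=vt100, LD_LIBRARY_PATH=/foobar, DISPLAY=:0 and IFS=x keeps only TERM and DISPLAY, which is the outcome Cy's manual printenv test would confirm on a fixed telnetd.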