From owner-freebsd-security Sun Feb 2 00:43:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA08895 for security-outgoing; Sun, 2 Feb 1997 00:43:25 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA08888 for ; Sun, 2 Feb 1997 00:43:21 -0800 (PST)
Message-Id: <199702020843.AAA08888@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA190292998; Sun, 2 Feb 1997 19:43:19 +1100
From: Darren Reed
Subject: BSDI's Firewalling package.
To: security@freebsd.org
Date: Sun, 2 Feb 1997 19:43:18 +1100 (EDT)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Check out: http://www.krystal.com/IPFilters.html has comparisons between other available products.

Darren

From owner-freebsd-security Sun Feb 2 21:55:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id VAA10243 for security-outgoing; Sun, 2 Feb 1997 21:55:07 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA10238 for ; Sun, 2 Feb 1997 21:55:05 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.4/8.7.6) id XAA07517; Sun, 2 Feb 1997 23:54:55 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702030554.XAA07517@enteract.com>
Subject: Critical Security Problem in 4.4BSD crt0
To: bugtraq@netspace.org
Date: Sun, 2 Feb 1997 23:54:54 -0600 (CST)
Cc: freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

There is a critically important security problem in FreeBSD 2.1.5's C runtime support library that will enable anyone with control of the environment of a process to cause it to execute arbitrary code. All executable SUID programs on the system are vulnerable to this problem.

The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the "main()" entry point function in the program that is starting, will under some circumstances call routines that set the "locale" of the program. The routines that do this are heavily dependent on environment variables, which are in some circumstances copied directly into local character buffers on the stack of the locale routines.

An immediately exploitable problem is evident in "startup_setrunelocale()", which, if certain environment variables are set, will copy the value of "PATH_LOCALE" directly into a 1024 byte buffer on the routine's stack. An attacker simply needs to insert machine code and virtual memory addresses into the "PATH_LOCALE" variable, enable startup locale processing, and run an SUID program.

On FreeBSD 2.1.5, startup locale processing is enabled by setting the environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is called if the environment variable "LC_CTYPE" is set as well.

An exploit to this problem was written in less than 5 minutes. It's a completely typical stack overrun. There is at least one report of individuals actively exploiting this problem on the net.

FreeBSD 2.2-BETA, as well as OpenBSD, seem to have this problem resolved. FreeBSD's crt0 start() function does not process locales and is thus not vulnerable to this problem. I have seen no announcements from the FreeBSD team about 2.2's resolution to the problem, or 2.1.5's vulnerability, and can only assume that they are unaware of it.

Thanks to Michael Scher at U.S. Host for information about this problem.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
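The copy the advisory describes, reconstructed in C as an added example. This is not FreeBSD's startup_setlocale.c; the function names, the 1024-byte buffer as a named constant, the default locale directory and the encoding string are assumptions for illustration. It shows the unbounded strcpy/strcat sequence next to a builder that bounds the copy with snprintf against the real buffer size, treats truncation as an error, and refuses an environment-supplied PATH_LOCALE when the real and effective ids differ, which is the shape of the e/uid check the thread later attributes to -current.

```c
/*
 * Added example, not FreeBSD's code. Models the bug in the advisory:
 * "<PATH_LOCALE>/<encoding>/LC_CTYPE" built into a 1024-byte stack buffer
 * with strcpy/strcat, PATH_LOCALE coming straight from the environment.
 * Names, the default directory and the encoding value are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_BUF 1024                            /* buffer size the advisory gives */
#define DEFAULT_PATH_LOCALE "/usr/share/locale"    /* assumed compiled-in default */

/* The unsafe pattern: four unbounded copies into a fixed buffer.
 * Kept for comparison only; never feed it attacker-controlled input. */
void unsafe_ctype_path(char name[LOCALE_BUF], const char *path_locale,
                       const char *encoding)
{
    (void)strcpy(name, path_locale);        /* overrun begins here if too long */
    (void)strcat(name, "/");
    (void)strcat(name, encoding);
    (void)strcat(name, "/LC_CTYPE");
}

/* Bytes the unsafe sequence writes, NUL included. Anything above
 * LOCALE_BUF lands on whatever follows the buffer on the stack. */
size_t unsafe_bytes_written(const char *path_locale, const char *encoding)
{
    return strlen(path_locale) + 1 + strlen(encoding) + strlen("/LC_CTYPE") + 1;
}

/* Hardened builder: 0 on success (name filled), else an errno value.
 * `setid` is a parameter so both branches can be exercised; a real caller
 * passes process_is_setid() (or issetugid(2) on modern BSDs). */
int safe_ctype_path(char *name, size_t namesz, const char *path_locale,
                    const char *encoding, int setid)
{
    int n;

    if (setid && path_locale != NULL)
        return EPERM;            /* set-id: the environment must not pick the file */
    if (path_locale == NULL)
        path_locale = DEFAULT_PATH_LOCALE;
    if (encoding == NULL || encoding[0] == '\0' || strchr(encoding, '/') != NULL)
        return EINVAL;           /* keep the encoding a single path component */

    n = snprintf(name, namesz, "%s/%s/LC_CTYPE", path_locale, encoding);
    if (n < 0 || (size_t)n >= namesz)
        return ENAMETOOLONG;     /* would have overrun; never fopen() a clipped path */
    return 0;
}

int process_is_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Wrapper returning the built path in a static buffer, or NULL on refusal. */
const char *build_ctype_path(const char *path_locale, const char *encoding, int setid)
{
    static char name[LOCALE_BUF];
    return safe_ctype_path(name, sizeof name, path_locale, encoding, setid) == 0 ? name : NULL;
}

/* Feed a constructed PATH_LOCALE of `padlen` 'A' bytes to the safe builder
 * and return its result; *unsafe_len (if non-NULL) receives the byte count
 * the unsafe sequence would have written for the same input. */
int try_padded_path(size_t padlen, size_t *unsafe_len)
{
    char name[LOCALE_BUF];
    char *pad = malloc(padlen + 1);
    int rc;

    if (pad == NULL)
        return ENOMEM;
    memset(pad, 'A', padlen);
    pad[padlen] = '\0';
    if (unsafe_len != NULL)
        *unsafe_len = unsafe_bytes_written(pad, "en_US.ISO8859-1");
    rc = safe_ctype_path(name, sizeof name, pad, "en_US.ISO8859-1", 0);
    free(pad);
    return rc;
}

int main(void)
{
    char name[LOCALE_BUF];
    size_t n = 0;
    int rc = try_padded_path(4000, &n);      /* constructed oversize PATH_LOCALE */

    unsafe_ctype_path(name, "/usr/share/locale", "en_US.ISO8859-1");   /* short input: identical result */
    printf("unsafe builder, short input: %s\n", name);
    printf("unsafe copy of a 4000-byte PATH_LOCALE would write %zu bytes into %d\n", n, LOCALE_BUF);
    printf("safe builder on the same input: %s\n", rc == 0 ? "ok" : strerror(rc));
    printf("safe builder, set-id with PATH_LOCALE set: %s\n",
           build_ctype_path("/tmp/x", "en_US.ISO8859-1", 1) ? "accepted" : "refused");
    return 0;
}
```

The set-id refusal matters as much as the bound: even with the copy fixed, a set-id program that honours PATH_LOCALE lets the caller choose which file is opened and parsed as LC_CTYPE.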
From owner-freebsd-security Sun Feb 2 22:26:23 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA11149 for security-outgoing; Sun, 2 Feb 1997 22:26:23 -0800 (PST)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA11142 for ; Sun, 2 Feb 1997 22:26:18 -0800 (PST)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id RAA27732; Mon, 3 Feb 1997 17:29:45 +1100 (EST)
Date: Mon, 3 Feb 1997 17:29:43 +1100 (EST)
From: "Daniel O'Callaghan"
To: freebsd-security@freebsd.org
Subject: Critical Security Problem in 4.4BSD crt0 (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

---------- Forwarded message ----------
Date: Sun, 2 Feb 1997 23:54:54 -0600 (CST)
From: Thomas H. Ptacek
To: bugtraq@netspace.org
Cc: freebsd-security@freebsd.org
Subject: Critical Security Problem in 4.4BSD crt0

There is a critically important security problem in FreeBSD 2.1.5's C runtime support library that will enable anyone with control of the environment of a process to cause it to execute arbitrary code. All executable SUID programs on the system are vulnerable to this problem.

The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the "main()" entry point function in the program that is starting, will under some circumstances call routines that set the "locale" of the program. The routines that do this are heavily dependent on environment variables, which are in some circumstances copied directly into local character buffers on the stack of the locale routines.

An immediately exploitable problem is evident in "startup_setrunelocale()", which, if certain environment variables are set, will copy the value of "PATH_LOCALE" directly into a 1024 byte buffer on the routine's stack. An attacker simply needs to insert machine code and virtual memory addresses into the "PATH_LOCALE" variable, enable startup locale processing, and run an SUID program.

On FreeBSD 2.1.5, startup locale processing is enabled by setting the environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is called if the environment variable "LC_CTYPE" is set as well.

An exploit to this problem was written in less than 5 minutes. It's a completely typical stack overrun. There is at least one report of individuals actively exploiting this problem on the net.

FreeBSD 2.2-BETA, as well as OpenBSD, seem to have this problem resolved. FreeBSD's crt0 start() function does not process locales and is thus not vulnerable to this problem. I have seen no announcements from the FreeBSD team about 2.2's resolution to the problem, or 2.1.5's vulnerability, and can only assume that they are unaware of it.

Thanks to Michael Scher at U.S. Host for information about this problem.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
From owner-freebsd-security Sun Feb 2 23:07:22 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA12530 for security-outgoing; Sun, 2 Feb 1997 23:07:22 -0800 (PST)
Received: from roundtable.cif.rochester.edu (sadmin@roundtable.cif.rochester.edu [128.151.220.14]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA12524 for ; Sun, 2 Feb 1997 23:07:19 -0800 (PST)
Received: (from sadmin@localhost) by roundtable.cif.rochester.edu (8.8.5/8.8.3) id CAA07764 for freebsd-security@freebsd.org; Mon, 3 Feb 1997 02:06:56 -0500 (EST)
From: Security Administrator
Message-Id: <199702030706.CAA07764@roundtable.cif.rochester.edu>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: freebsd-security@freebsd.org (FreeBSD Security)
Date: Mon, 3 Feb 1997 02:06:55 -0500 (EST)
In-Reply-To: <199702030554.XAA07517@enteract.com> from "Thomas H. Ptacek" at Feb 2, 97 11:54:54 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

2-3-97

Question: Does this problem in 2.1.5 appear in 2.1.6 or 2.1.6.1? Since the libraries are similar, my guess without comparing code is that the bug is there.

Could you post an example of the exploit that you wrote for 2.1.5?

Thanks,

Josh Pincus
--
System Security Administrator
Computer Interest Floor
University of Rochester
Rochester, NY 14627
sadmin@roundtable.cif.rochester.edu

From owner-freebsd-security Sun Feb 2 23:48:43 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA13860 for security-outgoing; Sun, 2 Feb 1997 23:48:43 -0800 (PST)
Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id XAA13854 for ; Sun, 2 Feb 1997 23:48:39 -0800 (PST)
Received: (qmail 13188 invoked by uid 1000); 3 Feb 1997 07:48:35 -0000
Message-ID: <19970203074835.13187.qmail@spitfire.ecsel.psu.edu>
To: Security Administrator
cc: freebsd-security@freebsd.org, bugtraq@netspace.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 02:06:55 EST." <199702030706.CAA07764@roundtable.cif.rochester.edu>
Date: Mon, 03 Feb 1997 02:48:34 -0500
From: Dan Cross
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Question: Does this problem in 2.1.5 appear in 2.1.6 or 2.1.6.1? Since the
> libraries are similar, my guess without comparing code is that the bug
> is there.

Yes, the bug does indeed appear in 2.1.6, at least. Here's an untested patch which SHOULD fix the problem, though:

----- Begin startup_setlocale.diff *** startup_setlocale.c 1997/02/03 07:40:46 1.1 --- startup_setlocale.c 1997/02/03 07:41:47 *************** *** 174,183 **** return(0); } ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 174,181 ---- return(0); } ! (void) snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End of startup_setlocale.diff

Note that there might be more problems, but I haven't got the time to test for them right now.
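Review bot: the size argument is `PATH_MAX`, but the hunk never shows how `name` is declared, so nothing ties the bound to the actual buffer (the advisory says 1024 bytes, which happens to be FreeBSD's PATH_MAX, but the equality is not checked here); pass `sizeof(name)` instead, and check the return value so an over-long PathLocale fails rather than handing a silently truncated path to `fopen()`, e.g. `if (snprintf(name, sizeof(name), "%s/%s/LC_CTYPE", PathLocale, encoding) >= sizeof(name)) return(ENAMETOOLONG);`. The copy is now bounded, but `PathLocale` still comes from the environment of a possibly set-id process, so the caller still needs to refuse it when the real and effective ids differ; without that the attacker keeps control over which file is opened and parsed as LC_CTYPE.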
:-(

- Dan C.

From owner-freebsd-security Mon Feb 3 01:03:23 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA16406 for security-outgoing; Mon, 3 Feb 1997 01:03:23 -0800 (PST)
Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA16399 for ; Mon, 3 Feb 1997 01:03:20 -0800 (PST)
Received: from localhost (spork@localhost) by super-g.inch.com (8.8.5/8.6.9) with SMTP id EAA18922; Mon, 3 Feb 1997 04:08:56 -0500 (EST)
Date: Mon, 3 Feb 1997 04:08:55 -0500 (EST)
From: spork
X-Sender: spork@super-g.inch.com
To: Dan Cross
cc: freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <19970203074835.13187.qmail@spitfire.ecsel.psu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

What would happen if the "safe" 2.2 library were used under 2.1.6? It certainly compiles OK... Or am I smoking crack here?

Charles

On Mon, 3 Feb 1997, Dan Cross wrote:

> > Question: Does this problem in 2.1.5 appear in 2.1.6 or 2.1.6.1? Since the
> > libraries are similar, my guess without comparing code is that the bug
> > is there.
>
> yes, the bug does indeed appear in 2.1.6, at least. Here's an untested
> patch which SHOULD fix the problem, though:
>
> ----- Begin startup_setlocale.diff > *** startup_setlocale.c 1997/02/03 07:40:46 1.1 > --- startup_setlocale.c 1997/02/03 07:41:47 > *************** > *** 174,183 **** > return(0); > } > > ! (void) strcpy(name, PathLocale); > ! (void) strcat(name, "/"); > ! (void) strcat(name, encoding); > ! (void) strcat(name, "/LC_CTYPE"); > > if ((fp = fopen(name, "r")) == NULL) > return(ENOENT); > --- 174,181 ---- > return(0); > } > > ! (void) snprintf(name, > ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); > > if ((fp = fopen(name, "r")) == NULL) > return(ENOENT); > ----- End of startup_setlocale.diff
>
> Note that there might be more problems, but I haven't got the time
> to test for them right now. :-(
>
> - Dan C.
>

From owner-freebsd-security Mon Feb 3 01:44:12 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA17918 for security-outgoing; Mon, 3 Feb 1997 01:44:12 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA17913 for ; Mon, 3 Feb 1997 01:44:08 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id DAA18201; Mon, 3 Feb 1997 03:43:14 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702030943.DAA18201@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: torbjorn@norway.eu.net (Torbjorn Ose)
Date: Mon, 3 Feb 1997 03:42:33 -0600 (CST)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702030817.JAA22183@kirov.eunet.no> from "Torbjorn Ose" at Feb 3, 97 08:17:55 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> This was also fixed in 2.1.6 and there was much talk about this ages ago
> when it was first discovered. This was last year sometime. I also recall
> reading an advisory from FreeBSD about this.

Interesting. I very recently installed 2.1.6 over the network from FTP.FREEBSD.ORG on one of our machines. Immediately after finding the problem, I tried my exploit on the 2.1.6 machine. It worked without modification. After reading your message, I tried again. It still worked. I then looked at the source tree for 2.1.6, and sure enough, crt0 start() still does startup locale processing, and startup_setrunelocale() still has a stack overrun.
Then I downloaded the library source distribution from wcarchive and diffed 2.1.5 against 2.1.6. Know what changed? The version numbers in the RCS strings.

I note that I am unable to find any evidence of a crt0 announcement from FreeBSD. Searches of the freebsd-announce and freebsd-security mailing lists turn up nothing relevant to crt0, start(), or locales. Could you provide a URL to this announcement you recall reading?

The problem certainly was not fixed "by 2.1.6"; 2.1.6 needs to be patched (just as 2.1.5 does). Any system installed off the FTP servers, since the release of 2.1.6 up to and including today, is vulnerable to this problem.

Thanks for the input.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."

From owner-freebsd-security Mon Feb 3 02:14:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA20332 for security-outgoing; Mon, 3 Feb 1997 02:14:10 -0800 (PST)
Received: from stop.no (gw.eunet.no [195.0.195.195]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA20317 for ; Mon, 3 Feb 1997 02:14:04 -0800 (PST)
Received: from kirov.eunet.no ([193.71.2.3]) by full.stop.no with ESMTP id <21773>; Mon, 3 Feb 1997 12:43:03 +0000
Received: from kirov.eunet.no (localhost [127.0.0.1]) by kirov.eunet.no (8.8.2/8.8.2/Torbjorn) with ESMTP id LAA27365; Mon, 3 Feb 1997 11:13:52 +0100 (MET)
Message-Id: <199702031013.LAA27365@kirov.eunet.no>
To: tqbf@enteract.com
cc: freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 03:42:33 CST." <199702030943.DAA18201@enteract.com>
Date: Mon, 3 Feb 1997 10:13:51 +0000
From: Torbjorn Ose
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702030943.DAA18201@enteract.com>, "Thomas H. Ptacek" writes:
> > This was also fixed in 2.1.6 and there was much talk about this ages ago
> > when it was first discovered. This was last year sometime. I also recall
> > reading an advisory from FreeBSD about this.

OK, I could be wrong about 2.1.6. Here's the first message I can find that mentions the problem (from Best of Security). It's from August 1996, so the problem has been well known for a long time. It seems all other messages I have on this bug are personal mails that I cannot quote from without permission.

From: Julian Assange
Date: Thu, 15 Aug 1996 09:28:05 +1000
To: best-of-security@suburbia.net
Subject: BoS: Widespread resolv+ bugs
Resent-Date: Thu, 15 Aug 1996 09:28:19 +1000
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Resent-Message-Id: <"vYeOh1.0.0C5.94c4o"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/219
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net

Alan Cox intimated on bugtraq that he has found some bugs in resolv+. The bugs have been about for years and concern the passing of environment variables to resolv+ code (which is normally called by ping, rlogin, rsh, ssh etc). Since it looks like the cat is about to leap from the bag, I think I had better explain.

Resolv+ is a library, often incorporated with libc, but sometimes stand alone (e.g. -lresolv). It contains gethostbyname()/gethostbyaddr() as well as other DNS functions.

As an example of the wonders of resolv+:

$ export RESOLV_HOST_CONF=/etc/shadow
$ rlogin thepopeneverlikedbadgersanywaymate

Linux is prone to this. Solaris/SunOS does not appear to be. FreeBSD is not. But that's ok, they make up for it with NLS/Locale, which is a far, far bigger problem.

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive.
It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience."
- C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

Torbjorn

From owner-freebsd-security Mon Feb 3 02:26:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA21429 for security-outgoing; Mon, 3 Feb 1997 02:26:47 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA21417 for ; Mon, 3 Feb 1997 02:26:42 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id EAA19567; Mon, 3 Feb 1997 04:26:20 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031026.EAA19567@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: torbjorn@norway.eu.net (Torbjorn Ose)
Date: Mon, 3 Feb 1997 04:25:39 -0600 (CST)
Cc: freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702031013.LAA27365@kirov.eunet.no> from "Torbjorn Ose" at Feb 3, 97 10:13:51 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> ok, I could be wrong about 2.1.6. Here's the first message I can find that

You are. The problem is "fixed" in -current with patches to setlocale.c that check mismatched e/uid and do bounds checking on the string copies, but 2.2 doesn't do startup locale processing. 2.1.6 did not resolve this problem.

> mentions the problem (from Best of Security). It's from August 1996 so the
> problem has been well known for a long time. It seems all other messages I have

Uh. Locales have been a problem for a long, long time. They can be used to subvert quite a few programs. Startup locale processing and a crt0 vulnerability have not been well known for a long time. I would hope that the FreeBSD team, upon becoming aware of a problem that rendered every privileged binary on their system vulnerable, would have released an official announcement about the problem.

Locale processing in general is an issue for many reasons, not the least (and not the only) of which is the fact that the routines aren't coded safely for SUID programs. Silently processing locale information in every program on the system out of start() is a different issue, though.

I'm fairly certain that if Mr. Assange was aware (in August) of the crt0 vulnerability, he'd have notified someone (as opposed to leaving vague hints in unrelated messages). However, I obviously don't speak for him.

> on this bug are personal mails that I cannot quote from without permission.

If your information regarding this problem is not publicly available, it's irrelevant to the purposes of my posts on bugtraq and comp.security.unix.

I'll reiterate: 2.1.6 is vulnerable to this problem, and anyone with a 2.1.6 installation is vulnerable. The FreeBSD team has not made information regarding this problem available to the public, although they did silently fix it in -current.

Thanks again for your input.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
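A way to answer the question raised earlier in the thread ("does this problem appear in 2.1.6?") on a given install without an exploit, as an added example that is not part of the thread: spawn a target with the trigger environment the advisory names (ENABLE_STARTUP_LOCALE set, LC_CTYPE set, and a PATH_LOCALE of plain 'A' bytes longer than the 1024-byte buffer) and classify how the child exits. The payload is inert, so an affected crt0 only faults instead of running anything. The LC_CTYPE value, the /bin/sh default target and the use of exit status 127 for "exec failed" are conventions of this harness, not anything the thread states.

```c
/*
 * Added example, not from the thread. Crash probe for the crt0 startup
 * locale overrun: run a target with the advisory's trigger environment and
 * an oversized, inert PATH_LOCALE, then report whether it died by signal.
 * Any binary linked against the affected crt0 will do; the target need not
 * be set-id, so probe an unprivileged program as an unprivileged user.
 * The LC_CTYPE value is an assumption (the thread only says it must be set).
 */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_EXEC_FAILED (-1)

/* Returns 0 if the target exited on its own, the signal number if it was
 * killed by one (SIGSEGV/SIGBUS on a 1997 FreeBSD; SIGABRT where a stack
 * protector catches it), or PROBE_EXEC_FAILED if it could not be started. */
int probe_startup_locale(const char *path, char *const argv[], size_t padlen)
{
    const char prefix[] = "PATH_LOCALE=";
    char *pathvar = malloc(sizeof prefix + padlen);   /* sizeof covers the NUL */
    char *envp[4];
    pid_t pid;
    int status;

    if (pathvar == NULL)
        return PROBE_EXEC_FAILED;
    memcpy(pathvar, prefix, sizeof prefix - 1);
    memset(pathvar + sizeof prefix - 1, 'A', padlen);  /* inert filler, no addresses */
    pathvar[sizeof prefix - 1 + padlen] = '\0';

    envp[0] = "ENABLE_STARTUP_LOCALE=1";   /* enables start()'s locale code (advisory) */
    envp[1] = "LC_CTYPE=en_US.ISO8859-1";  /* makes start() call startup_setrunelocale() */
    envp[2] = pathvar;                     /* the oversized copy source */
    envp[3] = NULL;

    pid = fork();
    if (pid < 0) {
        free(pathvar);
        return PROBE_EXEC_FAILED;
    }
    if (pid == 0) {
        int devnull = open("/dev/null", O_RDWR);   /* keep the target quiet */
        if (devnull >= 0) {
            dup2(devnull, STDIN_FILENO);
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
        }
        execve(path, argv, envp);
        _exit(127);                        /* exec failed */
    }
    free(pathvar);
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_EXEC_FAILED;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 127)
        return PROBE_EXEC_FAILED;          /* assumes the target itself never exits 127 */
    return 0;
}

/* Try increasing lengths; return the smallest that kills the target, or 0
 * if none did. Only lengths past the 1024-byte buffer can overrun it. */
size_t smallest_crashing_length(const char *path, char *const argv[])
{
    static const size_t lengths[] = { 512, 1024, 2048, 4096, 8192 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        if (probe_startup_locale(path, argv, lengths[i]) > 0)
            return lengths[i];
    return 0;
}

int main(int argc, char **argv)
{
    char *const default_argv[] = { "sh", "-c", ":", NULL };
    const char *target = argc > 1 ? argv[1] : "/bin/sh";
    char *const *target_argv = argc > 1 ? argv + 1 : default_argv;
    size_t hit = smallest_crashing_length(target, target_argv);

    if (hit)
        printf("%s died with a %zu-byte PATH_LOCALE: startup locale copy looks unbounded\n", target, hit);
    else
        printf("%s survived every length: no unbounded startup locale copy observed\n", target);
    return 0;
}
```

On an affected 2.1.5 or 2.1.6 host any ordinary binary dies with a signal once PATH_LOCALE passes the buffer size; a patched host, or one whose crt0 no longer processes locales, survives every length. The signal number is returned rather than interpreted so the caller can tell a fault from an abort.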
From owner-freebsd-security Mon Feb 3 03:32:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA24048 for security-outgoing; Mon, 3 Feb 1997 03:32:55 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA24043 for ; Mon, 3 Feb 1997 03:32:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id DAA10128; Mon, 3 Feb 1997 03:31:29 -0800 (PST)
Message-Id: <199702031131.DAA10128@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: tqbf@enteract.com
cc: torbjorn@norway.eu.net (Torbjorn Ose), freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 04:25:39 CST." <199702031026.EAA19567@enteract.com>
From: David Greenman
Reply-To: dg@root.com
Date: Mon, 03 Feb 1997 03:31:29 -0800
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>> ok, I could be wrong about 2.1.6. Here's the first message I can find that
>
>You are. The problem is "fixed" in -current with patches to setlocale.c
>that check mismatched e/uid and do bounds checking on the string copies,
>but 2.2 doesn't do startup locale processing. 2.1.6 did not resolve this
>problem.
...
>and anyone with a 2.1.6 installation is vulnerable. The FreeBSD team has
>not made information regarding this problem available to the public,
>although they did silently fix it in -current.

For the record, the setlocale call from crt0 was removed after a debate about its architectural [in]correctness and had nothing to do with any security hole. I'm not aware of any security related fixes to startup_setrunelocale() in any version of FreeBSD, nor have I seen or heard (until your report) about any security related problems in any of the locale code. It sounds like you're suggesting that there was some sort of coverup, and that simply isn't true.

Anyway, thank you for finding the problem. It's certainly not the only security hole in past versions of FreeBSD, but with bug reports like yours and others, we hope to make FreeBSD more secure in the future.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Feb 3 03:38:28 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA24289 for security-outgoing; Mon, 3 Feb 1997 03:38:28 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA24284 for ; Mon, 3 Feb 1997 03:38:26 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id FAA21844; Mon, 3 Feb 1997 05:38:09 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031138.FAA21844@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: dg@root.com
Date: Mon, 3 Feb 1997 05:37:28 -0600 (CST)
Cc: tqbf@enteract.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Reply-To: tqbf@enteract.com
In-Reply-To: <199702031131.DAA10128@root.com> from "David Greenman" at Feb 3, 97 03:31:29 am
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> For the record, the setlocale call from crt0 was removed after a debate
> about its architectural [in]correctness and had nothing to do with any

I figured as such. =)

> security hole. I'm not aware of any security related fixes to
> startup_setrunelocale() in any version of FreeBSD, nor have I seen or

The new locale routines attempt bounds checking and check for mismatched e/uids to stave off locale vulnerabilities in SUID programs (probably based on the idea that users shouldn't have that much control over the internal operations of an SUID program).

> locale code.
> It sounds like you're suggesting that there was some sort of
> coverup, and that simply isn't true.

I'm sorry, that wasn't what I was trying to imply. I would see no reason for the FreeBSD team to cover up security problems. I do have a general problem with a lack of announcement from the FreeBSD team about problems (as they're found), but I certainly wouldn't want to suggest that you're in any way sitting on this problem.

I'm sure that, given the severity of this problem, I'll be seeing an official announcement about this problem from the FreeBSD folks very soon.

Thanks for clarifying.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."

From owner-freebsd-security Mon Feb 3 04:31:32 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA26595 for security-outgoing; Mon, 3 Feb 1997 04:31:32 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id EAA26586 for ; Mon, 3 Feb 1997 04:31:29 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vrNXV-0003wUC; Mon, 3 Feb 97 04:30 PST
Received: from critter.dk.tfs.com (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id NAA02386; Mon, 3 Feb 1997 13:30:21 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id NAA00750; Mon, 3 Feb 1997 13:31:54 +0100 (MET)
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 05:37:28 CST." <199702031138.FAA21844@enteract.com>
Date: Mon, 03 Feb 1997 13:31:53 +0100
Message-ID: <748.854973113@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702031138.FAA21844@enteract.com>, "Thomas H. Ptacek" writes:
>I do have a general problem with a lack of announcement from the
>FreeBSD team about problems (as they're found), [...]

Well, it is to some extent a conflict of interest thing. If I find a problem in some code, which I have not heard about anywhere else, I usually commit it with a rather toned down commit message. There is no reason to provide free munitions to criminals.

On the other hand, vulnerabilities that have been announced publicly we answer publicly with the relevant information.

We could of course loudly praise our own genius and tell the world every time we fix a problem, but we would essentially sell all of our users every time we did so.

No easy solution I'm afraid.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG           FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk        Private mailbox.
whois: [PHK]                | phk@tfs.com               TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.

From owner-freebsd-security Mon Feb 3 04:46:47 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA26984 for security-outgoing; Mon, 3 Feb 1997 04:46:47 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA26977 for ; Mon, 3 Feb 1997 04:46:43 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id GAA24561; Mon, 3 Feb 1997 06:46:28 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031246.GAA24561@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Date: Mon, 3 Feb 1997 06:45:46 -0600 (CST)
Cc: tqbf@enteract.com, dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Reply-To: tqbf@enteract.com
In-Reply-To: <748.854973113@critter.dk.tfs.com> from "Poul-Henning Kamp" at Feb 3, 97 01:31:53 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> There is no reason to provide free munitions to criminals.

You're kidding yourself if you think the criminals don't have these munitions already. As previously stated, the vulnerability we're discussing is being actively exploited on the network. The case is probably the same with every other vulnerability you have, or will, find in your code. The "criminals" have far more time on their hands to find problems than you do. Finding problems in your code is all they do. You have better things to do.

Partial (or non) disclosure is not an effective option for the FreeBSD project (until the FreeBSD project gets someone like Mr. de Raadt to comb the entire source tree). Until that time, members of the FreeBSD project will probably not be the first people to become aware of security issues with FreeBSD code.

> On the other hand, vulnerabilities that have been announced publicly
> we answer publicly with the relevant information.

freebsd-security@freebsd.org isn't considered "public announcement"?

> We could of course loudly praise our own genius and tell the world
> every time we fix a problem, but we would essentially sell all of

I hardly think fixing problems qualifies as genius.

> No easy solution I'm afraid.

Sure there is. Every security vulnerability you find in your code needs to be patched immediately by everyone running the vulnerable code. Nobody is going to know that their code is vulnerable unless you tell them. Therefore, it seems somewhat obvious to me that every time you find a security vulnerability, you should post a security announcement to freebsd-security, freebsd-announce, and CERT. Chances are, someone has already found the vulnerability you're looking at and is using it to compromise hosts running the problematic code.

If you don't intend to do that, the only recourse we have is to post problem details publicly as soon as they are found, including exploitation details. This is the only way the problems will be taken seriously by "security incident response teams", and announcements from "security incident response teams" seem to be the only thing that ever prompts the FreeBSD team to release a security announcement.

This is, of course, the attitude I'm taking with the crt0 problem. I assume you will come forward with an announcement regarding the problem in the very near future, because I trust that you perceive the severity of this problem in the same manner that I do. If you don't, I'll announce the problem again, with exploit details, and if at that point you don't release an announcement, the various CERT groups will.

Seems to me like you can either choose to come forward with security issues as you become aware of them, or you can find out about your security problems from bugtraq by reading the exploits. I certainly won't be sending in any problem reports if they're not going to be acted on, and "acted on", to my mind, includes notifying your users.

It's your choice, of course, but people complain (loudly) when exploitation details are posted to bugtraq (and the like). If immediate public disclosure of all FreeBSD security problems is not a policy you find acceptable, I suggest you take steps to provide an effective alternative.

Thanks for listening!

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
From owner-freebsd-security Mon Feb 3 04:53:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA27177 for security-outgoing; Mon, 3 Feb 1997 04:53:44 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA27172 for ; Mon, 3 Feb 1997 04:53:42 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id EAA04953 for ; Mon, 3 Feb 1997 04:55:05 -0800 (PST)
Received: (qmail 8354 invoked by uid 110); 3 Feb 1997 12:53:27 -0000
Message-ID: <19970203125327.8353.qmail@suburbia.net>
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <199702031026.EAA19567@enteract.com> from "Thomas H. Ptacek" at "Feb 3, 97 04:25:39 am"
To: tqbf@enteract.com
Date: Mon, 3 Feb 1997 23:53:27 +1100 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm fairly certain that if Mr. Assange was aware (in August) of the crt0
> vulnerability, he'd have notified someone (as opposed to leaving vague
> hints in unrelated messages). However, I obviously don't speak for him.

Sometimes vague hints in unrelated messages is all you get ;)

I wasn't as close to the FreeBSD development process in August and by the time I got around to doing FreeBSD security reviews the problem had disappeared of its own accord.

There are a significant number of security fixes, including to libc about to enter the source base, dyson willing.

OpenBSD's bombastically brandished claims about security should be viewed with a grain of salt [IMHO].

______________________________________________________________________________
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery

From owner-freebsd-security Mon Feb 3 05:10:49 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA27725 for security-outgoing; Mon, 3 Feb 1997 05:10:49 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA27718 for ; Mon, 3 Feb 1997 05:10:41 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id HAA26121; Mon, 3 Feb 1997 07:10:17 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031310.HAA26121@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: proff@suburbia.net
Date: Mon, 3 Feb 1997 07:09:35 -0600 (CST)
Cc: tqbf@enteract.com, security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <19970203125327.8353.qmail@suburbia.net> from "proff@suburbia.net" at Feb 3, 97 11:53:27 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Sometimes vague hints in unrelated messages is all you get ;)

Thanks, Proff! =)

> by the time I got around to doing FreeBSD security reviews the
> problem had disappeared of its own accord.

The problem's not gone. The problem's nowhere near gone. There are tons of 2.1.5 and 2.1.6 systems on the net. As long as the distributions remain on the FreeBSD FTP servers, they should be kept secure. A problem that renders every single program on the system vulnerable is serious regardless of which revision it affects.

Neh?

Thanks.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
From owner-freebsd-security Mon Feb 3 05:17:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA27868 for security-outgoing; Mon, 3 Feb 1997 05:17:06 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA27863 for ; Mon, 3 Feb 1997 05:17:03 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id FAA05409 for ; Mon, 3 Feb 1997 05:18:13 -0800 (PST)
Received: (qmail 10619 invoked by uid 110); 3 Feb 1997 13:16:10 -0000
Message-ID: <19970203131610.10618.qmail@suburbia.net>
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To: <199702031310.HAA26121@enteract.com> from "Thomas H. Ptacek" at "Feb 3, 97 07:09:35 am"
To: tqbf@enteract.com
Date: Tue, 4 Feb 1997 00:16:10 +1100 (EST)
Cc: tqbf@enteract.com, security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> The problem's not gone. The problem's nowhere near gone. There are tons of
> 2.1.5 and 2.1.6 systems on the net. As long as the distributions remain on
> the FreeBSD FTP servers, they should be kept secure. A problem that
> renders every single program on the system vulnerable is serious
> regardless of which revision it affects.
>
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]

You are right of course, I guess I'm suffering from -current or death mentality.

Cheers,
--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery

From owner-freebsd-security Mon Feb 3 05:19:52 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA27966 for security-outgoing; Mon, 3 Feb 1997 05:19:52 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id FAA27961 for ; Mon, 3 Feb 1997 05:19:50 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vrOII-0003vnC; Mon, 3 Feb 97 05:18 PST
Received: from critter.dk.tfs.com (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id OAA02560; Mon, 3 Feb 1997 14:18:43 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id OAA00811; Mon, 3 Feb 1997 14:20:20 +0100 (MET)
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 06:45:46 CST." <199702031246.GAA24561@enteract.com>
Date: Mon, 03 Feb 1997 14:20:19 +0100
Message-ID: <809.854976019@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702031246.GAA24561@enteract.com>, "Thomas H. Ptacek" writes:
>> There is no reason to provide free munitions to criminals.
>
>You're kidding yourself if you think the criminals don't have these
>munitions already. As previously stated, the vulnerability we're
>discussing is being actively exploited on the network. The case is
>probably the same with every other vulnerability you have, or will, find
>in your code.

Some of them, but remember that there is also a great deal of misguided youth out there.

>until the FreeBSD project gets someone like Mr. de
>Raadt to comb the entire source tree.

Rendering /sbin/restore broken as a result... :-( I'm not impressed.
>FreeBSD project will probably not be the first people to become aware of
>security issues with FreeBSD code.

sometimes, sometimes not.

>> On the other hand, vulnerabilities that have been announced publically
>> we answer publically with the relevant information.
>
>freebsd-security@freebsd.org isn't considered "public announcement"?

I'm not really active in that end of it, and I'm sure we can use more people for it :-) So if you have some time...

>> No easy solution I'm afraid.
>
>Sure there is. Every security vulnerability you find in your code needs to
>be patched immediately by everyone running the vulnerable code. Nobody is
>going to know that their code is vulnerable unless you tell them.

This is unfortunately a lot easier said than done. If you want to spearhead this effort, please say so, we can always use more manpower.

>Chances are, someone has already found the vulnerability you're looking at
>and is using it to compromise hosts running the problematic code.

Then again, chances are that they haven't, we will (usually) never know.

>If you don't intend to do that, the only recourse we have is to post
>problem details publically as soon as they are found, including
>exploitation details. This is the only way the problems will be taken
>seriously by "security incident response teams", and announcement from
>"security incident response teams" seem to be the only thing that ever
>prompts the FreeBSD team to release a security announcement.

You know, it reminds me of the news a couple of days ago that students in South Korea had used a 30000 item irreplaceable rock collection from the universe as projectiles against police in the recent riots.

It's a lot easier to be a "rebel" than to be the "official party".

How about this: If you find a hole, you send us a patch, and if we do not fix it within a particular period (two weeks ?) you can post it to the world ? Wouldn't that seem more fair ?

I believe in fixing any problem we hear about, but I also believe in not washing our laundry in public. If I find a security hole, and nobody has exploited it yet, I still see no reason for me to yell out over the entire world that it's there. The fact that people will upgrade their systems and as such close the hole next time is good enough for me.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG           FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk        Private mailbox.
whois: [PHK]                | phk@tfs.com               TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.

From owner-freebsd-security Mon Feb 3 05:45:46 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA28913 for security-outgoing; Mon, 3 Feb 1997 05:45:46 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA28906 for ; Mon, 3 Feb 1997 05:45:41 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id HAA29502; Mon, 3 Feb 1997 07:43:00 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031343.HAA29502@enteract.com>
Subject: Re: Critical Security Problem in 4.4BSD crt0
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Date: Mon, 3 Feb 1997 07:42:18 -0600 (CST)
Cc: tqbf@enteract.com, dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Reply-To: tqbf@enteract.com
In-Reply-To: <809.854976019@critter.dk.tfs.com> from "Poul-Henning Kamp" at Feb 3, 97 02:20:19 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

This thread really isn't going anywhere. My concrete suggestion is that you release security announcements as soon as you become aware of a security problem with your code, whether you found it or someone else did.

If there's something I can do to help ensure that this happens, let me know.
> Some of them, but remember that there is also a great deal of misguided
> youth out there.

Perhaps I have a bit more experience dealing with the "misguided youth" combing FreeBSD code than you do. Perhaps not. If I had to place a bet on whether the FreeBSD project or the underground had any particular bug, I would almost always put my money on the underground.

Again, it seems to me like combing your source tree looking for coding errors is not your top priority; nobody expects it to be. However, if you're not doing that, you really don't have a choice but to resort to full disclosure. I think the bad guys are way ahead of you.

> Rendering /sbin/restore broken as a result... :-( I'm not impressed.

Oh well. I don't want to get into an argument about the merits or demerits of Mr. de Raadt. I'm sure you don't either. OpenBSD has its strong points, FreeBSD has its strong points, let's leave it at that.

> I'm not really active in that end of it, and I'm sure we can use more
> people for it :-) So if you have some time...

Think about how much time and effort I've spent so far. =) I have time. I'm not dependent on the FreeBSD project to make this information public, as you know. I also don't speak for the FreeBSD project, so I'd prefer that announcements about security issues in FreeBSD be handled by a representative of the FreeBSD project.

Again, my complaint is simply that prior experience has shown that security-related problem reports do not elicit announcements from the FreeBSD team to their users. I think this is wrong. In most cases, these problem reports affect many, many people running older versions of your operating system. As long as they're on the FTP site, they're supported.

> This is unfortunately a lot easier said than done. If you want to spearhead
> this effort, please say so, we can always use more manpower.

Heh. If you can point me to all the announcements you've made in the past year, I can fill you in on everything else I know about or have reported, and I can type them up in the format of your previous announcements. You can then feel free to distribute them as you wish.

> Then again, chances are that they haven't, we will (usually) never know.

Well, let's look at it this way: there's a problem in your 2.1.x code that renders *every single executable program* vulnerable to a trivially exploitable stack overrun. As stated before, this problem is now being actively exploited by unknown parties on the network. The bad guys knew about this before you did. To me, that's telling.

I'm not trying to indict you for not knowing. I didn't know until I took a closer look at the twisted monstrosity that is your locale code (sorry, had to say it. =]). I'm simply suggesting that the most effective way to assist your users in maintaining secure systems is to disclose the vulnerabilities, along with patches, as quickly as possible.

> How about this: If you find a hole, you send us a patch, and if we
> do not fix it within a particular period (two weeks ?) you can post it
> to the world ?

Two weeks?

You think a vulnerability window of (at least) two weeks is acceptable?

I'd just as soon post it to the world immediately, so affected systems could get themselves patched. That's me, though. What would require a two week delay? Anything the obvious patch would break would be worth breaking to maintain security; you can release an "official, effective" patch later on and treat the initial one as a workaround.

> not washing our laundry in public. If I find a security hole, and
> nobody has exploited it yet, I still see no reason for me to yell
> out over the entire world that it's there. The fact that people

Well, you and I disagree on that point. My perspective on this issue is pretty simple. I don't assume for a moment that I am the first person to find any given problem that I find. Experience has proven me right most of the time. Given this, I feel it's fairly important to neutralize the problem immediately by posting information about it.

Silent fixes to your code don't help people that are running vulnerable code. When you find problems, the majority of the people running your code are vulnerable, even after you fix the problem.

I think silent fixes are bad. I think every time you find a problem and silently fix it, you ignore the possibility that criminals on the network already found and are exploiting the problem - you're thus potentially allowing systems to be broken into. I'd much rather have to wade through your dirty laundry than see my systems broken into simply because I didn't have the time to keep -current.

You obviously don't expect all your users to run -current (in fact, I get the impression that you discourage it for non-developers). You obviously want your users to be running secure versions of your OS. The only way to do this is to provide them with security information as it becomes available.

Where do we disagree on this?

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
From owner-freebsd-security Mon Feb 3 06:33:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA00747 for security-outgoing; Mon, 3 Feb 1997 06:33:21 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id GAA00739 for ; Mon, 3 Feb 1997 06:33:19 -0800 (PST)
Received: from schizo.dk.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0vrPRQ-0003yFC; Mon, 3 Feb 97 06:32 PST
Received: from critter.dk.tfs.com (critter.dk.tfs.com [140.145.230.252]) by schizo.dk.tfs.com (8.8.2/8.7.3) with ESMTP id PAA03012; Mon, 3 Feb 1997 15:32:14 +0100 (MET)
Received: from critter.dk.tfs.com (localhost [127.0.0.1]) by critter.dk.tfs.com (8.8.2/8.8.2) with ESMTP id PAA01099; Mon, 3 Feb 1997 15:33:50 +0100 (MET)
To: tqbf@enteract.com
cc: dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-reply-to: Your message of "Mon, 03 Feb 1997 07:42:18 CST." <199702031343.HAA29502@enteract.com>
Date: Mon, 03 Feb 1997 15:33:50 +0100
Message-ID: <1097.854980430@critter.dk.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <199702031343.HAA29502@enteract.com>, "Thomas H. Ptacek" writes:
>This thread really isn't going anywhere. My concrete suggestion is that
>you release security announcements as soon as you become aware of a
>security problem with your code, whether you found it or someone else did.
>
>If there's something I can do to help ensure that this happens, let me
>know.

Send us patches and give us a fair amount of time before you yell it out to the wind.

>> This is unfortunately a lot easier said than done. If you want to spearhead
>> this effort, please say so, we can always use more manpower.
>
>Heh. If you can point me to all the announcements you've made in the past
>year, I can fill you in on everything else I know about or have reported,
>and I can type them up in the format of your previous announcements. You
>can then feel free to distribute them as you wish.

Thanks for the offer, please contact pst@freebsd.org for how you can help out here.

>> How about this: If you find a hole, you send us a patch, and if we
>> do not fix it within a particular period (two weeks ?) you can post it
>> to the world ?
>
>Two weeks?

Two weeks. Most of the problems don't have one line fixes.

>You think a vulnerability window of (at least) two weeks is acceptable?

yes.

>could get themselves patched. That's me, though. What would require a two
>week delay? Anything the obvious patch would break would be worth breaking
>to maintain security; you can release an "official, effective" patch later
>on and treat the initial one as a workaround.

Time to find the right fix. Time to roll a snapshot if need be. Notice I didn't say it would always take two weeks, but that we'd like to have time to not rush out the wrong non-solution.

>You obviously don't expect all your users to run -current (in fact, I
>get the impression that you discourage it for non-developers). You
>obviously want your users to be running secure versions of your OS. The
>only way to do this is to provide them with security information as it
>becomes available.
>
>Where do we disagree on this?

In that many systems cannot "just upgrade" any and all times. I may have more experience in the operational aspects of computers than you have.

What we need is manpower who are interested and dedicated in their effort to >help< the users, rather than rip the carpet out under them.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG           FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk        Private mailbox.
whois: [PHK]                | phk@tfs.com               TRW Financial Systems, Inc.
Power and ignorance is a disgusting cocktail.
From owner-freebsd-security Mon Feb 3 06:43:51 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA01168 for security-outgoing; Mon, 3 Feb 1997 06:43:51 -0800 (PST)
Received: from anacreon.sol.net (anacreon.sol.net [206.55.64.116]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id GAA01120; Mon, 3 Feb 1997 06:42:49 -0800 (PST)
Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by anacreon.sol.net (8.6.12/8.6.12) with ESMTP id IAA16547; Mon, 3 Feb 1997 08:42:46 -0600
Received: from localhost by solaria.sol.net (8.5/8.5) id IAA17586; Mon, 3 Feb 1997 08:22:10 -0600
From: Joe Greco
Message-Id: <199702031422.IAA17586@solaria.sol.net>
Subject: Question: 2.1.7?
To: security@freebsd.org, core@freebsd.org
Date: Mon, 3 Feb 97 8:22:08 CST
X-Mailer: ELM [version 2.4dev PL65]
MIME-Version: 1.0
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

With the recent exploits for things such as talkd, sendmail, and the wonderful freakin' locale processing problem I see on bugtraq, would it be wise to consider a 2.1 point release that addressed these issues?

If not, maybe a "patchkit" that could be installed (source or binary, whatever) could be done. But I think a "2.1.7" type release would be most ideal...

I would be happy to work on some of this, as I have already done the work for some of the problems.

Note I am not on security or core so please cc: any interesting responses.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                       jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                   414/342-4847

From owner-freebsd-security Mon Feb 3 07:13:42 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA02464 for security-outgoing; Mon, 3 Feb 1997 07:13:42 -0800 (PST)
Received: from char-star.rdist.org (char-star.rdist.org [206.54.252.22]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA02459 for ; Mon, 3 Feb 1997 07:13:40 -0800 (PST)
From: tqbf@enteract.com
Received: (qmail 2486 invoked by uid 1001); 3 Feb 1997 15:14:28 -0000
Date: 3 Feb 1997 15:14:28 -0000
Message-ID: <19970203151428.2485.qmail@char-star.rdist.org>
To: spork@super-g.com, freebsd-security@freebsd.org
Subject: Re: Critical Security Problem in 4.4BSD crt0
In-Reply-To:
Reply-To: tqbf@enteract.com
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article , you wrote:
>What would happen if the "safe" 2.2 library were used under 2.1.6? It
>certainly compiles OK... Or am I smoking crack here?

The problem is much easier to resolve than that. Just remove locale processing from crt0.c. A patch has been provided elsewhere. This shouldn't break anything on most systems.

--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));

From owner-freebsd-security Mon Feb 3 07:44:21 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA03901 for security-outgoing; Mon, 3 Feb 1997 07:44:21 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA03895 for ; Mon, 3 Feb 1997 07:44:16 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id JAA12610; Mon, 3 Feb 1997 09:44:14 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702031544.JAA12610@enteract.com>
Subject: Problems with locale routines in general...
To: freebsd-security@freebsd.org
Date: Mon, 3 Feb 1997 09:43:33 -0600 (CST)
Cc: bugtraq@netspace.org
Reply-To: tqbf@enteract.com
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm sure I'm rehashing something that the developers are already aware of (FreeBSD -current is not vulnerable to this problem), but from the looks of it, anyone who installed FreeBSD 2.2 prior to December of 1996 is vulnerable to locale routine problems similar to the one that afflicts crt0 start() in FreeBSD 2.1.x.

Specifically, I'm able to cause a shell to be executed from any program that calls setlocale() in FreeBSD 2.2. I tested this out with dmesg, which promptly gave me an SGID "kmem" shell. Note that programs that shed privilege using saved-set UIDs are vulnerable to this problem as well, as the machine code used to take over the affected programs can easily restore privilege.

The locale routines were patched at the end of 1996 to cause PATH_LOCALE (the environment variable whose contents are trampling all over the stack frames of locale routines) to be ignored if the euid doesn't match the uid; the patch also avoids the stack overrun by allocating space for the variable on the heap with strdup(). People running FreeBSD revisions that don't have this patch will want to make sure they've applied these patches as soon as possible.

Vulnerability can easily be assessed by setting LC_CTYPE, filling PATH_LOCALE with 2000 random characters, and attempting to run /sbin/dmesg (which will segfault if the problem exists).

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
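As an added illustration (not code from this thread, from crt0.c or from the FreeBSD locale routines), the pattern Ptacek describes beside the fix he summarises: an environment value copied into a fixed stack buffer, versus ignoring PATH_LOCALE whenever the effective uid differs from the real uid and holding the value on the heap with strdup(). The function names, the 1024-byte buffer size and the uid values are assumptions chosen for the illustration; uid/euid are passed in so the logic can be exercised without running set-uid.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed size of the fixed stack buffer the startup locale code used. */
#define LOCALE_BUF_SIZE 1024

/* VULNERABLE pattern, reconstructed from the description in the thread (not
 * the real startup_setrunelocale() source): the environment value is copied
 * into a fixed-size stack buffer with no length check, so a PATH_LOCALE
 * longer than 1023 bytes writes past 'buf' into the saved frame.  Kept only
 * for contrast; main() below calls it with a short, trusted value. */
static int vulnerable_copy_locale_path(const char *path_locale)
{
    char buf[LOCALE_BUF_SIZE];
    strcpy(buf, path_locale);            /* unbounded copy: the stack overrun */
    return (int)strlen(buf);
}

/* Says whether the vulnerable copy above would overrun its buffer for a given
 * environment value, without performing the copy. */
int path_locale_would_overflow(const char *path_locale)
{
    return path_locale != NULL && strlen(path_locale) + 1 > LOCALE_BUF_SIZE;
}

/* HARDENED form, modelled on the two-part fix Ptacek describes:
 *   1. a set-id process (euid != uid) must not trust its caller's
 *      environment, so PATH_LOCALE is ignored outright;
 *   2. otherwise the value is kept on the heap, sized to the input, instead
 *      of in a fixed stack buffer.
 * Returns a malloc'd copy the caller frees, or NULL when the variable is
 * ignored. */
char *safe_locale_path(const char *path_locale, uid_t uid, uid_t euid)
{
    if (path_locale == NULL || path_locale[0] == '\0')
        return NULL;                     /* variable unset or empty */
    if (uid != euid)
        return NULL;                     /* privileged context: drop it */
    return strdup(path_locale);          /* heap copy, no fixed bound to exceed */
}

/* Builds a constructed test value like the one the message suggests:
 * PATH_LOCALE filled with 'len' characters.  Caller frees. */
char *make_long_path_locale(size_t len)
{
    char *v = malloc(len + 1);
    if (v == NULL)
        return NULL;
    memset(v, 'A', len);
    v[len] = '\0';
    return v;
}

int main(void)
{
    char *bogus = make_long_path_locale(2000);   /* constructed oversize value */
    char *p;

    printf("vulnerable copy would overflow on a 2000-byte value: %s\n",
           path_locale_would_overflow(bogus) ? "yes" : "no");

    /* Assumed set-gid/set-uid process: real uid 1000, effective uid 0. */
    p = safe_locale_path(bogus, 1000, 0);
    printf("hardened, set-id process: %s\n", p ? "used" : "ignored");
    free(p);

    /* Same value in an unprivileged process: honoured, but on the heap. */
    p = safe_locale_path(bogus, 1000, 1000);
    printf("hardened, unprivileged: %s (%zu bytes on the heap)\n",
           p ? "used" : "ignored", p ? strlen(p) : 0);
    free(p);

    /* A short trusted value is fine even for the vulnerable copy. */
    printf("short value copied: %d bytes\n",
           vulnerable_copy_locale_path("/usr/share/locale"));
    free(bogus);
    return 0;
}
```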
From owner-freebsd-security Mon Feb 3 07:49:38 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA04146 for security-outgoing; Mon, 3 Feb 1997 07:49:38 -0800 (PST)
Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA04110 for ; Mon, 3 Feb 1997 07:49:15 -0800 (PST)
Received: from localhost (vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) with SMTP id SAA00828 for ; Mon, 3 Feb 1997 18:47:48 +0300
Date: Mon, 3 Feb 1997 18:47:48 +0300 (MSK)
From: Vadim Kolontsov
To: freebsd-security@freebsd.org
Subject: Simple/dirty solution for PATH_LOCALE hole
In-Reply-To: <1097.854980430@critter.dk.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-229207380-854984868=:689"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

--0-229207380-854984868=:689
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hello,

this program (see attachment) simply patches binaries for 2.1.0 (2.1.5?) and removes _startup_locale() call - you don't need to recompile anything. Kind of temporary fix... Of course, I recommend to apply normal patches to crt0.c and startup_locale.c, rebuild libraries, stat-linked binaries and so on... but my solution can be useful sometimes... or not?

Best regards,
Vadim.
--------------------------------------------------------------------------
Vadim Kolontsov                                        SysAdm/Programmer
Tver Regional Center of New Information Technologies       Networks Lab

--0-229207380-854984868=:689
Content-Type: APPLICATION/octet-stream; name="lfix.tar.gz"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:

--0-229207380-854984868=:689--

From owner-freebsd-security Mon Feb 3 08:22:34 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA05632 for security-outgoing; Mon, 3 Feb 1997 08:22:34 -0800 (PST)
Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA05626 for ; Mon, 3 Feb 1997 08:22:29 -0800 (PST) Received: (from uucp@localhost) by nic.follonett.no (8.8.5/8.8.3) with UUCP id RAA29396; Mon, 3 Feb 1997 17:19:31 +0100 (MET) Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id RAA01619; Mon, 3 Feb 1997 17:21:24 +0100 (MET) Message-Id: <3.0.32.19970203172123.00b499e0@dimaga.com> X-Sender: eivind@dimaga.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Mon, 03 Feb 1997 17:21:24 +0100 To: tqbf@enteract.com From: Eivind Eklund Subject: Re: Critical Security Problem in 4.4BSD crt0 Cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk At 07:42 AM 2/3/97 -0600, Thomas H. Ptacek wrote: >This thread really isn't going anywhere. My concrete suggestion is that >you release security announcements as soon as you become aware of a >security problem with your code, whether you found it or someone else did. > >If there's something I can do to help ensure that this happens, let me >know. There is. I've just joined the FreeBSD commit team with the explict purpose of doing proactive security reviews; however, I'm just going to quietly patch all problems I find that _seems like_ they could be security holes. I'm not going to actually run through a setuid program and verify that there is a way to get user data to a potential buffer overflow - I'll just add checks to make sure that the buffer overflow can never happen. 
If you feel like actually checking which of the things I fix is a security hole (and somebody some committer knows can vouch that you aren't one of these dangerous hackers :) I can throw the patches in your direction and let you write an advisory _for those that turn out to be actual holes_. That means that for eg a buffer overflow, you should prove, either by logic or by demonstration, that one can make this buffer overflow as a user. I'm reasonably certain I can make them get published :) Personally I feel that my time is more efficiently spent on finding and fixing more bugs, rather than publishing advisories. There are some very effective ways of finding potential buffer overflows and other "standard holes", though I haven't seen anything indicating that there is any significant amount of hackers using them. I think we would see more break-ins by actually making public where to look. >> Some of them, but remember that there is also a great deal of misguided >> youth out there. > >Perhaps I have a bit more experience dealing with the "misguided youth" >combing FreeBSD code than you do. Perhaps not. If I had to place a bet on >whether the FreeBSD project or the underground had any particular bug, I >would almost always put my money on the underground. As a former member of the underground I would tend to disagree; things seem to pop up on bugtraq almost as fast as there is an exploit for them these days. And that isn't all that fast, either. >Again, my complaint is simply that prior experience has shown that >security-related problem reports do not elicit announcements from the >FreeBSD team to their users. I think this is wrong. In most cases, these >problem reports affect many, many people running older versions of your >operating system. As long as they're on the FTP site, they're supported.
I've been thinking about setting up a mailing list for distributing binary patches; this would require some VERY tight security for how those patches are sent and accepted, though. (I've been thinking along the lines of PGP-signing from two different core team members with their keys on very different machines.) This could even be used to throw out patches _without_ telling what the problem was. >> How about this: If you find a hole, you send us a patch, and if we >> do not fix it within a particular period (two weeks ?) you can post it >> to the world ? > >Two weeks? > >You think a vulnerability window of (at least) two weeks is acceptable? No. But neither is breaking the systems. Or making the systems of the less security-conscious sysadmins much _more_ vulnerable by telling everybody about the problem. The problem is that there are no acceptable solutions for this, so we just have to find the least distasteful of them. >I'd just as soon post it to the world immediately, so affected systems >could get themselves patched. That's me, though. What would require a two >week delay? Anything the obvious patch would break would be worth breaking >to maintain security; you can release an "official, effective" patch later >on and treat the initial one as a workaround. Two weeks isn't something we will need in most cases - but it is something that might be needed in _some_ cases. >I think silent fixes are bad. I think every time you find a problem and >silently fix it, you ignore the possibility that criminals on the network >already found and are exploiting the problem - you're thus potentially >allowing systems to be broken into. I'd much rather have to wade through >your dirty laundry than see my systems broken into simply because I didn't >have the time to keep -current. What about those that don't have time to even keep -stable? 
Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/ From owner-freebsd-security Mon Feb 3 08:35:58 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA06650 for security-outgoing; Mon, 3 Feb 1997 08:35:58 -0800 (PST) Received: from gateway.skipstone.com (root@GATEWAY.SKIPSTONE.COM [198.214.10.129]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA06645 for ; Mon, 3 Feb 1997 08:35:55 -0800 (PST) Received: from [204.69.236.50] (hotapplepie.skipstone.com [204.69.236.50]) by gateway.skipstone.com (8.7.4/8.6.9) with SMTP id KAA07563; Mon, 3 Feb 1997 10:21:17 -0600 Date: 3 Feb 97 10:22:11 -0600 Subject: Re: Question: 2.1.7? From: "Richard Wackerbarth" To: "Joe Greco" Cc: security@freebsd.org X-Mailer: Cyberdog/2.0a2 MIME-Version: 1.0 Message-Id: Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, Feb 3, 1997 8:22 AM, Joe Greco wrote: > With the recent exploits for things such as talkd, sendmail, and the > wonderful freakin' locale processing problem I see on bugtraq, would > it be wise to consider a 2.1 point release that addressed these issues? Personally, I do not feel that a 2.1.7 release is appropriate. 2.2 is "just around the corner". However, I do feel that the patches need to be committed to the 2.1 tree. Those who are interested can track 2.1 via CTM or CVSup. It is my intention to continue supplying the CTM updates for 2.1 until such time as either 1) all those with commit privileges refuse to make additional commits or 2) 2.2 has been tested sufficiently that we can reasonably recommend that users (including those who run "mission critical" situations such as eg. ISP servers) upgrade to it. However, I am not within the group of committers and can therefore simply add my voice to those who encourage that these important corrections be committed to the 2.1 branch as well as later branches.
From owner-freebsd-security Mon Feb 3 09:04:02 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA08068 for security-outgoing; Mon, 3 Feb 1997 09:04:02 -0800 (PST) Received: from chilly-willy.avsi.com ([207.122.107.2]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id JAA08051 for ; Mon, 3 Feb 1997 09:03:55 -0800 (PST) Received: (qmail 10551 invoked by uid 1111); 3 Feb 1997 17:02:56 -0000 Date: Mon, 3 Feb 1997 12:02:56 -0500 (EST) From: "Peter C. Norton" To: "Thomas H. Ptacek" cc: best-of-security@suburbia.net, freebsd-security@freebsd.org Subject: Re: BoS: Critical Security Problem in 4.4BSD crt0 In-Reply-To: <199702030554.XAA07517@enteract.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > There is a critically important security problem in FreeBSD 2.1.5's C > runtime support library that will enable anyone with control of the > environment of a process to cause it to execute arbitrary code. All > executable SUID programs on the system are vulnerable to this problem. It seems that this problem is evident in prior releases of freebsd, at least as far back as 2.0.5, maybe further. -Peter From owner-freebsd-security Mon Feb 3 10:12:01 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA11844 for security-outgoing; Mon, 3 Feb 1997 10:12:01 -0800 (PST) Received: from melange.gnu.ai.mit.edu (melange.gnu.ai.mit.edu [128.52.46.66]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA11815 for ; Mon, 3 Feb 1997 10:11:57 -0800 (PST) Received: by melange.gnu.ai.mit.edu (8.7.5/8.6.12GNU) id NAA02231; Mon, 3 Feb 1997 13:11:42 -0500 (EST) To: tqbf@enteract.com Cc: bugtraq@netspace.org, freebsd-security@freebsd.org Subject: Re: Critical Security Problem in 4.4BSD crt0 References: <199702030554.XAA07517@enteract.com> From: mycroft@gnu.ai.mit.edu (Charles M. 
Hannum) Date: 03 Feb 1997 13:11:36 -0500 In-Reply-To: "Thomas H. Ptacek"'s message of Sun, 2 Feb 1997 23:54:54 -0600 (CST) Message-ID: Lines: 15 X-Mailer: Gnus v5.3/Emacs 19.34 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk "Thomas H. Ptacek" writes: > > The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the > "main()" entry point function in the program that is starting, will under > some circumstances call routines that set the "locale" of the program. The > routines that do this are heavily dependant on environment variables, > which are in some circumstances copied directly into local character > buffers on the stack of the locale routines. I'd like to point out that, despite the subject line, this hole has nothing to do with 4.4BSD; it is specific to FreeBSD, and does *not* affect other 4.4BSD-derived systems. From owner-freebsd-security Mon Feb 3 11:00:19 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id LAA13756 for security-outgoing; Mon, 3 Feb 1997 11:00:19 -0800 (PST) Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA13746 for ; Mon, 3 Feb 1997 11:00:11 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.8.5/8.6.9) with SMTP id OAA23643; Mon, 3 Feb 1997 14:05:44 -0500 (EST) Date: Mon, 3 Feb 1997 14:05:43 -0500 (EST) From: spork X-Sender: spork@super-g.inch.com To: David Greenman cc: tqbf@enteract.com, Torbjorn Ose , freebsd-security@FreeBSD.ORG Subject: Re: Critical Security Problem in 4.4BSD crt0 In-Reply-To: <199702031131.DAA10128@root.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Hello, Now that everyone is all settled on why the bug is there and how bad it is, what is the course of action for those of us using 2.1.6? 
I've applied the patch posted to Bugtraq, but is there an "official" patch yet from FBSD, Inc.? The one posted to Bugtraq had words like "should, might, maybe"... Or can I pull down some 2.2 source and drop it in? Not a programmer, but wishing I was every time a new security hole opens, Charles On Mon, 3 Feb 1997, David Greenman wrote: > >> ok, I could be wrong about 2.1.6. Here's the first message I can find that > > > >You are. The problem is "fixed" in -current with patches to setlocale.c > >that check mismatched e/uid and do bounds checking on the string copies, > >but 2.2 doesn't do startup locale processing. 2.1.6 did not resolve this > >problem. > ... > >and anyone with a 2.1.6 installation is vulnerable. The FreeBSD team has > >not made information regarding this problem available to the public, > >although they did silently fix it in -current. > > For the record, the setlocale call from crt0 was removed after a debate > about its architectural [in]correctness and had nothing to do with any > security hole. I'm not aware of any security related fixes to > startup_setrunelocale() in any version of FreeBSD, nor have I seen or > heard (until your report) about any security related problems in any of the > locale code. It sounds like you're suggesting that there was some sort of > coverup, and that simply isn't true. > Anyway, thank you for finding the problem. It's certainly not the only > security hole in past versions of FreeBSD, but with bug reports like yours > and others, we hope to make FreeBSD more secure in the future.
> > -DG > > David Greenman > Core-team/Principal Architect, The FreeBSD Project > From owner-freebsd-security Mon Feb 3 12:11:15 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA17253 for security-outgoing; Mon, 3 Feb 1997 12:11:15 -0800 (PST) Received: from selkirk.csrv.nidc.edu (selkirk.csrv.nidc.edu [192.133.128.10]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id MAA17227 for ; Mon, 3 Feb 1997 12:11:00 -0800 (PST) Received: by selkirk.csrv.nidc.edu (1.38.193.5/16.2) id AA29859; Mon, 3 Feb 1997 12:12:40 -0800 Date: Mon, 3 Feb 1997 12:12:40 -0800 (PST) From: Mark Nottage Reply-To: nott0546@uidaho.edu To: security@freefall.freebsd.org Message-Id: Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk unsubscribe PLEASE! UNSUBSCRIBE ME! unsubscribe markn@selkirk.csrv.nidc.edu From owner-freebsd-security Mon Feb 3 12:25:58 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA17837 for security-outgoing; Mon, 3 Feb 1997 12:25:58 -0800 (PST) Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA17782; Mon, 3 Feb 1997 12:24:30 -0800 (PST) Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id VAA10988; Mon, 3 Feb 1997 21:23:45 +0100 (MET) From: Guido van Rooij Message-Id: <199702032023.VAA10988@gvr.win.tue.nl> Subject: fix to lfix ;-)) To: vadim@tversu.ac.ru, freebsd-security@freebsd.org Date: Mon, 3 Feb 1997 21:23:45 +0100 (MET) Cc: pst@freebsd.org (Paul Traina), imp@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Underneath a newer version of the lfix program. This gets rid of a file descriptor leak present in the original version. 
-Guido From owner-freebsd-security Mon Feb 3 12:54:57 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA19464 for security-outgoing; Mon, 3 Feb 1997 12:54:57 -0800 (PST) Received: from narcissus.ml.org (root@brosenga.Pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA19458 for ; Mon, 3 Feb 1997 12:54:55 -0800 (PST) Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id MAA06860; Mon, 3 Feb 1997 12:54:53 -0800 (PST) Date: Mon, 3 Feb 1997 12:54:53 -0800 (PST) From: Stranger Bone To: Poul-Henning Kamp cc: freebsd-security@FreeBSD.ORG Subject: Re: Critical Security Problem in 4.4BSD crt0 In-Reply-To: <1097.854980430@critter.dk.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 3 Feb 1997, Poul-Henning Kamp wrote: > >Where do we disagree on this? > > In that many systems cannot "just upgrade" any and all times. I may > have more experience in the operational aspects of computers than > you have. > > What we need is manpower who are interested and dedicated in their > effort to >help< the users, rather than rip the carpet out under > them. This sysadmin agrees.
I'd far prefer that security exploits be kept under people's hats as much as possible until a patch can be released; and I'd far rather wait a week or two for a patch than get an immediate patch and then randomly start seeing programs die on signal six or whatever. While I agree with Mr. Ptacek's ideals, I've noticed that his grand plan for immediate bug-fixes doesn't include a source of manpower. Talk, Mr. Ptacek, is cheap, as they say. All in all I am inclined to trust core on this sort of thing (even when they disagree with each other? hmm). They've been doing this for a *long* time, most of them, and they have a pretty good idea of what's practical and what's not. > -- > Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. > http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. > whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc. > Power and ignorance is a disgusting cocktail. > Ben The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia. From owner-freebsd-security Mon Feb 3 13:28:11 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA21352 for security-outgoing; Mon, 3 Feb 1997 13:28:11 -0800 (PST) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA21259; Mon, 3 Feb 1997 13:27:18 -0800 (PST) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id WAA10749; Mon, 3 Feb 1997 22:25:19 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.5/8.6.9) id WAA14166; Mon, 3 Feb 1997 22:05:12 +0100 (MET) Message-ID: Date: Mon, 3 Feb 1997 22:05:12 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: jgreco@solaria.sol.net (Joe Greco) Cc: security@freebsd.org, core@freebsd.org Subject: Re: Question: 2.1.7? 
References: <199702031422.IAA17586@solaria.sol.net> X-Mailer: Mutt 0.55-PL10 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <199702031422.IAA17586@solaria.sol.net>; from Joe Greco on Feb 3, 1997 08:22:08 -0500 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk As Joe Greco wrote: > If not, maybe a "patchkit" that could be installed (source or binary, > whatever) could be done. But I think a "2.1.7" type release would be > most ideal... I think our basic position to this is that we don't mind, as long as somebody is going to do the work. We are simply unable to maintain three diverging branches. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-) From owner-freebsd-security Mon Feb 3 13:38:56 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA22126 for security-outgoing; Mon, 3 Feb 1997 13:38:56 -0800 (PST) Received: from anacreon.sol.net (anacreon.sol.net [206.55.64.116]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA22049; Mon, 3 Feb 1997 13:37:46 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by anacreon.sol.net (8.6.12/8.6.12) with ESMTP id PAA18490; Mon, 3 Feb 1997 15:37:44 -0600 Received: from localhost by solaria.sol.net (8.5/8.5) id PAA20783; Mon, 3 Feb 1997 15:17:07 -0600 From: Joe Greco Message-Id: <199702032117.PAA20783@solaria.sol.net> Subject: Re: Question: 2.1.7? 
To: joerg_wunsch@uriah.heep.sax.de Date: Mon, 3 Feb 97 15:17:05 CST Cc: security@freebsd.org, core@freebsd.org In-Reply-To: from "J Wunsch" at Feb 3, 97 10:05:12 pm X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > As Joe Greco wrote: > > > If not, maybe a "patchkit" that could be installed (source or binary, > > whatever) could be done. But I think a "2.1.7" type release would be > > most ideal... > > I think our basic position to this is that we don't mind, as long as > somebody is going to do the work. We are simply unable to maintain > three diverging branches. I'm willing to put up or shut up, since I'm having to do the work locally here anyways (at least for the issues that are an issue here). If someone is willing to commit the changes, I do not mind feeding the needed changes(*), many of which have been applied to 2.2 or 3.0 anyways, to them. (*)That is not a blanket statement saying I'll do every BugTraq bug that comes along, but I would love nothing more than to fold in the changes that I have to support locally anyways. I _immediately_ have crt0 patches for today's BugTraq of the day, and the talkd exploit, etc. I realize the 2.1.X branch is "semi dead" but it is also very stable. I am running 2.2 on several key systems, but do not wish to commit to it entirely until it's proven its stability over a six month period. I mean, my Web server has been up 180 days!!!!!! 3:34PM up 180 days, 17 mins, 1 user, load averages: 0.00, 0.00, 0.00 Fantastic... that beats any SunOS records I can recall. I want to be running all 2.2 within a year, but until then, I am sure that many of us will want to see 2.1 vulnerabilities fixed. As I said, I won't promise to do it all, but I will certainly contribute anything I can. I just need someone to commit the stuff. ... 
Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 From owner-freebsd-security Mon Feb 3 13:48:40 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA22770 for security-outgoing; Mon, 3 Feb 1997 13:48:40 -0800 (PST) Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA22761 for ; Mon, 3 Feb 1997 13:48:34 -0800 (PST) Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id IAA01719; Tue, 4 Feb 1997 08:51:03 +1100 (EST) Date: Tue, 4 Feb 1997 08:51:02 +1100 (EST) From: "Daniel O'Callaghan" To: Joe Greco cc: security@freebsd.org Subject: Re: Question: 2.1.7? In-Reply-To: <199702031422.IAA17586@solaria.sol.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 3 Feb 1997, Joe Greco wrote: > With the recent exploits for things such as talkd, sendmail, and the > wonderful freakin' locale processing problem I see on bugtraq, would > it be wise to consider a 2.1 point release that addressed these issues? > > If not, maybe a "patchkit" that could be installed (source or binary, > whatever) could be done. But I think a "2.1.7" type release would be > most ideal... > > I would be happy to work on some of this, as I have already done the > work for some of the problems. I have already suggested a 'security update package repository' to Jordan and Paul Traina. They like the idea. Still musing over the exact implementation though. But as soon as I get libc patches, I'll build packages for 2.1.0, 2.1.5 and 2.1.6 and make them available from somewhere, along with sendmail885. 
regards, Danny From owner-freebsd-security Mon Feb 3 17:56:04 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA07186 for security-outgoing; Mon, 3 Feb 1997 17:56:04 -0800 (PST) Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id RAA07175 for ; Mon, 3 Feb 1997 17:56:01 -0800 (PST) Received: (qmail 29805 invoked by uid 1000); 4 Feb 1997 01:55:53 -0000 Date: 4 Feb 1997 01:55:53 -0000 Message-ID: <19970204015553.29804.qmail@spitfire.ecsel.psu.edu> To: security@freebsd.org Subject: more locale patches... From: Dan Cross Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk (NOTE: these patches are for 2.2...) Here are patches for more locale stuff from 2.2-CURRENT, well, it's not that current: : spitfire 1144; uname -a FreeBSD spitfire.ecsel.psu.edu 2.2-CURRENT FreeBSD 2.2-CURRENT #0: Sat Sep 28 16:39:56 EDT 1996 tenser@spitfire.ecsel.psu.edu:/usr/src/sys/compile/SPIT FIRE i386 : spitfire 1145; But they might help out nonetheless. Note that in setlocale.c, the sections that were changed are enclosed in #if 0's, marked with the comment, ``someday we might actually use the file.'' :-) I see no harm in changing that code now, however, in preparation for the future. :-) Thanks! - Dan C. (btw- I don't guarantee that this fixes every bug in the locale functions, but, it's a start. :-) ----- Begin locale.diff *** collate.c 1997/02/03 23:45:56 1.1 --- collate.c 1997/02/03 23:49:55 *************** *** 71,80 **** return 0; if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! strcpy(buf, _PathLocale); ! strcat(buf, "/"); ! strcat(buf, encoding); ! strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; --- 71,78 ---- return 0; if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! (void)snprintf(buf, !
PATH_MAX, "%s/%s/LC_COLLATE", _PathLocale, encoding); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; *** setrunelocale.c 1997/02/03 23:47:15 1.1 --- setrunelocale.c 1997/02/03 23:48:19 *************** *** 86,95 **** if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! (void) strcpy(name, _PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 86,93 ---- if (!_PathLocale && !(_PathLocale = getenv("PATH_LOCALE"))) _PathLocale = _PATH_LOCALE; ! (void)snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", _PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End locale.diff From owner-freebsd-security Mon Feb 3 18:07:09 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA07979 for security-outgoing; Mon, 3 Feb 1997 18:07:09 -0800 (PST) Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id SAA07941 for ; Mon, 3 Feb 1997 18:06:49 -0800 (PST) From: tenser@spitfire.ecsel.psu.edu Received: (qmail 29929 invoked by uid 1000); 4 Feb 1997 02:06:33 -0000 Date: 4 Feb 1997 02:06:33 -0000 Message-ID: <19970204020633.29928.qmail@spitfire.ecsel.psu.edu> To: security@freebsd.org Subject: Re: more locale patches... Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Whoops, I must have been smoking my hair. setlocale.c isn't affected. My bad. Gee, maybe I should get some sleep... (Sorry for mentioning the wrong file and possibly causing confusion. :-) - Dan C. 
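Review bot: in the collate.c hunk of locale.diff, `(void)snprintf(buf, PATH_MAX, "%s/%s/LC_COLLATE", _PathLocale, encoding)` discards the return value, so an over-long PATH_LOCALE no longer smashes the stack but does produce a silently truncated path that is handed straight to `fopen(buf, "r")`; capture the result, treat `n < 0 || n >= PATH_MAX` as a load failure (return -1 on the existing error path), and use `sizeof(buf)` rather than PATH_MAX so the bound cannot drift from the declaration, which this hunk does not show. Bounding the copy also leaves the second half of the problem untouched: a set-id program still parses whatever file an environment-supplied PATH_LOCALE points at. The -current fix David Greenman describes earlier in the thread compares real and effective ids before honouring the variable, and the same check belongs in front of the `getenv("PATH_LOCALE")` here.

Review bot: the setrunelocale.c hunk has the same two gaps as collate.c: the `(void)` cast hides truncation before `fopen(name, "r")`, and `encoding`, which is also environment-derived, is interpolated into the directory path with no rejection of `/` or `..` components. Returning ENOENT when snprintf reports `n >= PATH_MAX` keeps the function's existing error contract; the real/effective id check is the more important addition, since without it the fix only changes which attacker-chosen bytes a privileged process reads.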
From owner-freebsd-security Mon Feb 3 19:21:14 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA12549 for security-outgoing; Mon, 3 Feb 1997 19:21:14 -0800 (PST) Received: from nimbus.superior.net (root@nimbus.superior.net [206.153.96.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA12528 for ; Mon, 3 Feb 1997 19:20:53 -0800 (PST) Received: (from robert@localhost) by nimbus.superior.net (8.8.5/8.8.5) id WAA04927 for freebsd-security@freebsd.org; Mon, 3 Feb 1997 22:20:46 -0500 (EST) From: Robert Blayzor Message-Id: <199702040320.WAA04927@nimbus.superior.net> Subject: Subscribe To: freebsd-security@freebsd.org Date: Mon, 3 Feb 1997 22:20:45 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk subscribe -- Robert Blayzor robert@superior.net Telecon Communications System Administrator Network Engineer 131 Enterprise Rd. Superior Net Services 518-762-3456 Johnstown, NY 12095 "FreeBSD! Turning PC's into Workstations!" From owner-freebsd-security Mon Feb 3 20:06:17 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA15007 for security-outgoing; Mon, 3 Feb 1997 20:06:17 -0800 (PST) Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA14993 for ; Mon, 3 Feb 1997 20:06:09 -0800 (PST) From: tenser@spitfire.ecsel.psu.edu Received: (qmail 1017 invoked by uid 1000); 4 Feb 1997 04:06:01 -0000 Date: 4 Feb 1997 04:06:01 -0000 Message-ID: <19970204040601.1016.qmail@spitfire.ecsel.psu.edu> To: security@freebsd.org cc: tqbf@enteract.com, bugtraq@netspace.org Subject: Patches for 2.1.6-RELEASE locale stuff... 
Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk I took another look at the locale code for 2.1.6-RELEASE (available in /usr/src/lib/libc/locale), and tried to go through everything and look for buffer overrun type stuff. Here is a set of patches for the four files I modified. I don't guarantee that this takes care of all possible locale security problems, but it's a start for the folks who are going to presumably issue an advisory and official patch at some point in the future. These patched source files at least compile on my 386 running 2.1.6. Any errors I might have made, I attribute to lack of sleep over the last few days. :-) (Note, just to clarify: My first patch should have thwarted the startup locale processing bug. These patches are for other buffer overrun problems in the locale stuff in the C library. That first patch is also included here for convenience.) - Dan C. ----- Begin 2.1.6-locale.diff *** collate.c 1997/02/04 02:49:05 1.1 --- collate.c 1997/02/04 02:54:58 *************** *** 66,75 **** return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! strcpy(buf, path_locale); ! strcat(buf, "/"); ! strcat(buf, encoding); ! strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); --- 66,73 ---- return -1; if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; ! (void)snprintf(buf, ! PATH_MAX, "%s/%s/LC_COLLATE", path_locale, encoding); if ((fp = fopen(buf, "r")) == NULL) return -1; FREAD(__collate_charmap_table, sizeof(__collate_charmap_table), 1, fp); *** rune.c 1997/02/04 03:18:28 1.1 --- rune.c 1997/02/04 03:19:21 *************** *** 74,83 **** if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); !
(void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 74,81 ---- if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; ! (void)snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); *** setlocale.c 1997/02/04 03:22:26 1.1 --- setlocale.c 1997/02/04 03:22:54 *************** *** 198,201 **** --- 198,203 ---- case LC_NUMERIC: return (NULL); } + + return(NULL); /* 2.2 has this with the comment, ``Just in Case'' */ } *** startup_setlocale.c 1997/02/03 07:40:46 1.1 --- startup_setlocale.c 1997/02/03 07:41:47 *************** *** 174,183 **** return(0); } ! (void) strcpy(name, PathLocale); ! (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 174,181 ---- return(0); } ! (void) snprintf(name, ! PATH_MAX, "%s/%s/LC_CTYPE", PathLocale, encoding); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); ----- End 2.1.6-locale.diff From owner-freebsd-security Mon Feb 3 20:18:19 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA16102 for security-outgoing; Mon, 3 Feb 1997 20:18:19 -0800 (PST) Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA16090 for ; Mon, 3 Feb 1997 20:18:13 -0800 (PST) Received: from zen.nash.org (localhost [127.0.0.1]) by zen.nash.org (8.8.4/8.6.12) with SMTP id WAA03287; Mon, 3 Feb 1997 22:16:36 -0600 (CST) Message-ID: <32F6B824.41C67EA6@mcs.com> Date: Mon, 03 Feb 1997 22:16:36 -0600 From: Alex Nash X-Mailer: Mozilla 3.01Gold (X11; I; FreeBSD 2.2-RELEASE i386) MIME-Version: 1.0 To: tqbf@enteract.com CC: Poul-Henning Kamp , dg@root.com, torbjorn@norway.eu.net, freebsd-security@FreeBSD.ORG Subject: Re: Critical Security Problem in 4.4BSD crt0 References: <199702031343.HAA29502@enteract.com> Content-Type: text/plain; 
charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Thomas H. Ptacek wrote: > Heh. If you can point me to all the announcements you've made in the past > year, I can fill you in on everything else I know about or have reported, > and I can type them up in the format of your previous announcements. You > can then feel free to distribute them as you wish. ftp://freefall.freebsd.org/pub/CERT/advisories/ Alex From owner-freebsd-security Mon Feb 3 20:55:23 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA17957 for security-outgoing; Mon, 3 Feb 1997 20:55:23 -0800 (PST) Received: from spitfire.ecsel.psu.edu (qmailr@spitfire.ecsel.psu.edu [146.186.218.51]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA17942 for ; Mon, 3 Feb 1997 20:55:09 -0800 (PST) Received: (qmail 1527 invoked by uid 1000); 4 Feb 1997 04:54:49 -0000 Message-ID: <19970204045449.1526.qmail@spitfire.ecsel.psu.edu> To: "Daniel O'Callaghan" cc: security@freebsd.org Subject: Re: Patches for 2.1.6-RELEASE locale stuff... In-reply-to: Your message of "Tue, 04 Feb 1997 15:38:46 +1100." Date: Mon, 03 Feb 1997 23:54:49 -0500 From: Dan Cross Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Thanks for all the work you are putting in on this. No problem, this is the most interesting thing that I've been involved with in days. :-) > One thing I'm not > sure of is the impact this has on static binaries. Can you please > clarify this, possibly to freebsd-security. Well, statically linked binaries are just as vulnerable to attack as dynamically linked ones. The problem is two fold with statically linked binaries, however, since recompiling the libraries is not enough to fix the problem, one must also recompile the statically linked binaries and link them against the patched libraries. Hope this helps! (cc'ed to security@freebsd.org as requested.) - Dan C.
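Review bot: in the collate.c and rune.c hunks of 2.1.6-locale.diff the snprintf return value is cast to void and `fopen()` is called on whatever ended up in the buffer, so a PATH_LOCALE longer than PATH_MAX now yields a truncated, NUL-terminated path instead of a stack overrun; check for `n < 0 || n >= PATH_MAX` and take the existing `return -1` / `return(ENOENT)` path, and bound with `sizeof(buf)` / `sizeof(name)` rather than the bare PATH_MAX constant since neither declaration appears in the hunk. Neither hunk adds the real-versus-effective id check that the -current fix described earlier in the thread has, so a set-id program still reads an attacker-named file; that check should precede `getenv("PATH_LOCALE")` in both functions.

Review bot: the setlocale.c hunk is a correctness fix, not a security one: the added `return(NULL);` after the switch stops the function from falling off the end without a return value, and the comment borrowed from 2.2 ("Just in Case") says as much. It is worth keeping, but the message should not count it among the buffer-overrun fixes.

Review bot: the startup_setlocale.c hunk is the one that matters for the reported bug, since this is the routine reached from crt0 before main() runs, and it carries the same omission as the others: `(void) snprintf(name, PATH_MAX, ...)` with no truncation test before `fopen(name, "r")`, and no check that the process is not set-id before an environment-supplied PATH_LOCALE and encoding are used to name the file. With both checks in place the 1024-byte buffer is safe and a privileged program falls back to the compiled-in locale directory.

The following is an added example, not code from the FreeBSD tree or from the patches posted in this thread. It shows the pattern the patches above move towards, with the two checks the reviews ask for: the locale file path is built with a bounded snprintf whose return value is tested for truncation, and an environment-supplied PATH_LOCALE is ignored when real and effective ids differ, as the -current fix described earlier in the thread does. The function names, the default directory and the 1024-byte buffer size are assumptions made for the example; the rejection of `/` and `..` in the encoding name goes a step beyond the posted patches.

```c
/* Hardened construction of the locale file path. Added example; not code
 * from the FreeBSD tree or from the patches posted in this thread. Names,
 * the default directory and the buffer size are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_BUF_SIZE 1024                     /* same size as the buffer in the report */
#define DEFAULT_PATH_LOCALE "/usr/share/locale"  /* assumed compiled-in default */

/* 1 when real and effective ids differ, i.e. a set-uid/set-gid executable. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Honour PATH_LOCALE from the environment only when not set-id. Otherwise
 * whoever controls the environment chooses which file a privileged program
 * parses, even once the overflow itself is gone. */
const char *choose_path_locale(const char *env_value, int setid)
{
    if (env_value != NULL && env_value[0] != '\0' && !setid)
        return env_value;
    return DEFAULT_PATH_LOCALE;
}

/* Build "<base>/<encoding>/<category>" into dst. Returns 0 on success and -1
 * if an argument is unusable or the result would not fit. snprintf always
 * NUL-terminates, but a silently truncated path must never be opened as if
 * it were the intended one, so the return value is checked against dstsz. */
int build_locale_path(char *dst, size_t dstsz, const char *base,
                      const char *encoding, const char *category)
{
    int n;

    if (dst == NULL || dstsz == 0 || base == NULL || encoding == NULL ||
        category == NULL)
        return -1;
    /* The encoding names one directory under base; reject anything that
     * would walk out of it (added hardening, not in the posted patches). */
    if (encoding[0] == '\0' || strchr(encoding, '/') != NULL ||
        strcmp(encoding, ".") == 0 || strcmp(encoding, "..") == 0)
        return -1;
    n = snprintf(dst, dstsz, "%s/%s/%s", base, encoding, category);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';                           /* leave no partial path behind */
        return -1;
    }
    return 0;
}

/* The startup path in one call: base chosen by choose_path_locale(), then
 * formatted with bounds. `setid` is a parameter so the policy is testable. */
int locale_file_path(char *dst, size_t dstsz, const char *env_path_locale,
                     const char *encoding, const char *category, int setid)
{
    return build_locale_path(dst, dstsz,
                             choose_path_locale(env_path_locale, setid),
                             encoding, category);
}

/* Replay the shape of the reported attack: a PATH_LOCALE of `len` bytes, far
 * longer than the 1024-byte buffer. Returns 1 if the bounded builder rejects
 * it; the strcpy/strcat version would have overrun the stack instead. */
int overlong_path_locale_rejected(size_t len)
{
    char dst[LOCALE_BUF_SIZE];
    char *attack = malloc(len + 1);
    int rejected;

    if (attack == NULL)
        return 0;
    memset(attack, 'A', len);                    /* stand-in for shellcode and addresses */
    attack[len] = '\0';
    rejected = build_locale_path(dst, sizeof dst, attack, "C", "LC_CTYPE") == -1
               && dst[0] == '\0';
    free(attack);
    return rejected;
}

int main(void)
{
    char path[LOCALE_BUF_SIZE];

    if (locale_file_path(path, sizeof path, getenv("PATH_LOCALE"),
                         "en_US.ISO8859-1", "LC_CTYPE", running_setid()) == 0)
        printf("would open %s\n", path);
    else
        printf("locale path rejected\n");
    return 0;
}
```

Run it with `PATH_LOCALE=/tmp/x ./a.out` as an ordinary user and the environment value is used; run the same binary set-uid and the default directory wins. The truncation check matters even where the buffer is PATH_MAX bytes: a path that fopen() cannot open is harmless, but a truncated path that happens to exist would be opened and parsed with privilege.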
From owner-freebsd-security Mon Feb 3 22:40:39 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA21898 for security-outgoing; Mon, 3 Feb 1997 22:40:39 -0800 (PST) Received: from super-g.inch.com (super-g.com [204.178.32.161]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA21890 for ; Mon, 3 Feb 1997 22:40:35 -0800 (PST) Received: from localhost (spork@localhost) by super-g.inch.com (8.8.5/8.6.9) with SMTP id BAA25086; Tue, 4 Feb 1997 01:45:17 -0500 (EST) Date: Tue, 4 Feb 1997 01:45:17 -0500 (EST) From: spork X-Sender: spork@super-g.inch.com To: "Daniel O'Callaghan" cc: Joe Greco , security@freebsd.org Subject: Re: Question: 2.1.7? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

yes yes yes!!! Please Please Please!!!

On Tue, 4 Feb 1997, Daniel O'Callaghan wrote:

> I have already suggested a 'security update package repository' to Jordan
> and Paul Traina. They like the idea. Still musing over the exact
> implementation though. But as soon as I get libc patches, I'll build
> packages for 2.1.0, 2.1.5 and 2.1.6 and make them available from
> somewhere, along with sendmail885.
>
> regards,
>
> Danny

From owner-freebsd-security Tue Feb 4 01:13:35 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA04195 for security-outgoing; Tue, 4 Feb 1997 01:13:35 -0800 (PST) Received: from char-star.rdist.org (char-star.rdist.org [206.54.252.22]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id BAA04184 for ; Tue, 4 Feb 1997 01:13:32 -0800 (PST) From: tqbf@enteract.com Received: (qmail 26636 invoked by uid 1001); 4 Feb 1997 09:14:28 -0000 Message-ID: <19970204091428.26635.qmail@char-star.rdist.org> Subject: A much simpler fix to the locale problem...
To: freebsd-security@freebsd.org Date: Tue, 4 Feb 1997 03:14:28 -0600 (CST) Reply-To: tqbf@enteract.com X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Why doesn't FreeBSD simply disable startup setlocale processing altogether? It seems to me that those locale routines are far, far too involved to be run from start() in the first place. I'd be concerned that there are problems with the locale routines that are far more subtle than simple stack overruns.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));

From owner-freebsd-security Tue Feb 4 02:16:46 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA07159 for security-outgoing; Tue, 4 Feb 1997 02:16:46 -0800 (PST) Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA07150 for ; Tue, 4 Feb 1997 02:16:41 -0800 (PST) From: proff@suburbia.net Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id CAA23827 for ; Tue, 4 Feb 1997 02:18:05 -0800 (PST) Received: (qmail 15152 invoked by uid 110); 4 Feb 1997 10:16:17 -0000 Message-ID: <19970204101617.15151.qmail@suburbia.net> Subject: Re: Critical Security Problem in 4.4BSD crt0 In-Reply-To: from "Charles M. Hannum" at "Feb 3, 97 01:11:36 pm" To: mycroft@GNU.AI.MIT.EDU Date: Tue, 4 Feb 1997 21:16:17 +1100 (EST) Cc: security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> "Thomas H.
Ptacek" writes:
>
> > The issue is that FreeBSD 2.1.5's crt0.c start() routine, which calls the
> > "main()" entry point function in the program that is starting, will under
> > some circumstances call routines that set the "locale" of the program. The
> > routines that do this are heavily dependent on environment variables,
> > which are in some circumstances copied directly into local character
> > buffers on the stack of the locale routines.
>
> I'd like to point out that, despite the subject line, this hole has
> nothing to do with 4.4BSD; it is specific to FreeBSD, and does *not*
> affect other 4.4BSD-derived systems.

Yes, it does. But not by crt0.

From owner-freebsd-security Tue Feb 4 05:53:00 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA16503 for security-outgoing; Tue, 4 Feb 1997 05:53:00 -0800 (PST) Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA16498 for ; Tue, 4 Feb 1997 05:52:57 -0800 (PST) Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.3/8.6.9) id AAA22898; Wed, 5 Feb 1997 00:50:02 +1100 Date: Wed, 5 Feb 1997 00:50:02 +1100 From: Bruce Evans Message-Id: <199702041350.AAA22898@godzilla.zeta.org.au> To: mycroft@GNU.AI.MIT.EDU, proff@suburbia.net Subject: Re: Critical Security Problem in 4.4BSD crt0 Cc: security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

>> I'd like to point out that, despite the subject line, this hole has
>> nothing to do with 4.4BSD; it is specific to FreeBSD, and does *not*
>> affect other 4.4BSD-derived systems.
>
> Yes, it does. But not by crt0.

4.4Lite uses snprintf() to avoid the buffer overrun. I think it doesn't actually use the buffer contents, so it has no problems with user-supplied buffer contents or self-supplied truncation of the buffer.
Bruce

From owner-freebsd-security Tue Feb 4 07:51:34 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA22391 for security-outgoing; Tue, 4 Feb 1997 07:51:34 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA22386 for ; Tue, 4 Feb 1997 07:51:32 -0800 (PST) Received: from Jupiter.Mcs.Net (Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id JAA16999; Tue, 4 Feb 1997 09:51:28 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id JAA18527; Tue, 4 Feb 1997 09:51:24 -0600 (CST) From: Karl Denninger Message-Id: <199702041551.JAA18527@Jupiter.Mcs.Net> Subject: Re: Question: 2.1.7? To: spork@super-g.com (spork) Date: Tue, 4 Feb 1997 09:51:23 -0600 (CST) Cc: danny@panda.hilink.com.au, jgreco@solaria.sol.net, security@FreeBSD.ORG In-Reply-To: from "spork" at Feb 4, 97 01:45:17 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

>
> yes yes yes!!! Please Please Please!!!
>
> On Tue, 4 Feb 1997, Daniel O'Callaghan wrote:
>
> > I have already suggested a 'security update package repository' to Jordan
> > and Paul Traina. They like the idea. Still musing over the exact
> > implementation though. But as soon as I get libc patches, I'll build
> > packages for 2.1.0, 2.1.5 and 2.1.6 and make them available from
> > somewhere, along with sendmail885.
> >
> > regards,
> >
> > Danny

Warning!

There are static-linked executables which are shipped SUID with most FreeBSD implementations. THESE MUST BE RECOMPILED ALSO!

Make very, very sure you don't have any old SUID executables lying around. If you do, you're vulnerable even with a libc fix.
--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service
 | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Tue Feb 4 08:01:08 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA23010 for security-outgoing; Tue, 4 Feb 1997 08:01:08 -0800 (PST) Received: from anacreon.sol.net (anacreon.sol.net [206.55.64.116]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id IAA23005 for ; Tue, 4 Feb 1997 08:01:04 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by anacreon.sol.net (8.6.12/8.6.12) with ESMTP id KAA23214; Tue, 4 Feb 1997 10:01:02 -0600 Received: from localhost by solaria.sol.net (8.5/8.5) id KAA00609; Tue, 4 Feb 1997 10:00:59 -0600 From: Joe Greco Message-Id: <199702041600.KAA00609@solaria.sol.net> Subject: Re: Question: 2.1.7? To: karl@Mcs.Net (Karl Denninger) Date: Tue, 4 Feb 97 10:00:58 CST Cc: spork@super-g.com, danny@panda.hilink.com.au, security@FreeBSD.ORG In-Reply-To: <199702041551.JAA18527@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 4, 97 09:51:23 am X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> Warning!
>
> There are static-linked executables which are shipped SUID with most FreeBSD
> implementations. THESE MUST BE RECOMPILED ALSO!
>
> Make very, very sure you don't have any old SUID executables lying around.
> If you do, you're vulnerable even with a libc fix.

Warning!

You pretty much have to recompile the entire system, to be safe.
Otherwise there will come a time when someone discovers a vulnerability due to a non-SUID executable being forked off (perhaps several layers deep) by a SUID program or other program being run by root...

Paranoid? Yes. True? Sadly.

I am very interested in this whole topic...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

From owner-freebsd-security Tue Feb 4 08:04:04 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA23222 for security-outgoing; Tue, 4 Feb 1997 08:04:04 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA23213 for ; Tue, 4 Feb 1997 08:04:01 -0800 (PST) Received: from Jupiter.Mcs.Net (Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id KAA19876; Tue, 4 Feb 1997 10:03:50 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id KAA18948; Tue, 4 Feb 1997 10:03:45 -0600 (CST) From: Karl Denninger Message-Id: <199702041603.KAA18948@Jupiter.Mcs.Net> Subject: Re: Question: 2.1.7? To: jgreco@solaria.sol.net (Joe Greco) Date: Tue, 4 Feb 1997 10:03:45 -0600 (CST) Cc: karl@Mcs.Net, spork@super-g.com, danny@panda.hilink.com.au, security@FreeBSD.ORG In-Reply-To: <199702041600.KAA00609@solaria.sol.net> from "Joe Greco" at Feb 4, 97 10:00:58 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

> > > Warning!
> > >
> > > There are static-linked executables which are shipped SUID with most FreeBSD
> > > implementations. THESE MUST BE RECOMPILED ALSO!
> > >
> > > Make very, very sure you don't have any old SUID executables lying around.
> > > If you do, you're vulnerable even with a libc fix.
> >
> > Warning!
> >
> > You pretty much have to recompile the entire system, to be safe.
> > Otherwise there will come a time when someone discovers a vulnerability
> > due to a non-SUID executable being forked off (perhaps several layers deep)
> > by a SUID program or other program being run by root...
> >
> > Paranoid? Yes. True? Sadly.
> >
> > I am very interested in this whole topic...
> >
> > ... Joe
> >
> > -------------------------------------------------------------------------------
> > Joe Greco - Systems Administrator jgreco@ns.sol.net
> > Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

That was basically what I was saying.... "make world" is pretty much required.

--
Karl Denninger (karl@MCS.Net)

From owner-freebsd-security Tue Feb 4 09:29:41 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA29912 for security-outgoing; Tue, 4 Feb 1997 09:29:41 -0800 (PST) Received: from anacreon.sol.net (anacreon.sol.net [206.55.64.116]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id JAA29829; Tue, 4 Feb 1997 09:27:47 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by anacreon.sol.net (8.6.12/8.6.12) with ESMTP id LAA23751; Tue, 4 Feb 1997 11:27:44 -0600 Received: from localhost by solaria.sol.net (8.5/8.5) id LAA01352; Tue, 4 Feb 1997 11:27:40 -0600 From: Joe Greco Message-Id: <199702041727.LAA01352@solaria.sol.net> Subject: 2.1.6+++: crt0.c CRITICAL CHANGE To: gpalmer@freebsd.org Date: Tue, 4 Feb 97 11:27:39 CST Cc: core@freebsd.org, security@freebsd.org X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

(I just got commit privs, and already I am looking to make a change that affects the
entire 2.1-STABLE tree...)

I offer for inspection, freefall:/f/tmp/jgreco/src/lib/csu/i386/crt0.c as a proposed change to 2.1-STABLE's crt0.c

This file, derived from version 1.16.4.4, has one functional change: removal of the "startup locale" code. The following lines were removed:

#include

extern void _startup_setlocale __P((int, const char *));

if (getenv("ENABLE_STARTUP_LOCALE") != NULL)
        _startup_setlocale(LC_ALL, "");

The locale code has a buffer overrun condition that allows this little code bit to potentially compromise the associated program - that's pretty much all of them, unfortunately. The locale code should be fixed as well, although I am not yet aware of what changes need to be made there.

In revision 1.21 of crt0.c, ache removed these bits of code, and several other sources indicate that removal of the locale code is a sufficient fix. It therefore seems appropriate to move forward by removing this from crt0.c.

If anyone is aware of any undesirable side effects, or has any objection to this modification being committed to the 2.1-STABLE branch, please speak up. I am obviously aware that crt0.c is a critical bit of code, and no change to this code should be undertaken lightly.

I will commit this code tomorrow unless there is any objection. I would prefer to have several people review the change and acknowledge that this is acceptable.

Thank you,

...
Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

From owner-freebsd-security Tue Feb 4 12:14:57 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA09355 for security-outgoing; Tue, 4 Feb 1997 12:14:57 -0800 (PST) Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA09346 for ; Tue, 4 Feb 1997 12:14:51 -0800 (PST) Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id HAA00857; Wed, 5 Feb 1997 07:14:24 +1100 (EST) Date: Wed, 5 Feb 1997 07:14:23 +1100 (EST) From: "Daniel O'Callaghan" To: Karl Denninger cc: spork , jgreco@solaria.sol.net, security@FreeBSD.ORG Subject: Re: Question: 2.1.7? In-Reply-To: <199702041551.JAA18527@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 4 Feb 1997, Karl Denninger wrote:

>
> There are static-linked executables which are shipped SUID with most FreeBSD
> implementations. THESE MUST BE RECOMPILED ALSO!
>
> Make very, very sure you don't have any old SUID executables lying around.
> If you do, you're vulnerable even with a libc fix.

Thanks, I am aware of this. The package will include replacement static suid binaries.
Cheers,

Danny

From owner-freebsd-security Tue Feb 4 12:26:51 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA10005 for security-outgoing; Tue, 4 Feb 1997 12:26:51 -0800 (PST) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA09925; Tue, 4 Feb 1997 12:25:18 -0800 (PST) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id VAA21506; Tue, 4 Feb 1997 21:25:03 +0100 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.4/8.6.12) with UUCP id VAA20354; Tue, 4 Feb 1997 21:24:12 +0100 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.5/keltia-uucp-2.9) id TAA03510; Tue, 4 Feb 1997 19:51:35 +0100 (CET) Message-ID: <19970204195134.KQ41280@keltia.freenix.fr> Date: Tue, 4 Feb 1997 19:51:34 +0100 From: roberto@keltia.freenix.fr (Ollivier Robert) To: security@freebsd.org Cc: core@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE References: <199702041727.LAA01352@solaria.sol.net> X-Mailer: Mutt 0.60,1-3,9 Mime-Version: 1.0 X-Operating-System: FreeBSD 3.0-CURRENT ctm#2999 In-Reply-To: <199702041727.LAA01352@solaria.sol.net>; from Joe Greco on Feb 4, 1997 11:27:39 -0500 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

According to Joe Greco:

> In revision 1.21 of crt0.c, ache removed these bits of code, and several
> other sources indicate that removal of the locale code is a sufficient
> fix. It therefore seems appropriate to move forward by removing this
> from crt0.c.

I think it was agreed to get rid of the "local hack" (as it was named at the time) and do it the way that is in CURRENT. So I'm for removing it. Programs that want proper locale support will do the (void) setlocale(LC_ALL, ""); call themselves.

--
Ollivier ROBERT -=- The daemon is FREE!
-=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #39: Sun Feb 2 22:12:44 CET 1997

From owner-freebsd-security Tue Feb 4 13:50:43 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA14788 for security-outgoing; Tue, 4 Feb 1997 13:50:43 -0800 (PST) Received: from austin.polstra.com (austin.polstra.com [206.213.73.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA14622; Tue, 4 Feb 1997 13:49:29 -0800 (PST) Received: from austin.polstra.com (jdp@localhost) by austin.polstra.com (8.8.5/8.8.5) with ESMTP id NAA25064; Tue, 4 Feb 1997 13:48:04 -0800 (PST) Message-Id: <199702042148.NAA25064@austin.polstra.com> To: Joe Greco cc: gpalmer@freebsd.org, core@freebsd.org, security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-reply-to: Your message of "Tue, 04 Feb 1997 11:27:39 CST." <199702041727.LAA01352@solaria.sol.net> References: <199702041727.LAA01352@solaria.sol.net> Date: Tue, 04 Feb 1997 13:48:04 -0800 From: John Polstra Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> In revision 1.21 of crt0.c, ache removed these bits of code, and
> several other sources indicate that removal of the locale code is
> a sufficient fix. It therefore seems appropriate to move forward
> by removing this from crt0.c.

Nobody seems to dispute that. But has the actual problem (the buffer overflow) been fixed in the locale code? That needs to be done too.

> If anyone is aware of any undesirable side effects

The thing to do when you're changing crt0.c is to think very carefully about what will happen with all the combinations:

new crt0, old libc.so.x.x
old crt0, new libc.so.x.x
new crt0, new libc.so.x.x

and test all the combinations too. I have been burned by this more than once, when I had thought I had it all figured out. It's a really unpleasant experience to wake up the morning after a commit and find out you've broken make world for a few dozen people.
The crt0 changes are particularly insidious, because they can be very hard to back out again.

Anyway, I personally don't see such problems in your proposed change.

PS - Welcome to the development team!

John P.
--
John Polstra jdp@polstra.com
John D. Polstra & Co., Inc. Seattle, Washington USA
"Self-knowledge is always bad news." -- John Barth

From owner-freebsd-security Tue Feb 4 14:34:55 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA18931 for security-outgoing; Tue, 4 Feb 1997 14:34:55 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA18865; Tue, 4 Feb 1997 14:33:25 -0800 (PST) Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id QAA18045; Tue, 4 Feb 1997 16:33:24 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id QAA02876; Tue, 4 Feb 1997 16:33:23 -0600 (CST) From: Karl Denninger Message-Id: <199702042233.QAA02876@Jupiter.Mcs.Net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: jdp@polstra.com (John Polstra) Date: Tue, 4 Feb 1997 16:33:23 -0600 (CST) Cc: jgreco@solaria.sol.net, gpalmer@freebsd.org, core@freebsd.org, security@freebsd.org In-Reply-To: <199702042148.NAA25064@austin.polstra.com> from "John Polstra" at Feb 4, 97 01:48:04 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

>
> > In revision 1.21 of crt0.c, ache removed these bits of code, and
> > several other sources indicate that removal of the locale code is
> > a sufficient fix. It therefore seems appropriate to move forward
> > by removing this from crt0.c.
>
> Nobody seems to dispute that. But has the actual problem (the buffer
> overflow) been fixed in the locale code? That needs to be done too.

No.

And BEWARE FOLKS -- "at" calls setlocale, and at runs SUID ROOT.
If the buffer overflow problemS (and yes, I mean plural; just go do a "grep" for "strcpy" in that directory and you'll see what I mean) aren't all fixed, any call to setlocale() within an SUID program is problematic at BEST.

The entire locale() thing needs to be re-thought for SUID programs. I'll go so far given the current spaghetti mess in there as to suggest that setlocale() be prohibited for anything running with EUID == 0, or EUID != RUID, until a real review and fix of the entire code set can be conducted.

Yes, that's extreme. Take a look at it yourself and then tell me it's unjustified.

For now I'm going through all the SUID executables that I really need (most have already had their SUIDness revoked here -- shutdown, for example, doesn't really need to be SUID since you should be root to run it anyway) and marking setlocale()s commented out with a #define INSECURE until this mess is fixed.

> > If anyone is aware of any undesirable side effects
>
> The thing to do when you're changing crt0.c is to think very carefully
> about what will happen with all the combinations:
>
> new crt0, old libc.so.x.x
> old crt0, new libc.so.x.x
> new crt0, new libc.so.x.x
>
> and test all the combinations too. I have been burned by this more
> than once, when I had thought I had it all figured out. It's a
> really unpleasant experience to wake up the morning after a commit
> and find out you've broken make world for a few dozen people. The
> crt0 changes are particularly insidious, because they can be very
> hard to back out again.

Correct.

> Anyway, I personally don't see such problems in your proposed change.
>
> PS - Welcome to the development team!
>
> John P.
> --
> John Polstra jdp@polstra.com
> John D. Polstra & Co., Inc. Seattle, Washington USA
> "Self-knowledge is always bad news."
> -- John Barth

--
Karl Denninger (karl@MCS.Net)

From owner-freebsd-security Tue Feb 4 14:35:56 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA19040 for security-outgoing; Tue, 4 Feb 1997 14:35:56 -0800 (PST) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id OAA18944; Tue, 4 Feb 1997 14:34:58 -0800 (PST) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id XAA21579; Tue, 4 Feb 1997 23:33:30 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.5/8.6.9) id WAA29157; Tue, 4 Feb 1997 22:42:28 +0100 (MET) Message-ID: Date: Tue, 4 Feb 1997 22:42:28 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: jgreco@solaria.sol.net (Joe Greco) Cc: core@freebsd.org, security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE References: <199702041727.LAA01352@solaria.sol.net> X-Mailer: Mutt 0.55-PL10 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <199702041727.LAA01352@solaria.sol.net>; from Joe Greco on Feb 4, 1997 11:27:39 -0500 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

As Joe Greco wrote:

> The following lines were removed:
>
> #include
>
> extern void _startup_setlocale __P((int, const char *));
>
> if (getenv("ENABLE_STARTUP_LOCALE") != NULL)
>         _startup_setlocale(LC_ALL, "");

I thought this has been removed long ago.

Go for it. It has been found to be a poor concept anyway.
--
cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From owner-freebsd-security Tue Feb 4 15:07:12 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA20871 for security-outgoing; Tue, 4 Feb 1997 15:07:12 -0800 (PST) Received: from cs.pdx.edu (root@cs.pdx.edu [204.203.64.22]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA20856 for ; Tue, 4 Feb 1997 15:07:08 -0800 (PST) Received: from sirius.cs.pdx.edu (root@sirius.cs.pdx.edu [204.203.64.13]) by cs.pdx.edu (8.8.5/8.8.5) with ESMTP id PAA23337 for ; Tue, 4 Feb 1997 15:07:01 -0800 (PST) Received: from localhost (jrb@localhost [127.0.0.1]) by sirius.cs.pdx.edu (8.8.5/8.8.5) with ESMTP id PAA18695 for ; Tue, 4 Feb 1997 15:06:59 -0800 (PST) Message-Id: <199702042306.PAA18695@sirius.cs.pdx.edu> To: freebsd-security@FreeBSD.org Subject: release of ipsec for freebsd In-reply-to: Your message of "Tue, 13 Aug 1996 09:48:47 +0200." <199608130748.AA198942528@euro.eurocontrol.fr> Date: Tue, 04 Feb 1997 15:06:58 -0800 From: Jim Binkley Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

If anyone should be interested in the IP Security WG efforts (IPSEC wg), we have made a port of last summer's NRL/ipsec code for IPv4 (not v6) into freebsd 2.1.0, which is our current Mobile-IP kernel src base. This is NOT just mobile-ip oriented, but is aimed at more general network security. The src includes some test apps, some but not all NRL supplied utilities, some test apps of our own, and complete kernel src.

In order to get the release, please see the web page: http://www.cs.pdx.edu/research/SMN/index.html, and page down to "PSU IPSEC/FreeBSD port". You have to grab two gzip'ed tar archives, one at PSU, and one at MIT. The latter is for the "export controlled" portion.

a few feature (or lack thereof) points:

1. for IPv4, not IPv6
2. experimental!
you must be a kernel hacker
3. NRL's ipsec was transport (socket) oriented. We kept that and added a 1st cut routing binding too (you can view this as a virtual private network mechanism).
4. routes using route(8) or arp(8) can have an ESP/DES binding (and RSN will have an AH/ binding too).
5. our virtual tunnel driver which is part of our MIP implementation but is crucial to the IPSEC stuff too.
6. our Mobile-IP (MIP) kernel routing hacks which don't hurt anything normal and can be ignored if you don't care about Mobile-IP.
7. a couple of simple tcp/udp apps to test and demo the transport (socket) IPSEC bindings.
8. btw, the NRL key(8) utility has been renamed as ipkey(8), as key() already existed.
9. includes (obviously) NRL's key socket in its form as of last summer.

We are starting a majordomo mailing list at PSU. the list name is: freebsd-ipsec@cs.pdx.edu, majordomo@cs.pdx.edu to join.

We do not guarantee to "maintain" this or fix bugs or whatever. We are however in the process of improving it and are hoping to finish some parts, and fix some bugs in another release in a few months.

Jim Binkley
jrb@cs.pdx.edu

From owner-freebsd-security Tue Feb 4 18:20:37 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA14288 for security-outgoing; Tue, 4 Feb 1997 18:20:37 -0800 (PST) Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA14264 for ; Tue, 4 Feb 1997 18:20:31 -0800 (PST) Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id NAA05244; Wed, 5 Feb 1997 13:20:21 +1100 (EST) Date: Wed, 5 Feb 1997 13:20:21 +1100 (EST) From: "Daniel O'Callaghan" To: Karl Denninger , spork , jgreco@solaria.sol.net, security@freebsd.org Subject: Re: Question: 2.1.7?
In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

On Wed, 5 Feb 1997, I wrote:

> On Tue, 4 Feb 1997, Karl Denninger wrote:
> > There are static-linked executables which are shipped SUID with most FreeBSD
> > implementations. THESE MUST BE RECOMPILED ALSO!
> >
> > Make very, very sure you don't have any old SUID executables lying around.
> > If you do, you're vulnerable even with a libc fix.
>
> Thanks, I am aware of this. The package will include replacement static
> suid binaries.

As pointed out later in the discussion, there are also scary thoughts of non-suid binaries becoming vulnerable by being run by root at some stage. I have no pretensions of completely understanding all of the interrelationships amongst cc, libc and the generated programs (learning fast, mind you), so I'd like to concentrate my efforts to the Project on a more cosmetic level.

At the basic level, to fix the crt0() problem in 2.1.x, one needs to rebuild libc with a new crt0(), and rebuild all statically linked binaries. It has been suggested that a 'make world' is needed, replacing all binaries, just in case. If I'm going to make security update packages for 2.1.0 and 2.1.5/6, I'd like some comments on what needs to be included.
Danny

From owner-freebsd-security Tue Feb 4 18:27:57 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA16016 for security-outgoing; Tue, 4 Feb 1997 18:27:57 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA16004 for ; Tue, 4 Feb 1997 18:27:55 -0800 (PST) Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id UAA05274; Tue, 4 Feb 1997 20:27:52 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id UAA09923; Tue, 4 Feb 1997 20:27:52 -0600 (CST) From: Karl Denninger Message-Id: <199702050227.UAA09923@Jupiter.Mcs.Net> Subject: Re: Question: 2.1.7? To: danny@panda.hilink.com.au (Daniel O'Callaghan) Date: Tue, 4 Feb 1997 20:27:52 -0600 (CST) Cc: karl@Mcs.Net, spork@super-g.com, jgreco@solaria.sol.net, security@freebsd.org In-Reply-To: from "Daniel O'Callaghan" at Feb 5, 97 01:20:21 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> On Wed, 5 Feb 1997, I wrote:
>
> > On Tue, 4 Feb 1997, Karl Denninger wrote:
> > > There are static-linked executables which are shipped SUID with most FreeBSD
> > > implementations. THESE MUST BE RECOMPILED ALSO!
> > >
> > > Make very, very sure you don't have any old SUID executables lying around.
> > > If you do, you're vulnerable even with a libc fix.
> >
> > Thanks, I am aware of this. The package will include replacement static
> > suid binaries.
>
> As pointed out later in the discussion, there are also scary thoughts of
> non-suid binaries becoming vulnerable by being run by root at some stage.
> I have no pretensions of completely understanding all of the
> interrelationships amongst cc, libc and the generated programs, (learning
> fast, mind you), so I'd like to concentrate my efforts to the Project on
> a more cosmetic level.
> > At the basic level, to fix the crt0() problem in 2.1.x, one needs to > rebuild libc with a new crt0(), and rebuild all statically linked binaries. > It has been suggested that a 'make world' is needed, replacing all > binaries, just in case. If I'm going to make security update packages > for 2.1.0 and 2.1.5/6, I'd like some comments on what needs to be included. > > Danny ASSUMING you know that you haven't been compromised (hah!) already: 1) All static linked executables, SUID or not (SUIDs are obviously far more important!) 2) libc.so.* 3) libc.* 4) crt0.o Anything with SUID enabled MUST be scrutinized for calls to setlocale(), and if you find them, they must be REMOVED. Now, the problem is that if you've been penetrated you need to reload *everything*, since the possibility exists that your OTHER binaries have been modified. You *do* keep MD5 checksums around somewhere that they can't be tampered with (like on offline media), yes? :-) -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal From owner-freebsd-security Wed Feb 5 03:08:45 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA07458 for security-outgoing; Wed, 5 Feb 1997 03:08:45 -0800 (PST) Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA07401; Wed, 5 Feb 1997 03:07:24 -0800 (PST) Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id MAA21942; Wed, 5 Feb 1997 12:05:40 +0100 Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma021806; Wed Feb 5 12:05:15 1997 Received: from bsd.lss.cp.philips.com 
(bsd.lss.cp.philips.com [130.144.199.33]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-970131) with SMTP id MAA09574; Wed, 5 Feb 1997 12:05:14 +0100 Received: by bsd.lss.cp.philips.com (8.8.3/1.63) id MAA21662; Wed, 5 Feb 1997 12:05:13 +0100 (MET) From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Message-Id: <199702051105.MAA21662@bsd.lss.cp.philips.com> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: joerg_wunsch@uriah.heep.sax.de Date: Wed, 5 Feb 1997 12:05:13 +0100 (MET) Cc: jgreco@solaria.sol.net, core@freebsd.org, security@freebsd.org In-Reply-To: from J Wunsch at "Feb 4, 97 10:42:28 pm" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

J Wunsch wrote:
> As Joe Greco wrote:
>
> > The following lines were removed:
> >
> > #include
> >
> > extern void _startup_setlocale __P((int, const char *));
> >
> > if (getenv("ENABLE_STARTUP_LOCALE") != NULL)
> > _startup_setlocale(LC_ALL, "");
>
> I thought this has been removed long ago.
>
> Go for it. It has been found to be a poor concept anyway.

You can use the lfix program to do so. It was posted by a Russian guy, whose name I forgot. I added a fix so it can actually do the complete filesystem in one sweep. Basically it patches the binary to replace the above call by NOPs.
-Guido

From owner-freebsd-security Wed Feb 5 06:49:01 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA18495 for security-outgoing; Wed, 5 Feb 1997 06:49:01 -0800 (PST) Received: from smyrno.sol.net (smyrno.sol.net [206.55.64.117]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA18308; Wed, 5 Feb 1997 06:47:19 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by smyrno.sol.net (8.8.3/8.8.3) with SMTP id IAA25199; Wed, 5 Feb 1997 08:47:15 -0600 (CST) Received: from localhost by solaria.sol.net (8.5/8.5) id IAA11557; Wed, 5 Feb 1997 08:47:13 -0600 From: Joe Greco Message-Id: <199702051447.IAA11557@solaria.sol.net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Date: Wed, 5 Feb 97 8:47:11 CST Cc: joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: <199702051105.MAA21662@bsd.lss.cp.philips.com> from "Guido van Rooij" at Feb 5, 97 12:05:13 pm X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> > I thought this has been removed long ago.
> >
> > Go for it. It has been found to be a poor concept anyway.
>
> You can use the lfix program to do so. It was posted by a Russian guy,
> whose name I forgot. I added a fix so it can actually do the complete
> filesystem in one sweep. Basically it patches the binary to replace
> the above call by NOPs.

PERFECT!!! We have a solution :-) (this was the most worrisome security hole, the smaller ones like talkd could be "patched" much more easily).

But could you be a little more vague, please? Where do I get it from? :-)

I don't see it on Freefall... a DejaNews search doesn't turn anything up... Ah. I see it on the security list archive.

Jordan: once we have it tested, can we get this posted somewhere and make big blinking neon signs that PEOPLE NEED TO RUN THIS?
I'm gonna compile it up and try it shortly.

With this, it would be MUCH simpler to release a "security binary kit" upgrade to 2.1.X series systems.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

From owner-freebsd-security Wed Feb 5 07:07:31 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA19650 for security-outgoing; Wed, 5 Feb 1997 07:07:31 -0800 (PST) Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA19267; Wed, 5 Feb 1997 07:03:53 -0800 (PST) Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id QAA11694; Wed, 5 Feb 1997 16:02:14 +0100 Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma011536; Wed Feb 5 16:01:20 1997 Received: from bsd.lss.cp.philips.com (bsd.lss.cp.philips.com [130.144.199.33]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-970131) with SMTP id QAA23409; Wed, 5 Feb 1997 16:01:18 +0100 Received: by bsd.lss.cp.philips.com (8.8.3/1.63) id QAA01260; Wed, 5 Feb 1997 16:01:18 +0100 (MET) From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Message-Id: <199702051501.QAA01260@bsd.lss.cp.philips.com> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: jgreco@solaria.sol.net (Joe Greco) Date: Wed, 5 Feb 1997 16:01:18 +0100 (MET) Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: <199702051447.IAA11557@solaria.sol.net> from Joe Greco at "Feb 5, 97 08:47:11 am" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Joe Greco wrote:
> >
> > You can use the lfix program to do so. It was posted by a Russian guy,
> > whose name I forgot. I added a fix so it can actually do the complete
> > filesystem in one sweep. Basically it patches the binary to replace
> > the above call by NOPs.
>
> PERFECT!!! We have a solution :-) (this was the most worrisome security
> hole, the smaller ones like talkd could be "patched" much more easily).
>
> But could you be a little more vague, please? Where do I get it from? :-)
>
> I don't see it on Freefall... a DejaNews search doesn't turn anything up...
> Ah. I see it on the security list archive.
>
> Jordan: once we have it tested, can we get this posted somewhere and make
> big blinking neon signs that PEOPLE NEED TO RUN THIS? I'm gonna compile
> it up and try it shortly.
>
> With this, it would be MUCH simpler to release a "security binary kit"
> upgrade to 2.1.X series systems.

Before everyone starts singing `Hallelujah', let me state first that this does not solve everything. At runs a setlocale() itself, so it is still vulnerable. Further, it will not solve the problem for ppl that actually NEED the locale stuff....
-Guido

From owner-freebsd-security Wed Feb 5 07:18:37 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA27025 for security-outgoing; Wed, 5 Feb 1997 07:18:37 -0800 (PST) Received: from smyrno.sol.net (smyrno.sol.net [206.55.64.117]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA24697; Wed, 5 Feb 1997 07:15:22 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by smyrno.sol.net (8.8.3/8.8.3) with SMTP id JAA25592; Wed, 5 Feb 1997 09:15:19 -0600 (CST) Received: from localhost by solaria.sol.net (8.5/8.5) id JAA11822; Wed, 5 Feb 1997 09:15:17 -0600 From: Joe Greco Message-Id: <199702051515.JAA11822@solaria.sol.net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Date: Wed, 5 Feb 97 9:15:15 CST Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: <199702051501.QAA01260@bsd.lss.cp.philips.com> from "Guido van Rooij" at Feb 5, 97 04:01:18 pm X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> > With this, it would be MUCH simpler to release a "security binary kit"
> > upgrade to 2.1.X series systems.
>
> Before everyone starts singing `Hallelujah', let me state first that
> this does not solve everything. At runs a setlocale() itself, so
> it is still vulnerable. Further, it will not solve the problem for ppl
> that actually NEED the locale stuff....

The locale stuff appears to have been removed from 2.2's crt0.c as well, I don't know anything more about what was done, but it seems to me that that suggests that it is not mandatory for use of the locale stuff. The comments suggested that it was an easy way to try to locale-ize the entire system.
It should not, I would think, preclude the use of the locale code, but then again, I am only very mildly familiar with that stuff. ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 From owner-freebsd-security Wed Feb 5 08:05:29 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA12735 for security-outgoing; Wed, 5 Feb 1997 08:05:29 -0800 (PST) Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA09467; Wed, 5 Feb 1997 08:03:39 -0800 (PST) Received: (from guido@localhost) by gvr.win.tue.nl (8.8.5/8.8.2) id RAA16464; Wed, 5 Feb 1997 17:01:24 +0100 (MET) From: Guido van Rooij Message-Id: <199702051601.RAA16464@gvr.win.tue.nl> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-Reply-To: <199702051447.IAA11557@solaria.sol.net> from Joe Greco at "Feb 5, 97 08:47:11 am" To: jgreco@solaria.sol.net (Joe Greco) Date: Wed, 5 Feb 1997 17:01:24 +0100 (MET) Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > PERFECT!!! We have a solution :-) (this was the most worrisome security > hole, the smaller ones like talkd could be "patched" much more easily). > > But could you be a little more vague, please? Where do I get it from? :-) > > I don't see it on Freefall... a DejaNews search doesn't turn anything up... > Ah. I see it on the security list archive. > > Jordan: once we have it tested, can we get this posted somewhere and make > big blinking neon signs that PEOPLE NEED TO RUN THIS? I'm gonna compile > it up and try it shortly. 
> > With this, it would be MUCH simpler to release a "security binary kit" > upgrade to 2.1.X series systems. There's still one thing to add to lfix: it should call chflags(2) when it is required. -Guido From owner-freebsd-security Wed Feb 5 08:08:08 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA17073 for security-outgoing; Wed, 5 Feb 1997 08:08:08 -0800 (PST) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA13960; Wed, 5 Feb 1997 08:06:15 -0800 (PST) Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id IAA19244; Wed, 5 Feb 1997 08:04:35 -0800 (PST) To: Joe Greco cc: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij), joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-reply-to: Your message of "Wed, 05 Feb 1997 08:47:11 CST." <199702051447.IAA11557@solaria.sol.net> Date: Wed, 05 Feb 1997 08:04:34 -0800 Message-ID: <19240.855158674@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Jordan: once we have it tested, can we get this posted somewhere and make > big blinking neon signs that PEOPLE NEED TO RUN THIS? I'm gonna compile > it up and try it shortly. If it works, it's sure a hell of a lot easier than a reinstall. Certainly. 
Jordan

From owner-freebsd-security Wed Feb 5 08:21:40 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA02118 for security-outgoing; Wed, 5 Feb 1997 08:21:40 -0800 (PST) Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA00606; Wed, 5 Feb 1997 08:19:17 -0800 (PST) Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id RAA29917; Wed, 5 Feb 1997 17:17:13 +0100 Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma029272; Wed Feb 5 17:15:03 1997 Received: from bsd.lss.cp.philips.com (bsd.lss.cp.philips.com [130.144.199.33]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-970131) with SMTP id RAA09448; Wed, 5 Feb 1997 17:15:01 +0100 Received: by bsd.lss.cp.philips.com (8.8.3/1.63) id RAA05095; Wed, 5 Feb 1997 17:15:00 +0100 (MET) From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Message-Id: <199702051615.RAA05095@bsd.lss.cp.philips.com> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: jkh@time.cdrom.com (Jordan K. Hubbard) Date: Wed, 5 Feb 1997 17:15:00 +0100 (MET) Cc: jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: <19240.855158674@time.cdrom.com> from "Jordan K. Hubbard" at "Feb 5, 97 08:04:34 am" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Jordan K. Hubbard wrote:
> > Jordan: once we have it tested, can we get this posted somewhere and make
> > big blinking neon signs that PEOPLE NEED TO RUN THIS? I'm gonna compile
> > it up and try it shortly.
>
> If it works, it's sure a hell of a lot easier than a reinstall. Certainly.

It does work. I tested it on a live system.
However, as stated earlier, it should check for immutable and append-only flags and react accordingly. Further, you MUST run it in single user mode as it is impossible to patch running binaries.

-Guido

From owner-freebsd-security Wed Feb 5 08:26:32 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA05310 for security-outgoing; Wed, 5 Feb 1997 08:26:32 -0800 (PST) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA03869; Wed, 5 Feb 1997 08:24:43 -0800 (PST) Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id IAA19376; Wed, 5 Feb 1997 08:23:07 -0800 (PST) To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) cc: jgreco@solaria.sol.net, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-reply-to: Your message of "Wed, 05 Feb 1997 17:15:00 +0100." <199702051615.RAA05095@bsd.lss.cp.philips.com> Date: Wed, 05 Feb 1997 08:23:06 -0800 Message-ID: <19372.855159786@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

> It does work. I tested it on a live system. However, as stated earlier,
> it should check for immutable and append-only flags and react accordingly.

OK. Is anyone making those changes? :-)

I should note that this kind of solution is kinda scary in that we'll have to document the heck out of it before we can ever unleash it on the general public without getting back a flood of "Augh! I nuked my system! Nothing runs now!!" reports. Is there enough commitment here for making it into that kind of solution? ;)

Jordan

From owner-freebsd-security Wed Feb 5 08:33:44 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA12077 for security-outgoing; Wed, 5 Feb 1997 08:33:44 -0800 (PST) Received: from gw-nl1.philips.com (gw-nl1.philips.com [192.68.44.33]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA11307; Wed, 5 Feb 1997 08:32:23 -0800 (PST) Received: (from nobody@localhost) by gw-nl1.philips.com (8.6.10/8.6.10-0.994n-08Nov95) id RAA02619; Wed, 5 Feb 1997 17:28:25 +0100 Received: from unknown(130.139.36.3) by gw-nl1.philips.com via smap (V1.3+ESMTP) with ESMTP id sma002450; Wed Feb 5 17:27:40 1997 Received: from bsd.lss.cp.philips.com (bsd.lss.cp.philips.com [130.144.199.33]) by smtprelay.nl.cis.philips.com (8.6.10/8.6.10-1.2.1m-970131) with SMTP id RAA11844; Wed, 5 Feb 1997 17:27:38 +0100 Received: by bsd.lss.cp.philips.com (8.8.3/1.63) id RAA05885; Wed, 5 Feb 1997 17:27:38 +0100 (MET) From: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) Message-Id: <199702051627.RAA05885@bsd.lss.cp.philips.com> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: jkh@time.cdrom.com (Jordan K. Hubbard) Date: Wed, 5 Feb 1997 17:27:38 +0100 (MET) Cc: Guido.vanRooij@nl.cis.philips.com, jgreco@solaria.sol.net, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: <19372.855159786@time.cdrom.com> from "Jordan K. Hubbard" at "Feb 5, 97 08:23:06 am" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Jordan K. Hubbard wrote:
> > It does work. I tested it on a live system. However, as stated earlier,
> > it should check for immutable and append-only flags and react accordingly.
>
> OK. Is anyone making those changes? :-)
>
> I should note that this kind of solution is kinda scary in that we'll
> have to document the heck out of it before we can ever unleash it on
> the general public without getting back a flood of "Augh! I nuked my
> system! Nothing runs now!!" reports. Is there enough commitment
> here for making it into that kind of solution? ;)

It is in fact a simple system. It checks at the exact locations in the binary and checks every byte that is constant. See the source. If it isn't somehow recognised, it will skip it (like e.g. shell scripts). But I agree it should be reviewed by a *lot* of ppl. Especially Bruce ;-)

I'll try to see if I can make the chflags(2) stuff later today. Further, perhaps we should make an lfix for different versions of the OS as well (I'm not sure if the program can be applied to 2.0.5 e.g.)

-Guido

From owner-freebsd-security Wed Feb 5 08:34:45 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id IAA12872 for security-outgoing; Wed, 5 Feb 1997 08:34:45 -0800 (PST) Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA11831; Wed, 5 Feb 1997 08:33:17 -0800 (PST) Received: (from uucp@localhost) by nic.follonett.no (8.8.5/8.8.3) with UUCP id RAA00795; Wed, 5 Feb 1997 17:27:44 +0100 (MET) Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id RAA14881; Wed, 5 Feb 1997 17:30:27 +0100 (MET) Message-Id: <3.0.32.19970205173026.0093c150@dimaga.com> X-Sender: eivind@dimaga.com X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 05 Feb 1997 17:30:28 +0100 To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij) From: Eivind Eklund Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Cc: jgreco@solaria.sol.net (Joe Greco), Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender:
owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

At 04:01 PM 2/5/97 +0100, Guido van Rooij wrote:
>Joe Greco wrote:
[on binary patching of 2.1.6 binaries]
>> With this, it would be MUCH simpler to release a "security binary kit"
>> upgrade to 2.1.X series systems.
>
>Before everyone starts singing `Hallelujah', let me state first that
>this does not solve everything. At runs a setlocale() itself,

I was unable to find a call to any locale-function in 2.1.6 "at". However, can anybody say crontab? I knew you could. Other programs that might want a patch are csh, expr, diff, tr and cc - all of them might be run as root from a script and get passed locale.

>so it is still vulnerable. Further, it will not solve the problem for ppl
>that actually NEED the locale stuff....

Who needs locales? Is there _anybody_ that uses them? I don't know of anybody that uses them on UNIX, and nobody that would say they need them on any platform.

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/

From owner-freebsd-security Wed Feb 5 09:03:06 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA20784 for security-outgoing; Wed, 5 Feb 1997 09:03:06 -0800 (PST) Received: from mailserv.tversu.ac.ru (root@mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id JAA18453; Wed, 5 Feb 1997 09:00:24 -0800 (PST) Received: from localhost (vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) with SMTP id TAA25626; Wed, 5 Feb 1997 19:55:52 +0300 Date: Wed, 5 Feb 1997 19:55:52 +0300 (MSK) From: Vadim Kolontsov To: Guido van Rooij cc: Joe Greco , joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-Reply-To: <199702051501.QAA01260@bsd.lss.cp.philips.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

On Wed, 5 Feb 1997, Guido van Rooij wrote:
> > > You can use the lfix program to do so. It was posted by a Russian guy,
> > > whose name I forgot. I added a fix so it can actually do the complete
> > > filesystem in one sweep. Basically it patches the binary to replace
> > > the above call by NOPs.
> >
> > PERFECT!!! We have a solution :-) (this was the most worrisome security
> > hole, the smaller ones like talkd could be "patched" much more easily).
>
> Before everyone starts singing `Hallelujah', let me state first that
> this does not solve everything. At runs a setlocale() itself, so
> it is still vulnerable. Further, it will not solve the problem for ppl
> that actually NEED the locale stuff....

Yes, but why not use lfix only for static binaries? I can add a check for whether a binary is statically or dynamically linked. Also we can include a patched and recompiled version of libc in the archive. Of course, the problem with _static_ binaries which use setlocale() _by themselves_ still exists... these binaries need recompilation... any ideas? Are there any such programs in the FreeBSD distribution?

Vadim.
-------------------------------------------------------------------------- Vadim Kolontsov SysAdm/Programmer Tver Regional Center of New Information Technologies Networks Lab From owner-freebsd-security Wed Feb 5 09:25:53 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA15336 for security-outgoing; Wed, 5 Feb 1997 09:25:53 -0800 (PST) Received: from smyrno.sol.net (smyrno.sol.net [206.55.64.117]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA13156; Wed, 5 Feb 1997 09:24:53 -0800 (PST) Received: from solaria.sol.net (solaria.sol.net [206.55.65.75]) by smyrno.sol.net (8.8.3/8.8.3) with SMTP id LAA27072; Wed, 5 Feb 1997 11:24:43 -0600 (CST) Received: from localhost by solaria.sol.net (8.5/8.5) id LAA12793; Wed, 5 Feb 1997 11:24:40 -0600 From: Joe Greco Message-Id: <199702051724.LAA12793@solaria.sol.net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: vadim@tversu.ac.ru (Vadim Kolontsov) Date: Wed, 5 Feb 97 11:24:38 CST Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org In-Reply-To: from "Vadim Kolontsov" at Feb 5, 97 07:55:52 pm X-Mailer: ELM [version 2.4dev PL65] MIME-Version: 1.0 Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Yes, but why not to use lfix only for static binaries? I can add > checking if binary statically or dynamic linked. Also we can include a > patched and recompiled version of libc into archive. > Of course, problem with _static_ binaries which uses setlocale() > _by itself_ is still exists... this binaries need recompilation.. any > ideas? Are there any such programs in FreeBSD distribution? It should be much more practical to release a small "patch" that included a repaired locale-safe libc, plus the static binaries, plus the "lfix" program with a script to go through and install everything. 
The thing that terrified me was the possibility that one would have to generate a large "patch" to fix every binary... I will get my butt in gear and go look to see if lfix works on 2.0, 2.0.5, and 2.1.0. ... Joe ------------------------------------------------------------------------------- Joe Greco - Systems Administrator jgreco@ns.sol.net Solaria Public Access UNIX - Milwaukee, WI 414/342-4847 From owner-freebsd-security Wed Feb 5 09:42:49 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA12312 for security-outgoing; Wed, 5 Feb 1997 09:42:49 -0800 (PST) Received: from char-star.rdist.org (char-star.rdist.org [206.54.252.22]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id JAA12268 for ; Wed, 5 Feb 1997 09:42:45 -0800 (PST) From: tqbf@enteract.com Received: (qmail 9986 invoked by uid 1001); 5 Feb 1997 17:43:07 -0000 Date: 5 Feb 1997 17:43:07 -0000 Message-ID: <19970205174307.9985.qmail@char-star.rdist.org> To: eivind@dimaga.com, freebsd-security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-Reply-To: <3.0.32.19970205173026.0093c150@dimaga.com> Reply-To: tqbf@enteract.com Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In article <3.0.32.19970205173026.0093c150@dimaga.com>, you wrote: >I was unable to find a call to any locale-function in 2.1.6 "at". That's because 2.1.x programs don't explicitly call setlocale() - they rely on crt0 start() to do that for them. FreeBSD 2.2's at(1) explicitly calls setlocale() from main(), before getopt. In 2.1.6, you're screwed until you fix crt0.c. In FreeBSD 2.2, prior to December, you're screwed until you remove the setlocale() call from at(1) or fix your locale routines. 
-- ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- exit(main(kfp->kargc, argv, environ)); From owner-freebsd-security Wed Feb 5 09:43:13 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA12965 for security-outgoing; Wed, 5 Feb 1997 09:43:13 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA11430; Wed, 5 Feb 1997 09:42:17 -0800 (PST) Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id LAA17828; Wed, 5 Feb 1997 11:42:15 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id LAA05872; Wed, 5 Feb 1997 11:42:14 -0600 (CST) From: Karl Denninger Message-Id: <199702051742.LAA05872@Jupiter.Mcs.Net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: jgreco@solaria.sol.net (Joe Greco) Date: Wed, 5 Feb 1997 11:42:14 -0600 (CST) Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org, current@freebsd.org In-Reply-To: <199702051515.JAA11822@solaria.sol.net> from "Joe Greco" at Feb 5, 97 09:15:15 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > With this, it would be MUCH simpler to release a "security binary kit" > > > upgrade to 2.1.X series systems. > > > > Before everyone starts singing `Halleluia', let me state first that > > this does not solve everything. At runs a setlocale() itsself, so > > it is still vulnerable. Further, It will not solve the problem for ppl > > that actually NEED the locale stuff.... > > The locale stuff appears to have been removed from 2.2's crt0.c as well, > I don't know anything more about what was done, but it seems to me that > that suggests that it is not mandatory for use of the locale stuff. 
>
> The comments suggested that it was an easy way to try to locale-ize
> the entire system. It should not, I would think, preclude the use of
> the locale code, but then again, I am only very mildly familiar with
> that stuff.
>
> ... Joe
>
> -------------------------------------------------------------------------------
> Joe Greco - Systems Administrator jgreco@ns.sol.net
> Solaria Public Access UNIX - Milwaukee, WI 414/342-4847

NO NO NO NO!

The ENTIRE setlocale() code is a HUGE security problem. Among other things, any program which is SUID or SGID kmem is INSTANTLY penetrable to provide access to the resources which would otherwise be "protected".

SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of non-bounds-checked calls to string routines. I have already found setlocale() calls in SEVERAL privileged programs.

Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one week. Either this gets fixed or the world knows how to break in.

-- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Wed Feb 5 10:15:03 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA17128 for security-outgoing; Wed, 5 Feb 1997 10:15:03 -0800 (PST) Received: from nic.follonett.no (nic.follonett.no [194.198.43.10]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA17035 for ; Wed, 5 Feb 1997 10:14:54 -0800 (PST) Received: (from uucp@localhost) by nic.follonett.no (8.8.5/8.8.3) with UUCP id TAA02278; Wed, 5 Feb 1997 19:13:04 +0100 (MET) Received: from oo7 (oo7.dimaga.com [192.0.0.65]) by dimaga.com (8.7.5/8.7.2) with SMTP id TAA18893; Wed, 5 Feb 1997 19:08:09 +0100 (MET) Message-Id:
From: Eivind Eklund
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: tqbf@enteract.com
Cc: freebsd-security@freebsd.org
Date: Wed, 05 Feb 1997 19:08:10 +0100

At 05:43 PM 2/5/97 -0000, tqbf@enteract.com wrote:
> In article <3.0.32.19970205173026.0093c150@dimaga.com>, you wrote:
> > I was unable to find a call to any locale-function in 2.1.6 "at".
>
> That's because 2.1.x programs don't explicitly call setlocale() - they
> rely on crt0 start() to do that for them. FreeBSD 2.2's at(1) explicitly
> calls setlocale() from main(), before getopt.
>
> In 2.1.6, you're screwed until you fix crt0.c. In FreeBSD 2.2, prior to
> December, you're screwed until you remove the setlocale() call from at(1)
> or fix your locale routines.

... don't forget crontab, which will screw you (call setlocale) in 2.1.6 (and 2.2?), as setuid root. The other programs on the list I posted here earlier today call setlocale, but are not setuid, so they aren't _that_ dangerous.
Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/

From: Joe Greco
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: karl@Mcs.Net (Karl Denninger)
Cc: Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Date: Wed, 5 Feb 97 12:16:36 CST

> > The locale stuff appears to have been removed from 2.2's crt0.c as well,
> > I don't know anything more about what was done, but it seems to me that
> > that suggests that it is not mandatory for use of the locale stuff.
> >
> > The comments suggested that it was an easy way to try to locale-ize
> > the entire system. It should not, I would think, preclude the use of
> > the locale code, but then again, I am only very mildly familiar with
> > that stuff.
>
> NO NO NO NO!
>
> The ENTIRE setlocale() code is a HUGE security problem. Among other things,
> any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide
> access to the resources which would otherwise be "protected".
>
> SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED.
> It is FULL of
> non-bounds-checked calls to string routines.
>
> I have already found setlocale() calls in SEVERAL privileged programs.
>
> Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
> week. Either this gets fixed or the world knows how to break in.

KARL!!!!

Shut the hell up already. The bull in a china shop routine is getting very fucking old. You are not being part of the solution, so you are being part of the problem.

I have just as much at stake here as you do. I agree that there is a tank-sized hole. But what needs to happen is some strategizing, so that a _fix_ can be released. A _fix_ that addresses the concerns. That is still being discussed. There is complete buy-in and complete consensus, from everything I can tell, that something MUST be done, and something WILL be done.

It appears to me that a cleanup "security" release (2.1.6.2, or 2.1.7, or whatever) WILL happen, quite possibly with a bunch of other fixes as well. Nobody wants that more than me.

We are also looking at ways to distribute a "patch kit" for pre-2.1.6 releases.

It's gonna get fixed, Karl. Now, if you REALLY want to help, drop the bulldog act, and sign up to do something USEFUL. I'm trying. You can too! An organization your size must have a C programmer or two, why not have them spend a day eliminating every single unchecked bounds string function call that they can? That is how things get DONE. You might even regain some credibility.

But we need to make sure that the effort is coordinated.

...
JG

From: Karl Denninger
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: jgreco@solaria.sol.net (Joe Greco)
Cc: karl@Mcs.Net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Date: Wed, 5 Feb 1997 12:46:16 -0600 (CST)

I wrote:
> > NO NO NO NO!
> >
> > The ENTIRE setlocale() code is a HUGE security problem. Among other things,
> > any program which is SUID or SGID Kmem is INSTANTLY penetrable to provide
> > access to the resources which would otherwise be "protected".
> >
> > SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of
> > non-bounds-checked calls to string routines.
> >
> > I have already found setlocale() calls in SEVERAL privileged programs.
> >
> > Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
> > week. Either this gets fixed or the world knows how to break in.
>
> Shut the hell up already. The bull in a china shop routine is getting
> very fucking old.
> You are not being part of the solution, so you are
> being part of the problem.

No chance. I happen to have already notified people of several related problems, including those in "at" and "crontab".

I AM PART OF THE SOLUTION.

Look. I've submitted prs before which have been flamed because they weren't "stylized" the way people wanted them, or were just ignored until some time later -- even when SEVERE and SECURITY have shown up in them.

Frankly, I'm tired of tilting at windmills.

> I have just as much at stake here as you do. I agree that there is a
> tank-sized hole. But what needs to happen is some strategizing, so that
> a _fix_ can be released. A _fix_ that addresses the concerns. That is
> still being discussed. There is complete buy-in and complete consensus,
> from everything I can tell, that something MUST be done, and something
> WILL be done.

The FIX is to go through setlocale() and fix the holes in the code! Nothing else is adequate, and every other path is a LOT more work.

And yes, I WILL submit a pr on this as soon as I can find a few hours to do the fix, verify it, and make world to test. At the same time I post it to the committers I'll post it publicly, and 24 hours later I post the exploit which takes advantage of the problem. That's as far as I'll go.

Frankly, until then setlocale() ought to have a "return()" right after its invocation -- noop the entire routine out until then. It's THAT bad.

> It appears to me that a cleanup "security" release (2.1.6.2, or 2.1.7,
> or whatever) WILL happen, quite possibly with a bunch of other fixes
> as well. Nobody wants that more than me.

2.2 is ALSO affected. That's being IGNORED right now.

> It's gonna get fixed, Karl. Now, if you REALLY want to help, drop the
> bulldog act, and sign up to do something USEFUL. I'm trying. You can
> too! An organization your size must have a C programmer or two, why
> not have them spend a day eliminating every single unchecked bounds
> string function call that they can?
> That is how things get DONE.

What makes you think we're not doing that.

> You might even regain some credibility.
>
> But we need to make sure that the effort is coordinated.
>
> ... JG

I don't have commit access, and won't wait long for those who do to play with this. If I had it you'd have already seen the commit; I would have stayed up all night last night to code a REAL fix. As it is I won't stay up all night, because I have NO IDEA how long it will take for that to be of benefit -- or if it EVER will be. That's a problem.

I don't CARE if you think I have credibility or not. I'm getting email by the BOATLOAD in support of my stance on this issue, from others who are affected and who are mad as hell at the way these issues have been handled in the past and present.

My fealty isn't to the core team. It's to the people out there who run the code, and to those who I've recommended use the software in question.

From: tqbf@enteract.com
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: karl@Mcs.Net, freebsd-security@freebsd.org
Date: 5 Feb 1997 19:03:33 -0000
In article <199702051742.LAA05872@Jupiter.Mcs.Net>, you wrote:
> The ENTIRE setlocale() code is a HUGE security problem. Among other things,

locales in general are an issue. FreeBSD's rewritten locale code, which obviously wasn't written with much thought towards security, is another issue. The main issue, to my mind, is the caller of an SUID program being able to control the path to its locale information.

To my mind, SUID/SGID programs should be ignoring PATH_LOCALE. I don't know that the best way to handle this is from euid/uid checks in libc - that seems like a hack to me.

> SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of

... but, Mr. Denninger is right here. Among other things, the idiom for calling setlocale() seems to be to do it first, before argument processing. This means that any program vulnerable to any problem caused by the locale routines is vulnerable regardless of how it's called. I am concerned about privileged code calling non-privileged code and becoming vulnerable.

> I have already found setlocale() calls in SEVERAL privileged programs.

They're all over the place in 2.2, as a consequence of it not being handled automatically anymore.

> Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
> week. Either this gets fixed or the world knows how to break in.

I'm not concerned about the "fix" for the problem in question, since they're already out there (just remove locale processing altogether). I'm concerned that the FreeBSD project is not going to inform their users of this problem. This is, in my opinion, probably the most severe problem with FreeBSD that has been brought to public attention.

An advisory for this problem needs to be released immediately. The FreeBSD project needs to come to grips with the fact that there are many, many people who won't act on a problem until CERT releases an advisory.
Until that happens, people will remain vulnerable to the problem, regardless of how much effort goes into finding "the right fix".

I'll repeat myself, again: everyone that you should be worried about having exploit details to this problem ALREADY DOES. People are being broken into with this as we speak. There's a vast amount of 2.1 systems out there, and those 2.1 systems are on networks with other systems, and their vulnerabilities are going to seed the compromise of entire networks. This is not good.

Please, please, please alert the public (and the incident response teams) about this problem.

From: "Thomas H. Ptacek"
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: eivind@dimaga.com (Eivind Eklund)
Cc: freebsd-security@freebsd.org
Date: Wed, 5 Feb 1997 13:07:14 -0600 (CST)

> I checked _everything_ for calls to locale. The only significant items are
> the ones I mentioned. The only one that is setuid() as default (or likely
> to be set setuid) is crontab.
Yeah, I checked FreeBSD 2.2 with the assumption that 2.1 programs wouldn't bother with redundant locale calls. There are many SGID kmem binaries in 2.2 that are vulnerable - this is equally as bad as a root compromise.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."

From: Karl Denninger
Subject: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE
To: tqbf@enteract.com
Cc: karl@Mcs.Net, freebsd-security@freebsd.org, current@freebsd.org
Date: Wed, 5 Feb 1997 14:06:13 -0600 (CST)

>
> In article <199702051742.LAA05872@Jupiter.Mcs.Net>, you wrote:
> > The ENTIRE setlocale() code is a HUGE security problem. Among other things,
>
> locales in general are an issue. FreeBSD's rewritten locale code, which
> obviously wasn't written with much thought towards security, is another
> issue. The main issue, to my mind, is the caller of an SUID program being
> able to control the path to its locale information.
>
> To my mind, SUID/SGID programs should be ignoring PATH_LOCALE. I don't
> know that the best way to handle this is from euid/uid checks in libc -
> that seems like a hack to me.
>
> > SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of
>
> ... but, Mr. Denninger is right here. Among other things, the idiom for
> calling setlocale() seems to be to do it first, before argument
> processing. This means that any program vulnerable to any problem caused
> by the locale routines is vulnerable regardless of how it's called. I am
> concerned about privileged code calling non-privileged code and becoming
> vulnerable.
>
> > I have already found setlocale() calls in SEVERAL privileged programs.
>
> They're all over the place in 2.2, as a consequence of it not being
> handled automatically anymore.

Right.

I have the following patches at this point. They are NOT yet tested. I am doing that now and rebuilding. Once the testing is complete, I will advise.

NOTE THAT THIS APPLIES TO *ALL* VERSIONS OF FREEBSD WHICH HAVE THE LOCALE DIRECTORY UNDER LIBC IN THE SOURCE TREE. There may be minor differences, but frankly, I expect that these or a slight variant absolutely MUST be applied to close this hole. And unfortunately, you have to rebuild everything once you've done so (or at least, libc.so.x, crt0.o and all static binaries).

I will EXPECT that these will show up in the CVS tree within 48 hours unless there are VERY good reasons expressed for them not being included. I WILL be looking for them to appear.

This SHOULD fix the vulnerability; if not correctly, then by brute force (by disallowing setlocale() calls from anything running with privileges).

This is from a scan for "strcpy"s in the "locale" directory under libc.

These patches:

1) Fix all the roaring obvious strcpys and strcats to be the str(n) equivalents. There IS an exception in the final concatenation routine, but the arguments to that routine should have been checked already, so that should be safe.
2) Disallow setlocale() entirely if:
   1) You're SUID or SGID
   2) OR you are running with EUID = 0 regardless of how

Go ahead and poke at this if you'd like -- that's what code reviews are all about -- but I believe this does address the vulnerability.

*** collate.c Wed Feb 5 13:28:17 1997 --- collate.c.orig Wed Feb 5 13:26:08 1997 *************** *** 74,83 **** return -1; } /* Range checking already done at upper level caller */ ! (void) strncpy(buf, _PathLocale, (PATH_MAX - 1)); ! (void) strncat(buf, "/", (PATH_MAX - (2 + strlen(buf))); ! (void) strncat(buf, encoding, (PATH_MAX - (1 + strlen(buf))); ! (void) strncat(buf, "/LC_COLLATE", (PATH_MAX - (1 + strlen(buf))); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; --- 74,83 ---- return -1; } /* Range checking already done at upper level caller */ ! (void) strcpy(buf, _PathLocale); ! (void) strcat(buf, "/"); ! (void) strcat(buf, encoding); ! (void) strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; *** setlocale.c Wed Feb 5 13:56:46 1997 --- setlocale.c.orig Wed Feb 5 13:26:12 1997 *************** *** 106,119 **** int i, j, len; char *env, *r; - /* - * KSD - If we're setuid or setgid, or root, ignore this and return - * instantly 2/5/97 - */ - if ((geteuid() != getuid()) || (getegid() != getgid()) || !geteuid()) { - return(NULL); - } - if (category < LC_ALL || category >= _LC_LAST) return (NULL); --- 106,111 ---- *************** *** 124,133 **** /* * Default to the current locale for everything. */ ! for (i = 1; i < _LC_LAST; ++i) { ! (void)strncpy(new_categories[i], current_categories[i], 31); ! new_categories[i][31] = 0; ! } /* * Now go fill up new_categories from the locale argument --- 116,123 ---- /* * Default to the current locale for everything. */ ! for (i = 1; i < _LC_LAST; ++i) ! 
(void)strcpy(new_categories[i], current_categories[i]); /* * Now go fill up new_categories from the locale argument *************** *** 176,199 **** ++locale; while (*++r && *r != '/'); } while (*locale); ! while (i < _LC_LAST) { ! (void)strncpy(new_categories[i], ! new_categories[i-1], 31); ! new_categories[i][31] = 0; ! } } } if (category) return (loadlocale(category)); for (i = 1; i < _LC_LAST; ++i) { ! (void)strncpy(saved_categories[i], current_categories[i], 31); ! saved_categories[i][31] = 0; if (loadlocale(i) == NULL) { for (j = 1; j < i; j++) { ! (void)strncpy(new_categories[j], ! saved_categories[j], 31); ! new_categories[j][31] = 0; /* XXX can fail too */ (void)loadlocale(j); } --- 166,186 ---- ++locale; while (*++r && *r != '/'); } while (*locale); ! while (i < _LC_LAST) ! (void)strcpy(new_categories[i], ! new_categories[i-1]); } } + if (category) return (loadlocale(category)); for (i = 1; i < _LC_LAST; ++i) { ! (void)strcpy(saved_categories[i], current_categories[i]); if (loadlocale(i) == NULL) { for (j = 1; j < i; j++) { ! (void)strcpy(new_categories[j], ! saved_categories[j]); /* XXX can fail too */ (void)loadlocale(j); } *************** *** 218,226 **** currentlocale() { int i; - /* - * Bounds already checked on current_categories; can't overflow - KSD 2/5/97 - */ (void)strcpy(current_locale_string, current_categories[1]); --- 205,210 ---- *************** *** 228,234 **** if (strcmp(current_categories[1], current_categories[i])) { (void) strcpy(current_locale_string, current_categories[1]); (void) strcat(current_locale_string, "/"); ! (void) strncat(current_locale_string, current_categories[2]); (void) strcat(current_locale_string, "/"); (void) strcat(current_locale_string, current_categories[3]); (void) strcat(current_locale_string, "/"); --- 212,218 ---- if (strcmp(current_categories[1], current_categories[i])) { (void) strcpy(current_locale_string, current_categories[1]); (void) strcat(current_locale_string, "/"); ! 
(void) strcat(current_locale_string, current_categories[2]); (void) strcat(current_locale_string, "/"); (void) strcat(current_locale_string, current_categories[3]); (void) strcat(current_locale_string, "/"); *** setrunelocale.c Wed Feb 5 13:35:20 1997 --- setrunelocale.c.orig Wed Feb 5 13:26:22 1997 *************** *** 86,96 **** if (!_PathLocale) return(EFAULT); /* Range checking already done at upper level caller */ ! (void) strncpy(name, _PathLocale, (PATH_MAX - 1)); ! name[PATH_MAX - 1] = 0; (void) strcat(name, "/"); ! (void) strncat(name, encoding, (PATH_MAX - (2 + strlen(name))); ! (void) strncat(name, "/LC_CTYPE", (PATH_MAX - (2 + strlen(name))); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 86,95 ---- if (!_PathLocale) return(EFAULT); /* Range checking already done at upper level caller */ ! (void) strcpy(name, _PathLocale); (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT);
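Review bot: the file headers are the wrong way round (`*** collate.c Wed Feb 5 13:28:17 1997 --- collate.c.orig Wed Feb 5 13:26:08 1997`): in a context diff the `***` file is the old version and `---` the new one, so as posted every hunk describes going from the fixed file back to the original, and patch would need -R to apply them. Regenerate them as `diff -c collate.c.orig collate.c` (and likewise for setlocale.c and setrunelocale.c) before anyone commits them.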
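Review bot: the collate.c hunk does not compile: each of the three strncat() calls is short one closing parenthesis, e.g. `! (void) strncat(buf, "/", (PATH_MAX - (2 + strlen(buf)));` opens four brackets and closes three. The setrunelocale.c hunk has the same defect in both of its strncat() lines.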
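Review bot: the early return added in the setlocale.c 106,119 hunk, `if ((geteuid() != getuid()) || (getegid() != getgid()) || !geteuid()) { return(NULL); }`, is both too broad and too narrow: `!geteuid()` switches locales off for every process root runs, privileged or not, while a set-id program that has already called setuid() to make its real and effective ids equal passes the test and stays exposed. Returning NULL also tells callers the locale is invalid, which some treat as fatal. A narrower rule is to ignore only the environment-derived _PathLocale for set-id processes and fall back to the built-in directory, using issetugid() where the kernel offers it.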
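Review bot: the 124,133 and 176,199 hunks hard-code the bound in `(void)strncpy(new_categories[i], current_categories[i], 31); new_categories[i][31] = 0;`. Derive it from the array (sizeof new_categories[i] - 1) so a later change to the declaration cannot silently reopen the overflow, and note that silently truncating a name to 31 bytes makes loadlocale() look for a different locale than the one requested with no error reported.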
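Review bot: in the 228,234 hunk `! (void) strncat(current_locale_string, current_categories[2]);` passes two arguments to a three-argument function, so setlocale.c will not build as posted, and it is the only changed line in a chain of strcpy()/strcat() calls into current_locale_string that stay unbounded. The 218,226 hunk adds the comment `Bounds already checked on current_categories; can't overflow - KSD 2/5/97` above `(void)strcpy(current_locale_string, current_categories[1]);`, but that only holds if every writer of current_categories is bounded; say where that happens or bound these copies too.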
From: Karl Denninger
Subject: REPLACE LAST MESSAGE REGARDING PATCHES - I posted the wrong file
To: karl@Mcs.Net (Karl Denninger)
Cc: tqbf@enteract.com, karl@Mcs.Net, freebsd-security@freebsd.org, current@freebsd.org
Date: Wed, 5 Feb 1997 14:10:33 -0600 (CST)

Blargh! Wrong file included.

These DO compile; again, they are currently UNDER TEST.

*** collate.c Wed Feb 5 14:08:43 1997 --- collate.c.orig Wed Feb 5 13:26:08 1997 *************** *** 74,83 **** return -1; } /* Range checking already done at upper level caller */ ! (void) strncpy(buf, _PathLocale, (PATH_MAX - 1)); ! (void) strncat(buf, "/", (PATH_MAX - (2 + strlen(buf)))); ! (void) strncat(buf, encoding, (PATH_MAX - (1 + strlen(buf)))); ! (void) strncat(buf, "/LC_COLLATE", (PATH_MAX - (1 + strlen(buf)))); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; --- 74,83 ---- return -1; } /* Range checking already done at upper level caller */ ! (void) strcpy(buf, _PathLocale); ! (void) strcat(buf, "/"); ! (void) strcat(buf, encoding); ! (void) strcat(buf, "/LC_COLLATE"); if ((fp = fopen(buf, "r")) == NULL) { __collate_load_error = save_load_error; return -1; *** setlocale.c Wed Feb 5 14:07:23 1997 --- setlocale.c.orig Wed Feb 5 13:26:12 1997 *************** *** 106,119 **** int i, j, len; char *env, *r; - /* - * KSD - If we're setuid or setgid, or root, ignore this and return - * instantly 2/5/97 - */ - if ((geteuid() != getuid()) || (getegid() != getgid()) || !geteuid()) { - return(NULL); - } - if (category < LC_ALL || category >= _LC_LAST) return (NULL); --- 106,111 ---- *************** *** 124,133 **** /* * Default to the current locale for everything. */ ! for (i = 1; i < _LC_LAST; ++i) { ! 
(void)strncpy(new_categories[i], current_categories[i], 31); ! new_categories[i][31] = 0; ! } /* * Now go fill up new_categories from the locale argument --- 116,123 ---- /* * Default to the current locale for everything. */ ! for (i = 1; i < _LC_LAST; ++i) ! (void)strcpy(new_categories[i], current_categories[i]); /* * Now go fill up new_categories from the locale argument *************** *** 176,199 **** ++locale; while (*++r && *r != '/'); } while (*locale); ! while (i < _LC_LAST) { ! (void)strncpy(new_categories[i], ! new_categories[i-1], 31); ! new_categories[i][31] = 0; ! } } } if (category) return (loadlocale(category)); for (i = 1; i < _LC_LAST; ++i) { ! (void)strncpy(saved_categories[i], current_categories[i], 31); ! saved_categories[i][31] = 0; if (loadlocale(i) == NULL) { for (j = 1; j < i; j++) { ! (void)strncpy(new_categories[j], ! saved_categories[j], 31); ! new_categories[j][31] = 0; /* XXX can fail too */ (void)loadlocale(j); } --- 166,186 ---- ++locale; while (*++r && *r != '/'); } while (*locale); ! while (i < _LC_LAST) ! (void)strcpy(new_categories[i], ! new_categories[i-1]); } } + if (category) return (loadlocale(category)); for (i = 1; i < _LC_LAST; ++i) { ! (void)strcpy(saved_categories[i], current_categories[i]); if (loadlocale(i) == NULL) { for (j = 1; j < i; j++) { ! (void)strcpy(new_categories[j], ! saved_categories[j]); /* XXX can fail too */ (void)loadlocale(j); } *************** *** 218,226 **** currentlocale() { int i; - /* - * Bounds already checked on current_categories; can't overflow - KSD 2/5/97 - */ (void)strcpy(current_locale_string, current_categories[1]); --- 205,210 ---- *** setrunelocale.c Wed Feb 5 14:08:18 1997 --- setrunelocale.c.orig Wed Feb 5 13:26:22 1997 *************** *** 86,96 **** if (!_PathLocale) return(EFAULT); /* Range checking already done at upper level caller */ ! (void) strncpy(name, _PathLocale, (PATH_MAX - 1)); ! name[PATH_MAX - 1] = 0; (void) strcat(name, "/"); ! 
(void) strncat(name, encoding, (PATH_MAX - (2 + strlen(name)))); ! (void) strncat(name, "/LC_CTYPE", (PATH_MAX - (2 + strlen(name)))); if ((fp = fopen(name, "r")) == NULL) return(ENOENT); --- 86,95 ---- if (!_PathLocale) return(EFAULT); /* Range checking already done at upper level caller */ ! (void) strcpy(name, _PathLocale); (void) strcat(name, "/"); ! (void) strcat(name, encoding); ! (void) strcat(name, "/LC_CTYPE"); if ((fp = fopen(name, "r")) == NULL) return(ENOENT);

From: Guido van Rooij
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: vadim@tversu.ac.ru (Vadim Kolontsov)
Cc: Guido.vanRooij@nl.cis.philips.com, jgreco@solaria.sol.net, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Date: Wed, 5 Feb 1997 21:14:04 +0100 (MET)

>
> Yes, but why not to use lfix only for static
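Review bot: the corrected collate.c hunk still does not terminate buf after `! (void) strncpy(buf, _PathLocale, (PATH_MAX - 1));` (the setrunelocale.c hunk does, with `name[PATH_MAX - 1] = 0;`), so a _PathLocale of PATH_MAX - 1 bytes or more leaves buf unterminated and every following strlen(buf) reads past it. The lengths `(PATH_MAX - (2 + strlen(buf)))` are also computed in size_t: once strlen(buf) exceeds PATH_MAX - 2 the subtraction wraps to a huge value and strncat() is effectively unbounded again. Terminate buf and test strlen(buf) against PATH_MAX - 1 before each append, returning -1 as the function already does for its other failures, or build the path with one snprintf() and check its return value.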
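Review bot: the setrunelocale.c hunk keeps the unchanged `(void) strcat(name, "/");` between two bounded appends; after `name[PATH_MAX - 1] = 0;` name may already hold PATH_MAX - 1 characters, so that strcat() writes its terminator one byte past the end of name, and the following `(PATH_MAX - (2 + strlen(name)))` wraps in size_t as soon as strlen(name) exceeds PATH_MAX - 2. Check the remaining space before each append, or reject an over-long _PathLocale with an error return the way the fopen() failure just below returns ENOENT.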
> binaries? I can add
> checking if binary statically or dynamic linked. Also we can include a
> patched and recompiled version of libc into archive.
> Of course, problem with _static_ binaries which use setlocale()
> _by itself_ still exists... these binaries need recompilation.. any
> ideas? Are there any such programs in FreeBSD distribution?

Both statically and dynamically linked binaries suffer from the problem...

-Guido

From: Guido van Rooij
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: tqbf@enteract.com
Cc: karl@Mcs.Net, freebsd-security@freebsd.org
Date: Wed, 5 Feb 1997 21:21:39 +0100 (MET)

>
> An advisory for this problem needs to be released immediately. The FreeBSD
> project needs to come to grips with the fact that there are many, many
> people who won't act on a problem until CERT releases an advisory. Until
> that happens, people will remain vulnerable to the problem, regardless of
> how much effort goes into finding "the right fix".
>

I only want to make an advisory when we can advise something. At this time there is still uncertainty about what to do.
I think the following should do the trick:

1) patch for crt0.c including something where the env. variable will be
   ignored for SUID/SGID programs. This should solve the case where
   ppl. want to rebuild everything
2) For a binary only fix:
   a) new shared libc's for every release since 2.0
   b) the lfix program that patches out the call to startup_setlocale
      in the binary; this for every release and including
      checks for immutable and append only flags. And of
      course a README that will not leave any doubt on the
      exact actions to take.

That should do the trick. Please correct me if I forgot anything.

-Guido

From owner-freebsd-security Wed Feb 5 12:32:21 1997
From: "Thomas H. Ptacek"
Message-Id: <199702052031.OAA26233@enteract.com>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Wed, 5 Feb 1997 14:30:34 -0600 (CST)
Cc: tqbf@enteract.com, karl@Mcs.Net, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702052021.VAA17555@gvr.win.tue.nl> from "Guido van Rooij" at Feb 5, 97 09:21:39 pm

> 1) patch for crt0.c including something where the env. variable will be
>    ignored for SUID/SGID programs. This should solve the case where
>    ppl. want to rebuild everything

How do you intend to do this reliably without issetugid() support?
From owner-freebsd-security Wed Feb 5 12:32:46 1997
Message-Id: <199702052028.MAA00483@narnia.plutotech.com>
To: Karl Denninger
cc: jgreco@solaria.sol.net (Joe Greco), Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-reply-to: Your message of "Wed, 05 Feb 1997 12:46:16 CST." <199702051846.MAA08211@Jupiter.Mcs.Net>
Date: Wed, 05 Feb 1997 12:28:11 -0800
From: "Justin T. Gibbs"

>I AM PART OF THE SOLUTION.

Your name isn't listed in reference to any of the action items for addressing this issue (unless you count the one about PR control), so I fail to see how this could be true. Core was informed of the security issues regarding the 2.1.6 release and other security issues related to 2.2 and 3.0 at approximately the same time that you had your blow up and the actions we are taking now are exactly the same as we would have taken regardless. You may think that you've "kicked our butts into action", but the pride we have in the project did that long before we were blessed with your spittle.

>Look.
>I've submitted prs before which have been flamed because they weren't
>"stylized" the way people wanted them, or were just ignored until some time
>later -- even when SEVERE and SECURITY have shown up in them.
>
>Frankly, I'm tired of tilting at windmills.

If the speed of development or reaction time of a free project like FreeBSD does not suit your needs, then don't use it.

>The FIX is to go through setlocale() and fix the holes in the code!
>Nothing else is adequate, and every other path is a LOT more work.

Every method for fixing this, and numerous other potential problems with 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding, a review process, and documentation. To do otherwise is to open us to a recurring cycle of security hole/quick fix/security hole/quick fix. Core has already determined a course of action on these issues and a statement regarding the entire issue will be released once it has passed final review.

>And yes, I WILL submit a pr on this as soon as I can find a few hours to
>do the fix, verify it, and make world to test. At the same time I post
>it to the committers I'll post it publicly, and 24 hours later I post
>the exploit which takes advantage of the problem.
>
>That's as far as I'll go.

This will only serve to confuse our userbase about what the exact problem is, which releases and binaries are affected, and how to address the problem completely. During Core's investigation of this problem, much more information than you provided has surfaced, all of which will be communicated in our announcement.

>Frankly, until then setlocale() ought to have a "return()" right after its
>invocation -- noop the entire routine out until then. It's THAT bad.

This does not completely address the security issue and would only give some users undue self-assurance that they are safe from further break-ins.

>2.2 is ALSO affected. That's being IGNORED right now.

Not true.
Simply because you are not privy to the discussions about this issue does not mean that we are ignoring anything. Our announcement will have information on *all* versions of FreeBSD that have this problem.

>What makes you think we're not doing that.

Your attitude has not been one of, "Here is the problem, how can I direct the resources at my disposal to help the project correct it." Instead, you have pronounced yourself the "unsung hero" of security that will create a solution of your own liking and publish whatever (dis)information you see fit. As I mentioned before, this only adds to the confusion.

>I don't have commit access, and won't wait long for those who do to play
>with this. If I had it you'd have already seen the commit; I would have
>stayed up all night last night to code a REAL fix.

Several Core members did stay up all last night working on this problem.

>As it is I won't stay up all night, because I have NO IDEA how long it will
>take for that to be of benefit -- or if it EVER will be. That's a problem.

If you have the resources to contribute to fixing this problem, all you need to do is promise to cooperate in a controlled effort and we'll happily accept your help. Right now, you look like a loaded gun with the safety off and we cannot afford that kind of instability while we work to handle this delicate situation.

>I don't CARE if you think I have credibility or not. I'm getting email by
>the BOATLOAD in support of my stance on this issue, from others who are
>affected and who are mad as hell at the way these issues have been handled
>in the past and present.

Then they have the same misconception: that flying off the handle made any difference in how this issue was and is being handled. It didn't.

>My fealty isn't to the core team. It's to the people out there who run the
>code, and to those who I've recommended use the software in question.
Then quit confusing them with your comments and wait for our pending security announcement, which will have all of the facts straight and give proper guidelines for securing an affected system.

--
Justin T. Gibbs
===========================================
FreeBSD: Turning PCs into workstations
===========================================

From owner-freebsd-security Wed Feb 5 12:37:25 1997
From: Karl Denninger
Message-Id: <199702052036.OAA12786@Jupiter.Mcs.Net>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: gibbs@narnia.plutotech.com (Justin T. Gibbs)
Date: Wed, 5 Feb 1997 14:36:11 -0600 (CST)
Cc: karl@Mcs.Net, jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
In-Reply-To: <199702052028.MAA00483@narnia.plutotech.com> from "Justin T.
Gibbs" at Feb 5, 97 12:28:11 pm

> >The FIX is to go through setlocale() and fix the holes in the code!
> >Nothing else is adequate, and every other path is a LOT more work.
>
> Every method for fixing this, and numerous other potential problems with
> 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding,
> a review process, and documentation. To do otherwise is to open us to a
> recurring cycle of security hole/quick fix/security hole/quick fix. Core
> has already determined a course of action on these issues and a statement
> regarding the entire issue will be released once it has passed final review.

I was told that this release would be posted LAST NIGHT.

It's 15 hours beyond "last night". No information has been posted. Why?

I've now provided a patch. Either commit it or get off the pot.

> This will only serve to confuse our userbase about what the exact problem
> is, which releases and binaries are affected, and how to address the problem
> completely. During Core's investigation of this problem, much more information
> than you provided has surfaced, all of which will be communicated in our
> announcement.

That's false. The setlocale() problem is fixable with a patch to setlocale().

> >2.2 is ALSO affected. That's being IGNORED right now.
>
> Not true. Simply because you are not privy to the discussions about this
> issue does not mean that we are ignoring anything. Our announcement will
> have information on *all* versions of FreeBSD that have this problem.

Keeping the discussion private (ie: "not privy") means you believe there's something to hide. I disagree. Either discourse in public or it doesn't count in my book.

Again, the talkd bug handling is what got me going on this generic issue with FreeBSD. Now we have a much more serious one.
> Your attitude has not been one of, "Here is the problem, how can I direct
> the resources at my disposal to help the project correct it." Instead,
> you have pronounced yourself the "unsung hero" of security that will create
> a solution of your own liking and publish whatever (dis)information you
> see fit. As I mentioned before, this only adds to the confusion.

Bullshit. I have now published a patch which corrects the problem in setlocale().

> If you have the resources to contribute to fixing this problem, all you need
> to do is promise to cooperate in a controlled effort and we'll happily accept
> your help. Right now, you look like a loaded gun with the safety off and we
> cannot afford that kind of instability while we work to handle this delicate
> situation.

CORE created the loaded gun by mishandling the talkd problem. You further exacerbated it with this mess. Now you have a patch in hand.

> >My fealty isn't to the core team. It's to the people out there who run the
> >code, and to those who I've recommended use the software in question.
>
> Then quit confusing them with your comments and wait for our pending security
> announcement which will have all of the facts straight and give proper
> guidelines for securing an affected system.

In a pig's eye. THAT goal could have been accomplished within hours.

I waited for the promised announcement last night. It never came.

Now I've coded a patch to fix the problem. It's been posted, and I'm verifying it. If it passes my inspection I want it committed, or a damn good reason why it won't be.

NOW.
From owner-freebsd-security Wed Feb 5 12:43:03 1997
From: "Thomas H. Ptacek"
Message-Id: <199702052042.OAA27560@enteract.com>
Subject: While we're on the subject...
To: freebsd-security@freebsd.org
Date: Wed, 5 Feb 1997 14:42:07 -0600 (CST)
Reply-To: tqbf@enteract.com

OpenBSD has the locale issue resolved reliably already.

OpenBSD supports issetugid(). Thus, I can tell, even when I'm deep in libc, if I was called from an SUID program. I can do that because execve() flipped a bit in my proc structure when it noticed that I was SUID.

This is a good thing. Meaningless UID checks probably aren't. Anything could have happened to my creds, depending on the programmer calling the library, and I have no way of determining what happened.

What's holding FreeBSD up on supporting issetugid()?
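An added example, not code from this thread or from FreeBSD's or OpenBSD's libc, that puts the two defensive points of the thread into one routine: the LC_CTYPE path built by the quoted setlocale hunk gets a single explicit length check instead of per-strncat arithmetic or a comment about the caller, and PATH_LOCALE is ignored outright for a set-id process, which is what Guido's crt0 item and Tom's issetugid() point both ask for. The names build_ctype_path, ctype_path, DEFAULT_LOCALE_DIR and the set_id flag are hypothetical; the issetugid() result is passed in as that flag so the code also runs where the call does not exist.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 1024
#endif

/* Hypothetical stand-in for libc's compiled-in locale directory. */
#define DEFAULT_LOCALE_DIR "/usr/share/locale"

/*
 * Build "<base>/<encoding>/LC_CTYPE" into name[namelen].
 *
 * path_locale is the PATH_LOCALE environment value (may be NULL).
 * set_id stands for the result of issetugid(): non-zero means execve()
 * marked the process as set-uid/set-gid, so its environment is untrusted
 * and PATH_LOCALE is not consulted at all.  It is a parameter here only so
 * the routine can be exercised on systems without issetugid().
 *
 * Returns 0 on success or an errno value.
 */
int build_ctype_path(char *name, size_t namelen, const char *path_locale,
                     const char *encoding, int set_id)
{
    const char *base = DEFAULT_LOCALE_DIR;
    size_t need;

    if (!set_id && path_locale != NULL && *path_locale != '\0')
        base = path_locale;

    /* An encoding name is one directory component, never a path. */
    if (encoding == NULL || *encoding == '\0' ||
        strchr(encoding, '/') != NULL || strcmp(encoding, "..") == 0)
        return EINVAL;

    /* One up-front bound on the whole result, computed before any byte is
     * copied, rather than PATH_MAX - (2 + strlen(name)) at every strncat. */
    need = strlen(base) + 1 + strlen(encoding) + strlen("/LC_CTYPE") + 1;
    if (need > namelen)
        return ENAMETOOLONG;

    /* The copies cannot overflow now; snprintf keeps the bound visible. */
    snprintf(name, namelen, "%s/%s/LC_CTYPE", base, encoding);
    return 0;
}

/* Convenience wrapper: the built path from a static buffer, or NULL. */
const char *ctype_path(const char *path_locale, const char *encoding, int set_id)
{
    static char name[PATH_MAX];
    return build_ctype_path(name, sizeof name, path_locale, encoding, set_id) == 0
               ? name : NULL;
}

/* Constructed test input: a PATH_LOCALE of 2 * PATH_MAX 'A' bytes, the
 * shape of value the advisory describes.  Returns the builder's errno. */
int overlong_path_locale_result(void)
{
    char name[PATH_MAX];
    char *huge = malloc(2 * PATH_MAX + 1);
    int rc;

    if (huge == NULL)
        return ENOMEM;
    memset(huge, 'A', 2 * PATH_MAX);
    huge[2 * PATH_MAX] = '\0';
    rc = build_ctype_path(name, sizeof name, huge, "ISO8859-1", 0);
    free(huge);
    return rc;
}

int main(void)
{
    /* Ordinary process: PATH_LOCALE is honoured. */
    printf("user:   %s\n", ctype_path("/usr/local/share/locale", "ISO8859-1", 0));
    /* Set-id process: the same environment value is ignored. */
    printf("set-id: %s\n", ctype_path("/usr/local/share/locale", "ISO8859-1", 1));
    /* Over-long value: refused before a single byte lands in name[]. */
    printf("huge:   %s\n", strerror(overlong_path_locale_result()));
    return 0;
}
```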
From owner-freebsd-security Wed Feb 5 12:46:08 1997
From: Karl Denninger
Message-Id: <199702052045.OAA13118@Jupiter.Mcs.Net>
Subject: PATCH VERIFIED AGAINST CRONTAB AND AT FOR -CURRENT BRANCH
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Wed, 5 Feb 1997 14:45:57 -0600 (CST)
Cc: tqbf@enteract.com, karl@Mcs.Net, freebsd-security@freebsd.org, current@freebsd.org
In-Reply-To: <199702052021.VAA17555@gvr.win.tue.nl> from "Guido van Rooij" at Feb 5, 97 09:21:39 pm

> > An advisory for this problem needs to be released immediately. The FreeBSD
> > project needs to come to grips with the fact that there are many, many
> > people who won't act on a problem until CERT releases an advisory. Until
> > that happens, people will remain vulnerable to the problem, regardless of
> > how much effort goes into finding "the right fix".
>
> I only want to make an advisory when we can advise something. At this time
> there is still uncertainty about what to do. I think the following
> should do the trick:
>
> 1) patch for crt0.c including something where the env. variable will be
>    ignored for SUID/SGID programs. This should solve the case where
>    ppl.
>    want to rebuild everything
> 2) For a binary only fix:
>    a) new shared libc's for every release since 2.0
>    b) the lfix program that patches out the call to startup_setlocale
>       in the binary; this for every release and including
>       checks for immutable and append only flags. And of
>       course a README that will not leave any doubt on the
>       exact actions to take.
>
> That should do the trick. Please correct me if I forgot anything.
>
> -Guido

Ok. My preliminary testing is complete.

The patch that I made to setlocale() absolutely does close the hole for "crontab" and "at" in the -CURRENT branch. The exploit Tom provided to me no longer produces a core fault (which indicates that the stack frame got clobbered, and that minor adjustments to it would produce a root shell prompt instead).

As such, I expect that the rest of the problem is *ALSO* fixed with the patch that I posted to the security and current lists.

Critique away. If there isn't a DAMN GOOD reason not to commit that fix, I believe it should go in. Like now.
From owner-freebsd-security Wed Feb 5 12:51:40 1997
Date: 5 Feb 97 14:51:30 -0600
Subject: Re: REPLACE LAST MESSAGE REGARDING PATCHES - I posted the wrong file
From: "Richard Wackerbarth"
To: "Karl Denninger"
Cc: freebsd-security@freebsd.org

On Wed, Feb 5, 1997 2:10 PM, Karl Denninger wrote:
>
>Blargh! Wrong file included. These DO compile; again, they are currently
>UNDER TEST.

Since you have proven that you, too, can make a mistake, perhaps you should back off on your insistence on INSTANT action. I would much prefer a PROMPT AND CORRECT response.
From owner-freebsd-security Wed Feb 5 12:55:59 1997
From: Karl Denninger
Message-Id: <199702052055.OAA13523@Jupiter.Mcs.Net>
Subject: Re: REPLACE LAST MESSAGE REGARDING PATCHES - I posted the wrong
To: rkw@dataplex.net (Richard Wackerbarth)
Date: Wed, 5 Feb 1997 14:55:50 -0600 (CST)
Cc: karl@Mcs.Net, freebsd-security@freebsd.org
In-Reply-To: from "Richard Wackerbarth" at Feb 5, 97 02:51:30 pm

> On Wed, Feb 5, 1997 2:10 PM, Karl Denninger wrote:
> >
> >Blargh! Wrong file included. These DO compile; again, they are currently
> >UNDER TEST.
>
> Since you have proven that you, too, can make a mistake, perhaps you should
> back off on your insistence on INSTANT action. I would much prefer a PROMPT
> AND CORRECT response.

I'm not backing off on anything.
From owner-freebsd-security Wed Feb 5 13:01:50 1997
Message-Id: <199702052057.MAA00563@narnia.plutotech.com>
To: Karl Denninger
cc: gibbs@plutotech.com (Justin T. Gibbs), jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-reply-to: Your message of "Wed, 05 Feb 1997 14:36:11 CST." <199702052036.OAA12786@Jupiter.Mcs.Net>
Date: Wed, 05 Feb 1997 12:57:58 -0800
From: "Justin T. Gibbs"

>> >The FIX is to go through setlocale() and fix the holes in the code!
>> >Nothing else is adequate, and every other path is a LOT more work.
>>
>> Every method for fixing this, and numerous other potential problems with
>> 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding,
>> a review process, and documentation. To do otherwise is to open us to a
>> recurring cycle of security hole/quick fix/security hole/quick fix.
>> Core
>> has already determined a course of action on these issues and a statement
>> regarding the entire issue will be released once it has passed final review.
>
>I was told that this release would be posted LAST NIGHT.
>
>It's 15 hours beyond "last night". No information has been posted. Why?

All security announcements go to the CERT first-teams list before public announcement. This has been true of all recent security announcements made about FreeBSD. We have a well established set of guidelines for dealing with security issues, and notifying CERT first is one of them.

>I've now provided a patch. Either commit it or get off the pot.

Your patch isn't sufficient.

>> This will only serve to confuse our userbase about what the exact problem
>> is, which releases and binaries are affected, and how to address the problem
>> completely. During Core's investigation of this problem, much more information
>> than you provided has surfaced, all of which will be communicated in our
>> announcement.
>
>That's false. The setlocale() problem is fixable with a patch to
>setlocale().

And which binaries must you rebuild in order for that patch to be fully effective? How do you address third party software that is only available in binary form? Your analysis of this problem doesn't scratch the surface of the kind of information our user base needs in order to be protected.

>> >2.2 is ALSO affected. That's being IGNORED right now.
>>
>> Not true. Simply because you are not privy to the discussions about this
>> issue does not mean that we are ignoring anything. Our announcement will
>> have information on *all* versions of FreeBSD that have this problem.
>
>Keeping the discussion private (ie: "not privy") means you believe there's
>something to hide. I disagree. Either discourse in public or it doesn't
>count in my book.

The discussion was kept private in order to not disseminate misinformation to our userbase.
Last night's flurry of mail on this issue began with speculation on several problems, followed by investigation and much work on providing the proper patches and documentation. If this entire dialog was made public, which includes many references to "non-problems", it would only serve to confuse the issue. Our goal was to collect the correct information and only to make it public once we verified the full scope of the problem.

>Again, the talkd bug handling is what got me going on this generic issue
>with FreeBSD. Now we have a much more serious one.

People are human.

>> Your attitude has not been one of, "Here is the problem, how can I direct
>> the resources at my disposal to help the project correct it." Instead,
>> you have pronounced yourself the "unsung hero" of security that will create
>> a solution of your own liking and publish whatever (dis)information you
>> see fit. As I mentioned before, this only adds to the confusion.
>
>Bullshit. I have now published a patch which corrects the problem in
>setlocale().

Your patch is not enough. We are currently looking at fixing a number of related problems in the source tree before releasing 2.1.7. There's a nice sign-up sheet if you want to really be of help. Our course of action will require a considerable number of man hours and we want to complete the task as quickly as possible.

>> If you have the resources to contribute to fixing this problem, all you need
>> to do is promise to cooperate in a controlled effort and we'll happily accept
>> your help. Right now, you look like a loaded gun with the safety off and we
>> cannot afford that kind of instability while we work to handle this delicate
>> situation.
>
>CORE created the loaded gun by mishandling the talkd problem.

I think you are again confusing the actions of one or two people with the actions of Core.

>You further
>exacerbated it with this mess. Now you have a patch in hand.

We had several patches in hand long before yours showed up.
>> Then quit confusing them with your comments and wait for our pending
>> security announcement which will have all of the facts straight and give
>> proper guidelines for securing an affected system.
>
>In a pig's eye. THAT goal could have been accomplished within hours.

Not true. Do you know this problem affects systems prior to 2.1.6? Do you know which snapshots and Beta/GAMMA releases are affected? How about which types of statically linked binaries must be replaced before you are safe? Answering all of those questions, and many others, takes time.

>I waited for the promised announcement last night. It never came.

As I explained before, we are following our security policy on this issue and your actions won't change that.

>Now I've coded a patch to fix the problem. It's been posted, and I'm
>verifying it.

Oh great. You posted an un-verified patch. That would be an unacceptable action for Core to officially take.

>If it passes my inspection I want it committed, or a damn
>good reason why it won't be.
>
>NOW.

As I said before, Core will continue to take action in this matter as it sees fit regardless of your actions or threats.
From owner-freebsd-security Wed Feb 5 13:10:18 1997
Message-ID: <19970205210908.417.qmail@spitfire.ecsel.psu.edu>
To: Karl Denninger
cc: security@freebsd.org
Subject: Re: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE
In-reply-to: Your message of "Wed, 05 Feb 1997 14:06:13 CST." <199702052006.OAA11778@Jupiter.Mcs.Net>
Date: Wed, 05 Feb 1997 16:09:08 -0500
From: Dan Cross

> I will EXPECT that these will show up in the CVS tree within 48 hours
> unless there are VERY good reasons expressed for them not being included.
> I WILL be looking for them to appear.

Well, for -current, they are somewhat unnecessary. I made a complete fool out of myself last night on freebsd-bugs, thus implicitly demonstrating this. :-)

Remember, folks, not *all* calls to strcpy() are bad; sometimes range checking can be accomplished in non-intuitive ways. I expect that just back-porting the code from -current into 2.1 and 2.2 will be enough to solve the problem.

However, if I am incorrect and you have an exploit that runs against -current, please let me know, as I would like to see where the error lies. However, I pored over the -current code last night, and while I agree that it needs a bath, I'm pretty certain that it's secure.

Thanks!

- Dan C.
(...who's actually gotten some sleep now, and isn't so quick to make stupid mistakes in his trains of thought... :-)

From owner-freebsd-security Wed Feb 5 13:16:05 1997
From: Karl Denninger
Message-Id: <199702052115.PAA14224@Jupiter.Mcs.Net>
Subject: Re: PATCH for *ALL* FreeBSD Setlocale() problems - EVERYONE SHOULD READ THIS MESSAGE
To: tenser@spitfire.ecsel.psu.edu (Dan Cross)
Date: Wed, 5 Feb 1997 15:15:55 -0600 (CST)
Cc: karl@mcs.net, security@freebsd.org
In-Reply-To: <19970205210908.417.qmail@spitfire.ecsel.psu.edu> from "Dan Cross" at Feb 5, 97 04:09:08 pm

> > I will EXPECT that these will show up in the CVS tree within 48 hours
> > unless there are VERY good reasons expressed for them not being included.
> > I WILL be looking for them to appear.
>
> Well, for -current, they are somewhat unnecessary. I made a complete
> fool out of myself last night on freebsd-bugs, thus implicitly
> demonstrating this. :-)
>
> Remember, folks, not *all* calls to strcpy() are bad; sometimes range
> checking can be accomplished in non-intuitive ways. I expect that just
> back-porting the code from -current into 2.1 and 2.2 will be enough to
> solve the problem.
>
> However, if I am incorrect and you have an exploit that runs against
> -current, please let me know, as I would like to see where the error
> lies. However, I pored over the -current code last night, and while
> I agree that it needs a bath, I'm pretty certain that it's secure.
>
> Thanks!
>
> - Dan C.
>
> (...who's actually gotten some sleep now, and isn't so quick to make
> stupid mistakes in his trains of thought... :-)

No. Try the exploit against an unpatched system's "at" program. It dumps
core, which means that you're vulnerable (the stack got blasted).

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Wed Feb 5 13:34:33 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA13483 for security-outgoing; Wed, 5 Feb 1997 13:34:33 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA13473 for ; Wed, 5 Feb 1997 13:34:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id NAA11176; Wed, 5 Feb 1997 13:34:18 -0800 (PST)
Message-Id: <199702052134.NAA11176@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: tqbf@enteract.com
cc: karl@mcs.net, freebsd-security@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-reply-to: Your message of "05 Feb 1997 19:03:33 GMT." <19970205190333.11804.qmail@char-star.rdist.org>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 05 Feb 1997 13:34:18 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
>>week. Either this gets fixed or the world knows how to break in.
>
>I'm not concerned about the "fix" for the problem in question, since
>they're already out there (just remove locale processing altogether). I'm
>concerned that the FreeBSD project is not going to inform their users of
>this problem. This is, in my opinion, probably the most severe problem
>with FreeBSD that has been brought to public attention.
>
>An advisory for this problem needs to be released immediately. The FreeBSD
>project needs to come to grips with the fact that there are many, many
>people who won't act on a problem until CERT releases an advisory. Until
>that happens, people will remain vulnerable to the problem, regardless of
>how much effort goes into finding "the right fix".
>
>I'll repeat myself, again: everyone that you should be worried about
>having exploit details to this problem ALREADY DOES. People are being
>broken into with this as we speak. There's a vast amount of 2.1 systems
>out there, and those 2.1 systems are on networks with other systems, and
>their vulnerabilities are going to seed the compromise of entire networks.
>
>This is not good.
>
>Please, please, please alert the public (and the incident response teams)
>about this problem.

   The problem is fixed in all of our source branches by removing the support
for PATH_LOCALE. It was there only as a debugging aid in the first place.
An announcement including a proper patch for the problem is being worked on.
It's taken much longer to put together an accurate announcement because of
uncertainties about just exactly which versions are affected and just exactly
how. It's not as simple as you might first think and we don't want to
provide disinformation to the public about this problem.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Feb 5 13:34:32 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA13482 for security-outgoing; Wed, 5 Feb 1997 13:34:32 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA13229; Wed, 5 Feb 1997 13:30:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id NAA11127; Wed, 5 Feb 1997 13:28:12 -0800 (PST)
Message-Id: <199702052128.NAA11127@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Karl Denninger
cc: jgreco@solaria.sol.net (Joe Greco), Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-reply-to: Your message of "Wed, 05 Feb 1997 12:46:16 CST." <199702051846.MAA08211@Jupiter.Mcs.Net>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 05 Feb 1997 13:28:11 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>I don't have commit access, and won't wait long for those who do to play
>with this. If I had it you'd have already seen the commit; I would have
>stayed up all night last night to code a REAL fix.

   Well, I *did* stay up all night working on this and committed a fix. If
people BOTHERED to read their commit email, they would have noticed that the
call to read PATH_LOCALE was completely and totally REMOVED from the
2.1-stable, 2.2, and -current. (Yes, my capslock works, too).
   As for the announcement, it's been delayed because of some uncertainty
about whether 2.2 through 3.0-SNAP is actually affected since this code:

1) Doesn't call setlocale() from crt0
2) Checks the uid != euid before using the environment PATH_LOCALE

   We will make an announcement when we have accurate information for people.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Feb 5 13:43:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA14153 for security-outgoing; Wed, 5 Feb 1997 13:43:04 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA14148 for ; Wed, 5 Feb 1997 13:42:58 -0800 (PST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id PAA13136; Wed, 5 Feb 1997 15:42:56 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id PAA15082; Wed, 5 Feb 1997 15:42:56 -0600 (CST)
From: Karl Denninger
Message-Id: <199702052142.PAA15082@Jupiter.Mcs.Net>
Subject: Re: While we're on the subject...
To: tqbf@enteract.com
Date: Wed, 5 Feb 1997 15:42:56 -0600 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199702052042.OAA27560@enteract.com> from "Thomas H. Ptacek" at Feb 5, 97 02:42:07 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> OpenBSD has the locale issue resolved reliably already.
>
> OpenBSD supports issetugid().
>
> Thus, I can tell, even when I'm deep in libc, if I was called from an SUID
> program. I can do that because execve() flipped a bit in my proc structure
> when it noticed that I was SUID.
>
> This is a good thing.
>
> Meaningless UID checks probably aren't. Anything could have happened to my
> creds, depending on the programmer calling the library, and I have no way
> of determining what happened.
>
> What's holding FreeBSD up on supporting issetugid()?
>
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> "I'm standing alone, I'm watching you all, I'm seeing you sinking."

If euid != uid, then you're running SUID *NOW*.
If euid = 0, then you're running as root *NOW*.

Why does it matter what you might have been sometime before? The issue is
what you are running as at the time the call is made, no?

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal

From owner-freebsd-security Wed Feb 5 13:54:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA14829 for security-outgoing; Wed, 5 Feb 1997 13:54:04 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA14823 for ; Wed, 5 Feb 1997 13:54:00 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id PAA06787; Wed, 5 Feb 1997 15:53:58 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702052153.PAA06787@enteract.com>
Subject: Re: While we're on the subject...
To: karl@Mcs.Net (Karl Denninger)
Date: Wed, 5 Feb 1997 15:53:16 -0600 (CST)
Cc: tqbf@enteract.com, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702052142.PAA15082@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 5, 97 03:42:56 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> If euid != uid, then you're running SUID *NOW*.
> If euid = 0, then you're running as root *NOW*.

Saved credentials.

Processes that temporarily suspend privilege are just as vulnerable as
processes that maintain it. There's no good way to figure out exactly what
your credentials are from within libc.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."

From owner-freebsd-security Wed Feb 5 13:57:27 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA15102 for security-outgoing; Wed, 5 Feb 1997 13:57:27 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA15096 for ; Wed, 5 Feb 1997 13:57:24 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id PAA07003; Wed, 5 Feb 1997 15:56:03 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702052156.PAA07003@enteract.com>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: dg@root.com
Date: Wed, 5 Feb 1997 15:55:21 -0600 (CST)
Cc: tqbf@enteract.com, karl@mcs.net, freebsd-security@freebsd.org
Reply-To: tqbf@enteract.com
In-Reply-To: <199702052134.NAA11176@root.com> from "David Greenman" at Feb 5, 97 01:34:18 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> The problem is fixed in all of our source branches by removing the support
> for PATH_LOCALE. It was there only as a debugging aid in the first place.

...

> how. It's not as simple as you might first think and we don't want to
> provide disinformation to the public about this problem.

I believe "remove PATH_LOCALE support" has been my suggestion from the
start, so I'll disagree and say that it was exactly as simple as I first
thought. Thank you for your work on this problem, I look forward to the
announcement.
---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- "I'm standing alone, I'm watching you all, I'm seeing you sinking." From owner-freebsd-security Wed Feb 5 14:09:25 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA15883 for security-outgoing; Wed, 5 Feb 1997 14:09:25 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA15878 for ; Wed, 5 Feb 1997 14:09:19 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11453; Wed, 5 Feb 1997 14:08:03 -0800 (PST) Message-Id: <199702052208.OAA11453@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: tqbf@enteract.com cc: karl@mcs.net, freebsd-security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-reply-to: Your message of "Wed, 05 Feb 1997 15:55:21 CST." <199702052156.PAA07003@enteract.com> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 14:08:03 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> The problem is fixed in all of our source branches by removing the support >> for PATH_LOCALE. It was there only as a debugging aid in the first place. > >... > >> how. It's not as simple as you might first think and we don't won't to >> provide dis-information to the public about this problem. > >I believe "remove PATH_LOCALE support" has been my suggestion from the >start, so I'll disagree and say that it was exactly as simple as I first >thought. Thank you for your work on this problem, I look forward to the >announcement. Yes, I personally didn't see that suggestion, but nonetheless, it took a little time to see through the dozens of suggested fixes and decide on the right one. An announcement will be out as soon as we decide on the final wording (almost there). 
I don't like how this whole mess has come down. There is an awful lot of ill-will being passed out that will have long term ramifications. It didn't need to happen this way. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Wed Feb 5 14:11:55 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16071 for security-outgoing; Wed, 5 Feb 1997 14:11:55 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA16064 for ; Wed, 5 Feb 1997 14:11:48 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11478; Wed, 5 Feb 1997 14:11:36 -0800 (PST) Message-Id: <199702052211.OAA11478@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: tqbf@enteract.com cc: freebsd-security@FreeBSD.ORG Subject: Re: While we're on the subject... In-reply-to: Your message of "Wed, 05 Feb 1997 14:42:07 CST." <199702052042.OAA27560@enteract.com> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 14:11:36 -0800 Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >OpenBSD has the locale issue resolved reliably already. > >OpenBSD supports issetugid(). > >Thus, I can tell, even when I'm deep in libc, if I was called from an SUID >program. I can do that because execve() flipped a bit in my proc structure >when it noticed that I was SUID. > >This is a good thing. > >Meaningless UID checks probably aren't. Anything could have happened to my >creds, depending on the programmer calling the library, and I have no way >of determining what happened. > >What's holding FreeBSD up on supporting issetugid()? It might not be a sufficient interface to solve the problem, but it is being considered and will likely be implemented once we get beyond this current mess. 
-DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Wed Feb 5 14:14:09 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16269 for security-outgoing; Wed, 5 Feb 1997 14:14:09 -0800 (PST) Received: from narnia.plutotech.com (narnia.plutotech.com [206.168.67.130]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA16247; Wed, 5 Feb 1997 14:14:00 -0800 (PST) Received: from narnia (localhost [127.0.0.1]) by narnia.plutotech.com (8.8.5/8.7.3) with ESMTP id OAA00829; Wed, 5 Feb 1997 14:13:37 -0800 (PST) Message-Id: <199702052213.OAA00829@narnia.plutotech.com> X-Mailer: exmh version 2.0beta 12/23/96 To: Karl Denninger cc: guido@gvr.win.tue.nl (Guido van Rooij), tqbf@enteract.com, freebsd-security@freebsd.org, current@freebsd.org Subject: Re: PATCH VERIFIED AGAINST CRONTAB AND AT FOR -CURRENT BRANCH In-reply-to: Your message of "Wed, 05 Feb 1997 14:45:57 CST." <199702052045.OAA13118@Jupiter.Mcs.Net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 05 Feb 1997 14:13:36 -0800 From: "Justin T. Gibbs" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Critique away. If there isn't a DAMN GOOD reason not to commit that >fix, I believe it should go in. > >Like now. As David Greenman pointed out, a patch has already been applied to current that closes this particular hole in a more complete manner than yours: To: CVS-committers, cvs-all, cvs-lib Subject: cvs commit: src/lib/libc/locale setlocale.c Sender: owner-cvs-lib@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk davidg 97/02/05 01:53:29 Modified: lib/libc/locale setlocale.c Log: Killed getenv of PATH_LOCALE per Andrey's suggestion. It was intended for debugging locale stuff, but was rarely if ever used...and of course just bit a big chunk out of our collective hind-ends. 
Revision Changes Path 1.14 +2 -11 src/lib/libc/locale/setlocale.c Similar patches have been applied to the 2.2 and stable branches. >-- >Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity >http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 99 Analog numbers, 77 ISDN, Web servers $75/mo >Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net >/ >Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Interna >l > -- Justin T. Gibbs =========================================== FreeBSD: Turning PCs into workstations =========================================== From owner-freebsd-security Wed Feb 5 14:14:33 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16335 for security-outgoing; Wed, 5 Feb 1997 14:14:33 -0800 (PST) Received: from dedicavia.inetcan.net (dreamer@dedicavia.inetcan.net [206.186.215.200]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA16310 for ; Wed, 5 Feb 1997 14:14:26 -0800 (PST) Received: (from dreamer@localhost) by dedicavia.inetcan.net (8.8.5/8.7.3) id PAA00442; Wed, 5 Feb 1997 15:16:13 -0700 Date: Wed, 5 Feb 1997 15:16:10 -0700 (MST) From: Digital Dreamer Reply-To: dreamer@flatline.gateway.com To: Karl Denninger cc: Richard Wackerbarth , karl@mcs.net, freebsd-security@freebsd.org Subject: Re: REPLACE LAST MESSAGE REGARDING PATCHES - I posted the wrong In-Reply-To: <199702052055.OAA13523@Jupiter.Mcs.Net> Message-ID: X-chromosones: One. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 5 Feb 1997, Karl Denninger wrote: > I'm not backing off on anything. > > -- > Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity Karl, I think you might just want to take a second and cool down here.. 
the Core team has a lot on their minds just right now in light of this rather serious hole, and I strongly doubt your upper case replies spur them on at all. If I was them, your behaviour would give me quite a sense of apathy about the whole thing ; you're just being unreasonable. dreamer From owner-freebsd-security Wed Feb 5 14:16:10 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16550 for security-outgoing; Wed, 5 Feb 1997 14:16:10 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA16523; Wed, 5 Feb 1997 14:16:00 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11524; Wed, 5 Feb 1997 14:15:25 -0800 (PST) Message-Id: <199702052215.OAA11524@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: Karl Denninger cc: guido@gvr.win.tue.nl (Guido van Rooij), tqbf@enteract.com, freebsd-security@freebsd.org, current@freebsd.org Subject: Re: PATCH VERIFIED AGAINST CRONTAB AND AT FOR -CURRENT BRANCH In-reply-to: Your message of "Wed, 05 Feb 1997 14:45:57 CST." <199702052045.OAA13118@Jupiter.Mcs.Net> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 14:15:25 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >Critique away. If there isn't a DAMN GOOD reason not to commit that >fix, I believe it should go in. ...because the problem is already fixed by me last night? 
-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Feb 5 14:23:26 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA17123 for security-outgoing; Wed, 5 Feb 1997 14:23:26 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA17113 for ; Wed, 5 Feb 1997 14:23:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11687; Wed, 5 Feb 1997 14:23:09 -0800 (PST)
Message-Id: <199702052223.OAA11687@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Karl Denninger
cc: tqbf@enteract.com, freebsd-security@freebsd.org
Subject: Re: While we're on the subject...
In-reply-to: Your message of "Wed, 05 Feb 1997 15:42:56 CST." <199702052142.PAA15082@Jupiter.Mcs.Net>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 05 Feb 1997 14:23:09 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>> What's holding FreeBSD up on supporting issetugid()?
>>
>> ----------------
>> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
>> ----------------
>> "I'm standing alone, I'm watching you all, I'm seeing you sinking."
>
>If euid != uid, then you're running SUID *NOW*.
>If euid = 0, then you're running as root *NOW*.
>
>Why does it matter what you might have been sometime before? The issue is
>what you are running as at the time the call is made, no?

   Programs that were once privileged might have read sensitive information
into memory which could possibly be read out if some hole were exploited.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Feb 5 14:24:35 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA17218 for security-outgoing; Wed, 5 Feb 1997 14:24:35 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA17212 for ; Wed, 5 Feb 1997 14:24:32 -0800 (PST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id QAA22789; Wed, 5 Feb 1997 16:24:30 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id QAA16588; Wed, 5 Feb 1997 16:24:30 -0600 (CST)
From: Karl Denninger
Message-Id: <199702052224.QAA16588@Jupiter.Mcs.Net>
Subject: Re: While we're on the subject...
To: dg@root.com
Date: Wed, 5 Feb 1997 16:24:30 -0600 (CST)
Cc: karl@Mcs.Net, tqbf@enteract.com, freebsd-security@freebsd.org
In-Reply-To: <199702052223.OAA11687@root.com> from "David Greenman" at Feb 5, 97 02:23:09 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> >> What's holding FreeBSD up on supporting issetugid()?
> >>
> >> ----------------
> >> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> >> ----------------
> >> "I'm standing alone, I'm watching you all, I'm seeing you sinking."
> >
> >If euid != uid, then you're running SUID *NOW*.
> >If euid = 0, then you're running as root *NOW*.
> >
> >Why does it matter what you might have been sometime before? The issue is
> >what you are running as at the time the call is made, no?
>
> Programs that were once privileged might have read sensitive information
> into memory which could possibly be read out if some hole were exploited.
>
> -DG
>
> David Greenman
> Core-team/Principal Architect, The FreeBSD Project

Sure, but you can't fix that without a flag in the process structure.
-- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal From owner-freebsd-security Wed Feb 5 14:30:38 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA17559 for security-outgoing; Wed, 5 Feb 1997 14:30:38 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA17553 for ; Wed, 5 Feb 1997 14:30:36 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11775; Wed, 5 Feb 1997 14:30:31 -0800 (PST) Message-Id: <199702052230.OAA11775@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: Karl Denninger cc: tqbf@enteract.com, freebsd-security@freebsd.org Subject: Re: While we're on the subject... In-reply-to: Your message of "Wed, 05 Feb 1997 16:24:30 CST." <199702052224.QAA16588@Jupiter.Mcs.Net> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 14:30:31 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> >If euid != uid, then you're running SUID *NOW*. >> >If euid = 0, then you're running as root *NOW*. >> > >> >Why does it matter what you might have been sometime before? The issue is >> >what you are running as at the time the call is made, no? >> >> Programs that were once privileged might have read sensitive information >> into memory which could possibly be read out if some hole were exploited. >> >> -DG >> >> David Greenman >> Core-team/Principal Architect, The FreeBSD Project > >Sure, but you can't fix that without a flag in the process structure. 
   Right, we have P_SUGID that indicates whenever a process might have been
messing with uid/gid's. It's currently set more often than it needs to be,
but this can/will be fixed. At the moment it's used for several things;
preventing core dumps of processes with the flag set is one of them.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Wed Feb 5 14:32:19 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA17763 for security-outgoing; Wed, 5 Feb 1997 14:32:19 -0800 (PST)
Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA17753 for ; Wed, 5 Feb 1997 14:32:13 -0800 (PST)
Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id QAA12057; Wed, 5 Feb 1997 16:32:05 -0600 (CST)
From: "Thomas H. Ptacek"
Message-Id: <199702052232.QAA12057@enteract.com>
Subject: Re: While we're on the subject...
To: dg@root.com
Date: Wed, 5 Feb 1997 16:31:19 -0600 (CST)
Cc: freebsd-security@freebsd.org, karl@mcs.net
Reply-To: tqbf@enteract.com
In-Reply-To: <199702052223.OAA11687@root.com> from "David Greenman" at Feb 5, 97 02:23:09 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Programs that were once privileged might have read sensitive information
> into memory which could possibly be read out if some hole were exploited.

Programs that were once privileged could become privileged again with one
system call.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"I'm standing alone, I'm watching you all, I'm seeing you sinking."
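Ptacek's point about saved credentials, and the reason a "uid != euid" check like item 2 of Greenman's list is weaker than an exec-time flag such as P_SUGID or issetugid(), as an added C model that is not code from this thread, FreeBSD or OpenBSD: a user-space simulation of the real/effective/saved uid triple with a simplified, hypothetical seteuid() rule. The struct, field and function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for uid_t so the model compiles anywhere (constructed). */
typedef unsigned int model_uid;

/* The three uids a 4.4BSD process carries, plus the exec-time flag that
 * P_SUGID / issetugid() expose to libc. Field names are this model's own. */
struct cred {
    model_uid ruid;   /* real uid: the user who ran the program */
    model_uid euid;   /* effective uid: what permission checks use right now */
    model_uid svuid;  /* saved set-user-ID: what seteuid() may switch back to */
    bool sugid;       /* set when the kernel exec'd a set-id image */
};

/* Model of execve(): a set-uid image makes euid and svuid the file owner and
 * records that fact in the flag; a plain image simply inherits the caller. */
struct cred model_exec(model_uid caller, bool setuid_bit, model_uid owner)
{
    struct cred c;
    c.ruid = caller;
    c.euid = setuid_bit ? owner : caller;
    c.svuid = c.euid;
    c.sugid = setuid_bit && owner != caller;
    return c;
}

/* Simplified seteuid() rule (assumption): root may pick anything; anyone else
 * may only choose among the real, effective and saved uids. False means EPERM. */
bool model_seteuid(struct cred *c, model_uid target)
{
    if (c->euid != 0 && target != c->ruid && target != c->euid && target != c->svuid)
        return false;
    c->euid = target;
    return true;
}

/* The test proposed in the thread: "if euid != uid you're SUID now; if
 * euid == 0 you're root now". It looks only at the current identity. */
bool naive_privilege_check(const struct cred *c)
{
    return c->euid != c->ruid || c->euid == 0;
}

/* What a library actually needs to know: can this process become someone
 * else with a single seteuid() call? That is decided by the saved uid. */
bool can_regain_privilege(const struct cred *c)
{
    return c->euid == 0 || c->svuid == 0 || c->svuid != c->ruid;
}

/* The issetugid()-style answer: the kernel's exec-time flag. */
bool flag_privilege_check(const struct cred *c)
{
    return c->sugid;
}

/* Scenario 1: uid 1000 runs a root-owned set-uid program that has dropped
 * privilege for the moment. Returns true when the naive check reports
 * "unprivileged" although root is one call away and the flag still says so. */
bool naive_check_misses_dropped_privilege(void)
{
    struct cred c = model_exec(1000, true, 0);
    if (!naive_privilege_check(&c))          /* right after exec: plainly SUID */
        return false;
    model_seteuid(&c, 1000);                 /* temporary drop: euid == ruid */
    bool naive_says_clean = !naive_privilege_check(&c);
    bool still_dangerous = can_regain_privilege(&c) && flag_privilege_check(&c);
    model_seteuid(&c, 0);                    /* ...and back to root in one call */
    return naive_says_clean && still_dangerous && c.euid == 0;
}

/* Scenario 2: the same user runs an ordinary binary. Every check agrees that
 * nothing is privileged and root cannot be obtained. */
bool plain_binary_is_unprivileged(void)
{
    struct cred c = model_exec(1000, false, 0);
    return !naive_privilege_check(&c) && !can_regain_privilege(&c)
        && !flag_privilege_check(&c) && !model_seteuid(&c, 0);
}

int main(void)
{
    printf("naive check misses dropped privilege: %s\n",
           naive_check_misses_dropped_privilege() ? "yes" : "no");
    printf("plain binary unprivileged everywhere: %s\n",
           plain_binary_is_unprivileged() ? "yes" : "no");
    return 0;
}
```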
From owner-freebsd-security Wed Feb 5 14:39:05 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA18263 for security-outgoing; Wed, 5 Feb 1997 14:39:05 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA18254 for ; Wed, 5 Feb 1997 14:39:03 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id OAA11880; Wed, 5 Feb 1997 14:38:55 -0800 (PST) Message-Id: <199702052238.OAA11880@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: tqbf@enteract.com cc: freebsd-security@freebsd.org, karl@mcs.net Subject: Re: While we're on the subject... In-reply-to: Your message of "Wed, 05 Feb 1997 16:31:19 CST." <199702052232.QAA12057@enteract.com> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 14:38:55 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> Programs that were once privileged might have read sensitive information >> into memory which could possibly be read out if some hole were exploited. > >Programs that were once privileged could become privileged again with one >system call. Right, that too. :-) -DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Wed Feb 5 14:48:44 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA18956 for security-outgoing; Wed, 5 Feb 1997 14:48:44 -0800 (PST) Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA18949 for ; Wed, 5 Feb 1997 14:48:39 -0800 (PST) Message-Id: <199702052248.OAA18949@freefall.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA203372883; Thu, 6 Feb 1997 09:48:03 +1100 From: Darren Reed Subject: Re: While we're on the subject... 
To: tqbf@enteract.com Date: Thu, 6 Feb 1997 09:48:03 +1100 (EDT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <199702052042.OAA27560@enteract.com> from "Thomas H. Ptacek" at Feb 5, 97 02:42:07 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk In some mail from Thomas H. Ptacek, sie said: > > OpenBSD has the locale issue resolved reliably already. > > OpenBSD supports issetugid(). > > Thus, I can tell, even when I'm deep in libc, if I was called from an SUID > program. I can do that because execve() flipped a bit in my proc structure > when it noticed that I was SUID. > > This is a good thing. > > Meaningless UID checks probably aren't. Anything could have happened to my > creds, depending on the programmer calling the library, and I have no way > of determining what happened. > > What's holding FreeBSD up on supporting issetugid()? Has anyone done a send-pr to send it to freebsd ? From owner-freebsd-security Wed Feb 5 15:23:45 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA21820 for security-outgoing; Wed, 5 Feb 1997 15:23:45 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA21774; Wed, 5 Feb 1997 15:23:27 -0800 (PST) Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id RAA06414; Wed, 5 Feb 1997 17:23:19 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id RAA18464; Wed, 5 Feb 1997 17:23:04 -0600 (CST) From: Karl Denninger Message-Id: <199702052323.RAA18464@Jupiter.Mcs.Net> Subject: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! 
To: spork@super-g.com (spork) Date: Wed, 5 Feb 1997 17:23:04 -0600 (CST) Cc: dg@root.com, tqbf@enteract.com, karl@mcs.net, freebsd-chat@FreeBSD.ORG, current@FreeBSD.ORG, security@FreeBSD.ORG In-Reply-To: from "spork" at Feb 5, 97 06:27:01 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > On Wed, 5 Feb 1997, David Greenman wrote: > > > I don't like how this whole mess has come down. There is an awful lot of > > ill-will being passed out that will have long term ramifications. It didn't > > need to happen this way. > > > > -DG > > I think most of the ill-will comes from the following sources: .... Well, the core team just added to that ill will. Deliberately. I have just received a voice phone call from one of the core members asking me to leave FreeBSD, transition our machines off the operating system, and walk away. Obviously, I will do none of the above. But I thought you should know that the response of the core team is to these kinds of issues. A parallel code track will be online within a few days for those who believe that THIS kind of response is unwarranted under ANY circumstances. 
-- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal From owner-freebsd-security Wed Feb 5 15:37:15 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA23249 for security-outgoing; Wed, 5 Feb 1997 15:37:15 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA23238; Wed, 5 Feb 1997 15:37:12 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id PAA12468; Wed, 5 Feb 1997 15:36:34 -0800 (PST) Message-Id: <199702052336.PAA12468@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: Karl Denninger cc: spork@super-g.com (spork), tqbf@enteract.com, freebsd-chat@FreeBSD.ORG, current@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! In-reply-to: Your message of "Wed, 05 Feb 1997 17:23:04 CST." <199702052323.RAA18464@Jupiter.Mcs.Net> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Feb 1997 15:36:34 -0800 Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >> On Wed, 5 Feb 1997, David Greenman wrote: >> >> > I don't like how this whole mess has come down. There is an awful lot of >> > ill-will being passed out that will have long term ramifications. It didn't >> > need to happen this way. >> > >> > -DG >> >> I think most of the ill-will comes from the following sources: > >.... > >Well, the core team just added to that ill will. Deliberately. The "core team" did no such thing. You are not being blacklisted and the core team did not ask you to de-install FreeBSD. 
>I have just received a voice phone call from one of the core members asking >me to leave FreeBSD, transition our machines off the operating system, >and walk away. > >Obviously, I will do none of the above. > >But I thought you should know that the response of the core team is to these >kinds of issues. This is not the response of the core team and I had no knowledge that anyone representing us called you until just a couple of minutes ago. Jordan is not representing the core team if he has told you to do the above, and he does not have the support of any of us in this issue. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Wed Feb 5 16:34:08 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA28618 for security-outgoing; Wed, 5 Feb 1997 16:34:08 -0800 (PST) Received: from mole.mole.org (marmot.mole.org [204.216.57.191]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id QAA28554; Wed, 5 Feb 1997 16:33:26 -0800 (PST) Received: (from mail@localhost) by mole.mole.org (8.6.12/8.6.12) id AAA17293; Thu, 6 Feb 1997 00:33:49 GMT Received: from meerkat.mole.org(206.197.192.110) by mole.mole.org via smap (V1.3) id sma017291; Thu Feb 6 00:33:45 1997 Received: (from mrm@localhost) by meerkat.mole.org (8.6.11/8.6.9) id QAA01767; Wed, 5 Feb 1997 16:32:39 -0800 Date: Wed, 5 Feb 1997 16:32:39 -0800 From: "M.R.Murphy" Message-Id: <199702060032.QAA01767@meerkat.mole.org> To: karl@mcs.net, spork@super-g.com Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! Cc: current@freebsd.org, dg@root.com, freebsd-chat@freebsd.org, security@freebsd.org, tqbf@enteract.com Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > A parallel code track will be online within a few days for those who believe > that THIS kind of response is unwarranted under ANY circumstances. > It's not often that I ask publicly for a reconsideration of position.
I'd like to do so in this case. I think creation of a parallel code track would be detrimental to FreeBSD development effort at this time. There are many out here who have considered such action from time to time... counting to ten helps. A loosely-coupled collaborative effort such as FreeBSD is an amazing thing. I'd be really disappointed to see it fragment over hot words. -- Mike Murphy mrm@Mole.ORG +1 619 598 5874 Better is the enemy of Good From owner-freebsd-security Wed Feb 5 16:36:54 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA28781 for security-outgoing; Wed, 5 Feb 1997 16:36:54 -0800 (PST) Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA28772; Wed, 5 Feb 1997 16:36:43 -0800 (PST) Received: from current1.whistle.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.8.5/8.8.4) with SMTP id QAA10125; Wed, 5 Feb 1997 16:32:09 -0800 (PST) Message-ID: <32F9261C.2781E494@whistle.com> Date: Wed, 05 Feb 1997 16:30:20 -0800 From: Julian Elischer Organization: Whistle Communications X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386) MIME-Version: 1.0 To: Karl Denninger CC: spork , dg@root.com, tqbf@enteract.com, freebsd-chat@FreeBSD.ORG, current@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! References: <199702052323.RAA18464@Jupiter.Mcs.Net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Karl Denninger wrote: > > > .... > > Well, the core team just added to that ill will. Deliberately. > > I have just received a voice phone call from one of the core members asking > me to leave FreeBSD, transition our machines off the operating system, > and walk away. Oh damn.. which loonie? 
if their threshold for pain is crossed by one irate and worried user then they must have a lot of other pent up frustrations making them that sensitive. I've basically bet my future on FreeBSD, and I'm doing all I can to keep it running and successful. I wish people wouldn't do things like this.. (of course it's always your OPTION to decide to use some other OS, but no one can TELL you to do so, and I hope that all this settles down eventually as a bad memory) > > Obviously, I will do none of the above. good > > But I thought you should know that the response of the core team is to these > kinds of issues. > > A parallel code track will be online within a few days for those who believe > that THIS kind of response is unwarranted under ANY circumstances. I hope you don't call it XXXBSD but rather FreeBSD "security track" or something... 3 is enough already. CVSUP would be good for this.. hopefully > > -- > -- > Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity > http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 99 Analog numbers, 77 ISDN, Web servers $75/mo > Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ > Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal From owner-freebsd-security Wed Feb 5 17:12:28 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA01218 for security-outgoing; Wed, 5 Feb 1997 17:12:28 -0800 (PST) Received: from dns.pinpt.com (dns.pinpt.com [205.179.195.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id RAA01213 for ; Wed, 5 Feb 1997 17:12:24 -0800 (PST) Received: from journeyman (gatemaster.pinpt.com [205.179.195.65]) by dns.pinpt.com (8.6.12/8.6.12) with SMTP id RAA07419; Wed, 5 Feb 1997 17:11:15 -0800 Date: Wed, 5 Feb 97 17:06:45 Pacific Standard Time From: "Sean J.
Schluntz" Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: freebsd-security@freebsd.org, Karl Denninger X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <199702051846.MAA08211@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > I AM PART OF THE SOLUTION. > And yes, I WILL submit a pr on this as soon as I can find a few hours to > do the fix, verify it, and make world to test. At the same time I post > it to the committers I'll post it publically, and 24 hours later I post > the exploit which takes advantage of the problem. This is being part of the solution? Telling the world how to hack the systems of people who don't watch the lists or don't have enough time to patch a network of systems? 24 hours is not enough time for people to get the patch implemented. You would be personally sentencing people and their business to death by doing this. Would you like it if you were sick for two days and came back to find your network toast because someone pulled a stunt like that? -Sean ---------------------------------------------------------------------- Sean J. Schluntz Manager, Support Services ph. 408.997.6900 x222 PinPoint Software Corporation fx. 408.323.2300 6155 Almaden Expressway, Suite 100 San Jose, CA. 
95120 http://www.pinpt.com/ Local Time Sent: 02/05/97 17:06:45 ---------------------------------------------------------------------- From owner-freebsd-security Wed Feb 5 17:16:57 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA01983 for security-outgoing; Wed, 5 Feb 1997 17:16:57 -0800 (PST) Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA01970 for ; Wed, 5 Feb 1997 17:16:48 -0800 (PST) Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id TAA29642; Wed, 5 Feb 1997 19:16:46 -0600 (CST) Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id TAA21953; Wed, 5 Feb 1997 19:16:46 -0600 (CST) From: Karl Denninger Message-Id: <199702060116.TAA21953@Jupiter.Mcs.Net> Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: schluntz@pinpt.com (Sean J. Schluntz) Date: Wed, 5 Feb 1997 19:16:45 -0600 (CST) Cc: freebsd-security@freebsd.org, karl@Mcs.Net In-Reply-To: from "Sean J. Schluntz" at Feb 5, 97 05:06:45 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > I AM PART OF THE SOLUTION. > > > And yes, I WILL submit a pr on this as soon as I can find a few hours to > > do the fix, verify it, and make world to test. At the same time I post > > it to the committers I'll post it publically, and 24 hours later I post > > the exploit which takes advantage of the problem. > > This is being part of the solution? Telling the world how to hack the systems > of people who don't watch the lists or don't have enough time to patch a > network of systems? > > 24 hours is not enough time for people to get the patch implemented. You > would be personally sentencing people and their business to death by doing > this. 
> > Would you like it if you were sick for two days and came back to find your > network toast because someone pulled a stunt like that? > > -Sean > ---------------------------------------------------------------------- > Sean J. Schluntz Uh, excuse me, but the EXPLOIT has been in ACTIVE use for *TWO MONTHS* now. It's *NOT* new. It is being *ACTIVELY* used by the hacker contingent. Therefore, hiding *ANYTHING* at this point serves no purpose. How can I possibly "hurt" things at this point... -- -- Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service | 99 Analog numbers, 77 ISDN, Web servers $75/mo Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal From owner-freebsd-security Wed Feb 5 17:29:29 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA02912 for security-outgoing; Wed, 5 Feb 1997 17:29:29 -0800 (PST) Received: from dns.pinpt.com (dns.pinpt.com [205.179.195.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id RAA02902 for ; Wed, 5 Feb 1997 17:29:23 -0800 (PST) Received: from journeyman (gatemaster.pinpt.com [205.179.195.65]) by dns.pinpt.com (8.6.12/8.6.12) with SMTP id RAA07495; Wed, 5 Feb 1997 17:28:14 -0800 Date: Wed, 5 Feb 97 17:24:40 Pacific Standard Time From: "Sean J. Schluntz" Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE To: Karl Denninger Cc: freebsd-security@freebsd.org, karl@Mcs.Net X-Mailer: Chameleon ATX 6.0, Standards Based IntraNet Solutions, NetManage Inc. X-Priority: 3 (Normal) References: <199702060116.TAA21953@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > I AM PART OF THE SOLUTION.
> > > > > And yes, I WILL submit a pr on this as soon as I can find a few hours to > > > do the fix, verify it, and make world to test. At the same time I post > > > it to the committers I'll post it publically, and 24 hours later I post > > > the exploit which takes advantage of the problem. > > > > This is being part of the solution? Telling the world how to hack the systems > > of people who don't watch the lists or don't have enough time to patch a > > network of systems? > > > > 24 hours is not enough time for people to get the patch implemented. You > > would be personally sentencing people and their business to death by doing > > this. > > > > Would you like it if you were sick for two days and came back to find your > > network toast because someone pulled a stunt like that? > > > Uh, excuse me, but the EXPLOIT has been in ACTIVE use for *TWO MONTHS* now. > > Its *NOT* new. It is being *ACTIVELY* used by the hacker contingent. > Therefore, hiding *ANYTHING* at this point serves no purpose. > > How can I possibly "hurt" things at this point... If the exploit is already public then what difference does it make to the FBSD community for you to post it? By giving a large pointer saying, look here, come after us!! Again, this will be of no help to those who do not monitor the lists and just rely on the CD that is shipped automatically (as mine is) when it is ready. Being part of the problem is not being part of the solution. If you want to follow up, do so in private; that way we don't waste other people's time. -Sean ---------------------------------------------------------------------- Sean J. Schluntz Manager, Support Services ph. 408.997.6900 x222 PinPoint Software Corporation fx. 408.323.2300 6155 Almaden Expressway, Suite 100 San Jose, CA.
95120 http://www.pinpt.com/ Local Time Sent: 02/05/97 17:24:40 ---------------------------------------------------------------------- From owner-freebsd-security Wed Feb 5 17:47:19 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA03771 for security-outgoing; Wed, 5 Feb 1997 17:47:19 -0800 (PST) Received: from nightmare.dreamchaser.org (nightmare.dreamchaser.org [206.230.42.65]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id RAA03766 for ; Wed, 5 Feb 1997 17:47:12 -0800 (PST) Received: from imagination (imagination.dreamchaser.org [206.230.42.83]) by nightmare.dreamchaser.org (8.6.12/8.6.12) with SMTP id SAA26680; Wed, 5 Feb 1997 18:45:47 -0700 Message-ID: <32F939C2.172F@dreamchaser.org> Date: Wed, 05 Feb 1997 18:54:10 -0700 From: Gary Aitken Reply-To: garya@dreamchaser.org X-Mailer: Mozilla 3.01 (WinNT; I) MIME-Version: 1.0 To: Karl Denninger CC: "Sean J. Schluntz" , freebsd-security@freebsd.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE References: <199702060116.TAA21953@Jupiter.Mcs.Net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Karl Denninger wrote: > Uh, excuse me, but the EXPLOIT has been in ACTIVE use for *TWO MONTHS* now. > > Its *NOT* new. It is being *ACTIVELY* used by the hacker contingent. > Therefore, hiding *ANYTHING* at this point serves no purpose. > > How can I possibly "hurt" things at this point... It seems to me that while obviously some hackers are using the exploit, there is a very real possibility that some are not yet aware of it. It would seem wise to delay publicly posting it for a longer period of time. 
-- Gary Aitken garya@dreamchaser.org (personal) From owner-freebsd-security Wed Feb 5 17:51:46 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA03966 for security-outgoing; Wed, 5 Feb 1997 17:51:46 -0800 (PST) Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id RAA03959; Wed, 5 Feb 1997 17:51:42 -0800 (PST) Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id SAA16257; Wed, 5 Feb 1997 18:46:37 -0700 From: Terry Lambert Message-Id: <199702060146.SAA16257@phaeton.artisoft.com> Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! To: karl@mcs.net (Karl Denninger) Date: Wed, 5 Feb 1997 18:46:37 -0700 (MST) Cc: spork@super-g.com, dg@root.com, tqbf@enteract.com, karl@mcs.net, freebsd-chat@FreeBSD.ORG, current@FreeBSD.ORG, security@FreeBSD.ORG In-Reply-To: <199702052323.RAA18464@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 5, 97 05:23:04 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > But I thought you should know that the response of the core team is to these > kinds of issues. > > A parallel code track will be online within a few days for those who believe > that THIS kind of response is unwarranted under ANY circumstances. Ugh. I hate this. I have to ask the question: How will you organize, such that you don't eventually end up in the exact same boat, with just the names on the crew's quarters changed? I believe this is an organizational problem, and I have yet to see anyone *do* anything about it, other than threaten to reiterate it by starting a parallel code track. Sometimes they follow through on their threats. 
Mostly, they don't think of starting something non-parallel because their thinking is already constrained by the organization they are splintering from. Sort of a "parting gift". Now I have to ask: Why start your own parallel code track? What is wrong with the parallel code track OpenBSD is running? Now I have to play scientist:
i Run an experiment (386BSD). Note that it results in splinter organizations because the structure of the organization can't equitably reconcile dissent.
ii Run it again (NetBSD). Note that it results in splinter organizations because the structure of the organization can't equitably reconcile dissent.
iii Run it again (FreeBSD). ...
iv Run it again (OpenBSD). ...
v Now run it again, only run it several times in parallel, with the inter-group synchronization happening at a (miraculously) agreed upon mutex. Call this mutex "Linus_Torvalds" because it's easy to spell. Note that running it in parallel delays, but does not prevent, the inevitable results. Call the splinter organizations "Red Hat" and other colorful names. Like "Lignux".
And then ask from the perspective this provides: What value is in running the experiment a sixth time? Is it reasonable to expect the results to be any different from the other five times it was run? Is the only value in the commemorative life preserver you get, the one with the new boat's name proudly stenciled around its rim? If every time you start a game of Conway's "life", you start from an arrangement that gives you a "traffic light", then restarting the game from the same initial conditions with the same rules is bound to result in another "traffic light". You don't have to be Conway himself to figure this out, any more than you have to be Newton to predict that when you drop a rock, it won't hang there in the air "in very much the same way a brick doesn't".
Since you can't change the initial conditions (free software groups aggregate for the same reasons free software groups have always aggregated), then the only thing you have to work with is the rules. Before you go off on a half-cocked "New Reformed Church Of XXX" crusade, think twice about this. Then if you are still intent on doing it, think a third time about HOW you are going to do it, and HOW you are going to prevent the same inequities, so someone doesn't start the same crusade against you some day because your similarly structured organization of similarly minded people ends up running the social automaton to the same steady state. Then delay implementation until you've addressed all of the issues your thinking has raised, or you will find yourself in the Captain's cabin with a bottle of rum wondering "how did things turn out this way?". Regards, Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. From owner-freebsd-security Wed Feb 5 18:45:45 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA06692 for security-outgoing; Wed, 5 Feb 1997 18:45:45 -0800 (PST) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA06685; Wed, 5 Feb 1997 18:45:39 -0800 (PST) Received: (from jkh@localhost) by time.cdrom.com (8.8.5/8.6.9) id SAA26311; Wed, 5 Feb 1997 18:45:36 -0800 (PST) Date: Wed, 5 Feb 1997 18:45:36 -0800 (PST) From: "Jordan K.
Hubbard" Message-Id: <199702060245.SAA26311@time.cdrom.com> To: announce@freebsd.org Subject: setlocale() bug in all released versions of FreeBSD (SA-97:01) Cc: first-teams@first.org, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk ============================================================================= FreeBSD-SA-97:01 Security Advisory Revised: Wed Feb 05 09:58:56 PDT 1997 FreeBSD, Inc. Topic: setlocale() bug in all released versions of FreeBSD Category: core Module: libc Announced: 1997-02-05 Affects: FreeBSD 2.1.6 and earlier systems suffer from this vulnerability for all binaries due to setlocale() being called from crt0.o. Corrected: 1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources Source: FreeBSD specific bug FreeBSD only: unknown Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:01/ ============================================================================= I. Background The setlocale() call contains a number of potential exploits through string overflows during environment variable expansion. Because the 2.1.6 and earlier versions of FreeBSD called setlocale() in the C runtime code, the problem is especially acute there in that it essentially affects all binaries on the system. In FreeBSD 2.2 BETA and later releases, the setlocale() call was removed from crt0.c and the exploit closed through additional checks. There has also been some confusion over the implications of loading locale data by privileged programs. The facility for a user to supply their own (possibly corrupt or abused) locale data to non-privileged processes was removed in all releases on 1997-02-04. This was originally a debugging facility that got little use and the user can now only direct system binaries to load system administrator sanctioned locale files. This problem is present in all source code and binary distributions of FreeBSD released on or before 1996-11-27. II.
Problem Description The setlocale() library function looks for the environment variable "PATH_LOCALE" in the current process's environment, and if it exists, later copies the contents of this variable to a stack buffer without doing proper bounds checking. If the environment variable was specially initialized with the proper amount and type of data prior to running a setuid program, it is possible to cause the program to overflow its stack and execute arbitrary code which could allow the user to become root. III. Impact Any binary linked on a system with setlocale() built into crt0.c (see list of affected releases in section I above) or which calls setlocale() directly has the buffer overrun vulnerability. If this binary has the setuid or setgid bits set, or is called by another setuid/setgid binary (even if that other setuid/setgid binary does not have this vulnerability), unauthorized access may be allowed. IV. Solution(s) Recompiling libc with the following patches and then recompiling all statically linked binaries (all in /sbin and /bin as well as chflags, gunzip, gzcat, gzip, ld, tar and zcat in /usr/bin) eliminates this vulnerability in FreeBSD 2.1.6 and earlier releases: However, a full solution may require a re-link of all setuid/setgid local binaries or all local binaries likely to be called from another setuid/setgid program that were originally linked statically under one of the affected OSs. Dynamically linked executables will benefit directly from this patch once libc is rebuilt and reinstalled and do not need to be relinked. Because of the severity of this security hole, a full update release for FreeBSD 2.1.6 will also be released very shortly, that release being provisionally assigned the version number of 2.1.7.
Index: lib/libc/locale/collate.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/collate.c,v retrieving revision 1.4.4.2 diff -c -r1.4.4.2 collate.c *** collate.c 1996/06/05 02:47:55 1.4.4.2 --- collate.c 1997/02/05 10:21:59 *************** *** 64,70 **** __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); --- 64,70 ---- __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); Index: lib/libc/locale/rune.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/rune.c,v retrieving revision 1.2.6.3 diff -c -r1.2.6.3 rune.c *** rune.c 1996/06/05 02:47:59 1.2.6.3 --- rune.c 1997/02/05 10:22:00 *************** *** 71,77 **** return(0); } ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); --- 71,77 ---- return(0); } ! if (!PathLocale) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); Index: lib/libc/locale/setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v retrieving revision 1.3.4.2.2.1 diff -c -r1.3.4.2.2.1 setlocale.c *** setlocale.c 1996/06/05 02:48:03 1.3.4.2.2.1 --- setlocale.c 1997/02/05 10:22:00 *************** *** 58,64 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 58,64 ---- int found, i, len; char *env, *r; ! 
if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) Index: lib/libc/locale/startup_setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/Attic/startup_setlocale.c,v retrieving revision 1.2.4.2 diff -c -r1.2.4.2 startup_setlocale.c *** startup_setlocale.c 1995/08/28 05:06:50 1.2.4.2 --- startup_setlocale.c 1997/02/05 10:22:00 *************** *** 23,29 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 23,29 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
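Review bot: in the collate.c hunk the environment-controlled source is removed but the copy itself stays unbounded: `strcpy(buf, path_locale); strcat(buf, "/");` and, beyond the visible context, the encoding name is appended to the same buffer. With path_locale pinned to _PATH_LOCALE the directory part can no longer be lengthened from outside, but the encoding still comes from the locale name setlocale() derives from the environment, so the hunk is only complete if that part is length-checked in the surrounding code; a single bounded `snprintf(buf, sizeof buf, "%s/%s", _PATH_LOCALE, encoding)` with a check on the return value would remove the question entirely rather than relying on the deletion alone. The rune.c hunk has the same shape (`strcpy(name, PathLocale)`) and deserves the same check.

Review bot: the setlocale.c hunk removes the PATH_LOCALE override for every process, not only set-id ones, which is the behaviour change section I of the advisory announces; the diff carries no setlocale(3) manual update to match, and with the getenv gone the `PathLocale` static is only ever _PATH_LOCALE, so it could be replaced by the constant outright. If the override is worth keeping for unprivileged users, the alternative is to gate the getenv() on an exec-time set-id flag such as OpenBSD's issetugid(), raised earlier in this thread; a getuid()/geteuid() comparison at this point would not be a reliable gate because the caller may already have changed its credentials.

Review bot: startup_setlocale.c is under Attic/ in the repository path, so on the branch where crt0 no longer calls it the file is already gone and this hunk matters only for 2.1.x, where the function is pulled into every program from crt0.o. The hunk is fine as a change, but because the fix lives in libc, every statically linked binary carries its own copy of the old code and stays vulnerable until relinked against the rebuilt libc.a, exactly as section IV says; that dependency is worth restating next to the patch so nobody applies it, rebuilds libc, and stops there.

As an added example, not code from the advisory or from FreeBSD's libc: the locale path construction that sections I and II describe, first in its vulnerable shape and then hardened the way a reviewer of the patch above would want it, bounding the copy, rejecting locale names that leave the locale directory, and honouring PATH_LOCALE only when the process was not started set-id. The function names, the default directory and the 1024-byte buffer (the figure quoted earlier in this thread) are assumptions; the set-id check uses issetugid(2) where the platform provides it and falls back to a uid/gid comparison elsewhere.

```c
/*
 * Added example, not from SA-97:01 or FreeBSD's libc. Names, the default
 * directory and the 1024-byte buffer (the size quoted in this thread) are
 * assumptions.
 */
#define _DEFAULT_SOURCE 1 /* glibc: keep the POSIX uid calls visible in strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_BUF 1024                         /* stack buffer size in the original */
#define DEFAULT_PATH_LOCALE "/usr/share/locale" /* stand-in for libc's _PATH_LOCALE */

/*
 * Vulnerable shape: an environment-supplied directory goes into a fixed
 * buffer via strcpy/strcat with no length check, so whoever controls
 * PATH_LOCALE controls how many bytes land on the stack. Kept only for
 * comparison; never feed it untrusted input.
 */
int locale_path_unchecked(char *out /* LOCALE_BUF bytes */, const char *path_locale,
                          const char *encoding)
{
    if (path_locale == NULL)
        path_locale = DEFAULT_PATH_LOCALE;
    strcpy(out, path_locale);
    strcat(out, "/");
    strcat(out, encoding);
    return 0;
}

/* Bytes the unchecked version would write (dir, '/', name, NUL), so an
 * overflow can be reasoned about without triggering it. */
size_t locale_path_unchecked_len(const char *path_locale, const char *encoding)
{
    if (path_locale == NULL)
        path_locale = DEFAULT_PATH_LOCALE;
    return strlen(path_locale) + 1 + strlen(encoding) + 1;
}

/*
 * "Was I started set-id?" Where issetugid(2) exists ask the kernel: it
 * records the exec-time state, which survives later credential changes.
 * The uid/gid comparison is a weaker fallback for other platforms; as this
 * thread notes, it cannot tell what the program already did to its
 * credentials before calling into libc.
 */
int process_is_setugid(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/*
 * Hardened: honour PATH_LOCALE only in non-set-id processes, bound the copy,
 * and accept only a plain locale name. Returns 0 and fills out on success,
 * -1 on rejection. setugid is a parameter so the policy is testable without
 * actually running set-id.
 */
int locale_path_checked(char *out, size_t outlen, const char *path_locale,
                        int setugid, const char *encoding)
{
    const char *base = DEFAULT_PATH_LOCALE;
    int n;

    if (encoding == NULL || *encoding == '\0')
        return -1;
    /* one directory entry only: no separators, no "." or ".." */
    if (strchr(encoding, '/') != NULL || strcmp(encoding, ".") == 0 ||
        strcmp(encoding, "..") == 0)
        return -1;
    if (!setugid && path_locale != NULL && *path_locale != '\0')
        base = path_locale;

    n = snprintf(out, outlen, "%s/%s", base, encoding);
    if (n < 0 || (size_t)n >= outlen)
        return -1; /* would truncate: refuse instead of opening the wrong file */
    return 0;
}

/* Same policy applied to the real environment; what startup code would call. */
int locale_path_from_env(char *out, size_t outlen, const char *encoding)
{
    return locale_path_checked(out, outlen, getenv("PATH_LOCALE"),
                               process_is_setugid(), encoding);
}

/* Convenience wrapper: static buffer on success, NULL on rejection. */
const char *locale_path_checked_str(const char *path_locale, int setugid, const char *encoding)
{
    static char buf[LOCALE_BUF];
    return locale_path_checked(buf, sizeof buf, path_locale, setugid, encoding) == 0 ? buf : NULL;
}

int main(void)
{
    char buf[LOCALE_BUF];
    if (locale_path_from_env(buf, sizeof buf, "en_US.ISO8859-1") == 0)
        printf("locale file: %s\n", buf);
    else
        printf("locale name or PATH_LOCALE rejected\n");
    return 0;
}
```

The fallback comparison is the weak point the thread discusses: it answers "do my credentials differ now" rather than "was I exec'd set-id", so a program that has already called setuid() looks unprivileged to it. The patch above sidesteps the question by deleting the override for everyone; the gated version keeps it for ordinary users and still refuses to build a path it cannot fit.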
============================================================================= From owner-freebsd-security Wed Feb 5 19:15:30 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA00493 for security-outgoing; Wed, 5 Feb 1997 19:15:30 -0800 (PST) Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id TAA00485 for ; Wed, 5 Feb 1997 19:15:26 -0800 (PST) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vsKIm-0002zi-00; Wed, 5 Feb 1997 20:15:08 -0700 To: garya@dreamchaser.org Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE Cc: freebsd-security@freebsd.org In-reply-to: Your message of "Wed, 05 Feb 1997 18:54:10 MST." <32F939C2.172F@dreamchaser.org> References: <32F939C2.172F@dreamchaser.org> <199702060116.TAA21953@Jupiter.Mcs.Net> Date: Wed, 05 Feb 1997 20:15:08 -0700 From: Warner Losh Message-Id: Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <32F939C2.172F@dreamchaser.org> Gary Aitken writes: : It seems to me that while obviously some hackers are using the exploit, : there is a very real possibility that some are not yet aware of it. : It would seem wise to delay publicly posting it for a longer period : of time. That's why I just commit the fixes, quietly tell the security officer and let them deal with it. 
Warner From owner-freebsd-security Wed Feb 5 20:39:10 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA05547 for security-outgoing; Wed, 5 Feb 1997 20:39:10 -0800 (PST) Received: from tyger.inna.net (root@tyger.inna.net [206.151.66.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA05540; Wed, 5 Feb 1997 20:38:57 -0800 (PST) Received: from tyger.inna.net (jamie@tyger.inna.net [206.151.66.1]) by tyger.inna.net (8.8.3/8.7.3) with SMTP id XAA05499; Wed, 5 Feb 1997 23:53:04 -0500 (EST) Date: Wed, 5 Feb 1997 23:53:04 -0500 (EST) From: Jamie Bowden To: Karl Denninger cc: spork , dg@root.com, tqbf@enteract.com, karl@mcs.net, freebsd-chat@freebsd.org, current@freebsd.org, security@freebsd.org Subject: Re: Blacklisting and being "asked" to deinstall FreeBSD - you heard that right! In-Reply-To: <199702052323.RAA18464@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Why is this half quoted thread being sent to -chat? This is something I would expect from theo. Do we really need this? As I have stated many times when the aforementioned OpenBSD developer feels the need to do this: So what? Jamie Bowden Network Administrator, TBI Ltd. On Wed, 5 Feb 1997, Karl Denninger wrote: > > On Wed, 5 Feb 1997, David Greenman wrote: > > > > > I don't like how this whole mess has come down. There is an awful lot of > > > ill-will being passed out that will have long term ramifications. It didn't > > > need to happen this way. > > > > > > -DG > > > > I think most of the ill-will comes from the following sources: > > .... > > Well, the core team just added to that ill will. Deliberately. > > I have just received a voice phone call from one of the core members asking > me to leave FreeBSD, transition our machines off the operating system, > and walk away. > > Obviously, I will do none of the above. 
> > But I thought you should know that the response of the core team is to these > kinds of issues. > > A parallel code track will be online within a few days for those who believe > that THIS kind of response is unwarranted under ANY circumstances. > > -- > -- > Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity > http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 99 Analog numbers, 77 ISDN, Web servers $75/mo > Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ > Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal > From owner-freebsd-security Wed Feb 5 22:45:07 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA06668 for security-outgoing; Wed, 5 Feb 1997 22:45:07 -0800 (PST) Received: from narcissus.ml.org (root@brosenga.Pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA06624 for ; Wed, 5 Feb 1997 22:45:02 -0800 (PST) Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id WAA03783; Wed, 5 Feb 1997 22:44:59 -0800 (PST) Date: Wed, 5 Feb 1997 22:44:59 -0800 (PST) From: Stranger Bone To: Karl Denninger cc: "Sean J. Schluntz" , freebsd-security@freebsd.org, karl@Mcs.Net Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE In-Reply-To: <199702060116.TAA21953@Jupiter.Mcs.Net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 5 Feb 1997, Karl Denninger wrote: > > > > > I AM PART OF THE SOLUTION. > > > > > And yes, I WILL submit a pr on this as soon as I can find a few hours to > > > do the fix, verify it, and make world to test. At the same time I post > > > it to the committers I'll post it publically, and 24 hours later I post > > > the exploit which takes advantage of the problem. > > > > This is being part of the solution? 
Telling the world how to hack the systems > > of people who don't watch the lists or don't have enough time to patch a > > network of systems? > > > > 24 hours is not enough time for people to get the patch implemented. You > > would be personally sentencing people and their business to death by doing > > this. > > > > Would you like it if you were sick for two days and came back to find your > > network toast because someone pulled a stunt like that? > > > > -Sean > > ---------------------------------------------------------------------- > > Sean J. Schluntz > > Uh, excuse me, but the EXPLOIT has been in ACTIVE use for *TWO MONTHS* now. > > Its *NOT* new. It is being *ACTIVELY* used by the hacker contingent. > Therefore, hiding *ANYTHING* at this point serves no purpose. > > How can I possibly "hurt" things at this point... Don't be ridiculous. There's a huge difference between not hiding something and shouting it from the rooftops. Just because some people have an exploit doesn't mean everyone does. I resent your playing games with *my* security just to satisfy your self-image as the Security Avenger. I'm not saying that's necessarily your motive, but it sure looks that way. Be careful before you let any genies out of bottles. They're hard to stuff back in, and that applies to lost credibility as much as it does to lost security. > -- > -- > Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity > http://www.mcs.net/~karl | T1's from $600 monthly to FULL DS-3 Service > | 99 Analog numbers, 77 ISDN, Web servers $75/mo > Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/ > Fax: [+1 773 248-9865] | 2 FULL DS-3 Internet links; 400Mbps B/W Internal > Ben "You have your mind on computers, it seems." 
From owner-freebsd-security Wed Feb 5 22:52:29 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA10507 for security-outgoing; Wed, 5 Feb 1997 22:52:29 -0800 (PST)
Received: from mailserv.tversu.ac.ru (mailserv.tversu.ac.ru [193.233.128.3]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id WAA10458 for ; Wed, 5 Feb 1997 22:52:22 -0800 (PST)
Received: from localhost (vadim@localhost) by mailserv.tversu.ac.ru (8.6.12/8.6.12) with SMTP id JAA00329 for ; Thu, 6 Feb 1997 09:53:30 +0300
Date: Thu, 6 Feb 1997 09:53:28 +0300 (MSK)
From: Vadim Kolontsov
To: freebsd-security@freebsd.org
Subject: summury: holes in locale
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

the summary about the patchkit.

The patchkit must understand all versions of FreeBSD, and make the correct changes in the system. It must contain:

1) corrected /usr/lib/libc.a, libc.so.*
2) corrected /usr/lib/crt0.o
3) lfix, which patches statically linked binaries (why patch dynamically linked bins? we already fixed this bug by placing the patched libc in /usr/lib, didn't we?)
4) some script, which can make all modifications automatically; it must check if we are working in single-user mode (to avoid problems with running binaries)
5) a good README

My part of the project: lfix/ltest. I have to make changes in it, because at this time lfix/ltest has been tested only on FreeBSD 2.1.0 (by me). Also checking for static/dyn linking can be added.. and chflag handling..

I still don't know what we need to do with statically linked binaries which call locale stuff by themselves.. maybe we can patch the libc contained in the binary (pattern search for _startup_locale code etc)?... of course, recompiling is the solution...

Does anybody know how many statically linked setuid binaries call locale routines by themselves (not by their C startup module)? Maybe we can include corrected (recompiled) versions of them in the patchkit?.. For all versions of FreeBSD?

Any ideas, suggestions, volunteers?..

Best regards,
Vadim.

--------------------------------------------------------------------------
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab

From owner-freebsd-security Wed Feb 5 23:21:34 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA21749 for security-outgoing; Wed, 5 Feb 1997 23:21:34 -0800 (PST)
Received: (from mpp@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA21738; Wed, 5 Feb 1997 23:21:24 -0800 (PST)
From: Mike Pritchard
Message-Id: <199702060721.XAA21738@freefall.freebsd.org>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: karl@Mcs.Net (Karl Denninger)
Date: Wed, 5 Feb 1997 23:21:24 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: <199702052036.OAA12786@Jupiter.Mcs.Net> from "Karl Denninger" at Feb 5, 97 02:36:11 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> From: Karl Denninger
> Look. I've submitted prs before which have been flamed because they weren't
> "stylized" the way people wanted them, or were just ignored until some time
> later -- even when SEVERE and SECURITY have shown up in them.
>
> Frankly, I'm tired of tilting at windmills.

What PRs were those? I checked, and can only find about 5 or so PRs that I can determine were written by you. All but one were fixed within one week of submission. Most were responded to within 48 hours. The one that was not acted on immediately was a non-security problem. Please correct me if I am wrong.

With that said, yes, there are security related PRs that have remained open for too long. However, all of this work is being done by VOLUNTEERS! Some of these problems require rebuilding the entire system for testing. That takes time.
Especially if you are trying to do a complete job and make sure that the changes are correct for multiple releases. I would rather wait and have the correct fix the first time, and not a series of fixes that fix the previous fix because it was rushed out the door without enough thought or testing.

>> From: "Justin T. Gibbs"
>> Not true. Simply because you are not privy to the discussions about this
>> issue does not mean that we are ignoring anything. Our announcement will
>> have information on *all* versions of FreeBSD that have this problem.

> Keeping the discussion private (ie: "not privvy") means you believe there's
> something to hide. I disagree. Either discourse in public or it doesn't
> count in my book.

Just because you aren't in the loop, someone is hiding something? I fail to see the logic in this. I'm a FreeBSD developer and I wasn't included in any of the private core team discussions and I don't feel that anything was being hidden from me.

As someone from the core team pointed out, a lot of what was initially discussed was either wrong or did not apply. This type of misinformation would only tend to cause even more confusion than has already taken place. E.g. if someone mentioned that the xyzzy() routine seemed to have a similar problem and it really did not, I'm sure that someone would misread it and then start demanding why xyzzy() hasn't been fixed, when in reality there was never a problem at all.

I'm happy to have access to an actively developed operating system with a large number of enthusiastic developers. I've had to work on large vendor operating systems in the past where you were lucky if your very critical crash or security problem was addressed in the next binary only release a year later.

-Mike
--
Mike Pritchard
mpp@FreeBSD.org
"Go that way. Really fast. If something gets in your way, turn"

From owner-freebsd-security Thu Feb 6 00:09:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA09220 for security-outgoing; Thu, 6 Feb 1997 00:09:55 -0800 (PST)
Received: from narcissus.ml.org (root@brosenga.Pitzer.edu [134.173.120.201]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA09186; Thu, 6 Feb 1997 00:09:46 -0800 (PST)
Received: (from ben@localhost) by narcissus.ml.org (8.7.5/8.7.3) id AAA10305; Thu, 6 Feb 1997 00:09:44 -0800 (PST)
Date: Thu, 6 Feb 1997 00:09:42 -0800 (PST)
From: Stranger Bone
To: "Jordan K. Hubbard"
cc: announce@freebsd.org, first-teams@first.org, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org
Subject: Re: setlocale() bug in all released versions of FreeBSD (SA-97:01)
In-Reply-To: <199702060245.SAA26311@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 5 Feb 1997, Jordan K. Hubbard wrote:

> =============================================================================
> FreeBSD-SA-97:01 Security Advisory
> Revised: Wed Feb 05 09:58:56 PDT 1997 FreeBSD, Inc.
>
> Topic: setlocale() bug in all released versions of FreeBSD
>
> Category: core
> Module: libc
> Announced: 1997-02-05
> Affects: FreeBSD 2.1.6 and earlier systems suffer from this
> vulnerability for all binaries due to setlocale() being
> called from crt0.o.
>
> Corrected: 1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources
> Source: FreeBSD specific bug
> FreeBSD only: unknown
>
> Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:01/
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This directory doesn't appear to exist.

Ben
"You have your mind on computers, it seems."
From owner-freebsd-security Thu Feb 6 00:17:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA10330 for security-outgoing; Thu, 6 Feb 1997 00:17:10 -0800 (PST)
Received: from precipice.shockwave.com (ppp-206-170-5-59.rdcy01.pacbell.net [206.170.5.59]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA10290; Thu, 6 Feb 1997 00:17:00 -0800 (PST)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.8.4/8.7.3) with ESMTP id AAA07457; Thu, 6 Feb 1997 00:15:58 -0800 (PST)
Message-Id: <199702060815.AAA07457@precipice.shockwave.com>
To: freebsd-security-notifications@freebsd.org
cc: freebsd-security@freebsd.org, freebsd-announce@freebsd.org
From: FreeBSD Security Officer
Subject: REPOST: FreeBSD Security Advisory SA-97:01 - setlocale() bug
Date: Thu, 06 Feb 1997 00:15:58 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

The following message is just a signed repost of the earlier advisory released today. There is no new information present.

-- Paul

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-97:01 Security Advisory
Revised: Wed Feb 05 09:58:56 PDT 1997 FreeBSD, Inc.

Topic: setlocale() bug in all released versions of FreeBSD

Category: core
Module: libc
Announced: 1997-02-05
Affects: FreeBSD 2.1.6 and earlier systems suffer from this
vulnerability for all binaries due to setlocale() being
called from crt0.o.

Corrected: 1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources
Source: FreeBSD specific bug
FreeBSD only: unknown

Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:01/
=============================================================================

I. Background

The setlocale() call contains a number of potential exploits through string overflows during environment variable expansion. Because the 2.1.6 and earlier versions of FreeBSD called setlocale() in the C runtime code, the problem is especially acute there in that it essentially affects all binaries on the system. In FreeBSD 2.2 BETA and later releases, the setlocale() call was removed from crt0.c and the exploit closed through additional checks.

There has also been some confusion over the implications of loading locale data by privileged programs. The facility for a user to supply their own (possibly corrupt or abused) locale data to non-privileged processes was removed in all releases on 1997-02-04. This was originally a debugging facility that got little use and the user can now only direct system binaries to load system administrator sanctioned locale files.

This problem is present in all source code and binary distributions of FreeBSD released on or before 1996-11-27.

II. Problem Description

The setlocale() library function looks for the environment variable "PATH_LOCALE" in the current process's environment, and if it exists, later copies the contents of this variable to a stack buffer without doing proper bounds checking. If the environment variable was specially initialized with the proper amount and type of data prior to running a setuid program, it is possible to cause the program to overflow its stack and execute arbitrary code which could allow the user to become root.

III. Impact

Any binary linked on a system with setlocale() built into crt0.c (see list of affected releases in section I above) or which calls setlocale() directly has the buffer overrun vulnerability. If this binary has the setuid or setgid bits set, or is called by another setuid/setgid binary (even if that other setuid/setgid binary does not have this vulnerability), unauthorized access may be allowed.

IV.
Solution(s) Recompiling libc with the following patches and then recompiling all staticly linked binaries (all in /sbin and /bin as well as chflags, gunzip, gzcat, gzip, ld, tar and zcat in /usr/bin) eliminates this vulnerability in FreeBSD 2.1.6 and earlier releases: However, a full solution may require a re-link of all setuid/setgid local binaries or all local binaries likely to be called from another setuid/setgid program that were originally linked statically under one of the affected OSs. Dynamically linked executables will benefit directly from this patch once libc is rebuilt and reinstalled and do not need to be relinked. Because of the severity of this security hole, a full update release for FreeBSD 2.1.6 will also be released very shortly, that release being provisionally assigned the version number of 2.1.7. Index: lib/libc/locale/collate.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/collate.c,v retrieving revision 1.4.4.2 diff -c -r1.4.4.2 collate.c *** collate.c 1996/06/05 02:47:55 1.4.4.2 --- collate.c 1997/02/05 10:21:59 *************** *** 64,70 **** __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); --- 64,70 ---- __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); Index: lib/libc/locale/rune.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/rune.c,v retrieving revision 1.2.6.3 diff -c -r1.2.6.3 rune.c *** rune.c 1996/06/05 02:47:59 1.2.6.3 --- rune.c 1997/02/05 10:22:00 *************** *** 71,77 **** return(0); } ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); --- 71,77 ---- return(0); } ! 
if (!PathLocale) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); Index: lib/libc/locale/setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v retrieving revision 1.3.4.2.2.1 diff -c -r1.3.4.2.2.1 setlocale.c *** setlocale.c 1996/06/05 02:48:03 1.3.4.2.2.1 --- setlocale.c 1997/02/05 10:22:00 *************** *** 58,64 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 58,64 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) Index: lib/libc/locale/startup_setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/Attic/startup_setlocale.c,v retrieving revision 1.2.4.2 diff -c -r1.2.4.2 startup_setlocale.c *** startup_setlocale.c 1995/08/28 05:06:50 1.2.4.2 --- startup_setlocale.c 1997/02/05 10:22:00 *************** *** 23,29 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 23,29 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
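Review bot: in the collate.c hunk (64,70) the `strcpy(buf, path_locale); strcat(buf, "/");` pair just below the changed line is still unbounded; the change makes it safe only by guaranteeing that `path_locale` is the compile-time `_PATH_LOCALE`, while whatever is appended after the `"/"` (the caller-supplied `encoding`, which the visible code checks only for NULL at `if (!encoding) return -1;`) still lands in the same fixed buffer with no length check. Suggest replacing the copy/concatenate sequence with a single bounded `snprintf(buf, sizeof(buf), "%s/%s", path_locale, encoding)` and returning -1 on truncation, so the fix does not depend on every future assignment to `path_locale` being a constant.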
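Review bot: the rune.c hunk (71,77) leaves `(void) strcpy(name, PathLocale);` as an unchecked copy into a fixed buffer, and `PathLocale` is a file-scope pointer that keeps its first value for the life of the process, so the only thing now keeping the copy in bounds is that nothing else assigns it. Please add a comment at the `if (!PathLocale) PathLocale = _PATH_LOCALE;` line stating that this variable must never be set from the environment (the advisory's section I says the override facility was removed deliberately), otherwise the next person to "restore" PATH_LOCALE support reopens the overflow; a bounded copy would make that mistake harmless as well.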
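Review bot: the setlocale.c hunk (58,64) and the startup_setlocale.c hunk (23,29) are byte-for-byte the same change to duplicated code, including the identical `int found, i, len; char *env, *r;` context, which is how the original getenv("PATH_LOCALE") lookup came to exist in four places. Suggest the commit message record that the four call sites must stay in sync (or that the path resolution be moved into one shared helper), and that the behaviour change, PATH_LOCALE now being ignored for every process rather than only set-id ones, is documented in setlocale(3) since the hunk itself gives no hint of it.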
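Review bot: the RCS path `lib/libc/locale/Attic/startup_setlocale.c,v` in the last hunk shows this file is already retired in -current, so the patch header should state that this hunk applies to the 2.1.x branch only, where crt0.o still calls the startup locale code. Since that code is linked into every static binary, the hunk is ineffective until those binaries are relinked; section IV of the advisory says so, but the patch itself does not, and an administrator applying only the diff and rebuilding libc would be left with the /sbin, /bin and static /usr/bin programs still carrying the old copy.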
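The advisory's problem description, the copy of PATH_LOCALE into a fixed stack buffer without bounds checking, and the point raised later in this thread that a library should ask the kernel (issetugid()) whether it is running set-id rather than trusting uid comparisons, can be shown side by side in a few lines of C. The following is an added example written for this archive; it is not FreeBSD's code and not the SA-97:01 patch. The buffer size matches the 1024 bytes named in Ptacek's report; the default directory, the "<dir>/<encoding>" layout, and passing the set-id flag in as a parameter (so the demo builds where issetugid() does not exist) are assumptions.

```c
/*
 * Added example (not FreeBSD's code, not the SA-97:01 patch): the PATH_LOCALE
 * copy from the advisory, first in the unbounded shape it describes and then
 * in a bounded form that also ignores the environment override in set-id
 * processes.  Function names, the default directory and the path layout are
 * assumptions made for this demo.
 */
#include <stdio.h>
#include <string.h>

#define LOCALE_BUFSZ        1024                 /* the 1024-byte stack buffer from the report */
#define DEFAULT_PATH_LOCALE "/usr/share/locale"  /* stands in for libc's _PATH_LOCALE (assumed) */

/*
 * Pre-patch shape from the advisory: strcpy/strcat of an environment-derived
 * string into a fixed buffer.  Kept only so the bounded version can be
 * compared against it; it must never be given untrusted input.
 */
void locale_path_unchecked(char buf[LOCALE_BUFSZ], const char *env_path_locale,
                           const char *encoding)
{
    const char *path_locale = env_path_locale ? env_path_locale : DEFAULT_PATH_LOCALE;
    strcpy(buf, path_locale);       /* no length check: a long PATH_LOCALE overruns buf */
    strcat(buf, "/");
    strcat(buf, encoding);
}

/* Predicts whether the unchecked sequence above would overrun its buffer. */
int unchecked_would_overflow(const char *env_path_locale, const char *encoding)
{
    const char *path_locale = env_path_locale ? env_path_locale : DEFAULT_PATH_LOCALE;
    return strlen(path_locale) + 1 + strlen(encoding) + 1 > LOCALE_BUFSZ;
}

/*
 * Hardened form.  `setugid` is what issetugid() would report (passed in so the
 * demo runs on systems without that call): when set, PATH_LOCALE is ignored
 * entirely, which is the point made in the issetugid() discussion.  Returns 0
 * on success, -1 when the name would not fit or the encoding is not a single
 * plain path component.
 */
int locale_path_checked(char *out, size_t outsz, const char *env_path_locale,
                        const char *encoding, int setugid)
{
    const char *base = DEFAULT_PATH_LOCALE;
    int n;

    if (!encoding || !*encoding || strchr(encoding, '/') != NULL ||
        strcmp(encoding, ".") == 0 || strcmp(encoding, "..") == 0)
        return -1;                  /* the locale name may not leave the locale directory */
    if (!setugid && env_path_locale && *env_path_locale)
        base = env_path_locale;     /* honour the override only in non-set-id processes */

    n = snprintf(out, outsz, "%s/%s", base, encoding);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';              /* truncated: refuse rather than use a partial name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[LOCALE_BUFSZ];
    char big[2048];

    memset(big, 'A', sizeof big - 1);   /* constructed oversize PATH_LOCALE value */
    big[sizeof big - 1] = '\0';

    printf("unchecked copy of a %zu-byte PATH_LOCALE would overflow: %d\n",
           strlen(big), unchecked_would_overflow(big, "C"));
    printf("checked, oversize value: %d\n",
           locale_path_checked(buf, sizeof buf, big, "C", 0));
    printf("checked, set-id process ignores override: %d -> %s\n",
           locale_path_checked(buf, sizeof buf, "/tmp/override", "C", 1), buf);
    return 0;
}
```

The two defences are independent: the bounded snprintf() closes the overflow for every caller, and the set-id check removes the environment as an input to privileged processes altogether, which is what the 2.1.x patch above achieves for all processes by deleting the getenv() call.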
============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBMvmSjFUuHi5z0oilAQEqfQP/dDbKxFn2i1jr2mfd2RNoqhi+v7iu8+Gx Tt9rKtPebjA+/I3qWkt9nLs7W/2pnOJ1Wb7O8zvbvN0zdvqkKkCoV5j6U41TmSde oLKdUu9LyUSOQRlDVDtgVB0SskyIRxGdES4tTaT5qRBaZ7XPOtKWsz+jhch8zYyu iHaVnXN8u9I= =XSmz -----END PGP SIGNATURE----- From owner-freebsd-security Thu Feb 6 00:28:23 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA12387 for security-outgoing; Thu, 6 Feb 1997 00:28:23 -0800 (PST) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA12366 for ; Thu, 6 Feb 1997 00:28:18 -0800 (PST) Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.8.5/8.6.9) with ESMTP id AAA28756; Thu, 6 Feb 1997 00:28:14 -0800 (PST) To: Stranger Bone cc: freebsd-security@freebsd.org Subject: Re: setlocale() bug in all released versions of FreeBSD (SA-97:01) In-reply-to: Your message of "Thu, 06 Feb 1997 00:09:42 PST." Date: Thu, 06 Feb 1997 00:28:13 -0800 Message-ID: <28752.855217693@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:01/ > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > This directory doesn't appear to exist. All of this will come to pass once Paul Traina gets a chance to release the advisory fully (with attached PGP signature), I'm sure. My announcement was just an interim measure to get the word out quickly. 
Jordan

From owner-freebsd-security Thu Feb 6 01:20:16 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA24945 for security-outgoing; Thu, 6 Feb 1997 01:20:16 -0800 (PST)
Received: from haywire.DIALix.COM (news@haywire.DIALix.COM [192.203.228.65]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA24853 for ; Thu, 6 Feb 1997 01:20:00 -0800 (PST)
Received: (from news@localhost) by haywire.DIALix.COM (8.8.4/8.8.2) id RAA21094 for freebsd-security@freebsd.org; Thu, 6 Feb 1997 17:19:39 +0800 (WST)
X-Authentication-Warning: haywire.DIALix.COM: news set sender to usenet-request@haywire.dialix.com using -f
Received: from GATEWAY by haywire.DIALix.COM with netnews for freebsd-security@freebsd.org (problems to: usenet@haywire.dialix.com)
To: freebsd-security@freebsd.org
Date: 6 Feb 1997 09:19:38 GMT
From: peter@spinner.DIALix.COM (Peter Wemm)
Message-ID: <855220778.617480@haywire.DIALix.COM>
Organization: DIALix Internet Services
References: <199702052042.OAA27560@enteract.com>
Subject: Re: While we're on the subject...
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article <199702052248.OAA18949@freefall.freebsd.org>, avalon@coombs.anu.edu.au (Darren Reed) writes:
> In some mail from Thomas H. Ptacek, sie said:
>>
>> OpenBSD has the locale issue resolved reliably already.
>>
>> OpenBSD supports issetugid().
>>
>> Thus, I can tell, even when I'm deep in libc, if I was called from an SUID
>> program. I can do that because execve() flipped a bit in my proc structure
>> when it noticed that I was SUID.
>>
>> This is a good thing.
>>
>> Meaningless UID checks probably aren't. Anything could have happened to my
>> creds, depending on the programmer calling the library, and I have no way
>> of determining what happened.
>>
>> What's holding FreeBSD up on supporting issetugid()?
>
> Has anyone done a send-pr to send it to freebsd ?

I've been running with a version of it for what seems like 6 months now, but my version was tied in with fixes to the P_SUGID flag rather than creating a new flag.

-Peter

From owner-freebsd-security Thu Feb 6 03:22:13 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA03735 for security-outgoing; Thu, 6 Feb 1997 03:22:13 -0800 (PST)
Received: from sovcom.kiae.su (sovcom.kiae.su [193.125.152.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id DAA03694 for ; Thu, 6 Feb 1997 03:22:07 -0800 (PST)
Received: by sovcom.kiae.su id AA02124 (5.65.kiae-1 ); Thu, 6 Feb 1997 14:13:58 +0300
Received: by sovcom.KIAE.su (UUMAIL/2.0); Thu, 6 Feb 97 14:13:57 +0300
Received: (from ache@localhost) by nagual.ru (8.8.5/8.8.5) id OAA03898; Thu, 6 Feb 1997 14:12:02 +0300 (MSK)
Date: Thu, 6 Feb 1997 14:11:59 +0300 (MSK)
From: Andrey Chernov
To: Peter Wemm
Cc: freebsd-security@freebsd.org
Subject: Re: While we're on the subject...
In-Reply-To: <855220778.617480@haywire.DIALix.COM>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On 6 Feb 1997, Peter Wemm wrote:

> I've been running with a version of it for what seems like 6 months now, but
> my version was tied in with fixes to the P_SUGID flag rather than create
> a new flag.

As I already said in my previous reply, I don't understand how it can be tied to the P_SUGID flag. P_SUGID is set _after_ the code issues a set*id() call, and P_SUGIDEXEC is set immediately after a suid binary is launched, even if it does not call set*id().

--
Andrey A.
Chernov http://www.nagual.ru/~ache/ From owner-freebsd-security Thu Feb 6 03:31:02 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA07063 for security-outgoing; Thu, 6 Feb 1997 03:31:02 -0800 (PST) Received: from relay-7.mail.demon.net (relay-7.mail.demon.net [194.217.242.9]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id DAA07038; Thu, 6 Feb 1997 03:30:55 -0800 (PST) Received: from runcirc.demon.co.uk ([158.152.9.225]) by relay-5.mail.demon.net id aa508554; 6 Feb 97 10:40 GMT Received: (from roger@localhost) by runcirc.demon.co.uk (8.7.5/8.7.3) id KAA00214; Thu, 6 Feb 1997 10:31:06 GMT Received: from relay-10.mail.demon.net (punt.demon.co.uk [194.217.242.133]) by runcirc.demon.co.uk (8.7.5/8.7.3) with SMTP id KAA00192 for ; Thu, 6 Feb 1997 10:30:23 GMT Received: from relay-9.mail.demon.net by mailstore for roger@runcirc.demon.co.uk id 855201683:9:11344:3; Thu, 06 Feb 97 04:01:23 GMT Received: from ceres.brunel.ac.uk ([134.83.176.3]) by relay-10.mail.demon.net id aa1012511; 6 Feb 97 4:01 GMT Received: from freefall.freebsd.org by ceres.brunel.ac.uk with SMTP (PP); Thu, 6 Feb 1997 04:00:55 +0000 Received: from localhost (daemon@localhost) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id TAA00748; Wed, 5 Feb 1997 19:18:08 -0800 (PST) Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA06708 for freebsd-announce-outgoing; Wed, 5 Feb 1997 18:45:49 -0800 (PST) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA06685; Wed, 5 Feb 1997 18:45:39 -0800 (PST) Received: (from jkh@localhost) by time.cdrom.com (8.8.5/8.6.9) id SAA26311; Wed, 5 Feb 1997 18:45:36 -0800 (PST) Date: Wed, 5 Feb 1997 18:45:36 -0800 (PST) From: "Jordan K. 
Hubbard" Message-Id: <199702060245.SAA26311@time.cdrom.com> Old-To: announce@FreeBSD.ORG Subject: setlocale() bug in all released versions of FreeBSD (SA-97:01) Cc: first-teams@first.org, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org Old-X-Loop: FreeBSD.org X-Loop: roger@runcirc.demon.co.uk To: r.mccalman@elsevier.co.uk Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk ============================================================================= FreeBSD-SA-97:01 Security Advisory Revised: Wed Feb 05 09:58:56 PDT 1997 FreeBSD, Inc. Topic: setlocale() bug in all released versions of FreeBSD Category: core Module: libc Announced: 1997-02-05 Affects: FreeBSD 2.1.6 and earlier systems suffer from this vulnerability for all binaries due to setlocale() being called from crt0.o. Corrected: 1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources Source: FreeBSD specific bug FreeBSD only: unknown Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:01/ ============================================================================= I. Background The setlocale() call contains a number of potential exploits through string overflows during environment variable expansion. Because the 2.1.6 and earlier versions of FreeBSD called setlocale() in the C runtime code, the problem is especially acute there in that it essentially effects all binaries on the system. In FreeBSD 2.2 BETA and later releases, the setlocale() call was removed from crt0.c and the exploit closed through additional checks. There has also been some confusion over the implications of loading locale data by privileged programs. The facility for a user to supply their own (possibly corrupt or abused) locale data to non-privileged processes was removed in all releases on 1997-02-04. This was originally a debugging facility that got little use and the user can now only direct system binaries to load system administrator sanctioned locale files. 
This problem is present in all source code and binary distributions of FreeBSD released on or before 1996-11-27. II. Problem Description The setlocale() library function looks for the environment variable "PATH_LOCALE" in the current process's environment, and if it exists, later copies the contents of this variable to a stack buffer without doing proper bounds checking. If the environment variable was specially initialized with the proper amount and type of data prior to running a setuid program, it is possible to cause the program to overflow its stack and execute arbitrary code which could allow the user to become root. III. Impact Any binary linked on a system with setlocale() built into crt0.c (see list of affected releases in section I above) or which calls setlocale() directly has the buffer overrun vulnerability. If this binary has the setuid or setgid bits set, or is called by another setuid/setgid binary (even if that other setuid/setgid binary does not have this vulnerability), unauthorized access may be allowed. IV. Solution(s) Recompiling libc with the following patches and then recompiling all staticly linked binaries (all in /sbin and /bin as well as chflags, gunzip, gzcat, gzip, ld, tar and zcat in /usr/bin) eliminates this vulnerability in FreeBSD 2.1.6 and earlier releases: However, a full solution may require a re-link of all setuid/setgid local binaries or all local binaries likely to be called from another setuid/setgid program that were originally linked statically under one of the affected OSs. Dynamically linked executables will benefit directly from this patch once libc is rebuilt and reinstalled and do not need to be relinked. Because of the severity of this security hole, a full update release for FreeBSD 2.1.6 will also be released very shortly, that release being provisionally assigned the version number of 2.1.7. 
Index: lib/libc/locale/collate.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/collate.c,v retrieving revision 1.4.4.2 diff -c -r1.4.4.2 collate.c *** collate.c 1996/06/05 02:47:55 1.4.4.2 --- collate.c 1997/02/05 10:21:59 *************** *** 64,70 **** __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); --- 64,70 ---- __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); Index: lib/libc/locale/rune.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/rune.c,v retrieving revision 1.2.6.3 diff -c -r1.2.6.3 rune.c *** rune.c 1996/06/05 02:47:59 1.2.6.3 --- rune.c 1997/02/05 10:22:00 *************** *** 71,77 **** return(0); } ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); --- 71,77 ---- return(0); } ! if (!PathLocale) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); Index: lib/libc/locale/setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v retrieving revision 1.3.4.2.2.1 diff -c -r1.3.4.2.2.1 setlocale.c *** setlocale.c 1996/06/05 02:48:03 1.3.4.2.2.1 --- setlocale.c 1997/02/05 10:22:00 *************** *** 58,64 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 58,64 ---- int found, i, len; char *env, *r; ! 
if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) Index: lib/libc/locale/startup_setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/Attic/startup_setlocale.c,v retrieving revision 1.2.4.2 diff -c -r1.2.4.2 startup_setlocale.c *** startup_setlocale.c 1995/08/28 05:06:50 1.2.4.2 --- startup_setlocale.c 1997/02/05 10:22:00 *************** *** 23,29 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 23,29 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
=============================================================================

From owner-freebsd-security Thu Feb 6 07:15:00 1997
From: Robin Melville
To: security@freefall.freebsd.org
Date: Thu, 6 Feb 1997 12:22:41 GMT
Subject: Re: security-digest V3 #12
Message-Id: <199702061222.MAA06912@charlie.nadt.org.uk>

As a careful follower of the security digest I feel moved to add a pennyworth of complaint.

I'm getting very tired of wading through the arrogant, hypercritical screeds posted by some correspondents.

Any user of FreeBSD must be aware that it's an exceptional piece of work provided by volunteers who work their butts off. Our organisation is particularly grateful to them since it enables us to provide clinical IT which we couldn't possibly afford to do if the only option was commercial Unices/Novell/NT.

The setlocale() security hole is unfortunate, but I'm sure not unexceptional in the context of any huge project written in C. Now it's known about and is being/has been fixed. There will be others.

Security holes are a problem but also a fact of life for all system managers. I don't have any complaint about the (unpaid) work of the core team in attempting to patch them as they arise. What /would/ be tiresome would be the widespread dissemination of exploits to make a (malicious?) point.

Highly skilled hackers will probably always be able to get into systems, this is also a fact of life. Telling (the much larger number) of less skilled/inquisitive users exactly how to get a # seems to me to be monstrously unhelpful. Unskilled hackers with root access are much more likely to do considerable damage by mistake than a passing wizard "bagging" your system or surreptitiously stealing CPU/disk space.

If these correspondents have a personal beef with members of the FreeBSD core team would they please conduct it with private email.

Thanks.

Robin Melville
--------------------------------------------------------
Robin Melville, Addiction & Forensic Information Service
Nottingham Alcohol & Drug Team (Extn. 49178)
Vox: +44 (0)115 952 9478   Fax: +44 (0)115 952 9421
Email: robmel@nadt.org.uk
WWW: http://www.innotts.co.uk/nadt/
---------------------------------------------------------

From owner-freebsd-security Thu Feb 6 07:58:02 1997
From: "Stephen F. Combs"
To: Robin Melville
Cc: security@freefall.freebsd.org
Date: Thu, 06 Feb 1997 10:49:00 -0500 (EST)
Organization: GE Motors & Industrial Systems
Subject: Re: security-digest V3 #12
In-Reply-To: <199702061222.MAA06912@charlie.nadt.org.uk>

Hear, Hear! I've been using FreeBSD since the first available pre-release snapshot and I've NO PROBLEMS with the core developers!
Jordan and the core team have been EXTREMELY responsive to problems/security holes/etc..... Anything thought of by man can be circumvented by man! (don't remember WHO was the originator of that but 'TIS TRUE!). Guys (and gals, if there are any) KEEP UP THE GOOD WORK!

On 06-Feb-97 Robin Melville wrote:
>As a careful follower of the security digest I feel moved to add a
>pennyworth of complaint.
>
>I'm getting very tired of wading through the arrogant, hypercritical screeds
>posted by some correspondents.
>
>Any user of FreeBSD must be aware that it's an exceptional piece of work
>provided by volunteers who work their butts off. Our organisation is
>particularly grateful to them since it enables us to provide clinical IT
>which we couldn't possibly afford to do if the only option was commercial
>Unices/Novell/NT.
>
>The setlocale() security hole is unfortunate, but I'm sure not unexceptional
>in the context of any huge project written in C. Now it's known about and is
>being/has been fixed. There will be others.
>
>Security holes are a problem but also a fact of life for all system
>managers. I don't have any complaint about the (unpaid) work of the core
>team in attempting to patch them as they arise. What /would/ be tiresome
>would be the widespread dissemination of exploits to make a (malicious?) point.
>
>Highly skilled hackers will probably always be able to get into systems,
>this is also a fact of life. Telling (the much larger number) of less
>skilled/inquisitive users exactly how to get a # seems to me to be
>monstrously unhelpful. Unskilled hackers with root access are much more
>likely to do considerable damage by mistake than a passing wizard "bagging"
>your system or surreptitiously stealing CPU/disk space.
>
>If these correspondents have a personal beef with members of the FreeBSD
>core team would they please conduct it with private email.
>
>Thanks.
>
>Robin Melville
>--------------------------------------------------------
>Robin Melville, Addiction & Forensic Information Service
>Nottingham Alcohol & Drug Team (Extn. 49178)
>Vox: +44 (0)115 952 9478 Fax: +44 (0)115 952 9421
>Email: robmel@nadt.org.uk
>WWW: http://www.innotts.co.uk/nadt/
>---------------------------------------------------------
>

----
Stephen F. Combs          Internet: CombsSF@Salem.GE.COM
GE Industrial Systems     Voice: 540.387.8828
Network Services          Home: CombsSF-Home@Salem.GE.COM
1501 Roanoke Blvd         FAX: 540.387.7106
Salem, VA 24153           LapTop: CombsSF-Mobile@Salem.GE.COM

From owner-freebsd-security Thu Feb 6 08:10:23 1997
From: Brion Moss
To: Vadim Kolontsov
Cc: freebsd-security@freebsd.org
Date: Thu, 6 Feb 1997 08:07:59 -0800 (PST)
Subject: Re: summary: holes in locale
Message-Id: <199702061607.IAA13359@coven.queeg.com>

Any patchkit should also include the patches to the source; otherwise the security-patched binary version may be clobbered by someone rebuilding from source later on.

I think it would be a big win if the security patch system worked using the pkg system; that way it would be easy to tell what patches had been applied (all you would need to do is run pkg_info). Maybe even add a -P option to pkg_info to show all installed patches... the Solaris patch system works this way, and it's one of the nicer things about Solaris.

-Brion

Vadim Kolontsov writes:
> Hello,
>
> the summary about patchkit.
>
> Patchkit must understand all versions of FreeBSD, and make correct
> changes in the system. It must contain:
>
> 1) corrected /usr/lib/libc.a, libc.so.*
> 2) corrected /usr/lib/crt0.o
> 3) lfix, which patches statically linked binaries (why to
> patch dynamically linked bins? we already fixed this bug placing patched
> libc in /usr/lib, isn't it?)
> 4) some script, which can make all modification automatically; it must
> check if we are working in single-user mode (to avoid problem with
> running binaries)
> 5) good README
>
> My part of project: lfix/ltest. I have to make changes in it, because at
> this time lfix/ltest tested only on FreeBSD 2.1.0 (by me). Also checking
> for static/dyn linking can be added.. and chflag handling..
>
> I still don't know what we need to do with statically linked binaries
> which call locale stuff by themselves.. may be we can patch libc, contained
> in binary (pattern search for _startup_locale code etc)?... of course,
> recompiling is the solution...
>
> Anybody knows, how many statically linked setuid binaries call locale
> routines by themselves? (not by their C startup module) May be, we can include
> corrected (recompiled) versions of them into the patchkit?.. For all
> versions of FreeBSD?
>
> Any ideas, suggestions, volunteers?..
>
> Best regards, Vadim.
> --------------------------------------------------------------------------
> Vadim Kolontsov                                        SysAdm/Programmer
> Tver Regional Center of New Information Technologies   Networks Lab
>
>

From owner-freebsd-security Thu Feb 6 09:36:59 1997
From: Antonio Navarro Navarro
To: security@freefall.freebsd.org
Date: Thu, 06 Feb 1997 18:41:06 +0100
Subject: UNSUBSCRIBE
Message-Id: <3.0.32.19970206184105.009fda30@host.bemarnet.es>

UNSUBSCRIBE
UNSUBSCRIBE hostmaster@bemarnet.es
PLEASE! UNSUBSCRIBE ME!
From owner-freebsd-security Thu Feb 6 11:37:29 1997
From: "Jordan K. Hubbard"
Date: Wed, 5 Feb 1997 18:45:36 -0800 (PST)
Old-To: announce@freebsd.org
To: r.mccalman@elsevier.co.uk
Cc: first-teams@first.org, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org
Subject: setlocale() bug in all released versions of FreeBSD (SA-97:01)
Message-Id: <199702060245.SAA26311@time.cdrom.com>
X-Loop: roger@runcirc.demon.co.uk

=============================================================================
FreeBSD-SA-97:01                                            Security Advisory
Revised:   Wed Feb 05 09:58:56 PDT 1997                         FreeBSD, Inc.

Topic:          setlocale() bug in all released versions of FreeBSD

Category:       core
Module:         libc
Announced:      1997-02-05
Affects:        FreeBSD 2.1.6 and earlier systems suffer from this
                vulnerability for all binaries due to setlocale() being
                called from crt0.o.
Corrected:      1997-02-05 -stable, 1996-11-27 -current and RELENG_2_2 sources
Source:         FreeBSD specific bug
FreeBSD only:   unknown

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:01/
=============================================================================

I.   Background

The setlocale() call contains a number of potential exploits through string overflows during environment variable expansion. Because the 2.1.6 and earlier versions of FreeBSD called setlocale() in the C runtime code, the problem is especially acute there in that it essentially affects all binaries on the system. In FreeBSD 2.2 BETA and later releases, the setlocale() call was removed from crt0.c and the exploit closed through additional checks.

There has also been some confusion over the implications of loading locale data by privileged programs. The facility for a user to supply their own (possibly corrupt or abused) locale data to non-privileged processes was removed in all releases on 1997-02-04. This was originally a debugging facility that got little use and the user can now only direct system binaries to load system administrator sanctioned locale files.

This problem is present in all source code and binary distributions of FreeBSD released on or before 1996-11-27.

II.  Problem Description

The setlocale() library function looks for the environment variable "PATH_LOCALE" in the current process's environment, and if it exists, later copies the contents of this variable to a stack buffer without doing proper bounds checking. If the environment variable was specially initialized with the proper amount and type of data prior to running a setuid program, it is possible to cause the program to overflow its stack and execute arbitrary code which could allow the user to become root.

III. Impact

Any binary linked on a system with setlocale() built into crt0.c (see list of affected releases in section I above) or which calls setlocale() directly has the buffer overrun vulnerability. If this binary has the setuid or setgid bits set, or is called by another setuid/setgid binary (even if that other setuid/setgid binary does not have this vulnerability), unauthorized access may be allowed.

IV.  Solution(s)

Recompiling libc with the following patches and then recompiling all statically linked binaries (all in /sbin and /bin as well as chflags, gunzip, gzcat, gzip, ld, tar and zcat in /usr/bin) eliminates this vulnerability in FreeBSD 2.1.6 and earlier releases:

However, a full solution may require a re-link of all setuid/setgid local binaries or all local binaries likely to be called from another setuid/setgid program that were originally linked statically under one of the affected OSs. Dynamically linked executables will benefit directly from this patch once libc is rebuilt and reinstalled and do not need to be relinked.

Because of the severity of this security hole, a full update release for FreeBSD 2.1.6 will also be released very shortly, that release being provisionally assigned the version number of 2.1.7.
Index: lib/libc/locale/collate.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/collate.c,v retrieving revision 1.4.4.2 diff -c -r1.4.4.2 collate.c *** collate.c 1996/06/05 02:47:55 1.4.4.2 --- collate.c 1997/02/05 10:21:59 *************** *** 64,70 **** __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale && !(path_locale = getenv("PATH_LOCALE"))) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); --- 64,70 ---- __collate_load_error = 1; if (!encoding) return -1; ! if (!path_locale) path_locale = _PATH_LOCALE; strcpy(buf, path_locale); strcat(buf, "/"); Index: lib/libc/locale/rune.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/rune.c,v retrieving revision 1.2.6.3 diff -c -r1.2.6.3 rune.c *** rune.c 1996/06/05 02:47:59 1.2.6.3 --- rune.c 1997/02/05 10:22:00 *************** *** 71,77 **** return(0); } ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); --- 71,77 ---- return(0); } ! if (!PathLocale) PathLocale = _PATH_LOCALE; (void) strcpy(name, PathLocale); Index: lib/libc/locale/setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v retrieving revision 1.3.4.2.2.1 diff -c -r1.3.4.2.2.1 setlocale.c *** setlocale.c 1996/06/05 02:48:03 1.3.4.2.2.1 --- setlocale.c 1997/02/05 10:22:00 *************** *** 58,64 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 58,64 ---- int found, i, len; char *env, *r; ! 
if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) Index: lib/libc/locale/startup_setlocale.c =================================================================== RCS file: /home/ncvs/src/lib/libc/locale/Attic/startup_setlocale.c,v retrieving revision 1.2.4.2 diff -c -r1.2.4.2 startup_setlocale.c *** startup_setlocale.c 1995/08/28 05:06:50 1.2.4.2 --- startup_setlocale.c 1997/02/05 10:22:00 *************** *** 23,29 **** int found, i, len; char *env, *r; ! if (!PathLocale && !(PathLocale = getenv("PATH_LOCALE"))) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) --- 23,29 ---- int found, i, len; char *env, *r; ! if (!PathLocale) PathLocale = _PATH_LOCALE; if (category < 0 || category >= _LC_LAST) ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
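Review bot: in the collate.c hunk, dropping the getenv("PATH_LOCALE") lookup removes the attacker-controlled source but leaves `strcpy(buf, path_locale); strcat(buf, "/");` copying into a fixed-size buffer with no length check. With `_PATH_LOCALE` as the only remaining source the copy happens to fit, but the copy itself should be bounded (an snprintf() of "%s/" into buf with its size, treated as a failure when the return value is not smaller than the size) so that a future source for `path_locale` cannot reopen the overflow.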
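Review bot: in the rune.c hunk the same issue remains after the fix: `(void) strcpy(name, PathLocale);` is still an unbounded copy into `name`, and the `(void)` cast records that the return value is discarded rather than checked. Suggest the same size-checked copy as for collate.c, with a failure return from the loader when the path does not fit, rather than relying on `_PATH_LOCALE` staying short.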
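Review bot: in the setlocale.c hunk, `if (!PathLocale) PathLocale = _PATH_LOCALE;` silently turns PATH_LOCALE into a no-op: a user or script that set it now gets the default directory with no diagnostic. The behaviour change (the advisory's "debugging facility" is gone for all callers, privileged or not) should be documented in setlocale(3) and the release notes in the same commit as the fix, so the silent fallback is not mistaken for a locale installation problem.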
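Review bot: the startup_setlocale.c hunk is the second identical copy of the `if (!PathLocale) PathLocale = _PATH_LOCALE;` change in this patch, and the rune.c and collate.c hunks carry the same idiom under different variable names, while this file already sits in the Attic. Selecting the locale directory in one shared helper that the four call sites use would mean the next fix to this logic is made once instead of four times.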
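The pattern the hunks above remove is an environment-supplied directory copied into a fixed stack buffer with strcpy()/strcat(). As an added example that is not part of the advisory or of libc, here is the remaining path construction rewritten so it cannot overrun: the directory is a compiled-in default (standing in for _PATH_LOCALE, as the patch now does), every path component is validated, and the copy is size-checked and refused rather than truncated. The names build_locale_file() and valid_component() and the default directory string are assumptions; the component check goes beyond the advisory's fix.

```c
/* Added example, not code from the advisory or from libc: bounded
 * construction of "<dir>/<locale>/<file>" in place of strcpy()/strcat()
 * into a fixed buffer.  DEFAULT_LOCALE_DIR stands in for _PATH_LOCALE;
 * the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define LOCALE_PATH_MAX    1024                /* size of the old stack buffer */
#define DEFAULT_LOCALE_DIR "/usr/share/locale" /* stands in for _PATH_LOCALE  */

/* A locale or file name must be a single path component: non-empty,
 * no '/', not "." or "..", and short enough to be plausible.  This check
 * is a defensive addition beyond what the advisory's patch does. */
int valid_component(const char *s)
{
    size_t len;
    if (s == NULL || (len = strlen(s)) == 0 || len > 64) return 0;
    if (strchr(s, '/') != NULL) return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    return 1;
}

/* Build DEFAULT_LOCALE_DIR/<locale>/<file> into out.  Returns 0 on success
 * and -1 when a component is invalid or the result would not fit; never
 * writes past outsz and leaves out empty on failure, so a caller cannot
 * go on to open a truncated path. */
int build_locale_file(char *out, size_t outsz,
                      const char *locale, const char *file)
{
    if (out == NULL || outsz == 0) return -1;
    out[0] = '\0';
    if (!valid_component(locale) || !valid_component(file)) return -1;
    int n = snprintf(out, outsz, "%s/%s/%s", DEFAULT_LOCALE_DIR, locale, file);
    if (n < 0 || (size_t)n >= outsz) {   /* would not fit: refuse, do not truncate */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[LOCALE_PATH_MAX];
    char small[8];
    char big[2000];                      /* constructed oversized locale name */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    /* ordinary request */
    if (build_locale_file(buf, sizeof buf, "en_US.ISO8859-1", "LC_CTYPE") == 0)
        printf("ok:       %s\n", buf);

    /* oversized name: the old code would have overrun a 1024-byte buffer */
    if (build_locale_file(buf, sizeof buf, big, "LC_CTYPE") != 0)
        printf("rejected: %zu-byte locale name\n", strlen(big));

    /* a component containing '/' is rejected before anything is copied */
    if (build_locale_file(buf, sizeof buf, "../../etc", "passwd") != 0)
        printf("rejected: path component containing '/'\n");

    /* destination too small: refused rather than truncated */
    if (build_locale_file(small, sizeof small, "C", "LC_CTYPE") != 0)
        printf("rejected: %zu-byte destination too small\n", sizeof small);
    return 0;
}
```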
=============================================================================

From owner-freebsd-security Thu Feb 6 12:17:02 1997
From: Joel Maslak
Reply-To: Joel Maslak
To: security@freefall.freebsd.org
Date: Thu, 6 Feb 1997 13:17:15 -0700 (MST)
Organization: Not Likely!
Subject: BLISS Virus

I just completed some tests on the Bliss virus (available first for Linux). I tested it on FreeBSD, with Linux emulation. With emulation, the binary can infect EVEN FREEBSD FILES. Apparently we got something right with our emulation. (Note that the infected files will, from that point onward, need Linux emulation to run)

If you try this, and manage to infect yourself (tisk, tisk), then the following bliss command will remove infection:

bliss --bliss-disinfect-files-please

I will not mention where to get bliss, nor will I respond to mail asking. Currently, it is relatively safe, as it displays hundreds of messages on your screen when you get it, but I would hate to see that modified.

Joel Maslak

Caution: When copying and pasting text, work with only a few lines at a time. If you copy too many lines, you may trigger a bug in the system, and your window will become unstable.
        Pg. 129, "A Practical Guide to the Unix System"

From owner-freebsd-security Thu Feb 6 15:15:35 1997
From: Stephen Fisher
Reply-To: Stephen Fisher
To: Karl Denninger
Cc: Joe Greco, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, security@freebsd.org
Date: Thu, 6 Feb 1997 16:13:13 -0700 (MST)
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
In-Reply-To: <199702051846.MAA08211@Jupiter.Mcs.Net>

[CC: List trimmed to keep the conversation between relevant people and to prevent many duplicate messages].

On Wed, 5 Feb 1997, Karl Denninger wrote:

> No chance. I happen to have already notified people of several related
> problems, including those in "at" and "crontab".
>
> I AM PART OF THE SOLUTION.
>
> Look. I've submitted prs before which have been flamed because they weren't
> "stylized" the way people wanted them, or were just ignored until some time
> later -- even when SEVERE and SECURITY have shown up in them.
>
> Frankly, I'm tired of tilting at windmills.

Karl, you may be submitting useful fixes and ideas, but you are also making a fool of yourself. Seriously. Calm down, back off, you are trying to rush something that will only break if you push it too fast. You get what you pay for, however this is an excellent VOLUNTEER project. Get BSD/OS from BSDI if you want a commercial BSD operating system.
- Steve
- Systems Manager
- Community Internet Access, Inc.
- Gallup and Grants, New Mexico

From owner-freebsd-security Fri Feb 7 20:22:15 1997
From: Chris Walth
To: questions@freebsd.org
Cc: isp@freebsd.org, security@freebsd.org
Date: Fri, 7 Feb 1997 22:21:51 -0600 (CST)
Subject: Problems? or denial of service attack?

Hello,

I am running a server currently with FreeBSD 2.1.0-RELEASE. Yes I know that it is outdated ;)

What I have is someone connecting to port 25 and sending a lot of email messages from a dialup port. I am currently tracing the dialup port.

In the process of looking into this problem I noticed many pages of log entries that state the vm_??? has killed a process and also some about out of swap space.

Here are a couple of the messages:

Feb 7 00:07:51 scanners /kernel: Process 26028 killed by vm_fault -- out of swap
Feb 7 00:07:51 scanners /kernel: swap_pager: out of space
Feb 7 00:07:52 scanners /kernel: Process 25867 killed by vm_pageout -- out of swap
Feb 7 00:07:52 scanners /kernel: swap_pager: out of space
Feb 7 00:07:52 scanners /kernel: Process 25811 killed by vm_fault -- out of swap
Feb 7 00:07:52 scanners /kernel: Process 26035 killed by vm_fault -- out of swap
Feb 7 00:07:52 scanners /kernel: Process 25979 killed by vm_fault -- out of swap
Feb 7 00:07:53 scanners /kernel: Process 25961 killed by vm_fault -- out of swap
Feb 7 00:07:53 scanners /kernel: Process 25986 killed by vm_fault -- out of swap

Any info about this would be greatly appreciated. I am currently planning on upgrading the system to 2.2 when it is released, but I have to do the upgrade remotely or else wait until I can get to the machine. This problem is bugging me, and I do not know where to start on this one.

Thanks for your time..

Chris Walth
............................................................................
Chris Walth                    Scanners/netco
UNIX System Administrator      email: walth@scanners.tec.mn.us
                               phone: 701-280-0922
finger walth@scanners.tec.mn.us to get PGP public Key.
............................................................................
From owner-freebsd-security Fri Feb 7 21:13:24 1997
From: Michael Slater
To: Chris Walth
Cc: questions@freebsd.org, isp@freebsd.org, security@freebsd.org
Date: Sat, 8 Feb 1997 13:18:00 +0800 (WST)
Subject: Re: Problems? or denial of service attack?

> I am running a server currently with FreeBSD 2.1.0-RELEASE. Yes I know
> that it is outdated ;)
>
> What I have is someone connecting to port 25 and sending a lot of email
> messages from a dialup port. I am currently tracing the dialup port.
>
> In the process of looking into this problem I noticed many pages of log
> entries that state the vm_??? has killed a process and also some about
> out of swap space.
>
> Here are a couple of the messages:
>
> Feb 7 00:07:51 scanners /kernel: Process 26028 killed by vm_fault --
> out of swap
> Feb 7 00:07:51 scanners /kernel: swap_pager: out of space
> Feb 7 00:07:52 scanners /kernel: Process 25867 killed by vm_pageout --
> out of swap
> Feb 7 00:07:52 scanners /kernel: swap_pager: out of space

It looks like you are out of Swap space...
Michael Slater
slaterm@tnet.com.au

From owner-freebsd-security Sat Feb 8 07:34:22 1997
From: Chris Walth
To: Michael Slater
Cc: questions@freebsd.org, isp@freebsd.org, security@freebsd.org
Date: Sat, 8 Feb 1997 09:33:45 -0600 (CST)
Subject: Re: Problems? or denial of service attack?

On Sat, 8 Feb 1997, Michael Slater wrote:

>
> It looks like you are out of Swap space...
>
> Michael Slater
> slaterm@tnet.com.au
>

This machine is a web server and email server. There was nobody logged in at these times. I have 32 megs of ram and 43 megs of swap. There was also about 20 pages of messages having to do with sendmail. Here are a few of those attached below.

I have never had any problems before, and now when I was getting these sendmail problems I was getting all these messages. I do not think that it is just a swap problem..

Feb 7 00:06:32 scanners sendmail[26007]: NOQUEUE: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending "451 entering initmaps: fd 1 not open: Invalid argument": Broken pipe
Feb 7 00:06:32 scanners sendmail[26007]: NOQUEUE: SYSERR(root): entering initmaps: fd 1 not open: Invalid argument
Feb 7 00:06:32 scanners sendmail[25996]: NOQUEUE: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending "451 entering initmaps: fd 1 not open: Invalid argument": Broken pipe
Feb 7 00:06:32 scanners sendmail[25996]: NOQUEUE: SYSERR(root): entering initmaps: fd 1 not open: Invalid argument
Feb 7 00:06:34 scanners sendmail[25867]: AAA25867: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending "354 Enter mail, end with "." on a line by itself": Broken pipe
Feb 7 00:06:34 scanners sendmail[25867]: AAA25867: SYSERR(root): Out of memory!!: Cannot allocate memory
Feb 7 00:06:30 scanners sendmail[25999]: NOQUEUE: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending "451 entering initmaps: fd 1 not open: Invalid argument": Broken pipe
Feb 7 00:06:34 scanners sendmail[26012]: NOQUEUE: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending "451 entering initmaps: fd 1 not open: Invalid argument": Broken pipe

What are these initmaps? Did someone possibly gain access to the system? I don't see any evidence. Mail was generated and sent to one person. He got about 200 messages from this person.

Thanks.

Chris
............................................................................
Chris Walth                    Scanners/netco
UNIX System Administrator      email: walth@scanners.tec.mn.us
                               phone: 701-280-0922
finger walth@scanners.tec.mn.us to get PGP public Key.
............................................................................
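The question above (memory exhaustion or a break-in?) can be answered from the two kinds of log line quoted in this thread. As an added example that is not code from any poster, here is a small C scanner that classifies syslog lines of the FreeBSD 2.1 format shown here, counting kernel "out of swap" kills, sendmail SYSERR entries and the remote host named in each putoutmsg() error, and gives a verdict on whether the symptoms fit memory exhaustion under a flood of SMTP connections from one peer. The sample lines are constructed from the ones posted, with the 80-column wrapping undone; all function and field names are assumptions.

```c
/* Added example, not from the thread: classify FreeBSD syslog lines for
 * the symptoms discussed above (kernel out-of-swap kills and sendmail
 * SYSERR lines) and summarise them per remote SMTP peer.  The sample is
 * constructed from the lines posted in the thread, wrapping undone. */
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16

struct swap_report {
    int kernel_kills;          /* "Process N killed by vm_* -- out of swap" */
    int swap_full;             /* "swap_pager: out of space"                 */
    int sendmail_syserr;       /* any sendmail SYSERR line                   */
    int sendmail_oom;          /* sendmail "Out of memory"                   */
    char peer[MAX_HOSTS][64];  /* remote hosts named in "putoutmsg (host)"   */
    int peer_count[MAX_HOSTS];
    int peers;
};

/* Record the remote host named in "putoutmsg (host):" on a sendmail line. */
static void note_peer(struct swap_report *r, const char *line)
{
    const char *p = strstr(line, "putoutmsg (");
    if (p == NULL) return;
    p += strlen("putoutmsg (");
    const char *end = strchr(p, ')');
    if (end == NULL || (size_t)(end - p) >= sizeof r->peer[0]) return;
    char host[64];
    memcpy(host, p, (size_t)(end - p));
    host[end - p] = '\0';
    for (int i = 0; i < r->peers; i++)
        if (strcmp(r->peer[i], host) == 0) { r->peer_count[i]++; return; }
    if (r->peers < MAX_HOSTS) {
        strcpy(r->peer[r->peers], host);   /* host is < 64 bytes by the check above */
        r->peer_count[r->peers] = 1;
        r->peers++;
    }
}

/* Classify one syslog line; returns 1 if it matched a symptom, else 0. */
int classify_line(struct swap_report *r, const char *line)
{
    if (strstr(line, "/kernel: Process ") && strstr(line, "out of swap")) {
        r->kernel_kills++;
        return 1;
    }
    if (strstr(line, "swap_pager: out of space")) {
        r->swap_full++;
        return 1;
    }
    if (strstr(line, "sendmail[") && strstr(line, "SYSERR")) {
        r->sendmail_syserr++;
        if (strstr(line, "Out of memory")) r->sendmail_oom++;
        note_peer(r, line);
        return 1;
    }
    return 0;
}

/* Run the classifier over a NULL-terminated array of lines. */
void scan_lines(struct swap_report *r, const char *const *lines)
{
    memset(r, 0, sizeof *r);
    for (; *lines != NULL; lines++)
        classify_line(r, *lines);
}

/* Heuristic verdict: kernel kills coinciding with sendmail errors that all
 * name one peer fit memory exhaustion under an SMTP flood, not a break-in. */
const char *verdict(const struct swap_report *r)
{
    if (r->kernel_kills == 0 && r->swap_full == 0)
        return "no memory-exhaustion symptoms";
    if (r->sendmail_syserr > 0 && r->peers == 1)
        return "memory exhaustion during sendmail errors from a single peer";
    if (r->sendmail_syserr > 0)
        return "memory exhaustion during sendmail errors from several peers";
    return "memory exhaustion without sendmail errors";
}

/* Constructed sample: lines from the thread (wrapping undone) plus one unrelated line. */
static const char *const sample[] = {
    "Feb 7 00:06:32 scanners sendmail[26007]: NOQUEUE: SYSERR: putoutmsg (dialup-1a.co.net): error on output channel sending \"451 entering initmaps: fd 1 not open: Invalid argument\": Broken pipe",
    "Feb 7 00:06:32 scanners sendmail[26007]: NOQUEUE: SYSERR(root): entering initmaps: fd 1 not open: Invalid argument",
    "Feb 7 00:06:34 scanners sendmail[25867]: AAA25867: SYSERR(root): Out of memory!!: Cannot allocate memory",
    "Feb 7 00:07:51 scanners /kernel: Process 26028 killed by vm_fault -- out of swap",
    "Feb 7 00:07:51 scanners /kernel: swap_pager: out of space",
    "Feb 7 00:07:52 scanners /kernel: Process 25867 killed by vm_pageout -- out of swap",
    "Feb 7 00:07:52 scanners login: ROOT LOGIN (root) ON ttyv0",   /* unrelated noise */
    NULL
};

int main(void)
{
    struct swap_report r;
    scan_lines(&r, sample);
    printf("kernel kills: %d, swap full: %d, sendmail SYSERR: %d (out of memory: %d)\n",
           r.kernel_kills, r.swap_full, r.sendmail_syserr, r.sendmail_oom);
    for (int i = 0; i < r.peers; i++)
        printf("  peer %s: %d error(s)\n", r.peer[i], r.peer_count[i]);
    printf("verdict: %s\n", verdict(&r));
    return 0;
}
```

Run over a real /var/log/messages one line at a time, the same classifier shows whether every kill sits inside a burst of sendmail errors from one source; kills with no sendmail activity around them would deserve a closer look.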
From owner-freebsd-security Sat Feb 8 08:56:28 1997
From: Robert Shady
To: walth@scanners.tec.mn.us (Chris Walth)
Cc: slaterm@excel.tnet.com.au, questions@freebsd.org, isp@freebsd.org, security@freebsd.org
Date: Sat, 8 Feb 1997 11:56:42 -0500 (EST)
Subject: Re: Problems? or denial of service attack?
Message-Id: <199702081656.LAA03084@server.id.net>
In-Reply-To: from Chris Walth at "Feb 8, 97 09:33:45 am"

> > It looks like you are out of Swap space...
>
> This machine is a web server and email server. There was nobody logged
> in at these times. I have 32 megs of ram and 43 megs of swap. There was
> also about 20 pages of messages having to do with sendmail. Here are a
> few of those attached below.
>
> I have never had any problems before, and now when I was getting these
> sendmail problems I was getting all these messages. I do not think that
> it is just a swap problem..

I thought the first poster was being sarcastic (He probably was), because it's so obvious that your problem *IS* that you're running out of memory. I don't build a machine with less than 128MB of swap, 43 is nothing, especially for a machine that's acting as a web server/mail server...
-- Rob === _/_/_/_/_/ _/_/_/_/ _/_/ _/ _/_/_/_/_/ _/_/_/_/_/ _/ _/ _/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/_/_/_/_/ _/_/_/_/ _/ _/ _/_/_/_/_/ _/ Innovative Data Services Serving South-Eastern Michigan Internet Service Provider / Hardware Sales / Consulting Services Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net From owner-freebsd-security Sat Feb 8 09:43:49 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA21878 for security-outgoing; Sat, 8 Feb 1997 09:43:49 -0800 (PST) Received: from alpha.risc.org (trt-on7-45.netcom.ca [207.181.82.173]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA21843; Sat, 8 Feb 1997 09:42:28 -0800 (PST) Received: from localhost (taob@localhost) by alpha.risc.org (8.8.4/8.8.4) with SMTP id MAA17372; Sat, 8 Feb 1997 12:42:07 -0500 (EST) Date: Sat, 8 Feb 1997 12:42:06 -0500 (EST) From: Brian Tao To: "Jordan K. Hubbard" , pst@freebsd.org, FREEBSD-SECURITY-L Subject: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks) In-Reply-To: <20667.855188567@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 5 Feb 1997, Jordan K. Hubbard wrote: > > Thank you, this offer is kindly received. Paul Traina, our > co-security officer, is currently working on a sign-up roster for a > more complete code review, a piece of which I and many of the other > core members have also committed to taking. What sort of requirements would you insist on for a code reviewer? I wouldn't mind poking around some code, but how much proficiency do you need? I can read/write C, but that's like saying "he understands English" and expecting the person to appreciate Shakespeare. I take it there is more to this job than replacing all sprintf's with snprintf's? 
:)
--
Brian Tao (BT300, taob@risc.org)
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Feb 8 09:51:20 1997
To: Brian Tao
cc: pst@freebsd.org, FREEBSD-SECURITY-L
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
In-reply-to: Your message of "Sat, 08 Feb 1997 12:42:06 EST."
Date: Sat, 08 Feb 1997 09:50:59 -0800
Message-ID: <7610.855424259@time.cdrom.com>
From: "Jordan K. Hubbard"

> What sort of requirements would you insist on for a code reviewer?
> I wouldn't mind poking around some code, but how much proficiency do
> you need? I can read/write C, but that's like saying "he understands
> English" and expecting the person to appreciate Shakespeare. I take

I think just a simple & correct understanding of English is probably
more than sufficient for this. :-)

> it there is more to this job than replacing all sprintf's with
> snprintf's? :)

Actually, that's a good 50% of it. The other 50% is replacing
strcpy()'s with strncpy()'s. :-)

Seriously, looking for buffer overflows is not rocket science, though
if you spot more serious bugs along the way then you are more than free
to fix them.
:-)

I'm still waiting for Paul to give me his accumulated archive of volunteers
before kicking this off - we had a slight communications failure and
both ended up thinking that the other was keeping the master list. :)

Jordan

From owner-freebsd-security Sat Feb 8 12:54:19 1997
From: tqbf@enteract.com
Date: 8 Feb 1997 20:54:49 -0000
Message-ID: <19970208205449.3816.qmail@char-star.rdist.org>
To: jkh@time.cdrom.com, freebsd-security@freebsd.org
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
In-Reply-To: <7610.855424259@time.cdrom.com>
Reply-To: tqbf@enteract.com

In article <7610.855424259@time.cdrom.com>, you wrote:
>Actually, that's a good 50% of it. The other 50% is replacing
>strcpy()'s with strncpy()'s. :-)

Don't forget those strvis() overflows. That's at least 3% right there.
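[Editor's note: the following is an added illustration, not code posted by anyone in this thread. It shows the two mechanical substitutions Jordan and Thomas are joking about, the sprintf()/strcpy() form beside its bounded form, together with the one trap a reviewer doing that substitution has to know: strncpy() writes no terminator when the source fills the destination, so the NUL has to be added by hand, while snprintf() reports truncation through its return value. BUF and the sample strings are constructed for the demonstration.]

```c
/*
 * Added example: the sprintf()->snprintf() and strcpy()->strncpy()
 * substitutions from the thread, with the checks a reviewer should keep.
 * Editor-supplied; not code from any message here. BUF and the sample
 * strings are constructed for the demonstration.
 */
#include <stdio.h>
#include <string.h>

#define BUF 16   /* deliberately small so truncation is easy to show */

/* "Before": both calls trust the caller to have sized the destination.
 * Kept only for comparison; nothing below calls it. */
void unsafe_build(char *dst, const char *name)
{
    char tmp[BUF];
    strcpy(tmp, name);            /* writes past tmp if name has >= BUF chars */
    sprintf(dst, "user=%s", tmp); /* writes past dst the same way */
}

/* "After" for strcpy(): bounded copy that always leaves a terminated
 * string. strncpy() alone writes no NUL when src fills dst, so the
 * terminator is written explicitly. Returns 1 if src was truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize;
}

/* "After" for sprintf(): snprintf() never writes more than dstsize bytes
 * and returns the length the complete output would have had, which is
 * how truncation is detected. Returns 1 if the output was truncated. */
int bounded_format(char *dst, size_t dstsize, const char *name)
{
    int n = snprintf(dst, dstsize, "user=%s", name);
    return n < 0 || (size_t)n >= dstsize;
}

/* The strncpy() trap itself: copy src into a dstsize-byte region with
 * plain strncpy() and report whether a NUL landed inside it (1) or the
 * result is an unterminated string (0). dstsize must be <= BUF. */
int strncpy_terminated(size_t dstsize, const char *src)
{
    char buf[BUF + 1];
    if (dstsize > BUF)
        return -1;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, dstsize);
    return memchr(buf, '\0', dstsize) != NULL;
}

int main(void)
{
    char out[BUF];
    const char *longname = "0123456789abcdefXYZ"; /* 19 chars, longer than BUF */
    int t;

    t = bounded_copy(out, sizeof out, longname);
    printf("bounded_copy:   truncated=%d out=\"%s\"\n", t, out);
    t = bounded_format(out, sizeof out, longname);
    printf("bounded_format: truncated=%d out=\"%s\"\n", t, out);
    printf("plain strncpy of \"abcdefgh\" into 8 bytes terminated? %d\n",
           strncpy_terminated(8, "abcdefgh"));
    return 0;
}
```

The strvis() case Thomas mentions is a sizing problem rather than a missing bound: vis(3) can expand every input byte into four output bytes, so the destination must hold 4*strlen(src)+1 bytes. The same review pass therefore has to check the destination arithmetic, not just the function name.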
--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));

From owner-freebsd-security Sat Feb 8 12:56:42 1997
From: Security Administrator
Message-Id: <199702082055.PAA21546@roundtable.cif.rochester.edu>
Subject: Re: Problems? or denial of service attack?
To: rls@mail.id.net (Robert Shady)
Date: Sat, 8 Feb 1997 15:55:41 -0500 (EST)
Cc: walth@scanners.tec.mn.us, slaterm@excel.tnet.com.au, questions@freebsd.org, isp@freebsd.org, security@freebsd.org
In-Reply-To: <199702081656.LAA03084@server.id.net> from "Robert Shady" at Feb 8, 97 11:56:42 am

2-8-97

> > > > It looks like you are out of Swap space...
> > >
> > > This machine is a web server and email server. There was nobody logged
> > > in at these times. I have 32 megs of ram and 43 megs of swap. There was
> > > also about 20 pages of messages having to do with sendmail. Here are a
> > > few of those attached below.
> > >
> > > I have never had any problems before, and now when I was getting these
> > > sendmail problems I was getting all these messages. I do not think that
> > > it is just a swap problem..
>
> I thought the first poster was being sarcastic (he probably was), because
> it's so obvious that your problem *IS* that you're running out of memory.
> I don't build a machine with less than 128MB of swap; 43 is nothing,
> especially for a machine that's acting as a web server/mail server...
>

We've got a machine with 128 Megs of on-board RAM. We STILL decided to
install twice the amount of cache (256 megs) split between two disks in
the SCSI chain. Splitting up the cache between the two disks should, in
theory, speed up your performance.

The conventional wisdom is to have at least twice your memory as swap.
In SunOS, for instance, it was hard to even get a machine to work unless
you had an equal amount of swap and memory, no matter how much RAM was
shoved into the box.

JP
--
System Security Administrator
Computer Interest Floor
University of Rochester
Rochester, NY 14627
sadmin@roundtable.cif.rochester.edu

From owner-freebsd-security Sat Feb 8 13:01:49 1997
From: Security Administrator
Message-Id: <199702082101.QAA21606@roundtable.cif.rochester.edu>
Subject: 2.1.7?
To: freebsd-security@freebsd.org (FreeBSD Security)
Date: Sat, 8 Feb 1997 16:01:08 -0500 (EST)

Is there a date for the release of the sources for 2.1.7? We're running
2.1.6 right now, and we're quivering in our boots.
Once one retrieves the source, would it be sufficient to replace merely
/usr/lib, /usr/libexec, /usr/sbin, /usr/bin, /sbin, and the kernel
sources? I would prefer to do a minimal re-install since that would
require a messy back-up process.

Also, I suppose it is safe to recompile the libraries and binaries using
gcc-2.7.2.1 or gcc-2.6.3 (cc), both of which are already on the system?

Thanks,
JP
--
System Security Administrator
Computer Interest Floor
University of Rochester
Rochester, NY 14627
sadmin@roundtable.cif.rochester.edu

From owner-freebsd-security Sat Feb 8 13:05:51 1997
To: Brian Tao
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
Cc: FREEBSD-SECURITY-L
In-reply-to: Your message of "Sat, 08 Feb 1997 12:42:06 EST."
Date: Sat, 08 Feb 1997 14:05:08 -0700
From: Warner Losh

In message Brian Tao writes:
: English" and expecting the person to appreciate Shakespeare. I take
: it there is more to this job than replacing all sprintf's with
: snprintf's? :)

Yes. Buffer overflows are only one small problem. Creative abuse of
features is another, much harder problem to find.
Warner

From owner-freebsd-security Sat Feb 8 13:27:13 1997
Message-Id: <199702082126.NAA04237@cwsys.cwent.com>
Reply-to: cy@uumail.gov.bc.ca
To: "Stephen F. Combs"
cc: Robin Melville, security@freefall.freebsd.org, jkh@freebsd.org, security-officer@freebsd.org
Subject: Re: security-digest V3 #12
In-reply-to: Your message of "Thu, 06 Feb 1997 10:49:00 EST."
Date: Sat, 08 Feb 1997 13:26:19 -0800
From: Cy Schubert

I don't want to speak for Jordan but I believe that the constant griping
and complaining by a few on this list may have had, in addition to the
reasons he outlined, something to do with his resignation as President
of the FreeBSD project. I'm sure the core and development teams are
doing their best to provide a well written and secure operating system.

I for one would like to third your motion. Keep up the good work. My
switch from Linux to FreeBSD approximately two years ago was for the
very reason that I could see a quality product being developed in the
project in a cohesive and coherent manner (as opposed to the Linux model
of many independent and unrelated or semi-related projects). I'd like to
point out that my experience with free UNIX operating systems has been
more productive than with the commercial vendors.
The telnetd, syslog(), and numerous sendmail bugs have usually taken the
various commercial vendors I deal with months to come out with patches.
A good example is the syslog() bug. It took one vendor three months,
another four months, and yet another six months to deliver patches to
me, while the FreeBSD project had a patch within a week of the bug's
announcement. The FreeBSD project is giving us better service than many
of the vendors at no or very little cost to us.

To you complainers: Why are you intent on pissing off the FreeBSD core
and development teams and ruining a good thing? Do you want everyone
who has been developing this fine operating system to resign just like
Jordan did? If they did we'd have to switch to other operating systems.
I've done that too many times to want to do this again. I'm sure most
people on this list would agree.

To those of you who insist on broadcasting exploits: Would you not be
more effective in distributing these exploits to your intended audience
via #warez or #hackers?

To security-officer@freebsd.org: Please relay my appreciation to the
core and development teams for all of the hard work they've put into
making FreeBSD as stable as it is. I'm sure I speak for the majority of
people who use FreeBSD that we appreciate the effort, especially over
the last few days to fix the setlocale() bug.

Cy Schubert
cschuber@uumail.gov.bc.ca
cys@mailhost.wlc.com

> Hear, Hear! I've been using FreeBSD since the first available pre-release
> snapshot and I've NO PROBLEMS with the core developers! Jordan and the core
> team have been EXTREMELY responsive to problems/security holes/etc.....
> Anything thought of by man can be circumvented by man! (don't remember WHO
> was the originator of that but 'TIS TRUE!).
>
> Guys (and gals, if there are any) KEEP UP THE GOOD WORK!
>
> On 06-Feb-97 Robin Melville wrote:
> >As a careful follower of the security digest I feel moved to add a
> >pennyworth of complaint.
> >
> >I'm getting very tired of wading through the arrogant, hypercritical screeds
> >posted by some correspondents.
> >
> >Any user of FreeBSD must be aware that it's an exceptional piece of work
> >provided by volunteers who work their butts off. Our organisation is
> >particularly grateful to them since it enables us to provide clinical IT
> >which we couldn't possibly afford to do if the only option was commercial
> >Unices/Novell/NT.
> >
> >The setlocale() security hole is unfortunate, but I'm sure not unexceptional
> >in the context of any huge project written in C. Now it's known about and is
> >being/has been fixed. There will be others.
> >
> >Security holes are a problem but also a fact of life for all system
> >managers. I don't have any complaint about the (unpaid) work of the core
> >team in attempting to patch them as they arise. What /would/ be tiresome
> >would be the widespread dissemination of exploits to make a (malicious?) point.
> >
> >Highly skilled hackers will probably always be able to get into systems,
> >this is also a fact of life. Telling (the much larger number) of less
> >skilled/inquisitive users exactly how to get a # seems to me to be
> >monstrously unhelpful. Unskilled hackers with root access are much more
> >likely to do considerable damage by mistake than a passing wizard "bagging"
> >your system or surreptitiously stealing CPU/disk space.
> >
> >If these correspondents have a personal beef with members of the FreeBSD
> >core team would they please conduct it with private email.
> >
> >Thanks.
> >
> >Robin Melville
> >--------------------------------------------------------
> >Robin Melville, Addiction & Forensic Information Service
> >Nottingham Alcohol & Drug Team (Extn. 49178)
> >Vox: +44 (0)115 952 9478 Fax: +44 (0)115 952 9421
> >Email: robmel@nadt.org.uk
> >WWW: http://www.innotts.co.uk/nadt/
> >---------------------------------------------------------
> >
>
> ----
> Stephen F. Combs        Internet: CombsSF@Salem.GE.COM
> GE Industrial Systems   Voice: 540.387.8828
> Network Services        Home: CombsSF-Home@Salem.GE.COM
> 1501 Roanoke Blvd       FAX: 540.387.7106
> Salem, VA 24153         LapTop: CombsSF-Mobile@Salem.GE.COM
>

From owner-freebsd-security Sat Feb 8 13:34:11 1997
Date: Sat, 8 Feb 1997 16:33:40 -0500 (EST)
From: Brian Tao
To: "Jordan K. Hubbard"
cc: pst@freebsd.org, FREEBSD-SECURITY-L
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
In-Reply-To: <7610.855424259@time.cdrom.com>

On Sat, 8 Feb 1997, Jordan K. Hubbard wrote:
>
> Actually, that's a good 50% of it. The other 50% is replacing
> strcpy()'s with strncpy()'s. :-)

I'm sure a perl hacker could come up with a script that can at
least flag some sort of warning where it suspects a line of code may
be susceptible. A grep through the sources only finds about 6000
occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to
get a FreeBSD version of Insure++ or Purify (or whichever product it
was) and run the source tree through it?

> Seriously, looking for buffer overflows is not rocket science,
> though if you spot more serious bugs along the way then you are
> more than free to fix them. :-)

I'm definitely no code hacker, so I think I'd be limited to
standalone user space utilities and leave library routines and kernel
stuff to the experts.
Still, it would be an instructional exercise, even if no potential holes
are found. I think Marc Slemko went over the Apache sources in similar
fashion and submitted a bunch of security-related patches.

> I'm still waiting for Paul to give me his accumulated archive of
> volunteers before kicking this off - we had a slight communications
> failure and both ended up thinking that the other was keeping the
> master list. :)

Doh. :)
--
Brian Tao (BT300, taob@risc.org)
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sat Feb 8 14:06:03 1997
From: tqbf@enteract.com
Date: 8 Feb 1997 22:06:18 -0000
Message-ID: <19970208220618.5502.qmail@char-star.rdist.org>
To: sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org
Subject: Re: 2.1.7
In-Reply-To: <199702082101.QAA21606@roundtable.cif.rochester.edu>
Reply-To: tqbf@enteract.com

In article <199702082101.QAA21606@roundtable.cif.rochester.edu>, you wrote:
>Once one retrieves the source, would it be sufficient to replace merely
>/usr/lib, /usr/libexec, /usr/sbin, /usr/bin, /sbin, and the kernel
>sources? I would prefer to do a minimal re-install since that would require a

Anything you've compiled since installing the system is afflicted with the
crt0 bug. You need to rebuild everything on the system.
--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));

From owner-freebsd-security Sat Feb 8 14:15:33 1997
To: Brian Tao
cc: pst@freebsd.org, FREEBSD-SECURITY-L
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
In-reply-to: Your message of "Sat, 08 Feb 1997 16:33:40 EST."
Date: Sat, 08 Feb 1997 14:14:54 -0800
Message-ID: <8342.855440094@time.cdrom.com>
From: "Jordan K. Hubbard"

> occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to
> get a FreeBSD version of Insure++ or Purify (or whichever product it
> was) and run the source tree through it?

No such animal exists yet, hence that call for survey participants WRT
Insure a few weeks back. Someday, perhaps.
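[Editor's note: the following is an added example, not a tool anyone in this thread posted. It is the kind of first-pass flagger Brian suggests, driven by the list of calls Marc Slemko gives later in the thread (gets, strcpy, strcat, sprintf, scanf, system, popen, exec, mktemp, memcpy). It matches whole identifiers followed by an opening parenthesis, so snprintf() is not reported as sprintf() and strncpy() is not reported as strcpy(); a plain grep for "sprintf" counts the safe variant too, which is one reason raw counts like Brian's 6000 run so high. The sample source lines are constructed. As Marc says, this only produces candidates for a human to read: it does not see an unterminated strncpy(), an insecure temp file, or the "creative abuse of features" Warner mentions.]

```c
/*
 * Added example: a whole-identifier flagger for the calls on Marc
 * Slemko's list. Editor-supplied; not from any message in this thread.
 * The sample "source" lines are constructed for the demonstration.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Calls worth a second look. "exec" is matched as a prefix so the whole
 * execl/execv/execve family is caught (and, as a known false positive,
 * any other identifier starting with "exec"). */
static const char *const suspects[] = {
    "gets", "strcpy", "strcat", "sprintf", "scanf", "system", "popen",
    "exec", "mktemp", "memcpy",
};
#define NSUSPECTS (sizeof suspects / sizeof suspects[0])

static int ident_char(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Returns the suspect name matching the first flagged call on `line`,
 * or NULL when nothing on the line looks like one. A hit is a whole
 * identifier equal to the suspect (or starting with "exec"), followed
 * by optional blanks and '('. Comments and string literals are not
 * parsed: this is a first pass for a human reader, not a verdict. */
const char *flag_line(const char *line)
{
    const char *p = line;
    while (*p) {
        if (!ident_char(*p)) { p++; continue; }
        /* p is at the start of an identifier; find its end */
        const char *e = p;
        while (ident_char(*e)) e++;
        size_t len = (size_t)(e - p);
        for (size_t i = 0; i < NSUSPECTS; i++) {
            size_t slen = strlen(suspects[i]);
            int match = (strcmp(suspects[i], "exec") == 0)
                ? (len >= slen && strncmp(p, suspects[i], slen) == 0)
                : (len == slen && strncmp(p, suspects[i], slen) == 0);
            if (!match) continue;
            const char *q = e;
            while (*q == ' ' || *q == '\t') q++;
            if (*q == '(') return suspects[i];
        }
        p = e;   /* skip the whole identifier before looking further */
    }
    return NULL;
}

/* Constructed sample lines: four should be flagged, four should not. */
static const char *const sample[] = {
    "    strcpy(buf, argv[1]);",                     /* hit: strcpy */
    "    snprintf(buf, sizeof buf, \"%s\", s);",      /* no: bounded form */
    "    strncpy(buf, s, sizeof buf - 1);",           /* no: bounded form */
    "    sprintf(msg, \"%s\", s);",                   /* hit: sprintf */
    "    my_sprintf_wrapper(msg, s);",                /* no: other identifier */
    "    execv(path, args);",                        /* hit: exec family */
    "    fd = mktemp (tmpl);",                        /* hit: blank before '(' */
    "    /* system is up */ int systems = 3;",        /* no: no call here */
};

/* Scan every sample line, print the hits, return how many were flagged. */
int scan_samples(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        const char *why = flag_line(sample[i]);
        if (why) {
            hits++;
            printf("line %zu: %-8s %s\n", i + 1, why, sample[i]);
        }
    }
    return hits;
}

int main(void)
{
    printf("%d of %zu sample lines flagged\n", scan_samples(),
           sizeof sample / sizeof sample[0]);
    return 0;
}
```

Run over a real tree one line at a time (with the file name and line number added to the output), this gives a reviewer a worklist rather than an answer; the judgement about each destination buffer, as in Marc's description of his Apache pass, is still done by reading the code.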
Jordan

From owner-freebsd-security Sat Feb 8 14:39:59 1997
Message-ID: <32FD0078.3F54BC7E@progroup.com>
Date: Sat, 08 Feb 1997 14:38:48 -0800
From: Craig Shaver
Organization: Productivity Group, Inc.
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 2.1.5-RELEASE i386)
To: Brian Tao
CC: security@FreeBSD.ORG
Subject: Re: Don't fulminate, be productive

Did Marc Slemko use perl scripts? Do you have an email addr for Marc?
Do you think he would let others have access to the tools he used?

Brian Tao wrote:
>
> On Sat, 8 Feb 1997, Jordan K. Hubbard wrote:
> >
> > Actually, that's a good 50% of it. The other 50% is replacing
> > strcpy()'s with strncpy()'s. :-)
>
> I'm sure a perl hacker could come up with a script that can at
> least flag some sort of warning where it suspects a line of code may
> be susceptible. A grep through the sources only finds about 6000
> occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to
> get a FreeBSD version of Insure++ or Purify (or whichever product it
> was) and run the source tree through it?
>
> > Seriously, looking for buffer overflows is not rocket science,
> > though if you spot more serious bugs along the way then you are
> > more than free to fix them.
> > :-)
>
> I'm definitely no code hacker, so I think I'd be limited to
> standalone user space utilities and leave library routines and kernel
> stuff to the experts. Still, it would be an instructional exercise,
> even if no potential holes are found. I think Marc Slemko went over
> the Apache sources in similar fashion and submitted a bunch of
> security-related patches.

del ...

> Brian Tao (BT300, taob@risc.org)
> "Though this be madness, yet there is method in't"

--
Craig Shaver (craig@progroup.com) (415)390-0654
Productivity Group POB 60458 Sunnyvale, CA 94088

From owner-freebsd-security Sat Feb 8 14:41:43 1997
Message-Id: <199702082241.OAA01047@cwsys.cwent.com>
Reply-to: cys@mailhost.wlc.com
To: "Jordan K. Hubbard"
cc: Brian Tao, pst@freebsd.org, FREEBSD-SECURITY-L
Subject: Re: Don't fulminate, be productive (was Re: Karl fulminates, film at 11. == thanks)
In-reply-to: Your message of "Sat, 08 Feb 1997 09:50:59 PST." <7610.855424259@time.cdrom.com>
Date: Sat, 08 Feb 1997 14:41:02 -0800
From: Cy Schubert

> > What sort of requirements would you insist on for a code reviewer?
> > I wouldn't mind poking around some code, but how much proficiency do
> > you need? I can read/write C, but that's like saying "he understands
> > English" and expecting the person to appreciate Shakespeare.
> > I take
>
> I think just a simple & correct understanding of English is probably
> more than sufficient for this. :-)
>
> > it there is more to this job than replacing all sprintf's with
> > snprintf's? :)
>
> Actually, that's a good 50% of it. The other 50% is replacing
> strcpy()'s with strncpy()'s. :-)
>
> Seriously, looking for buffer overflows is not rocket science, though
> if you spot more serious bugs along the way then you are more than free
> to fix them. :-)
>
> I'm still waiting for Paul to give me his accumulated archive of volunteers
> before kicking this off - we had a slight communications failure and
> both ended up thinking that the other was keeping the master list. :)
>
> Jordan
>

I would like to help out. I am currently running a 2.1.6 system. Is
that too old?

Cy Schubert
cschuber@uumail.gov.bc.ca
cy@uumail.gov.bc.ca
cys@mailhost.wlc.com

From owner-freebsd-security Sat Feb 8 14:51:01 1997
Date: Sun, 9 Feb 1997 10:02:20 +1100 (EST)
From: Peter Hawkins
Message-Id: <199702082302.KAA11404@rhiannon.clari.net.au>
To: security@freebsd.org
Subject: Re: security-digest V3 #12

I want to fourth the motion on the basis that I deal with a number of
commercial vendors and (on the machine over which I have complete
control for my private business where *my* rear is on the line)
FreeBSD. I was introduced to this operating system only 8 months ago
and have been stunned by both its stability and its security.
Exploiting holes in the commercial machines we run is simple. When
someone mucks up the root password on a box we cannot afford to reboot,
that is precisely what we do. Under FreeBSD, those standard exploits
(and many others besides) have been plugged very effectively.

That a non-commercial product outperforms its commercially produced
counterparts consistently may surprise some, but the reason is
straightforward: to get the "better than average" developer, pay
him/her well. To get the cream, and then to get the cream of their work,
offer them an ideal.

FreeBSD is and will remain the operating system of choice for Clarinet
Internet Services. Should a time windfall blow my way, I will endeavour
to be more proactive in assisting in the development of this system.

Peter Hawkins, Clarinet

From owner-freebsd-security Sat Feb 8 16:22:25 1997
Date: Sat, 8 Feb 1997 17:22:21 -0700 (MST)
From: Marc Slemko
To: Craig Shaver
cc: security@freebsd.org
Subject: Re: Don't fulminate, be productive
In-Reply-To: <32FD0078.3F54BC7E@progroup.com>

On Sat, 8 Feb 1997, Craig Shaver wrote:

> Did Marc Slemko use perl scripts? Do you have an email addr for Marc?
> Do you think he would let others have access to the tools he used?

I did not use any automated tools to assist me when I went through the
Apache source. The Apache source base is small enough that it just
didn't make sense.

Essentially what I did is go through the entire source line by line,
looking for anything that stood out as being suspicious. Those things
include:

gets
strcpy
strcat
sprintf
scanf
system
popen
exec
mktemp
any file creation
memcpy

Not all uses of the above are problems, but many are. After I fixed the
things I noticed, I did a grep on the file to be sure I hadn't missed
any of the above.

Some of the fixes can be annoying, eg. if you have a function that is
passed a pointer to a string without any length info, but the basic
problems are generally trivial to fix. In some ways, FreeBSD fixes are
easier than the Apache ones because for Apache we needed to create a
snprintf() first; with FreeBSD you already have that.

It is difficult to describe all the things which can be possible
security problems in any way which can be scanned for automatically.
You can get most of them, sure, but if I'm going through something I
may as well go all the way. For example, simply scanning for buffer
overflows won't find you the cases where a program insecurely creates a
temp file. The more you look the easier it is to find things. IMHO, an
automated tool isn't overly worth it.

I had started going through the FreeBSD source tree a couple of months
ago, and got a few fixes in but I got interrupted before I got that far.
Hopefully I will get some time to help with some more FreeBSD fixes.

>
> Brian Tao wrote:
> >
> > On Sat, 8 Feb 1997, Jordan K. Hubbard wrote:
> > >
> > > Actually, that's a good 50% of it. The other 50% is replacing
> > > strcpy()'s with strncpy()'s. :-)
> >
> > I'm sure a perl hacker could come up with a script that can at
> > least flag some sort of warning where it suspects a line of code may
> > be susceptible.
> > A grep through the sources only finds about 6000
> > occurrences of sprintf or strcpy. ;-) BTW, has anyone been able to
> > get a FreeBSD version of Insure++ or Purify (or whichever product it
> > was) and run the source tree through it?
> >
> > > Seriously, looking for buffer overflows is not rocket science,
> > > though if you spot more serious bugs along the way then you are
> > > more than free to fix them. :-)
> >
> > I'm definitely no code hacker, so I think I'd be limited to
> > standalone user space utilities and leave library routines and kernel
> > stuff to the experts. Still, it would be an instructional exercise,
> > even if no potential holes are found. I think Marc Slemko went over
> > the Apache sources in similar fashion and submitted a bunch of
> > security-related patches.
> del ...
> > Brian Tao (BT300, taob@risc.org)
> > "Though this be madness, yet there is method in't"
>
> --
> Craig Shaver (craig@progroup.com) (415)390-0654
> Productivity Group POB 60458 Sunnyvale, CA 94088
>

From owner-freebsd-security Sat Feb 8 17:20:27 1997
Message-Id: <199702090121.RAA05433@root.com>
To: tqbf@enteract.com
cc: sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org
Subject: Re: 2.1.7
In-reply-to: Your message of "08 Feb 1997 22:06:18 GMT." <19970208220618.5502.qmail@char-star.rdist.org>
From: David Greenman
Reply-To: dg@root.com
Date: Sat, 08 Feb 1997 17:21:20 -0800

>In article <199702082101.QAA21606@roundtable.cif.rochester.edu>, you wrote:
>>Once one retrieves the source, would it be sufficient to replace merely
>>/usr/lib, /usr/libexec, /usr/sbin, /usr/bin, /sbin, and the kernel
>>sources? I would prefer to do a minimal re-install since that would require a
>
>Anything you've compiled since installing the system is afflicted with the
>crt0 bug. You need to rebuild everything on the system.

Installing the fixed libc should solve the problem for everything that is
built the standard, dynamic/'shared library' way.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Sat Feb 8 20:14:54 1997
Message-ID: <19970209151337.60980@usn.blaze.net.au>
Date: Sun, 9 Feb 1997 15:13:37 +1100
From: David Nugent
To: Security Administrator
Cc: FreeBSD Security
Subject: Re: 2.1.7?
References: <199702082101.QAA21606@roundtable.cif.rochester.edu>
X-Mailer: Mutt 0.61
In-Reply-To: <199702082101.QAA21606@roundtable.cif.rochester.edu>; from Security Administrator on Feb 02, 1997 at 04:01:08PM

On Feb 02, 1997 at 04:01:08PM, Security Administrator wrote:
> Is there a date for the release of the sources for 2.1.7?

Soon, I think.
However, since this started I set up cvsup on client systems where security was critical and started tracking it. I built what will be effectively 2.1.7 with the major security patches within hours of their being committed to the source tree. So, it really doesn't require a "release" to obtain the sources - just set up CVSUP and go. > Once one retrieves the source, would be it sufficient to replace merely > /usr/lib, /usr/libexec, /usr/sbin, /usr/bin, /sbin, and the kernel > sources? I would prefer to do a minimal re-install since that would > require a messy back-up process. unpack sources into /usr/src and type "make world". This will replace all FreeBSD-related libraries and binaries on system. > Also, I suppose it is safe to recompile the libaries and binaries using > gcc-2.7.2.1 or gcc-2.6.3 (cc), both of which are already on the system? Yes. Regards, David Nugent - Unique Computing Pty Ltd - Melbourne, Australia Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/ From owner-freebsd-security Sat Feb 8 22:28:40 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA00247 for security-outgoing; Sat, 8 Feb 1997 22:28:40 -0800 (PST) Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA00242 for ; Sat, 8 Feb 1997 22:28:37 -0800 (PST) Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id AAA18562; Sun, 9 Feb 1997 00:25:33 -0600 (CST) From: "Thomas H. 
Ptacek" Message-Id: <199702090625.AAA18562@enteract.com> Subject: Re: 2.1.7 To: dg@root.com Date: Sun, 9 Feb 1997 00:24:46 -0600 (CST) Cc: tqbf@enteract.com, sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org Reply-To: tqbf@enteract.com In-Reply-To: <199702090121.RAA05433@root.com> from "David Greenman" at Feb 8, 97 05:21:20 pm X-Mailer: ELM [version 2.4 PL24 ME8a] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > Installing the fixed libc should solve the problem for everything that is > built the standard, dynamic/'shared library' way. crt0 is dynamically linked? I don't see the kernel resolving dynamic loading - I thought that was crt0's job. Am I wrong? ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- "I'm standing alone, I'm watching you all, I'm seeing you sinking." From owner-freebsd-security Sat Feb 8 22:54:14 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA02183 for security-outgoing; Sat, 8 Feb 1997 22:54:14 -0800 (PST) Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA02178 for ; Sat, 8 Feb 1997 22:54:11 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id WAA07032; Sat, 8 Feb 1997 22:55:01 -0800 (PST) Message-Id: <199702090655.WAA07032@root.com> X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol To: tqbf@enteract.com cc: sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org Subject: Re: 2.1.7 In-reply-to: Your message of "Sun, 09 Feb 1997 00:24:46 CST." 
<199702090625.AAA18562@enteract.com> From: David Greenman Reply-To: dg@root.com Date: Sat, 08 Feb 1997 22:55:01 -0800 Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk >> Installing the fixed libc should solve the problem for everything that is >> built the standard, dynamic/'shared library' way. > >crt0 is dynamically linked? I don't see the kernel resolving dynamic >loading - I thought that was crt0's job. Am I wrong? crt0 is static and part of every binary. The real problem is with what crt0 calls - _startup_setlocale() in libc, which does a getenv of PATH_LOCALE and copies it to a stack buffer without bounds checking. I removed the getenv call from the libc code, so this attack simply doesn't exist anymore. Anything that is built shared/dynamic will get the new libc and thus will no longer be vulnerable. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project From owner-freebsd-security Sat Feb 8 23:29:42 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id XAA04124 for security-outgoing; Sat, 8 Feb 1997 23:29:42 -0800 (PST) Received: from enteract.com (root@enteract.com [206.54.252.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA04119 for ; Sat, 8 Feb 1997 23:29:40 -0800 (PST) Received: (from tqbf@localhost) by enteract.com (8.8.5/8.7.6) id BAA19357; Sun, 9 Feb 1997 01:29:15 -0600 (CST) From: "Thomas H. Ptacek" Message-Id: <199702090729.BAA19357@enteract.com> Subject: Re: 2.1.7 To: dg@root.com Date: Sun, 9 Feb 1997 01:28:34 -0600 (CST) Cc: tqbf@enteract.com, sadmin@roundtable.cif.rochester.edu, freebsd-security@freebsd.org Reply-To: tqbf@enteract.com In-Reply-To: <199702090655.WAA07032@root.com> from "David Greenman" at Feb 8, 97 10:55:01 pm X-Mailer: ELM [version 2.4 PL24 ME8a] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > crt0 is static and part of every binary. For a second there I thought I was crazy. 
=) > The real problem is with what crt0 calls - _startup_setlocale() in libc, > which does a getenv of PATH_LOCALE and copies it to a stack buffer without You're right, obviously, the real problem is the locale routines themselves, not the call to them in crt0. Sorry. ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- "I'm standing alone, I'm watching you all, I'm seeing you sinking."
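The defect the thread settles on is a libc startup routine that copies the value of an environment variable into a fixed-size stack buffer with no length check, reachable from every setuid program because crt0 is linked into each binary. The following is an added illustration, not FreeBSD's `_startup_setlocale()` or any code from the posters: it shows the shape of the unbounded copy beside a bounded replacement that also refuses to honour the environment when real and effective ids differ. The 1024-byte buffer size is the figure given in the thread; the function names, the `EXAMPLE_LOCALE_PATH` variable and the status codes are this example's own. Greenman's actual fix, as he states above, was to remove the `getenv` call altogether, which is the stronger choice where the variable is not needed; the bounded copy below is the alternative when the value must be kept.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv/unsetenv prototypes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOCALE_BUF 1024            /* stack buffer size given in the thread */

enum env_status { ENV_UNSET, ENV_OK, ENV_TOO_LONG, ENV_IGNORED };

/* Before: the pattern described in the thread. The environment value is
 * copied into a fixed stack buffer with no length comparison, so any value
 * longer than LOCALE_BUF - 1 bytes overruns the caller's frame. Kept for
 * contrast only; nothing in this file calls it. */
void locale_path_unsafe(const char *name, char path[LOCALE_BUF])
{
    const char *p = getenv(name);
    if (p != NULL)
        strcpy(path, p);           /* no bounds check: the bug */
}

/* A setuid/setgid process must not let an untrusted environment pick
 * which files it opens. Comparing real and effective ids is the portable
 * form of the check; the BSDs also provide issetugid() for this. */
int env_is_trusted(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* After: copy getenv(name) into dst only if it fits, and only when the
 * environment is trusted. dst is always left NUL-terminated, so a rejected
 * value cannot leak an uninitialised or partial path to the caller. */
enum env_status locale_path_bounded(const char *name, char *dst, size_t dstsz)
{
    if (dstsz == 0)
        return ENV_TOO_LONG;
    dst[0] = '\0';
    if (!env_is_trusted())
        return ENV_IGNORED;
    const char *p = getenv(name);
    if (p == NULL)
        return ENV_UNSET;
    size_t n = strlen(p);
    if (n >= dstsz)                 /* no room for the value plus terminator */
        return ENV_TOO_LONG;
    memcpy(dst, p, n + 1);
    return ENV_OK;
}

int main(void)
{
    char path[LOCALE_BUF];

    /* Constructed inputs: a plausible value, then one far longer than the
     * buffer, set under an example variable name rather than PATH_LOCALE. */
    setenv("EXAMPLE_LOCALE_PATH", "/usr/share/locale", 1);
    printf("short value:    status %d, path \"%s\"\n",
           locale_path_bounded("EXAMPLE_LOCALE_PATH", path, sizeof path), path);

    char big[4096];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    setenv("EXAMPLE_LOCALE_PATH", big, 1);
    printf("overlong value: status %d, path \"%s\"\n",
           locale_path_bounded("EXAMPLE_LOCALE_PATH", path, sizeof path), path);
    return 0;
}
```

The `n >= dstsz` comparison is the whole fix: a value of exactly `dstsz` bytes is rejected because the terminator would not fit, which is the off-by-one that `strncpy`-based patches often miss. The `env_is_trusted()` gate addresses the second half of the original report, that the problem matters because setuid programs inherit an attacker-chosen environment; a program that is not running with elevated privileges can safely honour the variable.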