From owner-freebsd-security@FreeBSD.ORG Sat Mar 1 23:17:21 2008
Date: Sun, 2 Mar 2008 02:06:34 +0300
From: Eygene Ryabinkin
To: sipherr@gmail.com
Cc: freebsd-security@freebsd.org, vuln-dev@securityfocus.com
Subject: Re: *BSD user-ppp local root (when conditions permit)
In-Reply-To: <20080229163903.3680.qmail@securityfocus.com>

Good day.

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
>
> Steps to reproduce:
>
> 1. Run ppp
>
> 2. type the following (or at least some variation of)
>
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like a stack-based buffer overflow. Also works on FreeBSD 7.0. Could you please test the following rough patch -- it seems to cure the situation. Although it is a bit late for today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+    if (to >= endto) {
+      *endto = '\0';
+      return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
           *to++ = '\\';	/* Pass the escapes on, maybe skipping \# */
           break;
         }
+        if (to >= endto) {
+          *endto = '\0';
+          return from;
+        }
         *to++ = *from++;
         break;
       case '$':
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+        if (to >= endto) {
+          *endto = '\0';
+          return from;
+        }
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+          if (to + len >= endto) {
+            *to = '\0';
+            return from;
+          }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);

Thank you!

--
Eygene

From owner-freebsd-security@FreeBSD.ORG Sun Mar 2 01:25:11 2008
Message-ID: <47C9F951.3090408@obluda.cz>
Date: Sun, 02 Mar 2008 01:48:17 +0100
From: Dan Lukes
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)

Eygene Ryabinkin napsal/wrote, On 03/02/08 00:06:
>> 1. Run ppp
>> 2. type the following (or at least some variation of)
...
> Yes, good catch: looks like stack-based buffer overflow
> Could you please test the following rough patch

It seems you are going to cut off part of the line silently.

IMHO - the line should be rejected as invalid altogether, or at least a warning needs to be issued ...

Someone may create such a long line (unintentionally); it will not work for them with no hint why - it's not so polite ...
Dan

From owner-freebsd-security@FreeBSD.ORG Sun Mar 2 05:59:57 2008
Date: Sun, 2 Mar 2008 08:59:53 +0300
From: Eygene Ryabinkin
To: Dan Lukes
Cc: freebsd-security@freebsd.org, sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)
In-Reply-To: <47C9F951.3090408@obluda.cz>

Dan, good day.

Sun, Mar 02, 2008 at 01:48:17AM +0100, Dan Lukes wrote:
> Eygene Ryabinkin napsal/wrote, On 03/02/08 00:06:
>>> 1. Run ppp
>>> 2. type the following (or at least some variation of)
> ...
>
>> Yes, good catch: looks like stack-based buffer overflow
>
>> Could you please test the following rough patch
>
> It seems you are going to cut off part of the line silently.
>
> IMHO - the line should be rejected as invalid altogether, or at least a warning needs to be issued ...

Yes, I will add the necessary statements. But first I want to verify that the exploitation path is not available anymore.

> Someone may create such a long line (unintentionally); it will not work for them with no hint why - it's not so polite ...

Maybe the buffer should even be dynamically resized -- will look into it.

Thanks!
--
Eygene

From owner-freebsd-security@FreeBSD.ORG Sun Mar 2 06:11:47 2008
Date: Sun, 2 Mar 2008 09:11:44 +0300
From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Cc: sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)

Me again.

Sun, Mar 02, 2008 at 02:06:34AM +0300, Eygene Ryabinkin wrote:
> Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> > I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> >
> > Steps to reproduce:
> >
> > 1. Run ppp
> >
> > 2. type the following (or at least some variation of)
> >
> > ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> >
> > This will produce a segmentation violation (Core dumped).
>
> Yes, good catch: looks like a stack-based buffer overflow. Also works
> on FreeBSD 7.0. Could you please test the following rough patch --
> it seems to cure the situation. Although it is a bit late for
> today and I will recheck it more carefully tomorrow.
About the possible exploitation scenarios: I see two of them in the default FreeBSD installation, when ppp is setuid root and permitted to run only for root and the 'network' group.

a) Trusted users from the group 'network': interactive privilege escalation and local root exploit.

b) Trusted users who can modify ppp's configuration files: non-interactive escalation and local root exploit (remote root exploit in the setups where some Web interface to the PPP configuration and the like exists).

Have I missed something?

--
Eygene

From owner-freebsd-security@FreeBSD.ORG Sun Mar 2 11:35:49 2008
Date: Sun, 2 Mar 2008 14:35:41 +0300
From: Eygene Ryabinkin
To: Dan Lukes
Cc: freebsd-security@freebsd.org, security-officer@FreeBSD.org, secteam@FreeBSD.org, sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)

Me again.

Sun, Mar 02, 2008 at 08:59:53AM +0300, Eygene Ryabinkin wrote:
> >> Could you please test the following rough patch
> >
> > It seems you are going to cut off part of the line silently.
> >
> > IMHO - the line should be rejected as invalid altogether, or at least a warning needs to be issued ...
>
> Yes, I will add the necessary statements. But first I want to
> verify that the exploitation path is not available anymore.

OK, here we go: the above patch seems to fix all issues with the InterpretArg function, and it properly warns the user that the expansion failed due to the lack of free buffer space. But if someone asks me, then I am in the mood to check the rest of ppp's code: maybe other issues will arise. But it won't be very quick.

> > Someone may create such a long line (unintentionally); it will not work for them with no hint why - it's not so polite ...
>
> Maybe the buffer should even be dynamically resized -- will look
> into it.

Did not mess with this: too long for now.

Please, test the new patch and report back in any case.

-----
From dd38bd346faf42a528f32e0f3fb01ad1dbd95b4f Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 2 Mar 2008 10:26:48 +0300
Subject: [PATCH] Fix buffer overflow in the InterpretArg code.

No destination buffer boundary checks were done, so tilde and environment variable expansions could lead to buffer overflows. Ordinary strings were not generally affected, since the length of the input (uninterpreted) buffer is at most equal to the length of the destination (interpreted) buffer.

Signed-off-by: Eygene Ryabinkin
---
 usr.sbin/ppp/command.c |    5 ++++-
 usr.sbin/ppp/systems.c |   41 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index ed4866c..5f90888 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -1132,7 +1132,10 @@ command_Expand_Interpret(char *buff, int nb, char *argv[MAXARGS], int offset)
 {
   char buff2[LINE_LEN-offset];
 
-  InterpretArg(buff, buff2);
+  if (InterpretArg(buff, buff2) == NULL) {
+    log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", buff);
+    return -1;
+  }
   strncpy(buff, buff2, LINE_LEN - offset - 1);
   buff[LINE_LEN - offset - 1] = '\0';
 
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..1025e02 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -64,7 +64,14 @@ CloseSecret(FILE *fp)
   fclose(fp);
 }
 
-/* Move string from ``from'' to ``to'', interpreting ``~'' and $.... */
+/*
+ * Move string from ``from'' to ``to'', interpreting ``~'' and $....
+ * Returns NULL is string expansion failed due to the lack of
+ * free space.
+ *
+ * NB: destination buffer size is hardcoded, so we rely it to be
+ * no less then LINE_LEN characters.
+ */
 const char *
 InterpretArg(const char *from, char *to)
 {
@@ -82,6 +89,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+    if (to >= endto) {
+      *endto = '\0';
+      return NULL;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
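Review bot: the new comment in the systems.c hunk states that InterpretArg relies on a destination of at least LINE_LEN characters, yet the command.c hunk calls it with `char buff2[LINE_LEN-offset]`; for any offset > 0 the hardcoded bound still permits writes past the end of buff2, so the overflow is narrowed rather than closed. Pass the destination size in (for example `InterpretArg(const char *from, char *to, size_t tolen)`) or allocate buff2 at LINE_LEN and keep the `LINE_LEN - offset - 1` clamp only on the copy back into buff. The `return -1` in command_Expand_Interpret also requires every caller to treat a negative result as failure rather than as an argument count; the callers are not in this hunk, so that is worth confirming. Minor, in the same comment: "Returns NULL is string expansion failed" should read "if", and "no less then" should read "than".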
@@ -97,6 +108,10 @@ InterpretArg(const char *from, char *to)
           *to++ = '\\';	/* Pass the escapes on, maybe skipping \# */
           break;
         }
+        if (to >= endto) {
+          *endto = '\0';
+          return NULL;
+        }
         *to++ = *from++;
         break;
       case '$':
@@ -127,9 +142,17 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+        if (to >= endto) {
+          *endto = '\0';
+          return NULL;
+        }
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
+          if ((int)strlen(env) >= endto - to) {
+            *endto = '\0';
+            return NULL;
+          }
           strncpy(to, env, endto - to);
           *endto = '\0';
           to += strlen(to);
@@ -142,13 +165,25 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+          if (to + len >= endto) {
+            *to = '\0';
+            return NULL;
+          }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);
         }
+        if (to >= endto) {
+          *endto = '\0';
+          return NULL;
+        }
         if (pwd == NULL)
           *to++ = '~';
         else {
+          if ((int)strlen(pwd->pw_dir) >= endto - to) {
+            *endto = '\0';
+            return NULL;
+          }
           strncpy(to, pwd->pw_dir, endto - to);
           *endto = '\0';
           to += strlen(to);
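Review bot: the failure paths in these hunks terminate the destination inconsistently: the `~user` branch writes `*to = '\0'`, while every other bail-out writes `*endto = '\0'` and leaves the bytes between `to` and `endto` uninitialised, so the partial result is terminated but contains garbage. Terminating at `to` everywhere keeps the destination a valid string on every exit. With the new length guards in place, strncpy copies the whole string including its NUL, so the `*endto = '\0'` that follows each guarded strncpy is now redundant. The comparisons `(int)strlen(env) >= endto - to` and `(int)strlen(pwd->pw_dir) >= endto - to` mix a cast size_t with a ptrdiff_t; since `to < endto` already holds at that point, `strlen(env) >= (size_t)(endto - to)` is the cleaner form. The `if (to >= endto)` inserted after the getpwnam block looks unreachable as a failure, because `to` has not advanced since the check at the top of the loop, unless it is moved somewhere these hunks do not show.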
@@ -185,6 +220,10 @@ DecodeCtrlCommand(char *line, char *arg)
 
   if (!strncasecmp(line, "include", 7) && issep(line[7])) {
     end = InterpretArg(line+8, arg);
+    if (end == NULL) {
+      log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", line);
+      return CTRL_UNKNOWN;
+    }
     if (*end && *end != '#')
       log_Printf(LogWARN, "usage: !include filename\n");
     else
--
1.5.3.8
-----

Thanks!

--
Eygene

From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 11:28:29 2008
Message-ID: <47CFCE4C.7010200@dmaccess.net>
Date: Thu, 06 Mar 2008 17:58:20 +0700
From: "kamolpat@dmaccess.net"
To: freebsd-security@FreeBSD.org
Subject: DDOS problem from Bangkok, Thailand

Dear Security team,

I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a problem: my FreeBSD 6.0 server got DoS attacked. What should I do? At present, I have decided to stop Apache and leave only the mail service functioning. Any guide/recommendation/solution will be appreciated.

More detail about my server:
======================
FreeBSD 6.0
apache-1.3.34_4
php5-5.1.2_1
MySQL 5.0.20

php.ini
======
;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_input_time = 60     ; Maximum amount of time each script may spend parsing r
memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because of the errors in httpd-error.log, however, it still gives the error shown below in httpd-error.log)

FILE:/var/log/httpd-error.log
=====================
Allowed memory size of 33554432 bytes exhausted .... happened like this all over the log

Thanks in advance,
Kamolpat Pornatiwiwat,
Sys admin
DMaccess Co., Ltd.
From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 12:46:06 2008
Date: Thu, 6 Mar 2008 14:32:32 +0200
From: "Marc Silver"
To: "kamolpat@dmaccess.net"
Cc: freebsd-security@freebsd.org
Subject: Re: DDOS problem from Bangkok, Thailand
In-Reply-To: <47CFCE4C.7010200@dmaccess.net>

Hi,

I assume the DoS is coming from multiple machines all hitting you on port 80? If it's from a specific address or range of addresses you should use ipfw or pf to block it at the firewall level before it hits your machine. Is the DoS hitting one specific page or a whole bunch of different ones? Sadly there is very little you may be able to do, but if you provide more information people on this list may be able to help you mitigate the threat slightly.

Most importantly, you should also consider contacting your upstream providers so that they can take action.

Cheers,
Marc

On Thu, Mar 6, 2008 at 12:58 PM, kamolpat@dmaccess.net <kamolpat@dmaccess.net> wrote:
> Dear Security team,
>
> I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a problem: my FreeBSD 6.0 server got DoS attacked. What should I do? At present, I have decided to stop Apache and leave only the mail service functioning. Any guide/recommendation/solution will be appreciated.
>
> More detail about my server:
> ======================
> FreeBSD 6.0
> apache-1.3.34_4
> php5-5.1.2_1
> MySQL 5.0.20
>
>
> php.ini
> ======
> ;;;;;;;;;;;;;;;;;;;
> ; Resource Limits ;
> ;;;;;;;;;;;;;;;;;;;
>
> max_execution_time = 30     ; Maximum execution time of each script, in seconds
> max_input_time = 60     ; Maximum amount of time each script may spend parsing r
> memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because of the errors in httpd-error.log, however, it still gives the error shown below in httpd-error.log)
>
>
> FILE:/var/log/httpd-error.log
> =====================
> Allowed memory size of 33554432 bytes exhausted .... happened like this all over the log
>
> Thanks in advance,
> Kamolpat Pornatiwiwat,
> Sys admin
> DMaccess Co., Ltd.

--
Light up the Darkness.
- Bob Marley

From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 13:04:35 2008
Message-ID: <47CFEBC6.20808@vwsoft.com>
Date: Thu, 06 Mar 2008 14:04:06 +0100
From: Volker
To: "kamolpat@dmaccess.net"
Cc: freebsd-security@FreeBSD.org
Subject: Re: DDOS problem from Bangkok, Thailand
In-Reply-To: <47CFCE4C.7010200@dmaccess.net>

On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> Dear Security team,
>
> I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a problem: my FreeBSD 6.0 server got DoS attacked. What should I do? At present, I have decided to stop Apache and leave only the mail service functioning. Any guide/recommendation/solution will be appreciated.
>
> More detail about my server:
> ======================
> FreeBSD 6.0
> apache-1.3.34_4
> php5-5.1.2_1
> MySQL 5.0.20
>
>
> php.ini
> ======
> ;;;;;;;;;;;;;;;;;;;
> ; Resource Limits ;
> ;;;;;;;;;;;;;;;;;;;
>
> max_execution_time = 30     ; Maximum execution time of each script, in seconds
> max_input_time = 60     ; Maximum amount of time each script may spend parsing r
> memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because of the errors in httpd-error.log, however, it still gives the error shown below in httpd-error.log)
>
>
> FILE:/var/log/httpd-error.log
> =====================
> Allowed memory size of 33554432 bytes exhausted ....
> happened like this all over the log
>
> Thanks in advance,
> Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.

Kamolpat,

without being a member of the secteam, I'd like to jump in here.

${subject} contains "DDoS" but I don't see any signs of a DDoS from what you're describing. Sure, it might be a DoS attack, but that needs careful inspection of your log file (look for specially crafted URLs being requested).

To me, exhausted memory situations are more likely to be application problems (read as: bad code). With just that exhausted memory message given, it's guesswork to tell more, but you may want to check PHP's bug database.

BTW (not related to your problem), you might also want to consider migrating to Apache 2.x as support for Apache 1.3.x will end soon, IIRC. Also FreeBSD 6.0 will be EOL'd in less than 3 months.

If you still think it's a DoS attack you're seeing, you should query upstream (either PHP or Apache folks) for help on that.

Regards,
Volker

From owner-freebsd-security@FreeBSD.ORG Thu Mar 6 16:00:18 2008
Message-ID: <78cb3d3f0803060800n22254040qcacb0aa1836f2179@mail.gmail.com>
Date: Thu, 6 Mar 2008 18:00:14 +0200
From: "Adrian Penisoara"
To: Volker
Cc: "kamolpat@dmaccess.net", freebsd-security@freebsd.org
Subject: Re: DDOS problem from Bangkok, Thailand
In-Reply-To: <47CFEBC6.20808@vwsoft.com>

Hi,

On Thu, Mar 6, 2008 at 3:04 PM, Volker wrote:
> On 03/06/08 11:58, kamolpat@dmaccess.net wrote:
> > Dear Security team,
> >
> > I'm Kamolpat Pornatiwiwat, Sys admin of DMaccess Co., Ltd. I've got a problem: my FreeBSD 6.0 server got DoS attacked. What should I do? At present, I have decided to stop Apache and leave only the mail service functioning. Any guide/recommendation/solution will be appreciated.
> >
> > More detail about my server:
> > ======================
> > FreeBSD 6.0
> > apache-1.3.34_4
> > php5-5.1.2_1
> > MySQL 5.0.20
> >
> >
> > php.ini
> > ======
> > ;;;;;;;;;;;;;;;;;;;
> > ; Resource Limits ;
> > ;;;;;;;;;;;;;;;;;;;
> >
> > max_execution_time = 30     ; Maximum execution time of each script, in seconds
> > max_input_time = 60     ; Maximum amount of time each script may spend parsing r
> > memory_limit = 32M (at the beginning it was 8M; I changed it to 32MB because of the errors in httpd-error.log, however, it still gives the error shown below in httpd-error.log)
> >
> >
> > FILE:/var/log/httpd-error.log
> > =====================
> > Allowed memory size of 33554432 bytes exhausted .... happened like this all over the log
> >
> > Thanks in advance,
> > Kamolpat Pornatiwiwat, Sys admin DMaccess Co., Ltd.
>
> Kamolpat,
>
> without being a member of the secteam, I'd like to jump in here.
>
> ${subject} contains "DDoS" but I don't see any signs of a DDoS from what you're describing. Sure, it might be a DoS attack, but that needs careful inspection of your log file (look for specially crafted URLs being requested).
>
> To me, exhausted memory situations are more likely to be application problems (read as: bad code). With just that exhausted memory message given, it's guesswork to tell more, but you may want to check PHP's bug database.
>

Hmm, I'm wondering -- if you see a simple SYN flood attack (just opening connections without sending an HTTP request) then you should try enabling the accf_http(9) mechanism in the kernel and using the "AcceptFilter http" Apache configuration.

My 5 cents,
Adrian Penisoara
ROFUG / EnterpriseBSD