From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 20:13:52 2008
Date: Sun, 6 Apr 2008 12:47:11 -0700 (PDT)
From: stheg olloydson
To: freebsd-security@freebsd.org
Message-ID: <185727.37681.qm@web32704.mail.mud.yahoo.com>
Subject: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

Hello,

According to the information at mitre.org, both 6.x and 7.0 are
vulnerable. I see in NetBSD's CVS log for
src/lib/libc/stdlib/strfmon.c, they have patched this on March
27.
Looking at FreeBSD's CVS log at
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c,
shows that no changes have been made since Mon Sep 12, 2005.
Is our strfmon() not vulnerable as reported?

stheg

From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 21:15:06 2008
Date: Sun, 6 Apr 2008 22:55:06 +0200
From: "Simon L. Nielsen"
To: stheg olloydson
Cc: freebsd-security@freebsd.org
Message-ID: <20080406205506.GE1127@FreeBSD.org>
In-Reply-To: <185727.37681.qm@web32704.mail.mud.yahoo.com>
Subject: Re: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:

> According to the information at mitre.org, both 6.x and 7.0 are
> vulnerable. I see in NetBSD's CVS log for
> src/lib/libc/stdlib/strfmon.c, they have patched this on March
> 27.

Note that the change in NetBSD is possibly incomplete to fix the
issue. I'm not sure what the final conclusion was on that.

> Looking at FreeBSD's CVS log at
> http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/strfmon.c,
> shows that no changes have been made since Mon Sep 12, 2005.
> Is our strfmon() not vulnerable as reported?

The FreeBSD version is affected and will be fixed in -CURRENT / HEAD
shortly.

The FreeBSD Security Team has yet to be able to come up with any real
cases where this is an actual security issue, so unless we find any
place where this is actually a problem, the issue will be handled as a
normal bug and merged to -STABLE branches accordingly.

Note that allowing untrusted format strings to be used is normally a
bad idea, so any application where the strfmon issue is a problem is
likely already broken.

--
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 22:18:45 2008
Date: Sun, 06 Apr 2008 23:01:28 +0100
From: Adrian Portelli
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, stheg olloydson
Message-ID: <47F94838.6060105@stindustries.net>
In-Reply-To: <20080406205506.GE1127@FreeBSD.org>
Subject: Re: CVE-2008-1391 - Multiple BSD Platforms "strfmon()" Function Integer Overflow

Simon L. Nielsen wrote:
> On 2008.04.06 12:47:11 -0700, stheg olloydson wrote:
>
>> According to the information at mitre.org, both 6.x and 7.0 are
>> vulnerable. I see in NetBSD's CVS log for
>> src/lib/libc/stdlib/strfmon.c, they have patched this on March
>> 27.
>
> Note that the change in NetBSD is possibly incomplete to fix the
> issue. I'm not sure what the final conclusion was on that.
>

The final conclusion was a subsequent commit on the 27th:

http://archive.netbsd.se/?ml=netbsd-source-changes&a=2008-03&m=6750722
http://archive.netbsd.se/?ml=netbsd-source-changes&a=2008-03&m=6846592

We're still in the process of getting the changes pulled up.

adrian.

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 15:18:36 2008
Date: Mon, 7 Apr 2008 19:18:33 +0400
From: Eygene Ryabinkin
To: secteam@FreeBSD.org
Cc: freebsd-security@freebsd.org, security-officer@FreeBSD.org, des@freebsd.org
Subject: CVE-2008-1483: OpenSSH X11 connection hijacking

Good day.

I just read the security alert from the Globus Alliance and want to
pass this information to the FreeBSD security people. Apologies if
the issue is already known and is being worked on. Since the
information was already disclosed to the public, I am CC'ing the
freebsd-security mailing list.

The following sources show that OpenBSD <= 4.9 are affected by the
local X11 connection hijacking:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1483
http://www.openssh.org/txt/release-5.0

The following patch is said to cure the problem:

http://cvs.fedora.redhat.com/viewcvs/rpms/openssh/devel/openssh-3.9p1-skip-used.patch?rev=1.1&view=markup

Adding 'AddressFamily inet' or using an IPv6-disabled system
configuration should eliminate the issue. But the default
configuration of SSH and/or FreeBSD kernel uses AddressFamily of 'any'
and has IPv6 enabled in the GENERIC kernel, so it can be affected.

Unable to test it by myself, since all FreeBSD systems I have at hand
are running IPv4 only.

--
Eygene

From owner-freebsd-security@FreeBSD.ORG Sat Apr 12 00:23:12 2008
Date: Sat, 12 Apr 2008 04:28:06 +0430
From: budsz
To: freebsd-security@freebsd.org
Message-ID: <4d4dc3640804111658k16a4b27fr5b8dff7f3997f927@mail.gmail.com>
Subject: ARP Poisoning

Hallo,

I have a LAN with XP systems configured and FreeBSD acting as router.
I get a strange trouble: each computer is disconnecting from the
others. This happens at random times, maybe about 15 minutes after
running well. In /var/log/message I got movement of an ARP entry to
another MAC ADDR on the same IP ADDR. Does anyone know what is
happening? Is that ARP poisoning? If the answer is yes, how to prevent
or resolve this problem?

Thank you in advance.

--
budsz

From owner-freebsd-security@FreeBSD.ORG Sat Apr 12 01:38:49 2008
Date: Sat, 12 Apr 2008 03:19:31 +0200
From: Dan Lukes
To: freebsd-security@freebsd.org
Message-ID: <48000E23.2000907@obluda.cz>
In-Reply-To: <4d4dc3640804111658k16a4b27fr5b8dff7f3997f927@mail.gmail.com>
Subject: Re: ARP Poisoning

budsz wrote, On 04/12/08 01:58:
> I got movement of an ARP entry to another MAC ADDR
> on the same IP ADDR. Does anyone know what is happening? Is that ARP
> poisoning?

Not necessarily. It may be a misconfigured computer (configured
statically to use an address assigned to another computer). Or there
may be an unauthorized DHCP server - for example a misconfigured
Windows machine with two or more NICs may run one, causing the IP
conflicts.

Yes, it may be an intentional attack also.

How to resolve? You need to find the source of the problem and
disconnect it. If it is a misconfiguration, you may identify the
computer via MAC. If it is an attack and your LAN is not so large, you
may try to disconnect parts of it - when the problem disappears you
know the segment of the computer you are searching for. If your LAN
isn't small you need to consult your switches to see where the
attacker's MAC comes from. You can't build a reliable large LAN with
dumb switches, so I'm sure you have smart switches on your LAN.

But it seems to me your question has nothing to do with FreeBSD, with
the exception that there is one computer with FreeBSD connected to the
problematic LAN.

Dan
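The triage described in the reply above (a single address conflict versus one MAC taking over many addresses) can be run over the router's log. This is an added example, not part of the original thread: it assumes the FreeBSD kernel's "arp: <ip> moved from <mac> to <mac> on <ifname>" log line, and the sample lines, addresses and the min_ips threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line format: FreeBSD kernel "arp: <ip> moved from <mac> to <mac> on <if>".
MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Apr 12 00:10:01 router kernel: arp: 192.168.1.10 moved from 00:11:22:33:44:10 to 02:de:ad:be:ef:01 on rl0
Apr 12 00:10:03 router kernel: arp: 192.168.1.1 moved from 00:11:22:33:44:01 to 02:de:ad:be:ef:01 on rl0
Apr 12 00:10:09 router kernel: arp: 192.168.1.10 moved from 02:de:ad:be:ef:01 to 00:11:22:33:44:10 on rl0
Apr 12 00:10:12 router kernel: arp: 192.168.1.11 moved from 00:11:22:33:44:11 to 02:de:ad:be:ef:01 on rl0
Apr 12 00:25:40 router kernel: arp: 192.168.1.50 moved from 00:11:22:33:44:50 to 00:aa:bb:cc:dd:50 on rl0
Apr 12 00:25:55 router kernel: arp: 192.168.1.50 moved from 00:aa:bb:cc:dd:50 to 00:11:22:33:44:50 on rl0
Apr 12 00:26:02 router sshd[812]: unrelated line
"""


def triage(log_text, min_ips=3):
    """Group 'moved' events and separate address conflicts from suspects."""
    ips_by_mac = defaultdict(set)   # MAC -> IPs it took over
    macs_by_ip = defaultdict(set)   # IP -> every MAC seen claiming it
    for line in log_text.splitlines():
        m = MOVED.search(line)
        if not m:
            continue
        ip, old, new = m["ip"], m["old"].lower(), m["new"].lower()
        macs_by_ip[ip].update((old, new))
        ips_by_mac[new].add(ip)
    # One MAC taking over many IPs: trace this one on the switches first.
    suspects = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                if len(ips) >= min_ips}
    # An IP shared only by non-suspect MACs: more likely a duplicate
    # static address or a lease from an unauthorized DHCP server.
    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                 if not any(mac in suspects for mac in macs)}
    return suspects, conflicts


if __name__ == "__main__":
    suspects, conflicts = triage(SAMPLE_LOG)
    print("MACs claiming many IPs:", suspects)
    print("Single-address conflicts:", conflicts)
```

A MAC reported as a suspect is the value to look up in the switches' forwarding tables; an entry under conflicts points at the two machines to check for a static address or a stray DHCP lease.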