From owner-freebsd-security Sun Aug 16 01:07:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA11931 for freebsd-security-outgoing; Sun, 16 Aug 1998 01:07:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA11925; Sun, 16 Aug 1998 01:07:44 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0z7xpt-0000Aa-00; Sun, 16 Aug 1998 02:06:45 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id CAA15109; Sun, 16 Aug 1998 02:06:28 -0600 (MDT)
Message-Id: <199808160806.CAA15109@harmony.village.org>
To: "Gary Palmer"
Subject: Re: Scans to ports 1090 and 1080
Cc: Roger Marquis, security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 15 Aug 1998 02:26:27 EDT." <4893.903162387@gjp.erols.com>
References: <4893.903162387@gjp.erols.com>
Date: Sun, 16 Aug 1998 02:06:27 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <4893.903162387@gjp.erols.com> "Gary Palmer" writes:
: socks 1080/tcp

Socks has also had some exploits against it for revs less than v1.0r6.
Likely they are trying that...
Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Aug 16 01:09:45 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA11989 for freebsd-security-outgoing; Sun, 16 Aug 1998 01:09:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id BAA11984 for ; Sun, 16 Aug 1998 01:09:43 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0z7xs9-0000Ac-00; Sun, 16 Aug 1998 02:09:05 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id CAA15120; Sun, 16 Aug 1998 02:08:47 -0600 (MDT)
Message-Id: <199808160808.CAA15120@harmony.village.org>
To: Philippe Regnauld
Subject: Re: Fwd: "Using capabilties aaginst shell code"
Cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 15 Aug 1998 13:13:09 +0200." <19980815131309.14782@deepo.prosa.dk>
References: <19980815131309.14782@deepo.prosa.dk> <19980814123240.63855@deepo.prosa.dk> <199808142212.XAA01134@indigo.ie>
Date: Sun, 16 Aug 1998 02:08:46 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19980815131309.14782@deepo.prosa.dk> Philippe Regnauld writes:
: What do you call "making chroot secure" ?

I'd say not being able to access or make raw device nodes, should you get
root, not being able to bust out of the chroot jail with some clever
chdiring, the ability to create "secure" (low port) sockets and likely
several other holes that I'm forgetting at the moment.
Warner

From owner-freebsd-security Sun Aug 16 01:23:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA13537 for freebsd-security-outgoing; Sun, 16 Aug 1998 01:23:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA13532 for ; Sun, 16 Aug 1998 01:23:41 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au)
Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1/8.9.1) id SAA16340; Sun, 16 Aug 1998 18:22:57 +1000 (EST)
Date: Sun, 16 Aug 1998 18:22:57 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: Darren Reed
cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: <199808160440.VAA29668@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Darren Reed wrote:
>
> allowing different programs to bind to different IP addresses
> (on a multi-ip# box) is something inetd does not do and can't
> handle with packet filters and requires tcpd/fwtk type solution.
>
> however, I think that rather than hacking that functionality into
> inetd, look at xinetd (which already has numerous additions)
> and leave inetd to be more standard...
>

However, as others have pointed out before, there is a certain peace of
mind gained when dealing with nice, neat, smaller programs.
There are fewer places for things to go wrong:

root@devel:/tmp/xinetd-2.2.1/xinetd# wc -l *.c |grep total
12104 total
root@devel:/tmp/xinetd-2.2.1/xinetd# cd /usr/src/usr.sbin/inetd/
root@devel:/usr/src/usr.sbin/inetd# wc -l *.c |grep total
1883 total
root@devel:/usr/src/usr.sbin/inetd#

In this case, I believe a patch that augments inetd's functionality
should be incorporated, so long as it is audited first. :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

From owner-freebsd-security Sun Aug 16 01:38:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA14527 for freebsd-security-outgoing; Sun, 16 Aug 1998 01:38:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA14520 for ; Sun, 16 Aug 1998 01:38:24 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199808160838.BAA14520@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA203236624; Sun, 16 Aug 1998 18:37:04 +1000
From: Darren Reed
Subject: Re: inetd enhancements (fwd)
To: ncb05@uow.edu.au (Nicholas Charles Brawn)
Date: Sun, 16 Aug 1998 18:37:04 +1000 (EST)
Cc: security@FreeBSD.ORG
In-Reply-To: from "Nicholas Charles Brawn" at Aug 16, 98 06:22:57 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Nicholas Charles Brawn, sie said:
>
> On Sun, 16 Aug 1998, Darren Reed wrote:
> >
> > allowing different programs to bind to different IP addresses
> > (on a multi-ip# box) is something inetd does not do and can't
> > handle with packet filters and requires tcpd/fwtk type solution.
> >
> > however, I think that rather than hacking that functionality into
> > inetd, look at xinetd (which already has numerous additions)
> > and leave inetd to be more standard...
> >
> >
>
> However, as others have pointed out before, there is a certain peace of
> mind gained when dealing with nice, neat, smaller programs. There are
> fewer places for things to go wrong:
> root@devel:/tmp/xinetd-2.2.1/xinetd# wc -l *.c |grep total
> 12104 total
> root@devel:/tmp/xinetd-2.2.1/xinetd# cd /usr/src/usr.sbin/inetd/
> root@devel:/usr/src/usr.sbin/inetd# wc -l *.c |grep total
> 1883 total
> root@devel:/usr/src/usr.sbin/inetd#
>
> In this case, I believe a patch that augments inetd's functionality
> should be incorporated, so long as it is audited first. :)

You're missing the point I was making. xinetd is basically a collection of
augmentations to inetd. I believe it is better that such development
continue around it rather than pollute inetd. Otherwise, you'll just find
yourself slowly making inetd grow to match what xinetd is.
Darren

From owner-freebsd-security Sun Aug 16 04:04:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA29861 for freebsd-security-outgoing; Sun, 16 Aug 1998 04:04:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from haktar.siol.net (haktar.siol.net [193.189.160.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA29768 for ; Sun, 16 Aug 1998 04:04:27 -0700 (PDT) (envelope-from tomaz.borstnar@over.net)
Received: from hang ([193.189.183.113]) by haktar.siol.net (Post.Office MTA v3.1 release PO203a ID# 0-0U10L2S100) with SMTP id AAA1620; Sun, 16 Aug 1998 12:52:38 +0200
Message-Id: <3.0.5.32.19980816125229.00a93920@haktar.siol.net>
X-Sender: NA
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 16 Aug 1998 12:52:29 +0200
To: Darren Reed
From: Tomaz Borstnar
Subject: Re: Capturing IPFW denied packets
Cc: security@FreeBSD.ORG
In-Reply-To: <199808160420.VAA28267@hub.freebsd.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:20 PM 8/16/98 +1000, Darren Reed wrote:
>ipfilter which will run on freebsd can do the above. using ordinary rules,
>upto 128* data bytes from a packet will be logged or the blocked packet can
>be sent to another IP# (fake or real). e.g.

How much will keeping up with stable break ipfilter? How much work will be
needed to keep it untouched and running?
Tomaz

----
Tomaz Borstnar
"Love is the answer to the final question you ask" - Unknown

From owner-freebsd-security Sun Aug 16 06:12:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA09542 for freebsd-security-outgoing; Sun, 16 Aug 1998 06:12:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA09537 for ; Sun, 16 Aug 1998 06:12:13 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id PAA21440; Sun, 16 Aug 1998 15:16:48 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk)
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id PAA24757; Sun, 16 Aug 1998 15:19:35 +0200 (CEST)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id PAA23444; Sun, 16 Aug 1998 15:10:56 +0200 (CEST)
Message-ID: <19980816151056.63692@deepo.prosa.dk>
Date: Sun, 16 Aug 1998 15:10:56 +0200
From: Philippe Regnauld
To: rotel@indigo.ie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"
References: <19980815131309.14782@deepo.prosa.dk> <199808151348.OAA00655@indigo.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <199808151348.OAA00655@indigo.ie>; from Niall Smart on Sat, Aug 15, 1998 at 02:48:11PM +0000
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Phone: +45 3336 4148
Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark
Organization: PROSA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Niall Smart writes:
> >
> > The point was to limit the number of outside attacks on
> > privileged network daemons. Once the system has been broken
> > into, it's over... "Just keep people out"
>
> I'm not sure what you mean by this; disabling execve doesn't prevent
> outside attacks on network daemons.

No, but it will prevent buffer overflows that spawn a root shell
(i.e.: qpopper) -- or am I missing something ?

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Sun Aug 16 07:08:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA14389 for freebsd-security-outgoing; Sun, 16 Aug 1998 07:08:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA14384 for ; Sun, 16 Aug 1998 07:08:40 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id CAA07068; Mon, 17 Aug 1998 02:05:38 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 02:05:38 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Philippe Regnauld
cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"
In-Reply-To: <19980816151056.63692@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Philippe Regnauld wrote:

> Niall Smart writes:
> > >
> > > The point was to limit the number of outside attacks on
> > > privileged network daemons. Once the system has been broken
> > > into, it's over... "Just keep people out"
> >
> > I'm not sure what you mean by this; disabling execve doesn't prevent
> > outside attacks on network daemons.
>
> No, but it will prevent buffer overflows that spawn a root shell
> (i.e.: qpopper) -- or am I missing something ?

As I understand it, this would mean that instead of getting a small piece
of code with embedded shell code to execute, the attacker would have to do
what they want to by using other system calls, requiring slightly more
effort to customize the result of an attack. I.e. instead of spawning a
root shell, or executing a shell command, the exploit would include
commands to perhaps open a file and modify it. Given root perms, and file
access, it's not difficult to imagine places where a shell command could
be written to disk in order to get it executed soon afterwards. If an
interactive shell is needed, then code to modify /etc/master.passwd, or
/etc/inetd.conf can be written into object code little bigger than used by
current exploits.

Andrew McNaughton

From owner-freebsd-security Sun Aug 16 07:55:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA18523 for freebsd-security-outgoing; Sun, 16 Aug 1998 07:55:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA18493 for ; Sun, 16 Aug 1998 07:55:15 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su)
Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id SAA20216; Sun, 16 Aug 1998 18:52:09 +0400 (MSD)
Message-ID: <19980816185209.44808@nevalink.ru>
Date: Sun, 16 Aug 1998 18:52:09 +0400
From: Alexandre Snarskii
To: Darren Reed
Cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
References: <2983.901735734@verdi.nethelp.no> <199808160440.VAA29668@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <199808160440.VAA29668@hub.freebsd.org>; from Darren Reed on Sun, Aug 16, 1998 at 02:38:41PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Aug 16, 1998 at 02:38:41PM +1000, Darren Reed wrote:
>
> allowing different programs to bind to different IP addresses
> (on a multi-ip# box) is something inetd does not do and can't
> handle with packet filters and requires tcpd/fwtk type solution.

Standard FreeBSD inetd can bind different programs to different addresses -
see man inetd, option -a.

--
Alexandre Snarskii
the source code is included

From owner-freebsd-security Sun Aug 16 11:46:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA05993 for freebsd-security-outgoing; Sun, 16 Aug 1998 11:46:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA05988 for ; Sun, 16 Aug 1998 11:46:44 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0z87ob-0000Mb-00; Sun, 16 Aug 1998 12:46:05 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id MAA16986; Sun, 16 Aug 1998 12:45:52 -0600 (MDT)
Message-Id: <199808161845.MAA16986@harmony.village.org>
To: Philippe Regnauld
Subject: Re: Fwd: "Using capabilties aaginst shell code"
Cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 16 Aug 1998 15:10:56 +0200." <19980816151056.63692@deepo.prosa.dk>
References: <19980816151056.63692@deepo.prosa.dk> <19980815131309.14782@deepo.prosa.dk> <199808151348.OAA00655@indigo.ie>
Date: Sun, 16 Aug 1998 12:45:52 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19980816151056.63692@deepo.prosa.dk> Philippe Regnauld writes:
: No, but it will prevent buffer overflows that spawn a root shell
: (i.e.: qpopper) -- or am I missing something ?

Yes. It adds little to the security of the system. Currently it is all
the rage for the egg to do setuid(0); exec /bin/sh. However, if you don't
allow that, then there are other things that you'll have to make sure are
plugged as well.

If you should happen to overflow the stack, you can still execute any code
that you want. You can bind to a port, accept connections and get enough
of a world that not being able to exec isn't a huge deal. There is more
work for the egg to do, but the size of the stack is large enough to have
some rather complicated eggs that do things like malloc memory, copy code
into that, jump to it, etc.

You would still be able to do at least some system calls, even with the
fine-grained capabilities. Likely you could do enough "damage" to the
system that needing a root shell becomes unnecessary. The egg that comes
to mind: setuid(0); edit /etc/passwd, et al., to have another root entry;
then the penetrator can just telnet to the system and have root. There are
many other variations on this theme.

Sure, it will keep the script-bangers out, until the scripts improve; then
you are back where you are today.
Warner

From owner-freebsd-security Sun Aug 16 16:01:47 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA03928 for freebsd-security-outgoing; Sun, 16 Aug 1998 16:01:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from relay.acadiau.ca (relay.acadiau.ca [131.162.2.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA03923 for ; Sun, 16 Aug 1998 16:01:46 -0700 (PDT) (envelope-from 026809r@dragon.acadiau.ca)
Received: from dragon.acadiau.ca (dragon [131.162.1.79]) by relay.acadiau.ca (8.8.5/8.8.5) with SMTP id UAA06274 for ; Sun, 16 Aug 1998 20:01:13 -0300 (ADT)
Received: by dragon.acadiau.ca id UAA09103; Sun, 16 Aug 1998 20:01:12 -0300
From: 026809r@dragon.acadiau.ca (Michael Richards)
Message-Id: <199808162301.UAA09103@dragon.acadiau.ca>
Subject: Why don't winblows program have buffer overruns?
To: security@FreeBSD.ORG
Date: Sun, 16 Aug 1998 20:01:11 -0300 (ADT)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I have been following the buffer overrun discussions for quite some time.
One thing that I have always wondered is:
Why aren't there buffer overruns for winblows that overrun the stack and
execute nasty code? I realise that there is no way to get a shell, but being
able to exec "format" is still a useful thing for a cracker to do on a
windows box.

Is there something different about the way those programs execute, and if
so, other than the suid ability, what advantages does the BSD way of doing
things have?
-Mike

From owner-freebsd-security Sun Aug 16 16:55:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA08861 for freebsd-security-outgoing; Sun, 16 Aug 1998 16:55:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bright.fx.genx.net (bright.fx.genx.net [206.64.4.154]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA08856 for ; Sun, 16 Aug 1998 16:55:41 -0700 (PDT) (envelope-from bright@www.hotjobs.com)
Received: from localhost (bright@localhost) by bright.fx.genx.net (8.9.1/8.8.8) with SMTP id TAA08799; Sun, 16 Aug 1998 19:53:32 -0500 (EST) (envelope-from bright@hotjobs.com)
X-Authentication-Warning: bright.fx.genx.net: bright owned process doing -bs
Date: Sun, 16 Aug 1998 19:53:31 -0500 (EST)
From: Alfred Perlstein
X-Sender: bright@bright.fx.genx.net
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, it's quite possible, but no one really cares to code exploits for
windows programs. There could be use for an exploited windows box, but
urm... as you call it winblows, why would you want to?

There was an overflow in WARftpD; the authors wrote something like:
"we could have continued this hack, but we're unix coders and could care
less about having access to a windows box, DoS is enough" (that is
horribly paraphrased, but was the gist of it)

Alfred Perlstein - Programmer, HotJobs Inc. - www.hotjobs.com
-- There are operating systems, and then there's BSD. -- http://www.freebsd.org/

On Sun, 16 Aug 1998, Michael Richards wrote:

> Hi!
> I have been following the buffer overrun discussions for quite some time.
> One thing that I have always wondered is:
> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.
>
> Is there something different about the way those programs execute, and if
> so, other than the suid ability, what advantages does the BSD way of doing
> things have?
>
> -Mike
>

From owner-freebsd-security Sun Aug 16 17:10:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10741 for freebsd-security-outgoing; Sun, 16 Aug 1998 17:10:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dumont.neoplanos.com.br (dumont.neoplanos.com.br [200.249.209.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10728 for ; Sun, 16 Aug 1998 17:10:38 -0700 (PDT) (envelope-from john@neoplanos.com.br)
Received: from john (john@linha06.neoplanos.com.br [200.249.209.106]) by dumont.neoplanos.com.br (8.8.8/8.8.5) with SMTP id VAA06652 for ; Sun, 16 Aug 1998 21:22:40 -0300 (EST)
Message-Id: <3.0.5.32.19980816210952.007c5b20@neoplanos.com.br>
X-Sender: john@neoplanos.com.br (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 16 Aug 1998 21:09:52 -0300
To: security@FreeBSD.ORG
From: Joao Paulo Campello
Subject: hosts.deny/allow & ICMP Attacks
In-Reply-To: <199807281910.MAA01540@burka.rdy.com>
References: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id RAA10736
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

#1

Does anybody here know if there's any way to break hosts.deny/allow
protection in BSD or even Linux Systems?

#2

Is there any filter/firewall/thing I can do for blocking ICMP Attacks?
Like ICMP Type 8 (PING) or ICMP Type 3 (UNREACH) ?!?! Ooho, sorry... I know
I can use *ipfw* to filter these packets and not to respond to the PING, for
example... But in this way my incoming link would be fully filled anyway...
So how can I filter in the router level, and be sure the PINGs will not
fill my incoming link?

Thnx for help,

João Paulo Caldas Campello
Diretor Tecnico - Neo Planos Solution Provider
http://www.neoplanos.com.br/
IRCAdmin NetLink - Recife/PE (ICQ # ASK-ME :))

From owner-freebsd-security Sun Aug 16 18:51:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA22215 for freebsd-security-outgoing; Sun, 16 Aug 1998 18:51:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA22208 for ; Sun, 16 Aug 1998 18:51:28 -0700 (PDT) (envelope-from jared@puck.nether.net)
Received: (from jared@localhost) by puck.nether.net (8.9.0/8.7.3) id VAA03810; Sun, 16 Aug 1998 21:51:10 -0400
Message-ID: <19980816215110.B3703@puck.nether.net>
Date: Sun, 16 Aug 1998 21:51:10 -0400
From: Jared Mauch
To: Joao Paulo Campello
Cc: security@FreeBSD.ORG
Subject: Re: hosts.deny/allow & ICMP Attacks
References: <3.0.5.32.19980728000808.007cb4f0@neoplanos.com.br> <199807281910.MAA01540@burka.rdy.com> <3.0.5.32.19980816210952.007c5b20@neoplanos.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91.1i
In-Reply-To: <3.0.5.32.19980816210952.007c5b20@neoplanos.com.br>; from Joao Paulo Campello on Sun, Aug 16, 1998 at 09:09:52PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Aug 16, 1998 at 09:09:52PM -0300, Joao Paulo Campello wrote:
> Does anybody here know if there's any way to break hosts.deny/allow
> protection in BSD or even Linux Systems?

Search the bugtraq archives, find out if you have the latest tcp_wrapper

> So how can I filter in the router level, and be sure the PINGs will not
> fill my incoming link?

If your FreeBSD machine is your router, use IPFW. If not, contact your
router vendor, Cisco, Bay, Lucent, whomever. We can't help you with your
routers. (I'm sure that there are some people here that could, but you need
to learn how to contact your router vendor, or a user-group that can help
you with these types of things).

- jared

From owner-freebsd-security Sun Aug 16 19:01:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA23125 for freebsd-security-outgoing; Sun, 16 Aug 1998 19:01:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mercury.webnology.com (mercury.webnology.com [209.155.51.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA23120 for ; Sun, 16 Aug 1998 19:01:10 -0700 (PDT) (envelope-from jooji@webnology.com)
Received: from localhost (jooji@localhost) by mercury.webnology.com (8.9.0/8.8.7) with SMTP id UAA30600; Sun, 16 Aug 1998 20:59:59 -0500
Date: Sun, 16 Aug 1998 20:59:59 -0500 (CDT)
From: "Jasper O'Malley"
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Michael Richards wrote:

> One thing that I have always wondered is:
> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code?

Because nobody bothers to write them, and because the source code for most
Winblows programs isn't published, so crackers can't readily peruse it for
unchecked strcpy() calls. They have been written, and they're on the rise.
See DilDog's "The Tao of the Windows Buffer Overflow" at:

http://www.newhackcity.net/win_buff_overflow/index.html

Most of the "invalid page faults" you see with Winblows are due to buffer
overflows (or crummy bit-flipping RAM). All a cracker has to do is find a
replicable overflow and exploit it.

> Is there something different about the way those programs execute, and if
> so, other than the suid ability, what advantages does the BSD way of doing
> things have?

Everyone's root on Winblows :)

Cheers,
Mick

The Reverend Jasper P. O'Malley          dotdot:jooji@webnology.com
Systems Administrator                    ringring:asktheadmiral
Webnology, LLC                           woowoo:http://www.webnology.com/~jooji

From owner-freebsd-security Sun Aug 16 19:02:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA23282 for freebsd-security-outgoing; Sun, 16 Aug 1998 19:02:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mercury.webnology.com (mercury.webnology.com [209.155.51.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA23277 for ; Sun, 16 Aug 1998 19:02:37 -0700 (PDT) (envelope-from jooji@webnology.com)
Received: from localhost (jooji@localhost) by mercury.webnology.com (8.9.0/8.8.7) with SMTP id VAA30710; Sun, 16 Aug 1998 21:06:54 -0500
Date: Sun, 16 Aug 1998 21:06:54 -0500 (CDT)
From: "Jasper O'Malley"
To: Joao Paulo Campello
cc: security@FreeBSD.ORG
Subject: Re: hosts.deny/allow & ICMP Attacks
In-Reply-To: <3.0.5.32.19980816210952.007c5b20@neoplanos.com.br>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Joao Paulo Campello wrote:

> #1
>
> Does anybody here know if there's any way to break hosts.deny/allow
> protection in BSD or even Linux Systems?

Find an exploit in tcpd or otherwise gain root on the system in question.

> #2
>
> Is there any filter/firewall/thing I can do for blocking ICMP Attacks?
> Like ICMP Type 8 (PING) or ICMP Type 3 (UNREACH) ?!?! Ooho, sorry... I know
> I can use *ipfw* to filter these packets and not to respond to the PING, for
> example... But in this way my incoming link would be fully filled anyway...
> So how can I filter in the router level, and be sure the PINGs will not
> fill my incoming link?
Most modern routers provide packet filtering capabilities (a la ipfw); the
better routers can do it at wire speed. With a Cisco, for instance, you can
use an access-list to drop all ICMP packets before they make it onto your
internal network. At that point, you only have to worry about having your
external link flooded. If you have a decent router, even if your external
link is completely overrun with non-legit traffic, your internal network
should continue to work dandily (although you may not have external
connectivity).

Cheers,
Mick

The Reverend Jasper P. O'Malley          dotdot:jooji@webnology.com
Systems Administrator                    ringring:asktheadmiral
Webnology, LLC                           woowoo:http://www.webnology.com/~jooji

From owner-freebsd-security Sun Aug 16 19:44:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA28972 for freebsd-security-outgoing; Sun, 16 Aug 1998 19:44:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA28966 for ; Sun, 16 Aug 1998 19:44:52 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id UAA18362; Sun, 16 Aug 1998 20:44:12 -0600 (MDT)
Message-Id: <199808170244.UAA18362@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Sun, 16 Aug 1998 20:36:30 -0600
To: 026809r@dragon.acadiau.ca (Michael Richards), security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 08:01 PM 8/16/98 -0300, Michael Richards wrote:
>Hi!
>I have been following the buffer overrun discussions for quite some time.
>One thing that I have always wondered is:
>Why aren't there buffer overruns for winblows that overrun the stack and
>execute nasty code?

There are. However, Windows machines are not generally run as servers, and therefore do not, for the most part, have daemons running that are easy to exploit (e.g. QPopper). You can still confuse them and possibly crash them via things like Winnuke (a program which exploits a flaw in Windows' built-in NetBIOS over TCP/IP implementation). But it's actually harder to take over the machine.

This is why the recently published Outlook e-mail buffer overflow is a big deal; it's one of the few known holes that can potentially be used to take over a Windows machine that's a CLIENT rather than a SERVER.

--Brett

From owner-freebsd-security Sun Aug 16 21:35:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA12616 for freebsd-security-outgoing; Sun, 16 Aug 1998 21:35:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA12603 for ; Sun, 16 Aug 1998 21:35:00 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id OAA01913; Mon, 17 Aug 1998 14:40:57 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 14:40:57 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Michael Richards wrote:

> Hi!
> I have been following the buffer overrun discussions for quite some time.
> One thing that I have always wondered is:
> Why aren't there buffer overruns for winblows that overrun the stack and

There have been lots of these. Try searching bugtraq for 'microsoft'

> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.

If they really care. Taking down a windows machine is more likely to appeal to a f***** off administrator.

Andrew McNaughton

From owner-freebsd-security Sun Aug 16 21:35:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA12650 for freebsd-security-outgoing; Sun, 16 Aug 1998 21:35:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA12641 for ; Sun, 16 Aug 1998 21:35:11 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id AAA15955; Mon, 17 Aug 1998 00:16:06 -0400 (EDT)
Date: Mon, 17 Aug 1998 00:16:06 -0400 (EDT)
From: andrewr
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe there have been posts on bugtraq, specifically from people at the l0pht. So, just do a search from their archives at either geek-girls.com or at netspace.org. So, check it.

Andrew

On Sun, 16 Aug 1998, Michael Richards wrote:

> Hi!
> I have been following the buffer overrun discussions for quite some time.
> One thing that I have always wondered is:
> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.
>
> Is there something different about the way those programs execute, and if
> so, other than the suid ability, what advantages does the BSD way of doing
> things have?
>
> -Mike
>

From owner-freebsd-security Sun Aug 16 23:45:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA27830 for freebsd-security-outgoing; Sun, 16 Aug 1998 23:45:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA27812 for ; Sun, 16 Aug 1998 23:45:48 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199808170645.XAA27812@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA056806231; Mon, 17 Aug 1998 16:43:51 +1000
From: Darren Reed
Subject: Re: ipfw log limits by connection vs.
rule
To: andrew@squiz.co.nz
Date: Mon, 17 Aug 1998 16:43:51 +1000 (EST)
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Andrew McNaughton" at Aug 11, 98 02:12:47 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Andrew McNaughton, sie said:
[...]
> I've had this in mind for a while, but not yet had the time to write it.
> Has anyone got a script set up to summarise this stuff as it comes in?

The most recent versions of IP Filter `compress' log entries for "similar" packets. That is, if someone sent a flood of 50 ICMP packets (all the same) at you, with no other packets in between, it may become 1 log entry. The deciding factors are:

- is this packet the same as the one before (checksum with private seed for comparison basis) ?
- how often the kernel log is "polled" (that is, using the above example, if I read the log after the first 10, it would have a count of 10, and then again after it was finished, it would have a count of 40 with the total being 50 for the two log entries).
Darren

From owner-freebsd-security Mon Aug 17 02:05:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA09996 for freebsd-security-outgoing; Mon, 17 Aug 1998 02:05:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA09972 for ; Mon, 17 Aug 1998 02:05:22 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id VAA01131; Mon, 17 Aug 1998 21:02:24 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 21:02:23 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Darren Reed
cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule
In-Reply-To: <199808170644.SAA04433@dawn.newsroom.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 17 Aug 1998, Darren Reed wrote:

> In some mail from Andrew McNaughton, sie said:
> [...]
> > I've had this in mind for a while, but not yet had the time to write it.
> > Has anyone got a script set up to summarise this stuff as it comes in?
>
> The most recent versions of IP Filter `compress' log entries for "similar"
> packets. That is, if someone sent a flood of 50 ICMP packets (all the
> same) at you, with no other packets in between, it may become 1 log entry.

It's a good feature. I had thought that this feature was provided by syslogd rather than ipfw?

Anyway, what I had in mind was more along the lines of reporting:

Starting at 12:34 pm NZST, there was a probable port scan from aaa.bbb.ccc.com [123.4.56.7] on ports 21,23,25,79-80,8080.
There is an unsecured wingate running on that machine.

Starting at 13:45 pm NZST a smurf attack appears to have been launched using your network. 1024 packets were received at 1.2.3.255, and the return address was 66.1.66.1

At 14:50 pm NZST, someone connected to the IMAP port from evil.org.mn [12.34.56.78], which is not in a C class network your users normally connect from. This address has been responsible for suspect activity before.

Starting at 14:20 am NZST there was an FTP session from ppp-34.foo.isp.nz [12.12.12.6]. This address is in a C class network from which your users regularly connect.

Etc etc. Doing it properly would take a bit of work in recognising the signatures of various kinds of attacks, and deciding what details need to be reported, but it need not all be done at once to be valuable.

Andrew

From owner-freebsd-security Mon Aug 17 02:11:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA10644 for freebsd-security-outgoing; Mon, 17 Aug 1998 02:11:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA10619 for ; Mon, 17 Aug 1998 02:11:06 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au)
Message-Id: <199808170911.CAA10619@hub.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA077115021; Mon, 17 Aug 1998 19:10:21 +1000
From: Darren Reed
Subject: Re: ipfw log limits by connection vs.
rule
To: andrew@squiz.co.nz
Date: Mon, 17 Aug 1998 19:10:20 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, j@lumiere.net, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Andrew McNaughton" at Aug 17, 98 09:02:23 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Andrew McNaughton, sie said:
>
> On Mon, 17 Aug 1998, Darren Reed wrote:
>
> > In some mail from Andrew McNaughton, sie said:
> > [...]
> > > I've had this in mind for a while, but not yet had the time to write it.
> > > Has anyone got a script set up to summarise this stuff as it comes in?
> >
> > The most recent versions of IP Filter `compress' log entries for "similar"
> > packets. That is, if someone sent a flood of 50 ICMP packets (all the
> > same) at you, with no other packets in between, it may become 1 log entry.
>
> It's a good feature. I had thought that this feature was provided by
> syslogd rather than ipfw?

What I described is in IP Filter, not ipfw nor syslogd (which has its own).

> Etc etc. Doing it properly would take a bit of work in recognising the
> signatures of various kinds of attacks, and deciding what details need to
> be reported, but it need not all be done at once to be valuable.

IDS type work.
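The two ideas in this exchange, collapsing runs of identical log entries into one record with a count (as Darren describes IP Filter doing) and turning raw ipfw deny lines into a "probable port scan from X on ports ..." report (Andrew's summariser), as one added example that is not IP Filter's code nor anything posted on the thread. The log line format, the sample lines and the addresses in them are constructed for the example; the regex assumes an "ipfw: <rule> Deny <proto> <src>[:<port>] <dst>[:<port>] in via <if>" layout and would need adjusting for the real syslog format on a given system.

```python
"""Summarise ipfw deny-log lines: collapse repeats, flag multi-port probes.

Added example only (not IP Filter or ipfw code). LINE_RE matches a
constructed approximation of ipfw's syslog line; adjust it for real logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed layout: "ipfw: <rule> <action> <proto> <src>[:<p>] <dst>[:<p>] in|out via <if>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Entry:
    rule: int
    action: str
    proto: str
    src: str
    sport: int  # 0 when the protocol carries no port (ICMP)
    dst: str
    dport: int
    iface: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one log line, or None if it is not an ipfw record."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Entry(int(m["rule"]), m["action"], m["proto"].upper(), m["src"],
                 int(m["sport"] or 0), m["dst"], int(m["dport"] or 0), m["iface"])


def compress(entries: List[Entry]) -> List[Tuple[Entry, int]]:
    """Collapse consecutive identical entries into (entry, count) records.

    50 identical ICMP packets with nothing in between become one record with
    count 50; any different packet in the middle splits the run in two.
    """
    out: List[Tuple[Entry, int]] = []
    for e in entries:
        if out and out[-1][0] == e:
            out[-1] = (e, out[-1][1] + 1)
        else:
            out.append((e, 1))
    return out


def probable_port_scans(entries: List[Entry], min_ports: int = 5) -> Dict[str, List[int]]:
    """Source -> sorted distinct TCP/UDP destination ports, for sources that
    were denied on at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in entries:
        if e.proto in ("TCP", "UDP"):
            ports[e.src].add(e.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def port_ranges(ports: List[int]) -> str:
    """Render sorted ports as in the thread's report line: '21,23,25,79-80,8080'."""
    groups: List[List[int]] = []
    for p in ports:
        if groups and p == groups[-1][1] + 1:
            groups[-1][1] = p
        else:
            groups.append([p, p])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in groups)


def summarize(lines: List[str], min_ports: int = 5) -> List[str]:
    """Turn raw log lines into human-readable report lines."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    report = []
    for e, n in compress(entries):
        if n > 1:
            report.append(f"{n} identical {e.proto} packets from {e.src} to {e.dst} "
                          f"denied by rule {e.rule}")
    for src, ports in sorted(probable_port_scans(entries, min_ports).items()):
        report.append(f"probable port scan from {src} on ports {port_ranges(ports)}")
    return report


# Constructed sample log: one source sweeping six ports, an ICMP flood at the
# broadcast address interrupted by one unrelated packet, then more of the flood.
SAMPLE_LOG = [
    f"Aug 17 12:34:0{i} gw /kernel: ipfw: 3000 Deny TCP 123.4.56.7:{1030 + i} "
    f"10.1.2.3:{p} in via ed0"
    for i, p in enumerate((21, 23, 25, 79, 80, 8080))
] + ["Aug 17 13:45:10 gw /kernel: ipfw: 2000 Deny ICMP 66.1.66.1 10.1.2.255 in via ed0"] * 3 + [
    "Aug 17 13:45:12 gw /kernel: ipfw: 3000 Deny TCP 12.12.12.6:2048 10.1.2.3:21 in via ed0",
] + ["Aug 17 13:45:13 gw /kernel: ipfw: 2000 Deny ICMP 66.1.66.1 10.1.2.255 in via ed0"] * 2

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Feeding the script a real log would also show the polling effect Darren mentions: a run of identical packets is only collapsed while it sits unbroken in the batch being processed, so two reads of the same flood produce two counted records rather than one.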
Darren

From owner-freebsd-security Mon Aug 17 02:16:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA11645 for freebsd-security-outgoing; Mon, 17 Aug 1998 02:16:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA11640 for ; Mon, 17 Aug 1998 02:16:22 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id VAA01212; Mon, 17 Aug 1998 21:10:53 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 21:10:52 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Michael Richards <026809r@dragon.acadiau.ca>
cc: security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 16 Aug 1998, Michael Richards wrote:

> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.

Thinking a bit more about this, I suppose it says something about hackers being motivated more by kudos than profit. While there isn't much publicity to be had in hitting someone's desktop machine, those machines probably account for most storage of sensitive data.
Andrew

From owner-freebsd-security Mon Aug 17 02:52:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA14947 for freebsd-security-outgoing; Mon, 17 Aug 1998 02:52:53 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA14939 for ; Mon, 17 Aug 1998 02:52:50 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id KAA29332; Mon, 17 Aug 1998 10:52:14 +0100 (BST)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by bofh.fast.net.uk (8.8.8/8.8.8) with SMTP id KAA09107; Mon, 17 Aug 1998 10:52:18 +0100 (BST) (envelope-from netadmin@fastnet.co.uk)
Date: Mon, 17 Aug 1998 10:52:18 +0100 (BST)
From: Jay Tribick
X-Sender: netadmin@bofh.fast.net.uk
To: "Jasper O'Malley"
cc: Joao Paulo Campello , security@FreeBSD.ORG
Subject: Re: hosts.deny/allow & ICMP Attacks
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

| > #1
| >
| > Does anybody here know if there's any way to break hosts.deny/allow
| > protection in BSD or even Linux Systems?
|
| Find an exploit in tcpd or otherwise gain root on the system in question.

There's always IP spoofing (although you'd have to do it blind as the packets wouldn't be able to get back to you) - plus, it's hard to implement.
Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Mon Aug 17 04:41:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA26112 for freebsd-security-outgoing; Mon, 17 Aug 1998 04:41:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.128.94.182]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA26104 for ; Mon, 17 Aug 1998 04:41:33 -0700 (PDT) (envelope-from software@kew.com)
Received: from ffactory.uucp.kew.com (ffactory.hh.kew.com [192.168.203.131]) by kendra.ne.mediaone.net (8.9.0/8.9.0) with SMTP id HAA22155; Mon, 17 Aug 1998 07:40:41 -0400 (EDT)
Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13c) with UUCP for multiple addressees; Mon, 17 Aug 1998 07:40:40 -0500
Received: from kew.com by ffactory.uucp.kew.com (UUPC/extended 1.13c) with ESMTP for multiple addresses; Mon, 17 Aug 1998 07:40:39 -0500
Message-ID: <35D816B6.DAD566EB@kew.com>
Date: Mon, 17 Aug 1998 07:40:38 -0400
From: Drew Derbyshire
Organization: Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
X-Mailer: Mozilla 4.05 [en] (WinNT; U)
MIME-Version: 1.0
To: Darren Reed
CC: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
References: <199808160440.VAA29668@hub.freebsd.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren Reed wrote:

> allowing different programs to bind to different IP addresses
> (on a multi-ip# box) is something inetd does not do and can't
> handle with packet filters and requires tcpd/fwtk
> type solution.

A single instance of the stock inetd could not handle selecting specific servers for specific ports, but you can bind it to a specific address via the -a flag, and so handle multiple server lists via multiple instances. Aside from the extra process overhead, this actually strikes me as cleaner since you can do things like kill the public interface inetd during maint and the like.

(If you are running processes from inetd with the wait parameter, then your overhead does go up, but in a firewall, I'm not sure how many of those you want running anyway.)

-ahd-

--
Drew Derbyshire UUPC/extended e-mail: software@kew.com Telephone: 617-279-9812

"And he was too old to Rock'n'Roll but he was too young to die. No, you're never too old to Rock'n'Roll if you're too young to die." -- Ian Anderson

From owner-freebsd-security Mon Aug 17 04:56:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA27684 for freebsd-security-outgoing; Mon, 17 Aug 1998 04:56:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA27679 for ; Mon, 17 Aug 1998 04:56:47 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id FAA21164; Mon, 17 Aug 1998 05:53:07 -0600 (MDT)
Message-Id: <199808171153.FAA21164@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Mon, 17 Aug 1998 05:52:58 -0600
To: andrew@squiz.co.nz, Michael Richards <026809r@dragon.acadiau.ca>
From: Brett Glass
Subject: Re: Why don't winblows program have buffer overruns?
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <199808162301.UAA09103@dragon.acadiau.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:10 PM 8/17/98 +1200, Andrew McNaughton wrote:
>Thinking a bit more about this, I suppose it says something about hackers
>being motivated more by kudos than profit. While there isn't much
>publicity to be had in hitting someone's desktop machine, those machines
>probably account for most storage of sensitive data.

But that data is also the least concentrated. Crack a server, and you'll get hundreds of users' private e-mail at once (for example). Crack a client, and you'll get one person's letters to Aunt Tillie, interspersed with a very occasional interesting piece of data....

--Brett

From owner-freebsd-security Mon Aug 17 09:38:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA25379 for freebsd-security-outgoing; Mon, 17 Aug 1998 09:38:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA25373 for ; Mon, 17 Aug 1998 09:38:26 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no)
Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id SAA12653; Mon, 17 Aug 1998 18:30:59 +0200 (MET DST)
Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Mon, 17 Aug 1998 18:30:59 +0200 (MET DST)
Mime-Version: 1.0
To: Brett Glass
Cc: 026809r@dragon.acadiau.ca (Michael Richards), security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
References: <199808170244.UAA18362@lariat.lariat.org>
Organization: University of Oslo, Department of Informatics
X-url: http://www.stud.ifi.uio.no/~dag-erli/
X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list
X-disclaimer-1: The views expressed in this article are mine alone, and do
X-disclaimer-2: not necessarily coincide with those of any organisation or
X-disclaimer-3: company with which I am or have been affiliated.
X-Stop-Spam: http://www.cauce.org/
From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= )
Date: 17 Aug 1998 18:30:58 +0200
In-Reply-To: Brett Glass's message of "Sun, 16 Aug 1998 20:36:30 -0600"
Message-ID:
Lines: 14
X-Mailer: Gnus v5.5/Emacs 19.34
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id JAA25375
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass writes:
> You can still confuse them and possibly crash
> them via things like Winnuke (a program which exploits a flaw in Windows'
> built-in NetBIOS over TCP/IP implementation).

This is getting off-topic, but the bug is in the TCP/IP stack, not the NetBIOS code. The only reason WinNuke uses port 139 (the netbios-ssn port) is that you're pretty sure there'll be someone listening there. I've seen WinNuke scripts modified to use port 80 to attack Windows-based Web servers through firewalls that blocked NetBIOS traffic.
DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Mon Aug 17 11:51:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA22390 for freebsd-security-outgoing; Mon, 17 Aug 1998 11:51:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA22379 for ; Mon, 17 Aug 1998 11:51:46 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id MAA24710; Mon, 17 Aug 1998 12:51:07 -0600 (MDT)
Message-Id: <199808171851.MAA24710@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Mon, 17 Aug 1998 12:50:04 -0600
To: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= )
From: Brett Glass
Subject: Re: Why don't winblows program have buffer overruns?
Cc: 026809r@dragon.acadiau.ca (Michael Richards), security@FreeBSD.ORG
In-Reply-To:
References: <199808170244.UAA18362@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id LAA22383
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:30 PM 8/17/98 +0200, Dag-Erling Coidan Smørgrav wrote:
>This is getting off-topic, but the bug is in the TCP/IP stack, not the
>NetBIOS code. The only reason WinNuke uses port 139 (the netbios-ssn
>port) is that you're pretty sure there'll be someone listening there.

I don't turn on NetBIOS on any Windows machine I use or administer. In fact, about the only thing they'll respond to is a ping.
--Brett

From owner-freebsd-security Mon Aug 17 15:00:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA01330 for freebsd-security-outgoing; Mon, 17 Aug 1998 15:00:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bastuba.partitur.se (bastuba.partitur.se [193.219.246.194]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA01302 for ; Mon, 17 Aug 1998 15:00:46 -0700 (PDT) (envelope-from girgen@partitur.se)
Received: from partitur.se (solist.partitur.se [193.219.246.204]) by bastuba.partitur.se (8.8.8/8.8.8) with ESMTP id AAA05807; Tue, 18 Aug 1998 00:00:10 +0200 (CEST) (envelope-from girgen@partitur.se)
Message-ID: <35D8A7E8.2DC50695@partitur.se>
Date: Tue, 18 Aug 1998 00:00:08 +0200
From: Palle Girgensohn
Organization: Partitur
X-Mailer: Mozilla 4.5b1 [en] (X11; I; SunOS 5.6 sun4u)
X-Accept-Language: sv,en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: private network on router's external NIC?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I have a question. For some time, I've been filtering packages using ipfw. The setup is a FreeBSD machine with two NICs that routes between an external network, with this machine and a Cisco on, and our internal LAN (which also has TRUE internet addresses). No private network number stuff, no natd. Just plain routing.

Every once in a while, packages from 192.168.x.y on the external interface are logged and deferred. They are mostly trying to reach the http port of one of our web servers (inside), but also sometimes port 137-139 (netbios-*) and a few others. Are they really attempted break-ins? All of them? They show up almost every day, though in small numbers (10-20, perhaps, usually from different ip numbers different days).
I have these commands in my ipfw setup, taken from the systems rc.firewall:

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

Makes sense to me. So, how do these ip numbers get out on the Internet? How do they get routed anywhere; they're supposed to be private?

/Palle

From owner-freebsd-security Mon Aug 17 15:16:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA04681 for freebsd-security-outgoing; Mon, 17 Aug 1998 15:16:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dumont.neoplanos.com.br (dumont.neoplanos.com.br [200.249.209.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA04547 for ; Mon, 17 Aug 1998 15:16:11 -0700 (PDT) (envelope-from john@dumont.neoplanos.com.br)
Received: from localhost (john@localhost) by dumont.neoplanos.com.br (8.8.8/8.8.5) with SMTP id TAA12184; Mon, 17 Aug 1998 19:27:28 -0300 (EST)
Date: Mon, 17 Aug 1998 19:27:28 -0300 (EST)
From: Joao Paulo Caldas Campello
To: Jay Tribick
cc: "Jasper O'Malley" , security@FreeBSD.ORG
Subject: Re: hosts.deny/allow & ICMP Attacks
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 17 Aug 1998, Jay Tribick wrote:

Hi,

> There's always IP spoofing (although you'd have to do it blind as the
> packets wouldn't be able to get back to you) - plus, it's hard to
> implement.

Yeah...
But working with tcp is nearly impossible to have a successful spoof... I cannot say impossible, for sure, `cause maybe there are some bugs in tcpd or any routing protocol (for instance, RIP) that I can use to obtain good spoof... If I do spoof with TCP just changing the frames in the packet I've to pretend I'm a 3rd host; which I have access to and is privileged in the victim system... If TCP wasn't a three-way connection type (as UDP that's one way) I would be able to do spoof faster!!

Anyway, I'm just wanting to protect my own network from outside invaders, not planning to attack any box!!

Thnx for all the help (all the people that answered me and I'm not replying... not to spam the list)

Regards,
J. Paulo

From owner-freebsd-security Mon Aug 17 15:57:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA12690 for freebsd-security-outgoing; Mon, 17 Aug 1998 15:57:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kjsl.com (Limpia.KJSL.COM [198.137.202.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA12668 for ; Mon, 17 Aug 1998 15:57:16 -0700 (PDT) (envelope-from javier@kjsl.com)
Received: (from javier@localhost) by kjsl.com (8.8.5/8.8.5) id PAA27265; Mon, 17 Aug 1998 15:56:36 -0700 (PDT)
Date: Mon, 17 Aug 1998 15:56:36 -0700 (PDT)
Message-Id: <199808172256.PAA27265@kjsl.com>
From: Javier Henderson
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Palle Girgensohn
Cc: freebsd-security@FreeBSD.ORG
Subject: private network on router's external NIC?
In-Reply-To: <35D8A7E8.2DC50695@partitur.se>
References: <35D8A7E8.2DC50695@partitur.se>
X-Mailer: VM 6.33 under Emacs 19.34.1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Palle Girgensohn writes:

> Makes sense to me.
> So, how do these ip numbers get out on the Internet?

Talk to your upstream peer, he's the one sending them to you. They could originate from within his network.

> How do they get routed anywhere; they're supposed to be private?

I've seen packets destined for 172.16 also, another one of the "private" networks. They're probably crafted packets with a bogus source IP address.

-jav

From owner-freebsd-security Mon Aug 17 16:02:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA13618 for freebsd-security-outgoing; Mon, 17 Aug 1998 16:02:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA13611 for ; Mon, 17 Aug 1998 16:02:23 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 6849 invoked by uid 1001); 17 Aug 1998 23:01:49 +0000 (GMT)
To: girgen@partitur.se
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: private network on router's external NIC?
In-Reply-To: Your message of "Tue, 18 Aug 1998 00:00:08 +0200"
References: <35D8A7E8.2DC50695@partitur.se>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 18 Aug 1998 01:01:49 +0200
Message-ID: <6847.903394909@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I have these commands in my ipfw setup, taken from the systems
> rc.firewall:
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> Makes sense to me. So, how do these ip numbers get out on the Internet?
> How do they get routed anywhere; they're supposed to be private?

Routing is normally done on *destination* address, so a *source* address within the RFC 1918 address ranges is irrelevant to routing.

There are several reasons why such packets show up, e.g.:

- ISPs with the (bad) idea that they can use RFC 1918 for their internal network links, because (supposedly) the addresses won't get out. Guess what happens when you do a traceroute along one of these paths?
- Firewalls which leak internal addresses. I haven't seen these myself, but have heard of this happening.
- Crackers using RFC 1918 addresses for breakins etc. because you won't be able to trace the source address.

There are good reasons why some of us filter the RFC 1918 addresses on our border routers.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Aug 17 17:19:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA26959 for freebsd-security-outgoing; Mon, 17 Aug 1998 17:19:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gizmo.dimension.net (gizmo.dimension.net [209.12.7.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA26940 for ; Mon, 17 Aug 1998 17:19:01 -0700 (PDT) (envelope-from jaitken@dimension.net) Received: (from jaitken@localhost) by gizmo.dimension.net (8.8.8/8.8.8) id UAA14592; Mon, 17 Aug 1998 20:18:14 -0400 (EDT) From: Jeff Aitken Message-Id: <199808180018.UAA14592@gizmo.dimension.net> Subject: Re: private network on router's external NIC? In-Reply-To: <6847.903394909@verdi.nethelp.no> from "sthaug@nethelp.no" at "Aug 18, 98 01:01:49 am" To: sthaug@nethelp.no Date: Mon, 17 Aug 1998 20:18:14 -0400 (EDT) Cc: girgen@partitur.se, freebsd-security@FreeBSD.ORG Reply-to: jaitken@dimension.net X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org sthaug@nethelp.no writes: > > Makes sense to me. So, how do these ip numbers get out on the Internet? > > How do they get routed anywhere; they're supposed to be private? Those addresses are only private because we all consider them to be. There's nothing stopping an ISP from telling the world "The 10.0.0.0/8 network is reachable via ME!". Hell, there have been people who have announced "Hey, the ENTIRE INTERNET is reachable through ME!". ;-) What's stopping them is the fact that *most* people won't route to private network addresses. 
> Routing is normally done on *destination* address, so a *source* address > within the RFC 1918 address ranges is irrelevant to routing. > > There are several reasons why such packets show up, e.g.: > > - ISPs with the (bad) idea that they can use RFC 1918 for their internal > network links, because (supposedly) the addresses won't get out. Guess > what happens when you do a traceroute along one of these paths? Not to get off topic, but using private addresses for internal network links doesn't necessarily cause them to be advertised. If this guy is seeing attempted connections to WWW servers, they're not the result of someone running a traceroute. Only improperly configured routers (and less-than-clueful upstream providers) cause these networks to be advertised. I'm not defending the improper use of private network numbers, but it takes more than that to account for the observed behavior. --Jeff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Mon Aug 17 21:40:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA28283 for freebsd-security-outgoing; Mon, 17 Aug 1998 21:40:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (critter.freebsd.dk [195.8.129.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA28272 for ; Mon, 17 Aug 1998 21:40:10 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id GAA00740; Tue, 18 Aug 1998 06:35:41 +0200 (CEST) To: jaitken@dimension.net cc: sthaug@nethelp.no, girgen@partitur.se, freebsd-security@FreeBSD.ORG Subject: Re: private network on router's external NIC? In-reply-to: Your message of "Mon, 17 Aug 1998 20:18:14 EDT." 
<199808180018.UAA14592@gizmo.dimension.net>
Date: Tue, 18 Aug 1998 06:35:41 +0200
Message-ID: <738.903414941@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199808180018.UAA14592@gizmo.dimension.net>, Jeff Aitken writes:
>sthaug@nethelp.no writes:
>> > Makes sense to me. So, how do these ip numbers get out on the Internet?
>> > How do they get routed anywhere; they're supposed to be private?
>
>Those addresses are only private because we all consider them to be.
>There's nothing stopping an ISP from telling the world "The
>10.0.0.0/8 network is reachable via ME!". Hell, there have been
>people who have announced "Hey, the ENTIRE INTERNET is reachable
>through ME!". ;-)

But any moderately experienced BGP-gaffer will know not to accept any
routes for:

    neighbor x.x.x.x distribute-list 4 in

    access-list 4 deny 0.0.0.0
    access-list 4 deny 10.0.0.0 0.255.255.255
    access-list 4 deny 172.16.0.0 0.0.15.255
    access-list 4 deny 192.168.0.0 0.0.255.255
    access-list 4 deny 127.0.0.0 0.255.255.255
    access-list 4 deny
    access-list 4 deny
    access-list 4 deny

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Aug 18 00:06:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA10035 for freebsd-security-outgoing; Tue, 18 Aug 1998 00:06:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from inet.chipweb.ml.org (c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA10030 for ; Tue, 18 Aug 1998 00:06:50 -0700 (PDT) (envelope-from ludwigp@bigfoot.com) Message-Id: <199808180706.AAA10030@hub.freebsd.org> Received: (qmail 17064 invoked from network); 18 Aug 1998 07:06:15 -0000 Received: from speedy.chipweb.ml.org (172.16.1.1) by inet.chipweb.ml.org with SMTP; 18 Aug 1998 07:06:15 -0000 X-Sender: ludwigp2@mail-r X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.2 Date: Tue, 18 Aug 1998 00:05:36 -0700 To: sthaug@nethelp.no, girgen@partitur.se From: Ludwig Pummer Subject: Re: private network on router's external NIC? Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <6847.903394909@verdi.nethelp.no> References: <35D8A7E8.2DC50695@partitur.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:01 AM 8/18/98 +0200, sthaug@nethelp.no wrote: >- ISPs with the (bad) idea that they can use RFC 1918 for their internal >network links, because (supposedly) the addresses won't get out. Guess >what happens when you do a traceroute along one of these paths? @Home does this, and it really bothers me. Every time someone does a traceroute to me (or i do a traceroute), they/I get 2 "blanks" in the hop list and it goes into my kernel logs... Not to mention, I'm using 172.16.0.0/16, and they're using 172.16.4.0/24 (among some other RFC 1918 subnets)... 
--Ludwig Pummer ludwigp@bigfoot.com ludwigp@chipweb.ml.org ICQ UIN: 692441 http://chipweb.home.ml.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Aug 18 01:01:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA15365 for freebsd-security-outgoing; Tue, 18 Aug 1998 01:01:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15356 for ; Tue, 18 Aug 1998 01:01:32 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id KAA18133; Tue, 18 Aug 1998 10:00:55 +0200 (MET DST) Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Tue, 18 Aug 1998 10:00:55 +0200 (MET DST) Mime-Version: 1.0 To: Palle Girgensohn Cc: freebsd-security@FreeBSD.ORG Subject: Re: private network on router's external NIC? References: <35D8A7E8.2DC50695@partitur.se> Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. 
X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 18 Aug 1998 10:00:54 +0200 In-Reply-To: Palle Girgensohn's message of "Tue, 18 Aug 1998 00:00:08 +0200" Message-ID: Lines: 13 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id BAA15361 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Palle Girgensohn writes: > Every once in a while, packages from 192.168.x.y on the external > interface are logged and deferred. They are mostly trying to reach the > http port of one of our web servers (inside), but also sometimes port > 137-139 (netbios-*) and a few others. Are they really attempted > break-ins? Forged packets to the NetBIOS ports are with 99% certainty attempted DoS attacks (which will only succeed against Winblows boxen) DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Aug 18 06:01:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA16237 for freebsd-security-outgoing; Tue, 18 Aug 1998 06:01:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA16223 for ; Tue, 18 Aug 1998 06:00:57 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA08326; Tue, 18 Aug 1998 09:00:12 -0400 (EDT) Date: Tue, 18 Aug 1998 09:00:12 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Philippe Regnauld cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: "Using capabilties aaginst shell 
code"
In-Reply-To: <19980814123240.63855@deepo.prosa.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Some work was going on at TIS Advanced Research and Engineering (now
TISLabs at NAI) concerning a "Wrappers" project that involved replacing
syscalls using an lkm to modify the security policy of a host. There was
a paper at USENIX a while ago I believe; I'll try to send out URL
references later today, but am not currently in the office.

If I understand correctly, they had some problems with the mmap file IO
mechanism as it is one of the read/write mechanisms that does not involve
the syscall interface (once initiated).

I have been thinking about implementing posix capabilities in BSD, but
don't have a copy of the spec. Anyone have any pointers to where I could
find it? From what I have heard, Posix capabilities are not the answer to
the unix security problem (that is, the desire for fine-grained access
controls), as it only addresses a few specific (but common) cases.

Robert Watson

On Fri, 14 Aug 1998, Philippe Regnauld wrote:

> (see message below)
>
> Is this any form of restriction that can be implemented
> in *BSD systems ? I.e.: restricting system calls to
> certain classes of daemons ?
>
> As mentioned in the example below, why should POPd be allowed
> to exec() ? This seems like a very sane approach (of course,
> it implies knowledge/auditing of the code).
>
> Then we could have certain untrusted (i.e.: running as
> root) daemons launched in such an environment, on top
> of being chroot()ed.
> > -----Forwarded message from Duncan Simpson ----- > > From: Duncan Simpson > Subject: Using capabilties aaginst shell code > To: BUGTRAQ@NETSPACE.ORG > Date: Wed, 12 Aug 1998 21:33:51 +0200 > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > The development of capabilities with Linux (and some section of POSIX, if the > header is to be believed) creates an opportunity for tightening security by > sandboxing daemons---imapd and popd have no legitimate use for various system > calls, for example. In particular exec is fundamental to most buffer overrun > shellcode and not required by many daemons. > > [...] > > -----End of forwarded message----- > > -- > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- > > The Internet is busy. Please try again later. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/
SafePort Network Services            http://www.safeport.com/
robert@fledge.watson.org            http://www.watson.org/~robert/

From owner-freebsd-security Tue Aug 18 07:05:57 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA22653 for freebsd-security-outgoing; Tue, 18 Aug 1998 07:05:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bright.fx.genx.net (bright.fx.genx.net [206.64.4.154]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA22648 for ; Tue, 18 Aug 1998 07:05:55 -0700 (PDT) (envelope-from bright@www.hotjobs.com)
Received: from localhost (bright@localhost) by bright.fx.genx.net (8.9.1/8.8.8) with SMTP id KAA16644 for ; Tue, 18 Aug 1998 10:06:12 -0500 (EST) (envelope-from bright@hotjobs.com)
X-Authentication-Warning: bright.fx.genx.net: bright owned process doing -bs
Date: Tue, 18 Aug 1998 10:06:12 -0500 (EST)
From: Alfred Perlstein
X-Sender: bright@bright.fx.genx.net
To: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Besides time constraints, why hasn't someone coded a "rootd"? It would
use local domain sockets and allow root processes to connect and set up
an ACL, then setuid to nobody and send a "registration done" to the root
server.

All syscalls that needed to be done would have to be passed through the
ACL set up by the initial connection with "rootd". This could include:

1) a sort of FD passing to a chrooted dir, as in:
     give me access to /var/run/mypid
     give me access to home directories
2) ability to bind ports

Or is this just silly?

Alfred Perlstein - Programmer, HotJobs Inc. - www.hotjobs.com
-- There are operating systems, and then there's BSD.
-- http://www.freebsd.org/

On Tue, 18 Aug 1998, Robert Watson wrote:

>
> Some work was going on at TIS Advanced Research and Engineering (now
> TISLabs at NAI) concerning a "Wrappers" project that involved replacing
> syscalls using an lkm to modify the security policy of a host. There was
> a paper at USENIX a while ago I believe; I'll try to send out URL
> references later today, but am not currently in the office.
>
> If I understand correctly, they had some problems with the mmap file IO
> mechanism as it is one of the read/write mechanisms that does not involve
> the syscall interface (once initiated).
>
> I have been thinking about implementing posix capabilities in BSD, but
> don't have a copy of the spec. Anyone have any pointers to where I could
> find it? From what I have heard, Posix capabilities are not the answer to
> the unix security problem (that is, the desire for fine-grained access
> controls), as it only addresses a few specific (but common) cases.
>
> Robert Watson
>
> On Fri, 14 Aug 1998, Philippe Regnauld wrote:
>
> > (see message below)
> >
> > Is this any form of restriction that can be implemented
> > in *BSD systems ? I.e.: restricting system calls to
> > certain classes of daemons ?
> >
> > As mentioned in the example below, why should POPd be allowed
> > to exec() ? This seems like a very sane approach (of course,
> > it implies knowledge/auditing of the code).
> >
> > Then we could have certain untrusted (i.e.: running as
> > root) daemons launched in such an environment, on top
> > of being chroot()ed.
> > > > -----Forwarded message from Duncan Simpson ----- > > > > From: Duncan Simpson > > Subject: Using capabilties aaginst shell code > > To: BUGTRAQ@NETSPACE.ORG > > Date: Wed, 12 Aug 1998 21:33:51 +0200 > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > The development of capabilities with Linux (and some section of POSIX, if the > > header is to be believed) creates an opportunity for tightening security by > > sandboxing daemons---imapd and popd have no legitimate use for various system > > calls, for example. In particular exec is fundamental to most buffer overrun > > shellcode and not required by many daemons. > > > > [...] > > > > -----End of forwarded message----- > > > > -- > > -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- > > > > The Internet is busy. Please try again later. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe security" in the body of the message > > > > > Robert N Watson > > Carnegie Mellon University http://www.cmu.edu/ > TIS Labs at Network Associates, Inc. 
http://www.tis.com/
> SafePort Network Services            http://www.safeport.com/
> robert@fledge.watson.org            http://www.watson.org/~robert/
>

From owner-freebsd-security Tue Aug 18 09:56:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16666 for freebsd-security-outgoing; Tue, 18 Aug 1998 09:56:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA16660 for ; Tue, 18 Aug 1998 09:56:48 -0700 (PDT) (envelope-from ingham@i-pi.com)
Received: (from ingham@localhost) by socrates.i-pi.com (8.8.8/8.8.7) id KAA22368; Tue, 18 Aug 1998 10:53:22 -0600 (MDT) (envelope-from ingham)
Message-ID: <19980818105321.58178@i-pi.com>
Date: Tue, 18 Aug 1998 10:53:21 -0600
From: Kenneth Ingham
To: freebsd-security@FreeBSD.ORG
Subject: Port 137 (was: Re: private network on router's external NIC?)
References: <35D8A7E8.2DC50695@partitur.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.89i
In-Reply-To: <xzp3eauu3bd.fsf@hrotti.ifi.uio.no>; from Dag-Erling Coidan Smørgrav on Tue, Aug 18, 1998 at 10:00:54AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Aug 18, 1998 at 10:00:54AM +0200, Dag-Erling Coidan Smørgrav wrote:
> Forged packets to the NetBIOS ports are with 99% certainty attempted
> DoS attacks (which will only succeed against Winblows boxen)

Except that NetBIOS-NS (137) port lookups come from machines with
WINS turned on doing web browsing.
I tracked this down after I sent out email to someone who was bouncing
off of my firewall. It appears that M$ tries a lookup with port 137
before the browser actually connects to get web info.

So, port 137 may not be a denial of service attack, could be just
mis-configured boxes. (but it could also be an attack...)

Kenneth

From owner-freebsd-security Tue Aug 18 15:59:01 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21756 for freebsd-security-outgoing; Tue, 18 Aug 1998 15:59:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: (from jmb@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21681; Tue, 18 Aug 1998 15:58:42 -0700 (PDT) (envelope-from jmb)
From: "Jonathan M. Bresler"
Message-Id: <199808182258.PAA21681@hub.freebsd.org>
Subject: Re: private network on router's external NIC?
In-Reply-To: <738.903414941@critter.freebsd.dk> from Poul-Henning Kamp at "Aug 18, 98 06:35:41 am"
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Tue, 18 Aug 1998 15:58:42 -0700 (PDT)
Cc: jaitken@dimension.net, sthaug@nethelp.no, girgen@partitur.se, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Poul-Henning Kamp wrote:
> But any moderately experienced BGP-gaffer will know not to accept any
> routes for:
>
> neighbor x.x.x.x distribute-list 4 in
>
> access-list 4 deny 0.0.0.0
> access-list 4 deny 10.0.0.0 0.255.255.255
> access-list 4 deny 172.16.0.0 0.0.15.255
> access-list 4 deny 192.168.0.0 0.0.255.255
> access-list 4 deny 127.0.0.0 0.255.255.255
> access-list 4 deny
> access-list 4 deny
> access-list 4 deny
>

and any ISP worth a damn will filter the BGP adverts it accepts from each
of its customers...allowing
customers to advert their own networks *only*

jmb

From owner-freebsd-security Tue Aug 18 18:01:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA15654 for freebsd-security-outgoing; Tue, 18 Aug 1998 18:01:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cal007109.student.utwente.nl (cal007109.student.utwente.nl [130.89.221.199]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA15625; Tue, 18 Aug 1998 18:01:29 -0700 (PDT) (envelope-from edwin-ml@woudt.nl)
Received: from [192.168.1.2] (helo=desktop) by cal007109.student.utwente.nl with smtp (Exim 2.02 #2) id 0z8wbJ-0001Gf-00; Wed, 19 Aug 1998 02:59:45 +0200
From: "Edwin Woudt"
To: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Date: Wed, 19 Aug 1998 03:02:53 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Gateway/firewall denial of service
Reply-to: edwin-ml@woudt.nl
X-mailer: Pegasus Mail for Win32 (v3.01a)
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I use a FreeBSD 2.2.7 machine as a gateway and firewall between a
local network and a campus-wide network. Accidentally I discovered a
way to change the routing table of the local network on the gateway
from the campus network.

The problem is that the kernel accepts ARP broadcasts on one interface
of which the IP addresses are on another interface, and so makes a
machine on the local network unreachable for the gateway.

I tried to find the bug in the source code, but I'm not a C expert. I
hope somebody who is a better programmer would go through the code and
find the bug. As the code I thought to be related looked very old,
this might be a problem in all versions of FreeBSD and even other BSD
operating systems.
In more detail:

This machine has two 3C509b cards, of which ep0 is connected to the
campus network and ep1 is connected to the local network.

+---------------+         +-----------------+
| Win98 machine |         |FreeBSD 2.2.7    |
|               |---------|<-192.168.1.1    |
|  192.168.1.2  |         |130.89.221.199 ->|-----Campus network
+---------------+         +-----------------+

# ifconfig -a
ep0: flags=8843 mtu 1500
        inet 130.89.221.199 netmask 0xffff0000 broadcast 130.89.255.255
        ether 00:a0:24:c7:7c:6e
ep1: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffff0000 broadcast 192.168.255.255
        ether 00:20:af:5c:6b:ea

Normally the entry for the win98 machine in the routing table
(netstat -r) looks like this:

Destination        Gateway            Flags     Refs     Use     Netif Expire
192.168.1.2        0:80:ad:71:3c:fc   UHLW        6   366621     ep1   1197

But if another computer with the same IP address (192.168.1.2) connects
to the campus network, I get the following kernel message:

/kernel: arp: 192.168.1.2 moved from 00:80:ad:71:3c:fc to 00:00:e8:2f:c6:be

After that the routing table is like this:

Destination        Gateway            Flags     Refs     Use     Netif Expire
192.168.1.2        0:00:e8:2f:c6:be   UHLW        6   366621     ep1   1197

So, the interface is still the same, but the MAC address has changed to
that of a network card on the campus network, which is on interface ep0.
Result: 192.168.1.2 is unreachable on ep1....

This happened because a wrongly configured machine connected to the
campus network. But if someone wants, one can use this to make a
complete local network (not just 1 machine) unreachable.

Suggestion: Make it impossible to change a routing table entry on one
interface through another interface.

Edwin Woudt

=====================================================================
Edwin Woudt        ("`-''-/").___..--''"`-._          Calslaan 7-109
                    `6_ 6  )   `-.  (     ).`-.__.`)  7522 MH Enschede
edwin@woudt.nl      (_Y_.)'  ._   )  `._ `. ``-..-'   The Netherlands
                  _..`--'_..-_/  /--'_.'
,' ICQ: 1156462 (il),-'' (li),' ((!.-' +31 53 489 5010 ===================================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Aug 18 18:09:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA17018 for freebsd-security-outgoing; Tue, 18 Aug 1998 18:09:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ppc1.cybertime.ch (ppc1.cybertime.ch [194.191.120.136]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA17009 for ; Tue, 18 Aug 1998 18:09:28 -0700 (PDT) (envelope-from pajarola@cybertime.ch) Received: from tyr.cybertime.ch by ppc1.cybertime.ch (AIX 4.1/UCB 5.64/4.03) id AA16914; Wed, 19 Aug 1998 03:08:28 +0200 Message-Id: <3.0.32.19980819030858.007ec2a0@www.dlc.cybertime.ch> X-Sender: pajarola@www.dlc.cybertime.ch X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Wed, 19 Aug 1998 03:09:32 +0200 To: security@FreeBSD.ORG From: Rico Pajarola Subject: Re: Why don't winblows program have buffer overruns? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org sometime in the past you wrote: >I don't turn on NetBIOS on any Windows machine I use or administer. In >fact, about the only thing they'll respond to is a ping. > >- --Brett Oh, I didn't know you can actually administer windows machines... I thought you could only reinstall them :) this thread is going off-topic... 
s/freebsd-security/freebsd-chat/ Rico To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Tue Aug 18 20:06:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA04485 for freebsd-security-outgoing; Tue, 18 Aug 1998 20:06:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.pinboard.com (mail.pinboard.com [194.209.195.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA04477 for ; Tue, 18 Aug 1998 20:05:58 -0700 (PDT) (envelope-from Kurt@pinboard.com) Received: (from uucp@localhost) by mail.pinboard.com (8.8.8-19984P01-KK/8.8.8-19984D01-KK) with UUCP id FAA23315 for freebsd-security@FreeBSD.ORG; Wed, 19 Aug 1998 05:03:53 +0200 (CEST) (envelope-from Kurt@pinboard.com) Received: from chibi (chibi.pbdhome.pinboard.com [192.168.0.3]) by squirrel.pbdhome.pinboard.com (8.9.1/8.9.1-19980817-01/KK) with SMTP id WAA27664 for ; Tue, 18 Aug 1998 22:54:39 +0200 (CEST) (envelope-from: Kurt@pinboard.com) Message-Id: <3.0.5.16.19980818221708.1a172ab4@pop.pbdhome.pinboard.com> Organization: PINBOARD - http://www.pinboard.com/ X-Sender: kurt@pop.pbdhome.pinboard.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (16) Date: Tue, 18 Aug 1998 22:17:08 To: freebsd-security@FreeBSD.ORG From: Kurt Keller Subject: Re: Port 137 (was: Re: private network on router's external NIC?) In-Reply-To: <19980818105321.58178@i-pi.com> References: <35D8A7E8.2DC50695@partitur.se> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-PINBOARD-SpamCheck: v19984P01/KK Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Except that Newbios-NS (137) port lookups come from machines with >WINS turned on doing web browsing. I tracked this down after I To me it seems web servers send out packets to port 137 as well. 
Not using WINS internally and browsing through a double proxy
connection, we filter out lots of _incoming_ packets to port 137. From
one site there are also such packets at night, when nobody is surfing.
Contacting their administrator I was told that at night they process
access and routing statistics on a WIN box.

Oh, how much bandwidth we'd save without those MS-boxes...

Kurt
--
Kurt@pinboard.com
http://www.pinboard.com/       business
http://www.pinboard.com/kurt/  private

From owner-freebsd-security Wed Aug 19 02:18:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA14558 for freebsd-security-outgoing; Wed, 19 Aug 1998 02:18:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA14454 for ; Wed, 19 Aug 1998 02:17:32 -0700 (PDT) (envelope-from nbm@rucus.ru.ac.za)
Received: (qmail 19604 invoked by uid 1003); 19 Aug 1998 09:16:35 -0000
Message-ID: <19980819111635.A18535@rucus.ru.ac.za>
Date: Wed, 19 Aug 1998 11:16:35 +0200
From: Neil Blakey-Milner
To: Michael Richards <026809r@dragon.acadiau.ca>, security@FreeBSD.ORG
Subject: Re: Why don't winblows program have buffer overruns?
References: <199808162301.UAA09103@dragon.acadiau.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199808162301.UAA09103@dragon.acadiau.ca>; from Michael Richards on Sun, Aug 16, 1998 at 08:01:11PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun 1998-08-16 (20:01), Michael Richards wrote:
> Why aren't there buffer overruns for winblows that overrun the stack and
> execute nasty code? I realise that there is no way to get a shell, but being
> able to exec "format" is still a useful thing for a cracker to do on a
> windows box.
On Bugtraq recently, a Microsoft bulletin (MS98-011):

//------
Long strings do not normally occur in scripts and must be intentionally
created by someone with malicious intent. A skilled hacker could use
this malicious script message to run arbitrary computer code contained
in the long string.

The following software is affected by this vulnerability:

- Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1 on Windows 95 and
  Windows NT 4.0
- Microsoft Windows 98

Internet Explorer 4 for Windows 3.1, Windows NT 3.51, Macintosh and UNIX
(Solaris) are not affected by this problem. Internet Explorer 3.x is not
affected by this problem.
//------

Neil
--
Neil Blakey-Milner
nbm@rucus.ru.ac.za

From owner-freebsd-security Wed Aug 19 05:34:54 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA02853 for freebsd-security-outgoing; Wed, 19 Aug 1998 05:34:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bright.fx.genx.net (bright.fx.genx.net [206.64.4.154]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA02837; Wed, 19 Aug 1998 05:34:50 -0700 (PDT) (envelope-from bright@www.hotjobs.com)
Received: from localhost (bright@localhost) by bright.fx.genx.net (8.9.1/8.8.8) with SMTP id IAA18986; Wed, 19 Aug 1998 08:35:05 -0500 (EST) (envelope-from bright@hotjobs.com)
X-Authentication-Warning: bright.fx.genx.net: bright owned process doing -bs
Date: Wed, 19 Aug 1998 08:35:05 -0500 (EST)
From: Alfred Perlstein
X-Sender: bright@bright.fx.genx.net
To: Edwin Woudt
cc: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How about adding an option to ignore ARPs from certain IPs to ipfw?
ala:

ipfw add 10 deny arp from 192.168.0.0/16 to any via (outside interface)

Alfred Perlstein - Programmer, HotJobs Inc. - www.hotjobs.com
-- There are operating systems, and then there's BSD. -- http://www.freebsd.org/

On Wed, 19 Aug 1998, Edwin Woudt wrote:

> I use a FreeBSD 2.2.7 machine as a gateway and firewall between a
> local network and a campus-wide network. Accidentally I discovered a
> way to change the routing table of the local network on the gateway
> from the campus network.
>
> The problem is that the kernel accepts ARP broadcasts on one interface
> of which the IP addresses are on another interface and so making a
> machine on the local network unreachable for the gateway.
>
> I tried to find the bug in the source code, but I'm not a C expert. I
> hope somebody who is a better programmer would go through the code and
> find the bug. As the code I thought to be related looked very old,
> this might be a problem in all versions of FreeBSD and even other BSD-
> operating systems.
.....
> Suggestion: Make it impossible to change a routing table entry on one
> interface through another interface.
>
>
> Edwin Woudt
>
>
>
> =====================================================================
> Edwin Woudt           ("`-''-/").___..--''"`-._          Calslaan 7-109
>                        `6_ 6  )   `-.  (     ).`-.__.`)  7522 MH Enschede
> edwin@woudt.nl        (_Y_.)'  ._   )  `._ `. ``-..-'    The Netherlands
>                     _..`--'_..-_/  /--'_.'       ,'
> ICQ: 1156462       (il),-''  (li),'  ((!.-'               +31 53 489 5010
> =====================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Wed Aug 19 05:48:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA04192 for freebsd-security-outgoing; Wed, 19 Aug 1998 05:48:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dana.clari.net.au (dana.clari.net.au [203.27.85.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA04176; Wed, 19 Aug 1998 05:48:37 -0700 (PDT) (envelope-from thepish@freebsd.org)
Received: from localhost (thepish@localhost) by dana.clari.net.au (8.8.8/8.8.7) with SMTP id WAA15806; Wed, 19 Aug 1998 22:47:26 +1000 (EST) (envelope-from thepish@freebsd.org)
X-Authentication-Warning: dana.clari.net.au: thepish owned process doing -bs
Date: Wed, 19 Aug 1998 22:47:25 +1000 (EST)
From: Peter Hawkins
X-Sender: thepish@dana.clari.net.au
To: Edwin Woudt
cc: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In general, when duplicate IPs are assigned on a segment, the router will commence routing to the new MAC address after it is ARPed which is precisely what FreeBSD did for you. Locking an address doesn't really constitute a solution as the router cannot determine which of the two machines has the correct mac address - one could deny service permanently by booting first.
Flipping the mac address is correct as the most common cause of a mac address change is quite innocuous - a machine has been shut down for an ethernet card swap and rebooted. Locking an address to a mac address would make it very difficult to change ethernet cards in machines.

Basically, the behaviour you saw is correct.

Peter

Hilink Internet                  Peter Hawkins
381 Swan St                      Ph: +61-3-9421 2006
Richmond, Vic, Australia         Fax: +61-3-9421 2007
http://www.hilink.com.au         Peter@hilink.com.au
FreeBSD Project: thepish@FreeBSD.org

From owner-freebsd-security Wed Aug 19 06:41:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA11294 for freebsd-security-outgoing; Wed, 19 Aug 1998 06:41:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cal007109.student.utwente.nl (cal007109.student.utwente.nl [130.89.221.199]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA11258; Wed, 19 Aug 1998 06:41:22 -0700 (PDT) (envelope-from edwin-ml@woudt.nl)
Received: from [192.168.1.2] (helo=desktop) by cal007109.student.utwente.nl with smtp (Exim 2.02 #2) id 0z98Sg-0001u7-00; Wed, 19 Aug 1998 15:39:38 +0200
From: "Edwin Woudt"
To: Edwin Woudt , Peter Hawkins
Date: Wed, 19 Aug 1998 15:42:47 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Gateway/firewall denial of service
Reply-to: edwin@woudt.nl
CC: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
References:
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01a)
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In general, when duplicate IPs are assigned on a segment, the router
> will commence routing to the new MAC address after it is ARPed which
> is precisely what FreeBSD did for you.
> Locking an address doesn't really
> constitute a solution as the router cannot determine which of the two
> machines has the correct mac address - one could deny service permanently
> by booting first. Flipping the mac address is correct as the most common
> cause of a mac address change is quite innocuous - a machine has been
> shut down for an ethernet card swap and rebooted. Locking an address to
> a mac address would make it very difficult to change ethernet cards in
> machines.

Those duplicate IPs are not on the same segment. My local computer is on my local segment (192.168.0.0/16). This segment is connected to network card 'ep1'. The problem is that it accepts new MAC addresses for this segment on the other interface: 'ep0'. Though it changes the MAC address, it doesn't change the interface in the routing table. So after this happens it tries to contact my local machine via ep1, but the MAC address in its routing table is from a network card on ep0 (the campus network).

Edwin Woudt

=====================================================================
Edwin Woudt           ("`-''-/").___..--''"`-._          Calslaan 7-109
                       `6_ 6  )   `-.  (     ).`-.__.`)  7522 MH Enschede
edwin@woudt.nl        (_Y_.)'  ._   )  `._ `. ``-..-'    The Netherlands
                    _..`--'_..-_/  /--'_.'       ,'
ICQ: 1156462       (il),-''  (li),'  ((!.-'               +31 53 489 5010
=====================================================================

From owner-freebsd-security Wed Aug 19 08:26:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA01015 for freebsd-security-outgoing; Wed, 19 Aug 1998 08:26:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from relay.hq.tis.com (relay.hq.tis.com [192.94.214.100]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA01009 for ; Wed, 19 Aug 1998 08:26:54 -0700 (PDT) (envelope-from feldman@tis.com)
Received: by relay.hq.tis.com; id LAA09360; Wed, 19 Aug 1998 11:20:59 -0400 (EDT)
Received: from clipper.hq.tis.com(10.33.1.2) by relay.hq.tis.com via smap (4.0a) id xma009279; Wed, 19 Aug 98 11:20:05 -0400
Received: from clipper (localhost [127.0.0.1]) by clipper.hq.tis.com (8.7.5/8.7.3) with ESMTP id LAA26697; Wed, 19 Aug 1998 11:14:18 -0400 (EDT)
Message-Id: <199808191514.LAA26697@clipper.hq.tis.com>
To: Philippe Regnauld
cc: freebsd-security@FreeBSD.ORG, badger@tis.com, feldman@tis.com, Robert Watson
Subject: Re: Fwd: "Using capabilties aaginst shell code" (fwd)
Date: Wed, 19 Aug 1998 11:14:17 -0400
From: Mark S Feldman
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Philippe,

Your message to the freebsd-security list was passed to me. I'm the project leader for the Generic Software Wrappers project at TIS Labs at Network Associates. In short, under DARPA contract F30602-96-C-0333, we have developed a Wrapper Definition Language (WDL) based on 'C' which makes it easy to identify system events of interest (e.g., named system calls, all system calls containing a path parameter, system calls available only to root), to intercept them, and to deny, augment, or transform those events.
We have developed a prototype under FreeBSD, including a wrapper compiler which compiles WDL into 'C', a Wrapper Support Subsystem implemented as a Loadable Kernel Module, and various support programs. We are currently porting to Solaris and Windows NT. Our source is not currently organized for distribution, but, once it is, it will be made available for free for non-commercial use.

> Is this any form of restriction that can be implemented
> in *BSD systems ? I.e.: restricting system calls to
> certain classes of daemons ?

One of our simpler wrappers is the noadmin wrapper, which prevents a wrapped process, even one running as root, from executing certain administrative system calls:

    /*
     * $Id: noadmin.wr,v 1.5 1998/04/20 19:05:08 ko Exp $
     *
     * noadmin.wr
     *
     * A wrapper that denies certain administrative syscalls.
     */
    #include "../../wr.include/bsd.ch"

    wrapper noadmin {
        bsd::op{mount || unmount || ptrace || quotactl || acct || swapon ||
                mknod || adjtime || ktrace || reboot || settimeofday} pre {
            return WR_DENY | WR_BADPERM;
        };
    }

In the wrapper, bsd.ch contains a characterization of the system API. It starts with the 'C' prototype, and then adds additional attributes that make it possible to group system calls and to deal with their parameters. The wrapper runs in the bsd domain and looks for the named operations. It intercepts before the operation occurs (pre keyword), prevents it from executing, making it appear to be a permission-denied type error.

> As mentioned in the example below, why should POPd be allowed
> to exec() ? This seems like a very sane approach (of course,
> it implies knowledge/auditing of the code).

In addition to our wrappers, which specify what events to look for and how to handle them, we have activation criteria, which determine which wrappers wrap a process. Activation criteria are simple boolean expressions which can be based on the uid, gid, program name, etc.
If the pop daemon were named popd, the following activation criteria would cause it to be wrapped by the noadmin wrapper:

    prog == popd ==> noadmin

As for not knowing what system calls a process needs to get the job done, it could first be run under a wrapper like dbcallcount, which tracks all system calls made by wrapped processes and uses Wrapper Query Language (WQL) to store call counts in our fast, lightweight database which can be viewed using our GUI or CLI from user space:

    /*
     * $Id: dbcallcount.wr,v 1.7 1998/08/06 19:45:17 ko Exp $
     *
     * dbcallcount.wr
     *
     * This wrapper keeps track of the number of times each syscall is
     * attempted.
     *
     * Use the "wrselect" program to view the tables created.
     *
     */
    #include "../../wr.include/bsd.ch"
    #include "../../wr.include/libwr.h"

    wrapper dbcallcount {
        DBTABLE callcountTable {
            char(20) key name;
            int count;
        };
        callcountTable callcount;

        wr_activate() {
            int i;

            /* create the table. */
            i = wql { create table callcount; };
            if (i < 0)
                wr_printf("Error creating table.\n");
        }

        wr_duplicate() {
            /* create the table. */
            wql { create table callcount; };
        }

        wr_deactivate() {
            /* Drop the table. */
            wql { drop table callcount; };
        }

        /* Catch all syscalls */
        bsd::op{*} pre {
            int retVal;

            /* If syscall is in the db, increment count. */
            /* If not, add the syscall to the database. */
            retVal = wql { update callcount set .count = .count + 1 where .name = $$; };
            if (retVal <= 0) {
                wql { insert into callcount values ($$, 1); };
            }
        };
    }

> > Then we could have certain untrusted (i.e.: running as
> root) daemons launched in such an environment, on top
> of being chroot()ed.
...

Yup. And wrappers provide a mechanism to do that. Take a look at the following wrapper which creates a simple, if silly, synthetic environment:

    /*
     * $Id: dbsynthetic.wr,v 1.5 1998/08/19 15:30:08 feldman Exp $
     *
     * This wrapper provides a synthetic environment, doing string
     * substitutions on path names.
     *
     */
    #include "../../wr.include/bsd.ch"
    #include "../../wr.include/libwr.h"

    wrapper dbsynthetic {
        /* Null-terminated array of substitution string pairs.  Each target
         * entry, if found in a path, will be replaced by the replacement
         * entry.  Regular expressions, as defined in WDL, can be used for
         * the targets. */
        DBTABLE path_table {
            char(256) target;
            char(256) replacement;
        };
        DBTABLE alert_table {
            char(256) path;
            char(256) fullname;
            int pid;
            int uid;
        };
        path_table global pathnames;
        alert_table global alerts;

        wr_install() {
            DBROW::path_table row;

            wql {
                create table pathnames;
                create table alerts;
                insert into pathnames values
                    ("/etc/master.passwd", "/etc/passwd"),
                    ("/kernel", "/etc/motd"),
                    ("/lkm", "/tmp"),
                    ("/usr/games", "/usr/bin"),
                    ("/usr/tmp", "/tmp"),
                    ("/var/tmp", "/tmp");
                select into row from pathnames;
            };
        }

        wr_uninstall() {
            wql {
                drop table pathnames;
                drop table alerts;
            };
        }

        /* Intercept all syscalls containing paths before they run */
        bsd::pattr{path} pre {
            DBROW::path_table row;
            string fullname;
            int changed = 0;

            /* Attempt to convert path from relative to absolute.  If
             * the conversion doesn't succeed, it's a bad path.  This
             * would normally be the end, but since we may be
             * redirecting from a non-existent path to one that exists,
             * we'll proceed */
            if ((fullname = wr_abspath($path)) == NULL) {
                fullname = wr_strdup($path);
            }

            wql { select into row from pathnames; };
            do {
                /* Do string substitutions for each pair of pathnames
                 * and remember if any occurred. */
                if (fullname =~ s|row.target|row.replacement|)
                    changed++;
            } while (row.next());

            /* Write out an alert to the database and change the path
             * parameter if any substitutions occurred. */
            if (changed) {
                wql { insert into alerts values ($path, fullname, _pid, _uid); };
                $path = fullname;
            }

            /* Cleanup */
            wr_free(fullname);
        };
    }

My response is undoubtedly way too long. I'll make sure that a message is sent to this list when we make our source available. In the mean time, if you have any questions, let me know.
Mark
-----
Mark S. Feldman                          TIS Labs at Network Associates, Inc.
phone: +1 301 854 6889                   3060 Washington Road
fax:   +1 301 854 5363                   Glenwood, Maryland 21738

From owner-freebsd-security Wed Aug 19 10:08:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA17321 for freebsd-security-outgoing; Wed, 19 Aug 1998 10:08:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hosting.doublesquare.com (hosting.doublesquare.com [195.5.128.151]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA17295 for ; Wed, 19 Aug 1998 10:08:18 -0700 (PDT) (envelope-from ark@eltex.ru)
From: ark@eltex.ru
Received: from eltex.ru (eltex-spiiras.nw.ru [195.19.204.46] (may be forged)) by hosting.doublesquare.com (8.8.8/8.8.8) with ESMTP id VAA00721 for ; Wed, 19 Aug 1998 21:07:29 +0400 (MSD)
Received: from paranoid.eltex.spb.ru (root@border.eltex.ru [195.19.198.2]) by eltex.ru (8.8.8/8.8.8) with ESMTP id VAA26424 for ; Wed, 19 Aug 1998 21:07:43 +0400 (MSD)
Received: (from ark@localhost) by paranoid.eltex.spb.ru (8.8.8/8.7.3) id VAA17086; Wed, 19 Aug 1998 21:06:22 GMT
Date: Wed, 19 Aug 1998 21:06:22 GMT
Message-Id: <199808192106.VAA17086@paranoid.eltex.spb.ru>
Organization: "Klingon Imperial Intelligence Service"
Subject: ipsec and swipe?
To: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Did anybody try to port NetBSD ipsec and/or swIPe to freebsd?

 _ _ _ _ _ _ _
{::} {::} {::}   CU in Hell              _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##)   /Arkan#iD              |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||]   Do i believe in Bible? Hell,man,i've seen one!
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Aug 19 12:01:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA06949 for freebsd-security-outgoing; Wed, 19 Aug 1998 12:01:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from axl.training.iafrica.com (axl.training.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA06907 for ; Wed, 19 Aug 1998 12:01:24 -0700 (PDT) (envelope-from sheldonh@axl.training.iafrica.com)
Received: from sheldonh (helo=axl.training.iafrica.com) by axl.training.iafrica.com with local-esmtp (Exim 1.92 #1) for freebsd-security@freebsd.org id 0z9DTQ-0005Rj-00; Wed, 19 Aug 1998 21:00:44 +0200
From: Sheldon Hearn
To: freebsd-security@FreeBSD.ORG
Subject: REQ: free pop3 daemon recommendations
Date: Wed, 19 Aug 1998 21:00:44 +0200
Message-ID: <20938.903553244@axl.training.iafrica.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi folks,

Having followed the bloated and eventually off-topic discussions that spawned off the qpopper vulnerability announcement, I don't recall anyone mentioning free alternatives.

From the comments that I remember, both cucipop and qpopper are horribly written and untrusted by people whose opinions I respect.

The question is, can anyone with a clue recommend a free POP3 daemon that he or she considers well-written and "tight"? Ideally, something that supports the POP3 TOP command would be great, but that's not essential.
To avoid the sort of off-topic crap that developed the last time anyone came near this issue, I propose that answers come to me directly (not the list) and I'll post a digest of feedback to the list.

Thanks,
Sheldon.

From owner-freebsd-security Wed Aug 19 12:57:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA17587 for freebsd-security-outgoing; Wed, 19 Aug 1998 12:57:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alpha.xerox.com (omega.Xerox.COM [13.1.64.95]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA17555; Wed, 19 Aug 1998 12:57:35 -0700 (PDT) (envelope-from fenner@parc.xerox.com)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <40657(2)>; Wed, 19 Aug 1998 12:56:54 PDT
Received: from localhost by crevenia.parc.xerox.com with SMTP id <177531>; Wed, 19 Aug 1998 12:56:39 -0700
To: edwin@woudt.nl
cc: Edwin Woudt , Peter Hawkins , freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-reply-to: Your message of "Wed, 19 Aug 98 07:42:47 PDT."
Date: Wed, 19 Aug 1998 12:56:24 PDT
From: Bill Fenner
Message-Id: <98Aug19.125639pdt.177531@crevenia.parc.xerox.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think the proper fix is for arp to ignore ARP replies for an address that the routing table routes to a different interface.
Bill

From owner-freebsd-security Wed Aug 19 13:41:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA26877 for freebsd-security-outgoing; Wed, 19 Aug 1998 13:41:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from anne.crossfields.com (anne.crossfields.com [205.241.85.170]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA26870 for ; Wed, 19 Aug 1998 13:41:04 -0700 (PDT) (envelope-from pparri@crossfields.com)
Received: from [207.43.27.74] (dial44.brazoria.tgn.net [207.43.27.74]) by anne.crossfields.com (8.8.8/8.8.5) with SMTP id PAA02719; Wed, 19 Aug 1998 15:43:07 -0500 (CDT)
Message-Id: <199808192043.PAA02719@anne.crossfields.com>
Subject: denial of unsubscribe
Date: Wed, 19 Aug 98 15:44:28 -0500
x-mailer: Claris Emailer 1.1
From: Pat Parrinello
To: "Bill Fenner"
cc:
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How does one get off this list?

doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message"

does not work.
From owner-freebsd-security Wed Aug 19 14:19:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA04828 for freebsd-security-outgoing; Wed, 19 Aug 1998 14:19:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA04821; Wed, 19 Aug 1998 14:19:11 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id RAA07353; Wed, 19 Aug 1998 17:18:12 -0400 (EDT) (envelope-from wollman)
Date: Wed, 19 Aug 1998 17:18:12 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808192118.RAA07353@khavrinen.lcs.mit.edu>
To: Bill Fenner
Cc: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-Reply-To: <98Aug19.125639pdt.177531@crevenia.parc.xerox.com>
References: <98Aug19.125639pdt.177531@crevenia.parc.xerox.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I think the proper fix is for arp to ignore ARP replies for an address
> that the routing table routes to a different interface.

This seems reasonable.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA |                 - Susan Aglukark and Chad Irschick

From owner-freebsd-security Wed Aug 19 18:09:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA15310 for freebsd-security-outgoing; Wed, 19 Aug 1998 18:09:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hme0.smtp05.sprint.ca (hme0.smtp05.sprint.ca [207.107.250.75]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA15268 for ; Wed, 19 Aug 1998 18:09:20 -0700 (PDT) (envelope-from wettoast@sprint.ca)
Received: from sprint.ca (spc-isp-tor-uas-17-18.sprint.ca [209.5.19.69]) by hme0.smtp05.sprint.ca (8.8.8/8.8.8) with ESMTP id VAA27837; Wed, 19 Aug 1998 21:08:31 -0400 (EDT)
Message-ID: <35DB7639.36B47832@sprint.ca>
Date: Wed, 19 Aug 1998 21:04:59 -0400
From: wettoast
X-Mailer: Mozilla 4.5b1 [en] (Win95; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Pat Parrinello
CC: Bill Fenner , freebsd-security@FreeBSD.ORG
Subject: Re: denial of unsubscribe
References: <199808192043.PAA02719@anne.crossfields.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Pat Parrinello wrote:

> How does one get off this list?
>
> doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message"
>
> does not work.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

hi, im getting the same problem here, i unsubscribed from the other FreeBSD lists fine, this one is evil :P Just reply's with >>unsubscribe security...
From owner-freebsd-security Wed Aug 19 19:27:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA25184 for freebsd-security-outgoing; Wed, 19 Aug 1998 19:27:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from bilbo.indcom.gov.au (bilbo.indcom.gov.au [203.0.25.164]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA25176 for ; Wed, 19 Aug 1998 19:27:12 -0700 (PDT) (envelope-from ktealby@pc.gov.au)
Received: (from smap@localhost) by bilbo.indcom.gov.au (8.8.5/8.8.5) id MAA05552 for ; Thu, 20 Aug 1998 12:29:15 +1000 (EST)
Message-Id: <199808200229.MAA05552@bilbo.indcom.gov.au>
X-Authentication-Warning: bilbo.indcom.gov.au: smap set sender to using -f
Received: from exchmel1.pc.gov.au(203.0.41.226) by bilbo.indcom.gov.au via smap (V2.0) id xma005543; Thu, 20 Aug 98 12:29:07 +1000
Received: by intrapc.pc.gov.au with Internet Mail Service (5.5.1960.3) id ; Thu, 20 Aug 1998 12:26:39 +1000
From: "Tealby, Kevin"
To: "'smtp:freebsd-security@freebsd.org'"
Subject: Re: denial of unsubscribe
Date: Thu, 20 Aug 1998 12:22:00 +1000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Me too

All the best
Kevin

----------
> From: wettoast
> To: Pat Parrinello
> Cc: Bill Fenner; freebsd-security@FreeBSD.ORG
> Subject: Re: denial of unsubscribe
> Date: Thursday, 20 August 1998 11:04AM
>
> Pat Parrinello wrote:
>
> > How does one get off this list?
> >
> > doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message"
> >
> > does not work.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message
> >
>
> hi, im getting the same problem here, i unsubscribed from the other
> FreeBSD lists fine, this one is evil :P Just reply's with >>unsubscribe
> security...
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Wed Aug 19 19:58:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA28082 for freebsd-security-outgoing; Wed, 19 Aug 1998 19:58:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from empnet.com (empnet.com [12.7.96.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA28075 for ; Wed, 19 Aug 1998 19:58:53 -0700 (PDT) (envelope-from scex@dqc.org)
Received: from dqc.org (scex@dqc.org [12.7.119.10]) by empnet.com (8.8.8/EmpireNet-1) with SMTP id UAA17069; Wed, 19 Aug 1998 20:00:04 -0700 (PDT)
Date: Wed, 19 Aug 1998 20:02:40 -0700 (PDT)
From: scex
To: "Tealby, Kevin"
cc: "'smtp:freebsd-security@freebsd.org'"
Subject: Re: denial of unsubscribe
In-Reply-To: <199808200229.MAA05552@bilbo.indcom.gov.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

echo 'unsubscribe freebsd-security' |mail majordomo@freebsd.org.
From owner-freebsd-security Wed Aug 19 19:59:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA28264 for freebsd-security-outgoing; Wed, 19 Aug 1998 19:59:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA28238; Wed, 19 Aug 1998 19:59:52 -0700 (PDT) (envelope-from benedict@echonyc.com)
Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id WAA27716; Wed, 19 Aug 1998 22:59:02 -0400 (EDT)
Date: Wed, 19 Aug 1998 22:59:02 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Garrett Wollman
cc: Bill Fenner , freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-Reply-To: <199808192118.RAA07353@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 19 Aug 1998, Garrett Wollman wrote:

> < said:
>
> > I think the proper fix is for arp to ignore ARP replies for an address
> > that the routing table routes to a different interface.
>
> This seems reasonable.

Why not just ignore replies on interfaces other than the one the request was sent on? Is connecting to the same segment with more than one interface supported, btw?

Ben

"You have your mind on computers, it seems."
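The fix Bill Fenner proposed earlier in this thread, as an added C illustration that is not FreeBSD's in_arpinput() or any code from the list: a simulated ARP cache whose update path drops a reply (solicited or not) when the routing table reaches the sender address through a different interface than the one the reply arrived on, while still accepting a MAC change on the right interface as Peter Hawkins wants. The interface names, prefixes, MAC addresses and the function names route_lookup, arp_input and demo_gateway_case are constructed for the example.

```c
/* Added illustration (not FreeBSD's in_arpinput()) of the check Bill Fenner
 * proposes above: an ARP reply, solicited or not, may update the cache entry
 * for an address only if the routing table reaches that address through the
 * interface the reply arrived on.  Interface names, prefixes and MAC
 * addresses are constructed sample data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARP 8
struct route { uint32_t net, mask; const char *ifname; };  /* host byte order */
struct arp_entry { uint32_t ip; uint8_t mac[6]; const char *ifname; };
struct arp_cache { struct arp_entry e[MAX_ARP]; int n; };

/* Longest-prefix match: the interface a packet to ip would leave through. */
const char *route_lookup(const struct route *rt, size_t nrt, uint32_t ip)
{
    const char *best = NULL;
    uint32_t best_mask = 0;
    for (size_t i = 0; i < nrt; i++)
        if ((ip & rt[i].mask) == rt[i].net && (best == NULL || rt[i].mask > best_mask)) {
            best = rt[i].ifname;
            best_mask = rt[i].mask;
        }
    return best;
}

struct arp_entry *arp_find(struct arp_cache *c, uint32_t ip)
{
    for (int i = 0; i < c->n; i++)
        if (c->e[i].ip == ip)
            return &c->e[i];
    return NULL;
}

/* Handle the sender fields of an ARP reply received on rx_if.
 * Returns 1 if the cache was updated, 0 if the reply was dropped. */
int arp_input(struct arp_cache *c, const struct route *rt, size_t nrt,
              const char *rx_if, uint32_t sender_ip, const uint8_t mac[6])
{
    const char *route_if = route_lookup(rt, nrt, sender_ip);
    /* Proposed fix: the address is routed via another interface (or none),
     * so a reply for it on rx_if is bogus.  Log it and leave the entry alone. */
    if (route_if == NULL || strcmp(route_if, rx_if) != 0) {
        printf("arp: ignoring reply for %u.%u.%u.%u on %s, address routed via %s\n",
               sender_ip >> 24, (sender_ip >> 16) & 0xff, (sender_ip >> 8) & 0xff,
               sender_ip & 0xff, rx_if, route_if ? route_if : "no interface");
        return 0;
    }
    struct arp_entry *e = arp_find(c, sender_ip);
    if (e == NULL) {
        if (c->n == MAX_ARP)
            return 0;
        e = &c->e[c->n++];
        e->ip = sender_ip;
    }
    memcpy(e->mac, mac, 6);   /* same interface: a MAC change (card swap) is accepted */
    e->ifname = rx_if;
    return 1;
}

/* The gateway from the thread: local net on ep1, campus net on ep0. */
const struct route sample_routes[] = {
    { 0x82590000u, 0xffff0000u, "ep0" },   /* 130.89.0.0/16, constructed campus net */
    { 0xc0a80000u, 0xffff0000u, "ep1" },   /* 192.168.0.0/16, local net */
};
#define SAMPLE_NROUTES (sizeof sample_routes / sizeof sample_routes[0])

/* Replays the report.  Returns 1 when the local entry is learned on ep1, an
 * unsolicited reply for it on ep0 is dropped without touching the entry, and
 * a later MAC change on ep1 (card swap) is still accepted; 0 otherwise. */
int demo_gateway_case(void)
{
    struct arp_cache cache = { 0 };
    const uint8_t local_mac[6] = { 0x00, 0x60, 0x8c, 0x11, 0x22, 0x33 };
    const uint8_t rogue_mac[6] = { 0x00, 0xa0, 0x24, 0xaa, 0xbb, 0xcc };
    const uint8_t new_mac[6]   = { 0x00, 0x60, 0x8c, 0x44, 0x55, 0x66 };
    uint32_t victim = 0xc0a80102u;          /* 192.168.1.2 */
    const struct arp_entry *e;

    if (!arp_input(&cache, sample_routes, SAMPLE_NROUTES, "ep1", victim, local_mac))
        return 0;
    if (arp_input(&cache, sample_routes, SAMPLE_NROUTES, "ep0", victim, rogue_mac))
        return 0;
    e = arp_find(&cache, victim);
    if (e == NULL || memcmp(e->mac, local_mac, 6) != 0 || strcmp(e->ifname, "ep1") != 0)
        return 0;
    if (!arp_input(&cache, sample_routes, SAMPLE_NROUTES, "ep1", victim, new_mac))
        return 0;
    e = arp_find(&cache, victim);
    return e != NULL && memcmp(e->mac, new_mac, 6) == 0;
}

int main(void)
{
    return demo_gateway_case() ? 0 : 1;
}
```

Because the decision is made from the routing table rather than from remembering which interface a request went out on, it also covers replies nobody asked for, which is the case Edwin reported.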
From owner-freebsd-security Wed Aug 19 21:06:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA08484 for freebsd-security-outgoing; Wed, 19 Aug 1998 21:06:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA08478 for ; Wed, 19 Aug 1998 21:06:30 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from obie.softweyr.com (zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with SMTP id WAA07418; Wed, 19 Aug 1998 22:07:46 -0600 (MDT) (envelope-from wes@softweyr.com)
Date: Wed, 19 Aug 1998 22:07:46 -0600 (MDT)
Message-Id: <199808200407.WAA07418@obie.softweyr.com>
Subject: Re: denial of unsubscribe
From: Wes Peters
To: fenner@parc.xerox.com, pparri@crossfields.com
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Wes Peters
In-Reply-To: <199808192043.PAA02719@anne.crossfields.com>
References: <199808192043.PAA02719@anne.crossfields.com>
X-Priority: 3 (Normal)
X-Mailer: BeatWare Mail-It 1.6
X-BeOS-Platform: Intel or clone
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id VAA08480
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

My hidden microphone recorded Pat Parrinello (pparri@crossfields.com) saying:

%
% How does one get off this list?
%
% doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
% with "unsubscribe security" in the body of the message"
%
% does not work.
%
% To Unsubscribe: send mail to majordomo@FreeBSD.org
% with "unsubscribe security" in the body of the message

This is a *security* list. You could unsubscribe, but then we'd have to shoot you. ;^)

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
http://www.softweyr.com/~softweyr                       wes@softweyr.com

From owner-freebsd-security Wed Aug 19 21:19:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA10999 for freebsd-security-outgoing; Wed, 19 Aug 1998 21:19:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA10994 for ; Wed, 19 Aug 1998 21:19:32 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id VAA23768; Wed, 19 Aug 1998 21:18:50 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Wed, 19 Aug 1998 21:18:49 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Wes Peters
cc: fenner@parc.xerox.com, pparri@crossfields.com, freebsd-security@FreeBSD.ORG
Subject: Re: denial of unsubscribe
In-Reply-To: <199808200407.WAA07418@obie.softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

IMHO anyone running freebsd should be on this list. :)

-- Yan

www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Wed, 19 Aug 1998, Wes Peters wrote:

>My hidden microphone recorded Pat Parrinello (pparri@crossfields.com) saying:
>
>%
>% How does one get off this list?
>%
>% doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
>% with "unsubscribe security" in the body of the message"
>%
>% does not work.
>%
>% To Unsubscribe: send mail to majordomo@FreeBSD.org
>% with "unsubscribe security" in the body of the message
>
>This is a *security* list. You could unsubscribe, but then we'd have
>to shoot you. ;^)
>
>--
> "Where am I, and what am I doing in this handbasket?"
>
>Wes Peters                                                  Softweyr LLC
>http://www.softweyr.com/~softweyr                       wes@softweyr.com
>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Wed Aug 19 23:02:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA25600 for freebsd-security-outgoing; Wed, 19 Aug 1998 23:02:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from alpha.xerox.com (omega.Xerox.COM [13.1.64.95]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id XAA25572; Wed, 19 Aug 1998 23:02:47 -0700 (PDT) (envelope-from fenner@parc.xerox.com)
Received: from mango.parc.xerox.com ([13.1.102.232]) by alpha.xerox.com with SMTP id <40672(1)>; Wed, 19 Aug 1998 23:02:00 PDT
Received: from mango.parc.xerox.com (localhost [127.0.0.1]) by mango.parc.xerox.com (8.8.8/8.8.8) with ESMTP id XAA10197; Wed, 19 Aug 1998 23:01:58 -0700 (PDT) (envelope-from fenner@mango.parc.xerox.com)
Message-Id: <199808200601.XAA10197@mango.parc.xerox.com>
To: ben@rosengart.com
cc: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service
In-reply-to: Your message of "Wed, 19 Aug 1998 19:59:02 PDT."
Date: Wed, 19 Aug 1998 23:01:57 PDT
From: Bill Fenner
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message you write:
>Why not just ignore replies on interfaces other than the one the request
>was sent on?

This doesn't handle unsolicited replies (which was what the original situation was about).

>Is connecting to the same segment with more than one
>interface supported, btw?

Not really.
Bill To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 20 01:09:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA13409 for freebsd-security-outgoing; Thu, 20 Aug 1998 01:09:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA13397 for ; Thu, 20 Aug 1998 01:09:18 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA21228 for ; Thu, 20 Aug 1998 09:08:38 +0100 (BST) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id JAA01081 for ; Thu, 20 Aug 1998 09:09:26 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Thu, 20 Aug 1998 09:09:26 +0100 (BST) From: Jay Tribick X-Sender: netadmin@na.nu.na.nu To: freebsd-security@FreeBSD.ORG Subject: Re: denial of unsubscribe In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | >My hidden microphone recorded Pat Parrinello (pparri@crossfields.com) saying: | > | >% | >% How does one get off this list? | >% | >% doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org | >% with "unsubscribe security" in the body of the message" | >% | >% does not work. | >% | >% To Unsubscribe: send mail to majordomo@FreeBSD.org | >% with "unsubscribe security" in the body of the message | > | >This is a *security* list. You could unsubscribe, but then we'd have | >to shoot you. ;^) | IMHO anyone running freebsd should be on this list. :) Maybe they should include an option to register with freebsd-security and bugtraq on the post-install menu of FreeBSD. Just a thought.. 
Regards, Jay Tribick -- [| Network Administrator | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact information |] [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 20 04:57:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA06290 for freebsd-security-outgoing; Thu, 20 Aug 1998 04:57:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.craxx.com (craxx.com [195.108.198.119]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA06283 for ; Thu, 20 Aug 1998 04:57:34 -0700 (PDT) (envelope-from alphen@craxx.com) Received: from uptight (classless.student.utwente.nl [130.89.230.96]) by mail.craxx.com (8.9.1/8.9.1) with SMTP id NAA23744 for ; Thu, 20 Aug 1998 13:56:52 +0200 From: "laurens van alphen" To: Subject: natd and ipfw rules not working together Date: Thu, 20 Aug 1998 13:56:31 +0200 Message-ID: <000201bdcc31$926e5510$0a00a8c0@uptight.student.utwente.nl> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org hi all, this is my setup external net: 130.89/16 (ed0) internal net: 192.168.0/24 (ed1) running natd and ipfw on the router rc.firewall contains: $fwcmd add divert natd all from any to any via ${natd_interface} where natd _interface is ed0 next the default rc.firewall contained these rules: $fwcmd add deny all from 192.168.0.0/16 to any via ${oif} $fwcmd add deny all from any to 192.168.0.0/16 via ${oif} when i apply those, natd clients (on the internal network) can no longer talk to the 
outside world. they can however talk to ${oip} and ${iip}. any clues? it seems to me natd should translate the packets coming from the internal network before the 192.168/16 rule sees 'em. right? thanks for your opinions, -- laurens van alphen craxx e-consultants alphen@craxx.com http://craxx.com/ -- the information contained in this communication is confidential and may be legally privileged. it is intended solely for the use of the individual or entity to whom it is addressed and others authorised to receive it. if you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. craxx is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
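The question above turns on where the divert rule sits relative to the two RFC 1918 deny rules. After natd(8) rewrites a packet, ipfw resumes matching at the rule following the divert rule, so an inbound reply that has just been translated back to a 192.168.0.x destination is still "via ed0" and is dropped by `deny all from any to 192.168.0.0/16 via ${oif}` whenever that rule comes after the divert; the internal clients can still reach the router's own addresses because those packets never go through natd. The "to internal net" check therefore belongs before the divert rule (where it sees the untranslated public destination) and the "from internal net" check after it (where it sees the translated public source). What follows is an added example, not code from the thread or from FreeBSD: a Python model of ipfw first-match evaluation with divert re-entry, run over the poster's ordering and the corrected one. The addresses (130.89.1.1 as the ed0 address, 192.168.0.10 as the client, 130.89.5.5 as the remote host), the interface name and the rule numbers are assumptions, and natd is reduced to address-only aliasing with one session per remote host.

```python
"""Model of ipfw first-match evaluation with a natd divert rule.

Added example: addresses, interface name and rule numbers are assumptions,
not taken from the router described in the thread.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OIF = "ed0"                       # outside interface, i.e. ${natd_interface}
PUBLIC_IP = "130.89.1.1"          # assumed address of ed0
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
DEFAULT_RULE = 65535              # ipfw's implicit final deny


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str                # "in" or "out", relative to the router


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "divert", "deny" or "allow"
    src: Optional[ipaddress.IPv4Network] = None    # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    via: Optional[str] = None                      # None means any interface
    direction: Optional[str] = None                # "in", "out" or None for both

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ipaddress.ip_address(pkt.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt.dst) in self.dst)
                and (self.via is None or self.via == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction))


class Natd:
    """Address-only model of natd: no ports, one session per remote host."""

    def __init__(self):
        self.sessions = {}        # remote host -> internal host that opened the session

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            self.sessions[pkt.dst] = pkt.src
            return replace(pkt, src=PUBLIC_IP)
        if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.src in self.sessions:
            return replace(pkt, dst=self.sessions[pkt.src])
        return pkt


def run_firewall(rules, pkt, nat):
    """First-match evaluation. When a divert rule matches, natd rewrites the
    packet and ipfw resumes at the rule after the divert rule, so every later
    rule sees the translated addresses. Returns (action, rule number, packet)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = nat.translate(pkt)
            continue
        return rule.action, rule.number, pkt
    return "deny", DEFAULT_RULE, pkt


# Ordering from the thread: divert first, then the two RFC 1918 deny rules.
POSTER_RULES = [
    Rule(50, "divert", via=OIF),
    Rule(100, "deny", src=INTERNAL_NET, via=OIF),
    Rule(200, "deny", dst=INTERNAL_NET, via=OIF),
    Rule(65000, "allow"),
]

# "to internal net" before the divert (sees the public destination),
# "from internal net" after it (sees the translated public source).
FIXED_RULES = [
    Rule(100, "deny", dst=INTERNAL_NET, via=OIF),
    Rule(200, "divert", via=OIF),
    Rule(300, "deny", src=INTERNAL_NET, via=OIF),
    Rule(65000, "allow"),
]


def exchange(rules, client="192.168.0.10", remote="130.89.5.5"):
    """One request from an internal client and the reply from the remote host.
    Returns (outbound verdict, inbound verdict, destination the reply ends with)."""
    nat = Natd()
    out_action, out_rule, _ = run_firewall(rules, Packet(client, remote, OIF, "out"), nat)
    in_action, in_rule, reply = run_firewall(rules, Packet(remote, PUBLIC_IP, OIF, "in"), nat)
    return (out_action, out_rule), (in_action, in_rule), reply.dst


if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("fixed", FIXED_RULES)):
        print(name, exchange(rules))
```

With the poster's ordering the request leaves, but the reply is translated to 192.168.0.10 by the divert rule and then hits the deny-to-192.168/16 rule at 200; with the corrected ordering both directions pass, while a packet arriving on ed0 with a 192.168.x.x source or destination is still denied. Checking the rule counters with `ipfw -a l`, as suggested in the thread, is how you would confirm which rule is eating the replies on a real router.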
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 20 08:55:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA00589 for freebsd-security-outgoing; Thu, 20 Aug 1998 08:55:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from Tyr.office.EFN.org ([204.214.99.45]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA00582 for ; Thu, 20 Aug 1998 08:55:24 -0700 (PDT) (envelope-from spy@tyr.office.efn.org) Received: from Tyr.office.EFN.org (IDENT:spy@Tyr.office.EFN.org [204.214.99.45]) by Tyr.office.EFN.org (8.9.1/8.9.1) with SMTP id IAA25097; Thu, 20 Aug 1998 08:54:22 -0700 (PDT) Date: Thu, 20 Aug 1998 08:54:22 -0700 (PDT) From: Ben Reply-To: ben@efn.org To: laurens van alphen cc: ben@efn.org, freebsd-security@FreeBSD.ORG Subject: Re: natd and ipfw rules not working together In-Reply-To: <000201bdcc31$926e5510$0a00a8c0@uptight.student.utwente.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Aug 1998, laurens van alphen wrote: > > rc.firewall contains: > $fwcmd add divert natd all from any to any via ${natd_interface} > where natd _interface is ed0 > > next the default rc.firewall contained these rules: > > $fwcmd add deny all from 192.168.0.0/16 to any via ${oif} > $fwcmd add deny all from any to 192.168.0.0/16 via ${oif} Check to see if the deny rules are indeed being hit(ipfw -a l will show a counter of how many packets it has denied/allowed). 
You should also add numerics to the rules: $fwcmd add 1 divert natd all from any to any via $nat_interface I might also change these rules to: $fwcmd add 100 deny all from 192.168.0.0/16 to any via ${oif} in $fwcmd add 101 deny all from any to 192.168.0.0/16 via ${oif} in > -- > laurens van alphen > craxx e-consultants > alphen@craxx.com > http://craxx.com/ > > -- the information contained in this communication is confidential and > may be legally privileged. it is intended solely for the use of the > individual or entity to whom it is addressed and others authorised to You mispelled authorized. > receive it. if you are not the intended recipient you are hereby notified > that any disclosure, copying, distribution or taking any action in > reliance of the contents of this information is strictly prohibited and > may be unlawful. craxx is either liable for the proper and complete > transmission of the information contained in this communication nor > for any delay in its receipt. -ben@efn.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 09:37:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA08657 for freebsd-security-outgoing; Thu, 20 Aug 1998 09:37:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA08649 for ; Thu, 20 Aug 1998 09:37:39 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from skejdbrimir.ifi.uio.no (skejdbrimir.ifi.uio.no [129.240.65.2]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with SMTP id SAA19623; Thu, 20 Aug 1998 18:36:56 +0200 (MET DST) Received: from localhost (dag-erli@localhost) by skejdbrimir.ifi.uio.no ; Thu, 20 Aug 1998 16:36:55 GMT Mime-Version: 1.0 To: Kenneth Ingham Cc: freebsd-security@FreeBSD.ORG Subject: Re: Port 137 (was: Re: private network on router's external 
NIC?) References: <35D8A7E8.2DC50695@partitur.se> <19980818105321.58178@i-pi.com> Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 20 Aug 1998 16:36:50 +0000 In-Reply-To: Kenneth Ingham's message of "Tue, 18 Aug 1998 10:53:21 -0600" Message-ID: Lines: 14 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id JAA08652 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kenneth Ingham writes: > On Tue, Aug 18, 1998 at 10:00:54AM +0200, Dag-Erling Coidan Smørgrav wrote: > > Forged packets to the NetBIOS ports are with 99% certainty attempted > > DoS attacks (which will only succeed against Winblows boxen) > Except that Newbios-NS (137) port lookups come from machines with > WINS turned on doing web browsing. [...] > So, port 137 may not be a denial of service attack, could be just > mis-configured boxes. I said *forged*, didn't I? 
DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 09:39:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA08997 for freebsd-security-outgoing; Thu, 20 Aug 1998 09:39:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA08986 for ; Thu, 20 Aug 1998 09:39:57 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from skejdbrimir.ifi.uio.no (skejdbrimir.ifi.uio.no [129.240.65.2]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with SMTP id SAA19842; Thu, 20 Aug 1998 18:39:17 +0200 (MET DST) Received: from localhost (dag-erli@localhost) by skejdbrimir.ifi.uio.no ; Thu, 20 Aug 1998 16:39:15 GMT Mime-Version: 1.0 To: Sheldon Hearn Cc: freebsd-security@FreeBSD.ORG Subject: Re: REQ: free pop3 daemon recommendations References: <20938.903553244@axl.training.iafrica.com> Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. 
X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 20 Aug 1998 16:39:08 +0000 In-Reply-To: Sheldon Hearn's message of "Wed, 19 Aug 1998 21:00:44 +0200" Message-ID: Lines: 12 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id JAA08993 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Sheldon Hearn writes: > Having followed the bloated and eventually off-topic discussions that > spawned off the qpopper vulnerability announcement, I don't recall > anyone mentioning free alternatives. You should read more carefully. Both Cyrus IMAP and imap-uw were mentioned early in the thread. The general consensus seems to be that Cyrus is fast while imap-uw is easy to set up. DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 10:04:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA12603 for freebsd-security-outgoing; Thu, 20 Aug 1998 10:04:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from iq.org (violentanaldilation.ai.mit.edu [203.4.184.222]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA12594 for ; Thu, 20 Aug 1998 10:04:20 -0700 (PDT) (envelope-from proff@iq.org) From: proff@iq.org Received: (qmail 28624 invoked by uid 110); 20 Aug 1998 17:03:35 -0000 Message-ID: <19980820170335.28623.qmail@iq.org> Subject: Re: REQ: free pop3 daemon recommendations In-Reply-To: from =?ISO-8859-1?Q?Dag=2DErling_Coidan_Sm=F8rgrav?= at "Aug 20, 98 04:39:08 pm" To: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?=) Date: Fri, 21 Aug 1998 03:03:35 +1000 (EST) Cc: axl@iafrica.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 
2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > You should read more carefully. Both Cyrus IMAP and imap-uw were > mentioned early in the thread. The general consensus seems to be that > Cyrus is fast while imap-uw is easy to set up. > > DES > -- > Dag-Erling Smørgrav - dag-erli@ifi.uio.no Support bozotic coding styles: /usr/ports/mail/cucipop Cheers, Julian. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 10:39:51 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA18603 for freebsd-security-outgoing; Thu, 20 Aug 1998 10:39:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA18594 for ; Thu, 20 Aug 1998 10:39:48 -0700 (PDT) (envelope-from benedict@echonyc.com) Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id NAA28882; Thu, 20 Aug 1998 13:38:52 -0400 (EDT) Date: Thu, 20 Aug 1998 13:38:51 -0400 (EDT) From: Snob Art Genre Reply-To: ben@rosengart.com To: ben@efn.org cc: laurens van alphen , freebsd-security@FreeBSD.ORG Subject: Re: natd and ipfw rules not working together In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Aug 1998, Ben wrote: > > individual or entity to whom it is addressed and others authorised to > > You mispelled authorized. Oh please, not this again. Ben "You have your mind on computers, it seems." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 12:58:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA12724 for freebsd-security-outgoing; Thu, 20 Aug 1998 12:58:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from feoh.nmarcom.com (feoh.nmarcom.com [209.146.217.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA12717 for ; Thu, 20 Aug 1998 12:58:28 -0700 (PDT) (envelope-from thelab@nmarcom.com) Received: from localhost (thelab@localhost) by feoh.nmarcom.com (8.8.8/8.8.5) with SMTP id PAA04791 for ; Thu, 20 Aug 1998 15:57:49 -0400 (EDT) Date: Thu, 20 Aug 1998 15:57:48 -0400 (EDT) From: The Lab To: freebsd-security@FreeBSD.ORG Subject: Re: natd and ipfw rules not working together In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 20 Aug 1998, Snob Art Genre wrote: > On Thu, 20 Aug 1998, Ben wrote: > > > > individual or entity to whom it is addressed and others authorised to > > > > You mispelled authorized. > > Oh please, not this again. Hmm.. my dictionary says authorised. Perhaps i should tell the publisher? :) Take it from a former student of Historical Linguistics--English... there is no One True Way. Just ask Chaucer. :) -Mit ================================================================ Will 'Mit' Rowe Systems Administrator/Programmer Neray MarCom, Inc. vox: (416)481-5405 25 Imperial Street, Suite 210 fax: (416)481-3741 Toronto, Ontario, Canada http://www.nmarcom.com M5P 1B9 ICQ: 7161728 Imagination is the one weapon in the war against reality. 
-- Jules de Gaultier To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 19:08:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA12666 for freebsd-security-outgoing; Thu, 20 Aug 1998 19:08:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA12641 for ; Thu, 20 Aug 1998 19:08:20 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id EAA00796 for security@FreeBSD.ORG; Fri, 21 Aug 1998 04:07:38 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (VMailer, from userid 101) id 334B1156A; Fri, 21 Aug 1998 00:16:44 +0200 (CEST) Message-ID: <19980821001644.A20349@keltia.freenix.fr> Date: Fri, 21 Aug 1998 00:16:44 +0200 From: Ollivier Robert To: security@FreeBSD.ORG Subject: Re: Sendmail greeting Mail-Followup-To: security@FreeBSD.ORG References: <199808141929.MAA12324@kjsl.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: <199808141929.MAA12324@kjsl.com>; from Javier Henderson on Fri, Aug 14, 1998 at 12:29:56PM -0700 X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Javier Henderson: > Some of us don't even run sendmail (or qmail, etc.): While we're on that subject: 392 [23:54] roberto@keltia:/build/vmailer-snap> telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 keltia.freenix.fr ESMTP VMailer (19980818-pl03) quit 221 Bye -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! 
-=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 20 21:19:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA00373 for freebsd-security-outgoing; Thu, 20 Aug 1998 21:19:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA00366 for ; Thu, 20 Aug 1998 21:18:59 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id QAA01541 for ; Fri, 21 Aug 1998 16:18:05 +1200 (NZST) (envelope-from andrew@squiz.co.nz) Date: Fri, 21 Aug 1998 16:18:04 +1200 (NZST) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: security@FreeBSD.ORG Subject: cucipop / APOP not working Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Using the cucipop package as distributed with freebsd 2.2.5-release, I've had no luck in getting the APOP authentication going. -ERR cucipop: Invalid password or username (check case) I'm sure the password and username are in fact correct. Any ideas? Does this work for other people? 
Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 21 00:03:28 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA20122 for freebsd-security-outgoing; Fri, 21 Aug 1998 00:03:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA20117 for ; Fri, 21 Aug 1998 00:03:27 -0700 (PDT) (envelope-from jkh@time.cdrom.com) Received: from time.cdrom.com (jkh@localhost.cdrom.com [127.0.0.1]) by time.cdrom.com (8.8.8/8.8.8) with ESMTP id AAA29371 for ; Fri, 21 Aug 1998 00:02:54 -0700 (PDT) (envelope-from jkh@time.cdrom.com) To: security@FreeBSD.ORG Subject: Scaring the bezeesus out of your system admin as a normal user: Date: Fri, 21 Aug 1998 00:02:54 -0700 Message-ID: <29367.903682974@time.cdrom.com> From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org % logger -p auth.notice -t su crackman to root on ttyp1 I'd suggest that /var/run/log should have 0600 permissions but that would certainly screw over a few of syslog(3)'s current users. Hmmmm. No quick ideas here. 
:) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 21 00:47:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA28178 for freebsd-security-outgoing; Fri, 21 Aug 1998 00:47:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA28170 for ; Fri, 21 Aug 1998 00:47:43 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id BAA09394; Fri, 21 Aug 1998 01:46:59 -0600 (MDT) Message-Id: <199808210746.BAA09394@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta) Date: Fri, 21 Aug 1998 01:46:58 -0600 To: "Jordan K. Hubbard" , security@FreeBSD.ORG From: Brett Glass Subject: Re: Scaring the bezeesus out of your system admin as a normal user: In-Reply-To: <29367.903682974@time.cdrom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Not to mention what you can do if you feed it an absurdly long string in some UNIX implementations. (Oops, just mentioned it.) --Brett At 12:02 AM 8/21/98 -0700, Jordan K. Hubbard wrote: >% logger -p auth.notice -t su crackman to root on ttyp1 > >I'd suggest that /var/run/log should have 0600 permissions but that >would certainly screw over a few of syslog(3)'s current users. > >Hmmmm. No quick ideas here. 
:) > >- Jordan > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 21 04:46:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA21109 for freebsd-security-outgoing; Fri, 21 Aug 1998 04:46:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA21058 for ; Fri, 21 Aug 1998 04:46:02 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id HAA21293; Fri, 21 Aug 1998 07:45:15 -0400 (EDT) Date: Fri, 21 Aug 1998 07:45:14 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: "Jordan K. Hubbard" cc: security@FreeBSD.ORG Subject: Re: Scaring the bezeesus out of your system admin as a normal user: In-Reply-To: <29367.903682974@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 21 Aug 1998, Jordan K. Hubbard wrote: > % logger -p auth.notice -t su crackman to root on ttyp1 > > I'd suggest that /var/run/log should have 0600 permissions but that > would certainly screw over a few of syslog(3)'s current users. > > Hmmmm. No quick ideas here. :) > > - Jordan I noticed this possibility a while back, and the only conclusion I reached was that sticking the uid of the source process in the log line might be useful. That is, before accepting any log lines, the log daemon requires that the process on the other end of unix domain socket pass the credentials using SOL_SOCKET/SCM_CREDS and sendmsg. 
Then, all log entries have the numeric uid attached somewhere. Modify the log library calls to do this. Then move any logging lines as appropriate -- that is, a successful su will generate all of its log messages either as the destination user, or as root. Now any forged messages will have the wrong uid associated with them. There are still opportunities for abuse (such as network logging, suid programs, etc) but this does specifically address the su issue. Of course, then someone will have to forward the log message to freebsd-security so we can answer "oh, it's forged" for them. Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 21 04:54:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA22557 for freebsd-security-outgoing; Fri, 21 Aug 1998 04:54:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.craxx.com (craxx.com [195.108.198.119]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA22544 for ; Fri, 21 Aug 1998 04:54:39 -0700 (PDT) (envelope-from lva@dds.nl) Received: from uptight (classless.student.utwente.nl [130.89.230.96]) by mail.craxx.com (8.9.1/8.9.1) with ESMTP id NAA26887 for ; Fri, 21 Aug 1998 13:53:54 +0200 From: "laurens van alphen" To: Subject: RE: Scaring the bezeesus out of your system admin as a normal user: Date: Fri, 21 Aug 1998 13:53:44 +0200 Message-ID: <001701bdccfa$593e3020$0a00a8c0@uptight.student.utwente.nl> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced 
By Microsoft MimeOLE V4.72.2106.4
In-Reply-To: <29367.903682974@time.cdrom.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi,

here's what i did (after reading your message):

root@pebbles:~# ls -l /var/run/log
srw-rw----  1 root  log  0 Aug 20 23:28 /var/run/log
root@pebbles:~# cat /etc/group | grep log
log:*:10:shutdown,auth,mail,named,www,sql,pop,ftp

those are daemons that run around here (www is apache and actually doesn't
need syslog i just remembered, besides it's chrooted so it doesn't even
have a socket, as is sql). you get the idea.

if i encounter any problems with this setup, i will report them here.

logger doesn't give an error message but doesn't log anything either.

--
laurens van alphen
craxx e-consultants
alphen@craxx.com
http://craxx.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 21 05:04:52 1998
Date: Fri, 21 Aug 1998 08:04:07 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808211204.IAA14546@khavrinen.lcs.mit.edu>
To: "Jordan K. Hubbard"
Cc: security@FreeBSD.ORG
Subject: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <29367.903682974@time.cdrom.com>
References: <29367.903682974@time.cdrom.com>

< said:
> % logger -p auth.notice -t su crackman to root on ttyp1

> I'd suggest that /var/run/log should have 0600 permissions but that
> would certainly screw over a few of syslog(3)'s current users.

> Hmmmm.  No quick ideas here. :)

It would be fairly simple for us to simply pass the user's credentials
along with the message, and then have syslogd differentiate.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Aug 21 05:18:02 1998
From: "Jonathan M. Bresler"
Message-Id: <199808211217.FAA25449@hub.freebsd.org>
Subject: Re: denial of unsubscribe
In-Reply-To: <35DB7639.36B47832@sprint.ca> from wettoast at "Aug 19, 98 09:04:59 pm"
To: wettoast@sprint.ca (wettoast)
Date: Fri, 21 Aug 1998 05:17:57 -0700 (PDT)
Cc: pparri@crossfields.com, fenner@parc.xerox.com, freebsd-security@FreeBSD.ORG

(i know i am two days late on this, helluva week ;)

"security" is just a link to freebsd-security.
all subscribes and unsubscribes must use the
real list: freebsd-security.

i have changed the "unsubscribe" note at the end of
the messages to reflect this.

jmb

wettoast wrote:
> Pat Parrinello wrote:
> >
> > How does one get off this list?
> >
> > doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message"
> >
> > does not work.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message
> >
>
> hi, im getting the same problem here, i unsubscribed from the other
> FreeBSD lists fine, this one is evil :P Just reply's with >>unsubscribe
> security...
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
>

From owner-freebsd-security Fri Aug 21 06:05:57 1998
From: sthaug@nethelp.no
To: security@FreeBSD.ORG
Subject: www.news.com article which mentions FreeBSD and security in a positive way
Date: Fri, 21 Aug 1998 15:05:13 +0200
Message-ID: <12709.903704713@verdi.nethelp.no>

FreeBSD is mentioned in a rather positive way in the following article:

http://www.news.com/News/Item/0,4,25526,00.html?st.ne.ni.lh

Just thought I'd let you know...
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Fri Aug 21 06:51:38 1998
Date: Fri, 21 Aug 1998 08:50:22 -0500 (CDT)
From: "Mark O'Lear"
To: "Jonathan M. Bresler"
cc: wettoast, pparri@crossfields.com, fenner@parc.xerox.com, freebsd-security@FreeBSD.ORG
Subject: Re: denial of unsubscribe
In-Reply-To: <199808211217.FAA25449@hub.freebsd.org>

I think the part of the unsubscribe that is failing is when the "auth"
part is sent back on two lines.  I tried several times to unsubscribe
using the two line version of the "auth" reply, with failure each time:

    auth xxxxxxxx unsubscribe freebsd-security \
         Mark.Olear@Colorado.EDU

Finally I tried again using the one line "auth" version and everything
worked fine:

    auth xxxxxxxx unsubscribe freebsd-security Mark.Olear@Colorado.EDU

This is not a problem with any other list, only the freebsd-security
list, as I sent all of my "auth" replies back with two lines on the
other lists.

Please note that I am _not_ looking to get off of any list any more, so
please don't remove me from any.

Mark

On Fri, 21 Aug 1998, Jonathan M. Bresler wrote:

> (i know i am two days late on this, helluva week ;)
>
> "security" is just a link to freebsd-security.
> all subscribes and unsubscribes must use the
> real list: freebsd-security.
>
> i have changed the "unsubscribe" note at the end of
> the messages to reflect this.
>
> jmb
>
> wettoast wrote:
> > Pat Parrinello wrote:
> > >
> > > How does one get off this list?
> > >
> > > doing: "To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe security" in the body of the message"
> > >
> > > does not work.
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe security" in the body of the message
> > >
> >
> > hi, im getting the same problem here, i unsubscribed from the other
> > FreeBSD lists fine, this one is evil :P Just reply's with >>unsubscribe
> > security...
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Fri Aug 21 06:52:33 1998
Message-Id: <199808211351.GAA08941@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-reply-to: Your message of "Fri, 21 Aug 1998 00:02:54 PDT." <29367.903682974@time.cdrom.com>
Date: Fri, 21 Aug 1998 06:51:07 -0700

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  cschuber@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Government of BC

> % logger -p auth.notice -t su crackman to root on ttyp1
>
> I'd suggest that /var/run/log should have 0600 permissions but that
> would certainly screw over a few of syslog(3)'s current users.
>
> Hmmmm.  No quick ideas here. :)

Gene Spafford talks about a similar prank he did in college in his book
Practical UNIX Security.

From owner-freebsd-security Fri Aug 21 09:38:23 1998
Message-Id: <199808211637.JAA25475@burka.rdy.com>
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <199808211204.IAA14546@khavrinen.lcs.mit.edu> from Garrett Wollman at "Aug 21, 1998 8: 4: 7 am"
To: wollman@khavrinen.lcs.mit.edu (Garrett Wollman)
Date: Fri, 21 Aug 1998 09:37:28 -0700 (PDT)
Cc: jkh@time.cdrom.com, security@FreeBSD.ORG
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)

Garrett Wollman writes:
> < said:
>
> > % logger -p auth.notice -t su crackman to root on ttyp1
>
> > I'd suggest that /var/run/log should have 0600 permissions but that
> > would certainly screw over a few of syslog(3)'s current users.
>
> > Hmmmm.  No quick ideas here. :)
>
> It would be fairly simple for us to simply pass the user's credentials
> along with the message, and then have syslogd differentiate.

I don't think it will solve the problem.
Sending a log message doesn't require any special privileges, so if you'll
force logger to send user credentials, someone can simply write a program
that will go around it.

> -GAWollman
>
> --
> Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
> wollman@lcs.mit.edu   | O Siem / The fires of freedom
> Opinions not those of | Dance in the burning flame
> MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-- dima

From owner-freebsd-security Fri Aug 21 09:39:52 1998
Date: Fri, 21 Aug 1998 12:38:59 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808211638.MAA15257@khavrinen.lcs.mit.edu>
To: dima@best.net
Cc: wollman@khavrinen.lcs.mit.edu (Garrett Wollman), jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <199808211637.JAA25475@burka.rdy.com>
References: <199808211204.IAA14546@khavrinen.lcs.mit.edu> <199808211637.JAA25475@burka.rdy.com>

<> It would be fairly simple for us to simply pass the user's credentials
>> along with the message, and then have syslogd differentiate.

> I don't think it will solve the problem. Sending a log message doesn't require
> any special privileges, so if you'll force logger to send user credentials,
> someone can simply write a program that will go around it.

You missed the point.  Credentials passed over PF_LOCAL sockets are by
design unforgeable.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Aug 21 12:16:02 1998
Message-Id: <199808211915.MAA18409@hub.freebsd.org>
To: Garrett Wollman
cc: dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-reply-to: Your message of "Fri, 21 Aug 1998 12:38:59 EDT." <199808211638.MAA15257@khavrinen.lcs.mit.edu>
Date: Fri, 21 Aug 1998 14:19:00 -0500
From: Jon Hamilton

In message <199808211638.MAA15257@khavrinen.lcs.mit.edu>, Garrett Wollman wrote:
} <> It would be fairly simple for us to simply pass the user's credentials
} >> along with the message, and then have syslogd differentiate.
}
} > I don't think it will solve the problem. Sending a log message doesn't require
} > any special privileges, so if you'll force logger to send user credentials,
} > someone can simply write a program that will go around it.
}
} You missed the point.  Credentials passed over PF_LOCAL sockets are by
} design unforgeable.

That doesn't address remote logging, however.

--
Jon Hamilton
hamilton@pobox.com

From owner-freebsd-security Fri Aug 21 12:48:54 1998
Date: Fri, 21 Aug 1998 15:47:48 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808211947.PAA15656@khavrinen.lcs.mit.edu>
To: Jon Hamilton
Cc: Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <199808211915.MAA18409@hub.freebsd.org>
References: <199808211638.MAA15257@khavrinen.lcs.mit.edu> <199808211915.MAA18409@hub.freebsd.org>

< said:
> } You missed the point.  Credentials passed over PF_LOCAL sockets are by
> } design unforgeable.

> That doesn't address remote logging, however.

Surely not.  Remote logging, in the syslog mode, is inescapably insecure.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Fri Aug 21 17:35:58 1998
Message-ID: <35DE1217.8472B1A1@softweyr.com>
Date: Fri, 21 Aug 1998 18:34:31 -0600
From: Wes Peters
Organization: Softweyr LLC
To: "Dag-Erling Coidan Smørgrav", freebsd-security@FreeBSD.ORG
Subject: Re: REQ: free pop3 daemon recommendations
References: <20938.903553244@axl.training.iafrica.com>
Dag-Erling Coidan Smørgrav wrote:
>
> Sheldon Hearn writes:
> > Having followed the bloated and eventually off-topic discussions that
> > spawned off the qpopper vulnerability announcement, I don't recall
> > anyone mentioning free alternatives.
>
> You should read more carefully. Both Cyrus IMAP and imap-uw were
> mentioned early in the thread. The general consensus seems to be that
> Cyrus is fast while imap-uw is easy to set up.

imap-uw has had more than its share of security exploits of late, too.
The FreeBSD version has (hopefully) been patched to keep up with them.
Both implement POP2 and POP3 as well.

The other caveat about Cyrus is that (most) command-line mailers will no
longer work; imap-uw uses the UNIX mailboxes and is therefore compatible
with "legacy" mail clients.

I picked imap-uw because it took two minutes to install and zero to
configure.  If I get hacked seriously it'd take me little time to restore
the machine; it's a 486/66 that runs mail and little else, for my
5-person company.  ;^)

--
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

From owner-freebsd-security Fri Aug 21 18:41:10 1998
Date: Fri, 21 Aug 1998 18:39:45 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Jon Hamilton
cc: Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <199808211915.MAA18409@hub.freebsd.org>

On Fri, 21 Aug 1998, Jon Hamilton wrote:

>
> That doesn't address remote logging, however.

No, but I think this does help that.

     -s      Operate in secure mode.  Do not listen for log message from
             remote machines.

Of course, if you specify this you have no remote troubles at all.  If you
specify this and -a you only have to deal with people spoofing udp datagrams
which is almost unavoidable unless you firewall incoming udp packets at your
border router.
 -ben@efn.org

>
> Jon Hamilton
> hamilton@pobox.com

From owner-freebsd-security Fri Aug 21 22:05:09 1998
Date: Fri, 21 Aug 1998 22:04:11 -0700 (PDT)
From: "Jan B. Koum"
To: ben@efn.org
cc: Jon Hamilton, Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)

I vote to have FreeBSD ship syslogd with "-s" by default.

Reason: any user clueful enough to use and custom config syslog to
do over the net logging will be clueful enough to know how to either add
"-a" or take "-s" out of rc.conf.

-- Yan

www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Fri, 21 Aug 1998, Ben wrote:

>On Fri, 21 Aug 1998, Jon Hamilton wrote:
>>
>> That doesn't address remote logging, however.
>
>No, but I think this does help that.
>
>     -s      Operate in secure mode.  Do not listen for log message from
>             remote machines.
>
>Of course, if you specify this you have no remote troubles at all.  If you
>specify this and -a you only have to deal with people spoofing udp datagrams
>which is almost unavoidable unless you firewall incoming udp packets at your
>border router.
>
> -ben@efn.org
>
>>
>> Jon Hamilton
>> hamilton@pobox.com
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Fri Aug 21 23:15:22 1998
Date: Sat, 22 Aug 1998 18:13:28 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: "Jan B. Koum"
cc: ben@efn.org, Jon Hamilton, Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)

On Fri, 21 Aug 1998, Jan B. Koum wrote:

> Date: Fri, 21 Aug 1998 22:04:11 -0700 (PDT)
> From: "Jan B. Koum"
> To: ben@efn.org
> Cc: Jon Hamilton,
>     Garrett Wollman, dima@best.net,
>     jkh@time.cdrom.com, security@FreeBSD.ORG
> Subject: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)
>
>
> I vote to have FreeBSD ship syslogd with "-s" by default.
>
> Reason: any user clueful enough to use and custom config syslog to
> do over the net logging will be clueful enough to know how to either add
> "-a" or take "-s" out of rc.conf.

From the syslogd man page I'm not entirely clear on how these options
interact.

> -a allowed_peer
>         Allow allowed_peer to log to this syslogd using UDP datagrams.
>         Multiple -a options may be specified.

If one has to specify that a host is allowed to log packets to this host,
then it seems reasonable to assume that this is not allowed unless so
specified ... or perhaps that's only the case if -s is used?

> -s      Operate in secure mode.  Do not listen for log message from
>         remote machines.

I'd have thought that meant syslogd didn't even look at incoming packets
if this was set, which I suppose reduces the chance of some bug turning up
in it ... or perhaps the default is that packets are accepted?

Could someone clarify this?  Preferably the man page should be clarified.

Is there a way to send log entries to a remote machine from the command
line so I can more easily test how this works?

Andrew McNaughton

From owner-freebsd-security Fri Aug 21 23:38:52 1998
Date: Fri, 21 Aug 1998 23:37:48 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: "Jan B. Koum"
cc: ben@efn.org, Jon Hamilton, Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)

Along these lines we should ship it without sendmail running and services
turned off too, but *I* again am paranoid :)

 -ben@efn.org

On Fri, 21 Aug 1998, Jan B. Koum wrote:

>
> I vote to have FreeBSD ship syslogd with "-s" by default.
>
> Reason: any user clueful enough to use and custom config syslog to
> do over the net logging will be clueful enough to know how to either add
> "-a" or take "-s" out of rc.conf.
>

From owner-freebsd-security Sat Aug 22 00:05:12 1998
Date: Sat, 22 Aug 1998 00:03:38 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Andrew McNaughton
cc: "Jan B. Koum", ben@efn.org, Jon Hamilton, Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)
On Sat, 22 Aug 1998, Andrew McNaughton wrote:

> Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)
>
> On Fri, 21 Aug 1998, Jan B. Koum wrote:
>
> From the syslogd man page I'm not entirely clear on how these options
> interact.
>
> > -a allowed_peer
> >         Allow allowed_peer to log to this syslogd using UDP datagrams.
> >         Multiple -a options may be specified.
>
> If one has to specify that a host is allowed to log packets to this host,
> then it seems reasonable to assume that this is not allowed unless so
> specified ... or perhaps that's only the case if -s is used?

From syslogd.c:

        case 'a':               /* allow specific network addresses only */
                if (allowaddr(optarg) == -1)
                        usage();
                break;

So, deny all, except these hosts you specify with -a host.org -a ip.ip.ip.ip

>
> > -s      Operate in secure mode.  Do not listen for log message from
> >         remote machines.
>
> I'd have thought that meant syslogd didn't even look at incoming packets
> if this was set, which I suppose reduces the chance of some bug turning up
> in it ... or perhaps the default is that packets are accepted?

From syslogd.c:

        case 's':               /* no network mode */
                SecureMode++;
                break;

Specifying both -s and -a is like fueling up your car and taking out the
engine.

>
> Could someone clarify this?  Preferably the man page should be clarified.

The man page does need a bit of clarification, adding the fact that 'a'
and 's' are mutually exclusive, that -s kills all network activity, and
that 'a's policy is default DENY would be very helpful.

>
> Is there a way to send log entries to a remote machine from the command
> line so I can more easily test how this works?

No, just add a @host in syslogd.conf and HUP it.

> Andrew McNaughton

 -ben@efn.org

From owner-freebsd-security Sat Aug 22 00:11:13 1998
Date: Sat, 22 Aug 1998 00:10:25 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: security@FreeBSD.ORG
cc: ben@efn.org
Subject: libkvm and user-info tools patches (was ps(1))

A few weeks ago I released a patch to make ps -a 'break' for normal users,
preventing them from seeing other people that are logged in, and what they
are doing.  I finished those patches for w, who and top too.  After taking
a look at libkvm I've decided it would be easier if kvm_getprocs was
controlled by a sysctl oid (kern.usersecure).  This would prevent users
from using it in any program that called it, by checking if
kern.usersecure was a certain number, much like securelevel is now.

Take a look at what I came up with and give me some feedback.  I've been
using it for 3 days now with no problems at all.
Text info on it:
http://www.efn.org/~ben/security/README.txt

The tarball of source diffs (diff -c against 2.2.7 stable):
http://www.efn.org/~ben/security/kvm.tgz

 -ben@efn.org

From owner-freebsd-security Sat Aug 22 05:55:44 1998
Date: Sat, 22 Aug 1998 05:55:35 -0700 (PDT)
References: <199808211915.MAA18409@hub.freebsd.org>
To: security@FreeBSD.ORG
From: "Timothy R. Platt"
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:

Seems to me that if you specify -s, not only do you reject incoming
packets, but you are prevented from sending packets to a remote logging
machine as well.  -a will cause syslog to accept packets from a remote
machine which would be ignored by default.

Tim

>On Fri, 21 Aug 1998, Jon Hamilton wrote:
>>
>> That doesn't address remote logging, however.
>
>No, but I think this does help that.
>
>     -s      Operate in secure mode.  Do not listen for log message from
>             remote machines.
>
>Of course, if you specify this you have no remote troubles at all.  If you
>specify this and -a you only have to deal with people spoofing udp datagrams
>which is almost unavoidable unless you firewall incoming udp packets at your
>border router.
>
> -ben@efn.org
>
>>
>> Jon Hamilton
>> hamilton@pobox.com
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Aug 22 06:01:11 1998
Date: Sat, 22 Aug 1998 08:58:52 -0400 (EDT)
From: Thomas Valentino Crimi
To: freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:

Of course, one could also build an authentication system into syslogd
(using ssh with RSAauth as a portal comes to mind as a quick way to
accomplish this.)  syslogd would have to be modified to use long-lived
TCP sockets, or, a second daemon could be written for the sole purpose of
passing syslogd messages around.  Say, a named pipe which syslogd logs to,
then that info is sent to the daemon on the next machine via secure means,
which then uses its PF_LOCAL auth to pass the messages to the second
machine's syslogd.  All of this of course is as reliable as the root
account on all the machines, as always with syslogd, at least it would
make forgery a cryptographic challenge, though.

Tom

From owner-freebsd-security Sat Aug 22 06:04:23 1998
Date: Sat, 22 Aug 1998 09:03:36 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: ben@efn.org
cc: security@FreeBSD.ORG
Subject: Re: libkvm and user-info tools patches (was ps(1))

It seems like a preferred method of attack here might be through /procfs.
That is, taking this opportunity to strip the kvm-walking code from these and other utilities, and adding access control in a kernel-mediated security mechanism, as opposed to relying on the security of setuid binaries checking sysctl entries? This, of course, has been discussed a number of times. The steps would include adding any last required features to procfs, exposing a little more information in sysctl, etc. Restricting access to utmp information, however, doesn't seem as useful to me. The cost of restricting read access would probably be adding a new uid (or such), making w/etc suid to that uid and so on. Yet another uid equivilent to root on most systems. On Sat, 22 Aug 1998, Ben wrote: > A few weeks ago I released a patch to make ps -a 'break' for normal user's > preventing them from seeing other people that are logged in, and what they > are doing. I finshed those patches for w, who and top too. After taking > a look at libkvm I've decided it would be easier if kvm_getprocs was > controlled by a sysctl oid(kern.usersecure). This would prevent user's > from using it in any program that called it, by checking if kern.usersecure > was a certian number, much like securelevel is now. Take a look at what I > came up with and give me some feedback. I've been using it for 3 days now > with no problems at all. > > Text info on it: > http://www.efn.org/~ben/security/README.txt > The tarball of source diff's (diff -c against 2.2.7 stable): > http://www.efn.org/~ben/security/kvm.tgz > > -ben@efn.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. 
http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Aug 22 06:08:20 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA28517 for freebsd-security-outgoing; Sat, 22 Aug 1998 06:08:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA28504 for ; Sat, 22 Aug 1998 06:08:18 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id JAA00562; Sat, 22 Aug 1998 09:07:21 -0400 (EDT) Date: Sat, 22 Aug 1998 09:07:20 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Dima Ruban cc: Garrett Wollman , jkh@time.cdrom.com, security@FreeBSD.ORG Subject: Re: Scaring the bezeesus out of your system admin as a normal user: In-Reply-To: <199808211637.JAA25475@burka.rdy.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 21 Aug 1998, Dima Ruban wrote: > Garrett Wollman writes: > > < said: > > > > > % logger -p auth.notice -t su crackman to root on ttyp1 > > > I'd suggest that /var/run/log should have 0600 permissions but that > > > would certainly screw over a few of syslog(3)'s current users. > > > > > Hmmmm. No quick ideas here. :) > > > > It would be fairly simple for us to simply pass the user's credentials > > along with the message, and then have syslogd differentiate. > > I don't think it will solve the problem. 
Sending log message doesn't require > any special priveleges, so if you'll force logger to send user credentials, > someone can simply write a program that will go around it. It would solve the problem if you *required* that credentials be passed with log messages before accepting them. Add credential passing to the syslog library, etc. Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
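Watson's suggestion above (have the receiving side *require* kernel-supplied credentials with every log message, so syslogd can tell who really sent `logger -p auth.notice -t su crackman to root on ttyp1`), carried through as an added example. This is not code from the thread or from FreeBSD's syslogd: it assumes Linux, using SO_PASSCRED/SCM_CREDENTIALS on an AF_UNIX datagram socket (the counterpart of FreeBSD's LOCAL_CREDS/SCM_CREDS), stands a socketpair in for /var/run/log, and the sample datagrams, the privileged-tag list and the "suspect" policy are constructed here for illustration.

```python
#!/usr/bin/env python3
"""Added example: a local log receiver that accepts a message only together
with kernel-supplied sender credentials, then checks the claimed tag against
the real uid.  Assumes Linux SO_PASSCRED / SCM_CREDENTIALS on an AF_UNIX
datagram socket (FreeBSD's LOCAL_CREDS / SCM_CREDS is the analogue)."""
import os
import socket
import struct

# Constructed sample datagrams in the <PRI>tag: text shape logger(1) sends.
# PRI = facility * 8 + severity; auth is facility 4, notice is severity 5 -> 37.
SAMPLES = [
    b"<37>su: crackman to root on ttyp1",   # the forged line from the thread
    b"<14>myapp: nightly job finished",     # an ordinary user.info message
]

FACILITY_AUTH = 4
# Tags an operator would only trust when the sending process ran as root
# (constructed policy for this example).
PRIVILEGED_TAGS = {"su", "login", "sshd"}
UCRED_FMT = "3i"  # struct ucred on Linux: pid, uid, gid


def parse_syslog_line(raw):
    """Split b'<PRI>tag: text' into (facility, tag, text); facility None if no PRI."""
    text = raw.decode("utf-8", "replace")
    if text.startswith("<") and ">" in text:
        end = text.index(">")
        if text[1:end].isdigit():
            pri = int(text[1:end])
            tag, _, msg = text[end + 1:].partition(":")
            return pri // 8, tag.strip(), msg.strip()
    tag, _, msg = text.partition(":")
    return None, tag.strip(), msg.strip()


def make_credentialed_pair():
    """Return (sender, receiver) connected datagram sockets.  SO_PASSCRED on the
    receiver makes the kernel attach the sender's pid/uid/gid to every datagram;
    the sender cannot omit or forge them, which is the point of the proposal."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    receiver.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return sender, receiver


def recv_with_creds(receiver):
    """Read one datagram plus the kernel-supplied struct ucred, if present."""
    anc_space = socket.CMSG_SPACE(struct.calcsize(UCRED_FMT))
    data, ancdata, _flags, _addr = receiver.recvmsg(4096, anc_space)
    creds = None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid, uid, gid = struct.unpack(UCRED_FMT, cdata[:struct.calcsize(UCRED_FMT)])
            creds = {"pid": pid, "uid": uid, "gid": gid}
    return data, creds


def classify(raw, creds):
    """Receiver policy: no credentials means the record is refused outright; a
    message claiming the auth facility or a privileged tag is flagged as suspect
    unless the kernel says the sender really was uid 0."""
    facility, tag, msg = parse_syslog_line(raw)
    if creds is None:
        return {"accepted": False, "reason": "no credentials", "tag": tag}
    claims_privilege = facility == FACILITY_AUTH or tag in PRIVILEGED_TAGS
    return {
        "accepted": True,
        "tag": tag,
        "facility": facility,
        "msg": msg,
        "uid": creds["uid"],
        "pid": creds["pid"],
        "suspect": claims_privilege and creds["uid"] != 0,
    }


def current_uid():
    """Real uid of this process, i.e. what the kernel will stamp on our datagrams."""
    return os.getuid()


def run_demo():
    """Send the constructed samples through the socket pair and classify each."""
    sender, receiver = make_credentialed_pair()
    results = []
    with sender, receiver:
        for raw in SAMPLES:
            sender.send(raw)
            data, creds = recv_with_creds(receiver)
            results.append(classify(data, creds))
    return results


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

Run as an unprivileged user, the first record comes back with that user's uid and `suspect` set, even though the text is byte-for-byte what su(1) would log; run as root it is not flagged, because the credentials are the kernel's, not the sender's claim. Dima's objection (a program can "go around" a cooperative logger) does not apply here: the receiver never looks for credentials inside the message, only in the ancillary data the kernel attaches, and a datagram arriving without them is refused.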