From owner-freebsd-security Mon Oct 7 07:09:23 2002
From: "Thomas T. Veldhouse"
To: "Roman Neuhauser", "FreeBSD-Questions"
Subject: Re: SSH asks strange questions...
Date: Mon, 7 Oct 2002 09:09:12 -0500

You can also change your default protocol to ssh 2 rather than ssh 1 (so that it tries using ssh 2 first).

For freebsd-security: Why is the default still ssh 1?

Tom Veldhouse

----- Original Message -----
From: "Roman Neuhauser"
To: "Martin Moeller"
Cc: "FreeBSD Questions"
Sent: Monday, October 07, 2002 8:50 AM
Subject: Re: SSH asks strange questions...

> # mm@bsdsi.com / 2002-10-07 17:24:25 +0200:
> >
> > Hi all,
> > after switching to 4.7-RC something strange happens,
> > whenever I try to connect to another host via ssh.
> > Before I can enter my password, I get the following
> > output:
> >
> > # ssh -l someone some.sshhost.foo
> > Password:
> > Response:
> >
> > The cursor remains behind the "Response:".
> > If I press RETURN, I get the normal:
> >
> > someone@some.sshhost.foo's password:
> >
> > What's that about? Am I dreaming or have I really
> > overlooked it for years???
>
> ChallengeResponseAuthentication, archives, /etc/ssh/sshd_config
>
> --

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Oct 7 11:47:22 2002
From: "Riley"
To: "FreeBSD Security"
Subject: chkrootkit help
Date: Mon, 7 Oct 2002 11:47:15 -0700
Hi all,

(Let me know if this belongs in -questions)

I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages like:

/kernel: file: table is full

along with related messages, then a core dump. (syslog for this date is below.)

I took this as a side effect of a recent spamassassin install/upgrade (2.41) and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system started to recover for fun I ran chkrootkit which came back with this:

Checking `bindshell'... INFECTED (PORTS: 114)

A few minutes later and ever since chkrootkit returns:

Checking `bindshell'... not infected

netstat -an doesn't show anything on 114 and nothing unusual.

The system is on a dmz with ports 25, 53 and 110 mapped through. Running chkrootkit on the firewall reported this:

Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `rexedcs'... not found
Checking `sniffer'...
xl0 is not promisc
xl2 is not promisc

I'm not sure what to think about "can't exec ./chkproc". Also the xl1 interface is not reported in the output and is the dmz interface that the above machine is on. ifconfig shows:

xl1: flags=8843 mtu 1500
        inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
        inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
        ether 00:60:08:31:e4:b0
        media: Ethernet autoselect (10baseT/UTP)
        status: active

Any comments would be greatly appreciated.

Thanks,

Riley

"That which does not kill us makes us stranger."
--Kimchi

Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect: I/O error on connection from [203.48.40.139], from=
Oct 7 08:45:13 aji /kernel: file: table is full
Oct 7 08:45:14 aji last message repeated 38 times
Oct 7 08:46:27 aji last message repeated 35 times
Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=
Oct 7 09:22:17 aji /kernel: file: table is full
Oct 7 09:22:20 aji last message repeated 17 times
Oct 7 09:23:21 aji last message repeated 16 times
Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): ... openmailer(local): pipe (to mailer): Too many open files in system
Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct 7 09:25:42 aji /kernel: file: table is full
Oct 7 09:25:43 aji last message repeated 4 times
Oct 7 09:29:58 aji /kernel: file: table is full
Oct 7 09:30:44 aji last message repeated 107 times
Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)

From owner-freebsd-security Mon Oct 7 13:32:58 2002
From: Anthony Schneider
To: Riley
Cc: FreeBSD Security
Subject: Re: chkrootkit help
Date: Mon, 7 Oct 2002 16:40:55 -0400

If you've been nailed by a rootkit, you should not trust netstat, ifconfig, ps, etc. anymore. Bring in the binaries from another similar system, because rootkits will generally have replacements which suppress the output that they don't want you to see (like open ports, promiscuous mode, etc., although promiscuous mode I believe can be overcome by simply writing over a small chunk of kernel memory whilst leaving the interface still promiscuous). You might also try portscanning the machine. And then, after you check these things out, I suggest you do a reinstall. Good luck.

-Anthony.

From owner-freebsd-security Mon Oct 7 13:36:17 2002
From: Mike Hoskins
To: Riley
Cc: FreeBSD Security
Subject: Re: chkrootkit help
Date: Mon, 7 Oct 2002 13:33:04 -0700 (PDT)
On Mon, 7 Oct 2002, Riley wrote:

> I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:

I haven't kept up with Sendmail since Postfix made its debut, but I don't believe there's anything wrong with BIND 8.3.3 (yet).

> /kernel: file: table is full

If you haven't tuned this server already, this could be quite common and mundane.

> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.

I'm not sure how busy this machine is (sounds like it's a firewall and mailserver+antivirus), but I set the following in /boot/loader.conf on my busier servers:

kern.maxusers=256
kern.ipc.nmbclusters=16384

This is a machine with 1GB of RAM. This results in the following sysctl values:

kern.maxfiles: 8232
kern.maxfilesperproc: 7408
kern.maxvnodes: 68387

Note "maxfilesperproc". That may be important to you.

> Checking `bindshell'... INFECTED (PORTS: 114)
> netstat -an doesn't show anything on 114 and nothing unusual.
> I'm not sure what to think about "can't exec ./chkproc".

First, from chkrootkit.org:

Q. Which commands does chkrootkit use?
A. The following commands are used by the chkrootkit script: awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname

If you suspect you've been compromised... It would be best not to trust those system binaries. Read the documentation/webpage and make sure you're using a safe set of binaries to check your system.

From the docs, chkproc seems to be /proc intensive. The port's Makefile does not mention chkproc:

do-install:
	${INSTALL_SCRIPT} ${WRKSRC}/chkrootkit ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/chklastlog ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/chkwtmp ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/ifpromisc ${PREFIX}/sbin
.if !defined(NOPORTDOCS)
	@${MKDIR} ${PREFIX}/share/doc/chkrootkit
	${INSTALL_DATA} ${DOCFILES:C,^,${WRKSRC}/,} ${PREFIX}/share/doc/chkrootkit
.endif

I suspect it isn't built due to its very nature.

You could try using a trusted sockstat binary to verify what's listening on the local system.

% sockstat -4l

You should be able to account for everything listed.

> Also the xl1 interface is not reported in the output and is the dmz
> interface that the above machine is on. ifconfig shows:
> xl1: flags=8843 mtu 1500

Odd if xl1 is not in promiscuous mode, but is not listed as such by the script. However, I am not that familiar with chkrootkit. Perhaps it placed xl1 in PROMISC while running? That can be verified by checking ifconfig while chkrootkit is running...

ifconfig -a
...
fxp0: flags=8943 mtu 1500

> Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O error on connection from [203.48.40.139], from=
> Oct 7 08:45:13 aji /kernel: file: table is full

OK, most of these look IO related... But what's this mean?

> Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core dumped)

If 'root' really doesn't exist, then who is uid 0?
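The two checks Mike recommends above, accounting for every listening socket with a binary you trust and watching the interface flags for PROMISC, can be scripted so they run from cron against saved output and fail loudly when the picture changes. The POSIX sh below is an added example for this thread, not code from the thread or from chkrootkit. The netstat and ifconfig output it parses is constructed (FreeBSD 4.x layout), the allow-list 25, 53, 110 comes from Riley's description of what the firewall maps through to the DMZ host, and the PROMISC test keys on the IFF_PROMISC bit (0x100) in the hex flags word, so it still works on output like Riley's paste where the bracketed flag names have been lost. On a live host, feed it output from netstat and ifconfig copied from install media, not the binaries on the suspect machine, which is the point of the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit. Scripts two of the checks
# discussed above: account for every listening socket against the services a host is
# supposed to expose, and look for interfaces in promiscuous mode. On a real host, feed it
# the output of netstat/ifconfig binaries brought in from install media, not the ones on
# the suspect machine; the samples below are constructed so the script runs offline.

# Constructed sample of `netstat -an -f inet` output in FreeBSD 4.x layout. Port 114 is
# the one chkrootkit's bindshell test flagged in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.100.100.2.25        203.0.113.7.4021       ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.114                  *.*                    LISTEN
udp4       0      0  *.53                   *.*'

# Constructed sample of `ifconfig -a` output. xl1 is shown the way Riley's paste came
# through, with the flag names stripped, so the check must work from the hex value alone.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
xl1: flags=8943 mtu 1500
        inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
xl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500'

# unexpected_listeners "PORT PORT ..." < netstat-output
# Prints "proto port" for each TCP LISTEN socket or bound UDP socket whose port is not
# in the allow-list. The local address column is host.port, so the port is the text
# after the last dot.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        (/^tcp/ && $NF == "LISTEN") || /^udp/ {
            port = $4; sub(/.*\./, "", port)
            if (!(port in ok)) print $1, port
        }'
}

# promisc_ifaces < ifconfig-output
# Prints each interface whose flags word has IFF_PROMISC (0x100) set. Working from the
# hex value rather than the PROMISC name keeps it correct even when the <...> list is
# missing, as in the paste above.
promisc_ifaces() {
    awk '
        function hexval(s,   i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
            return v
        }
        /^[a-z]+[0-9]+: flags=/ {
            f = $2; sub(/^flags=/, "", f); sub(/<.*/, "", f)
            if (int(hexval(f) / 256) % 2 == 1) { sub(/:$/, "", $1); print $1 }
        }'
}

# audit_host NETSTAT_OUTPUT IFCONFIG_OUTPUT "PORT PORT ..."
# Returns 0 when nothing unexpected was found and 1 otherwise, so it can run from cron
# against saved output and fail loudly when the picture changes.
audit_host() {
    listeners=$(printf '%s\n' "$1" | unexpected_listeners "$3")
    promisc=$(printf '%s\n' "$2" | promisc_ifaces)
    status=0
    if [ -n "$listeners" ]; then
        printf 'unexpected listening sockets:\n%s\n' "$listeners"
        status=1
    fi
    if [ -n "$promisc" ]; then
        printf 'interfaces in promiscuous mode: %s\n' "$promisc"
        status=1
    fi
    return $status
}

# Demo on the constructed samples: 25, 53 and 110 are the ports mapped through to the
# DMZ host in the thread, so this reports "tcp4 114" and the promiscuous xl1.
if audit_host "$SAMPLE_NETSTAT" "$SAMPLE_IFCONFIG" "25 53 110"; then
    echo "nothing unexpected"
fi
```

The allow-list is the whole policy: anything that shows up listening and is not on it is a finding to explain, which is the "account for everything listed" step in Mike's message. Because the script only parses text, the same functions work on output captured from a known-good binary and saved to a file, which is also how to compare what the suspect host's own netstat says against what a trusted one says.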
From owner-freebsd-security Mon Oct 7 13:53:38 2002
From: Peter Jeremy
To: Aragon Gouveia
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw stateful help - strange behaviour
Date: Tue, 8 Oct 2002 06:53:07 +1000

On 2002-Oct-04 17:35:54 +0200, Aragon Gouveia wrote:
>I'm having a problem with ipfw's stateful operation which I can't quite
>figure out. Let me start with my ruleset.
>
>00100 check-state
>00500 allow tcp from any to 66.8.x.y 80 keep-state setup
>01000 deny tcp from any to 66.8.x.y 80
>65535 allow ip from any to any

Are you running NAT as well?

Peter

From owner-freebsd-security Mon Oct 7 14:07:47 2002
From: Anthony Schneider
To: Mike Hoskins
Cc: Riley, FreeBSD Security
Subject: Re: chkrootkit help
Date: Mon, 7 Oct 2002 17:15:39 -0400
> You could try using a trusted sockstat binary to verify what's listening
> on the local system.
>
> % sockstat -4l

quick aside: sockstat is a perl script, unless this changed with 4.6.2.

-Anthony.

From owner-freebsd-security Mon Oct 7 14:14:36 2002
From: Mike Hoskins
To: Anthony Schneider
Cc: Riley, FreeBSD Security
Subject: Re: chkrootkit help
Date: Mon, 7 Oct 2002 14:11:25 -0700 (PDT)

On Mon, 7 Oct 2002, Anthony Schneider wrote:

> > You could try using a trusted sockstat binary to verify what's listening
> > on the local system.
> > % sockstat -4l
> quick aside: sockstat is a perl script, unless this changed with
> 4.6.2.

Eww, I hadn't noticed. Good point, stick to a safe netstat from cdrom, etc.

From owner-freebsd-security Tue Oct 8 03:23:21 2002
From: Peter Pentchev
To: Mike Hoskins
Cc: Riley, FreeBSD Security
Subject: Re: chkrootkit help
Date: Tue, 8 Oct 2002 13:23:08 +0300

On Mon, Oct 07, 2002 at 01:33:04PM -0700, Mike Hoskins wrote:
> On Mon, 7 Oct 2002, Riley wrote:
[snip]
> > Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> > I/O error on connection from [203.48.40.139], from=
> > Oct 7 08:45:13 aji /kernel: file: table is full
>
> OK, most of these look IO related... But what's this mean?
>
> > Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> > Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> > (core dumped)
>
> If 'root' really doesn't exist, then who is uid 0?

It might well be that the POP3 service does not authenticate against the system passwd file; think 'virtual domains'. There might be no user named 'root' in the virtual domain requested, even though there is such a user on the local machine :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If wishes were fishes, the antecedent of this conditional would be true.

From owner-freebsd-security Tue Oct 8 10:54:51 2002
From: twig les
To: freebsd-security@freebsd.org
Subject: Sniffer nic
Date: Tue, 8 Oct 2002 10:54:40 -0700 (PDT)
10:54:40 -0700 (PDT) From: twig les Subject: Sniffer nic To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hey *, I need another nic (10/100 copper) for sniffing and was wondering if anyone had input as to which one kicks ass. I'm planning on either an Intel Pro or 3Com, not sure which model yet. Anyone had something so good that they want to recommend it? The box is 4.6 Release (fully patched) running Snort 1.8.7. Hardware is dual P3-1GHz, 2gig ram, scsi blah blah blah, the only really interesting thing is that I have an empty 64-bit, 66mhz PCI slot so I can use that for a good nic if possible. ===== ----------------------------------------------------------- Heavy metal made me do it. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? 
Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 11: 4:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DE7337B401 for ; Tue, 8 Oct 2002 11:04:16 -0700 (PDT) Received: from cithaeron.argolis.org (pool-138-88-90-249.res.east.verizon.net [138.88.90.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6EEF043E3B for ; Tue, 8 Oct 2002 11:04:15 -0700 (PDT) (envelope-from piechota@argolis.org) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.6/8.12.5) with ESMTP id g98I4DvL001064; Tue, 8 Oct 2002 14:04:13 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.6/8.12.6/Submit) with ESMTP id g98I4D9g001061; Tue, 8 Oct 2002 14:04:13 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Tue, 8 Oct 2002 14:04:13 -0400 (EDT) From: Matt Piechota To: twig les Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sniffer nic In-Reply-To: <20021008175440.76297.qmail@web10107.mail.yahoo.com> Message-ID: <20021008140221.R396-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 8 Oct 2002, twig les wrote: > Hey *, I need another nic (10/100 copper) for sniffing > and was wondering if anyone had input as to which one > kicks ass. I'm planning on either an Intel Pro or > 3Com, not sure which model yet. Anyone had something > so good that they want to recommend it? The box is > 4.6 Release (fully patched) running Snort 1.8.7. 
> Hardware is dual P3-1GHz, 2gig ram, scsi blah blah > blah, the only really interesting thing is that I have > an empty 64-bit, 66mhz PCI slot so I can use that for > a good nic if possible. I've had good luck with Intel 8255x NICs, ie EtherExpress Pro, both in card form and in laptops (built-in). I could record a most saturated 100Mbit line on a P2-350 (using Ethereal and FreeBSD) -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 11:33:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E55237B401 for ; Tue, 8 Oct 2002 11:33:14 -0700 (PDT) Received: from aeimail.aei.ca (aeimail.aei.ca [206.123.6.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 494CA43E8A for ; Tue, 8 Oct 2002 11:33:13 -0700 (PDT) (envelope-from anarcat@anarcat.ath.cx) Received: from shall.anarcat.ath.cx (uwlazdcotvccknsr@dsl-131-25.aei.ca [66.36.131.25]) by aeimail.aei.ca (8.11.6/8.10.1) with ESMTP id g98IXCM23482 for ; Tue, 8 Oct 2002 14:33:12 -0400 (EDT) Received: from lenny.anarcat.ath.cx (lenny.anarcat.ath.cx [192.168.0.4]) by shall.anarcat.ath.cx (Postfix) with SMTP id 23659342 for ; Tue, 8 Oct 2002 14:38:48 -0400 (EDT) Received: by lenny.anarcat.ath.cx (sSMTP sendmail emulation); Tue, 8 Oct 2002 14:32:27 -0400 Date: Tue, 8 Oct 2002 14:32:27 -0400 From: The Anarcat To: FreeBSD Security Issues Subject: access() is a security hole? 
Message-ID: <20021008183227.GC309@lenny.anarcat.ath.cx> Mail-Followup-To: FreeBSD Security Issues Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="c3bfwLpm8qysLVxt" Content-Disposition: inline User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --c3bfwLpm8qysLVxt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

The access(2) manpage mentions an obscure security hole in access(2). How so?

" CAVEAT Access() is a potential security hole and should never be used. "

This seems to have been part of the manpage forever, or so to speak, so I really wonder what it's talking about. :) And if it's really that serious of a security hole, why isn't there a compiler warning similar to the use of mktemp() when linking against it?

Thanks, A. -- Stop the bombings. Stop the murders. Anti-war.
--c3bfwLpm8qysLVxt Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9oyS7ttcWHAnWiGcRAhiuAJ4pxlAvYtVcl9NlCFDx/d11VEHYwwCeKigW eMq8DB5c0NqR5ptM3TRxOQA= =Jxck -----END PGP SIGNATURE----- --c3bfwLpm8qysLVxt-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 12:28:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D9F737B401 for ; Tue, 8 Oct 2002 12:28:24 -0700 (PDT) Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4395543E6A for ; Tue, 8 Oct 2002 12:28:23 -0700 (PDT) (envelope-from Jan.Grant@bristol.ac.uk) Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Tue, 8 Oct 2002 20:28:12 +0100 Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 3.16 #1) id 17yzz2-0002xm-00; Tue, 08 Oct 2002 20:25:32 +0100 Date: Tue, 8 Oct 2002 20:25:32 +0100 (BST) From: Jan Grant X-X-Sender: cmjg@mail.ilrt.bris.ac.uk To: The Anarcat Cc: FreeBSD Security Issues Subject: Re: access() is a security hole? In-Reply-To: <20021008183227.GC309@lenny.anarcat.ath.cx> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 8 Oct 2002, The Anarcat wrote: > The access(2) manpage mentions an obscure security hole in > access(2). How so? > > " > CAVEAT > Access() is a potential security hole and should never be used. > " > > This seems to have been part of the manpage forever, or so to speak, > so I really wonder what it's talking about. :) Race conditions. 
Rather than using access, the idea is presumably that you drop privs and try to actually access the object, getting a file handle in the process. Canonical counterexample, IIRC, is samba. -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/ Ever see something and think, "I've gotta leverage me some of that?" Odds are, you were looking at a synergy and didn't even know it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 13:38:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCE5437B401 for ; Tue, 8 Oct 2002 13:38:49 -0700 (PDT) Received: from aeimail.aei.ca (aeimail.aei.ca [206.123.6.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B0EF43E77 for ; Tue, 8 Oct 2002 13:38:48 -0700 (PDT) (envelope-from anarcat@anarcat.ath.cx) Received: from shall.anarcat.ath.cx (gaxoqlq4sqchft2n@dsl-131-25.aei.ca [66.36.131.25]) by aeimail.aei.ca (8.11.6/8.10.1) with ESMTP id g98KcfM25474; Tue, 8 Oct 2002 16:38:41 -0400 (EDT) Received: from lenny.anarcat.ath.cx (lenny.anarcat.ath.cx [192.168.0.4]) by shall.anarcat.ath.cx (Postfix) with SMTP id DE04D342; Tue, 8 Oct 2002 16:44:20 -0400 (EDT) Received: by lenny.anarcat.ath.cx (sSMTP sendmail emulation); Tue, 8 Oct 2002 16:37:59 -0400 Date: Tue, 8 Oct 2002 16:37:59 -0400 From: The Anarcat To: Fernando Schapachnik Cc: FreeBSD Security Issues Subject: Re: access() is a security hole? 
Message-ID: <20021008203759.GD309@lenny.anarcat.ath.cx> Mail-Followup-To: Fernando Schapachnik , FreeBSD Security Issues References: <20021008183227.GC309@lenny.anarcat.ath.cx> <20021008154204.D56601@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bajzpZikUji1w+G9" Content-Disposition: inline In-Reply-To: <20021008154204.D56601@ns1.via-net-works.net.ar> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --bajzpZikUji1w+G9 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue Oct 08, 2002 at 03:42:04PM -0300, Fernando Schapachnik wrote:
> In a previous message, The Anarcat wrote:
> > The access(2) manpage mentions an obscure security hole in
> > access(2). How so?
> >
> > "
> > CAVEAT
> > Access() is a potential security hole and should never be used.
>
> It might have to do with the fact that file permissions can change
> between the access() call and the open() call. The preferred way is
> to use fstat() that takes an open fd.

Just what I thought. The man page should be more precise. The way I read it, there is a security bug in access(2) which is not the case. I'll try to come up with an update to the manpage.

A. -- Advertisers, not governments, are the primary censors of media content in the United States today. - C.
Edwin Baker http://www.ad-mad.co.uk/quotes/freespeech.htm --bajzpZikUji1w+G9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9o0InttcWHAnWiGcRAqU1AKCMo8PebN36m3nWaA1j/vSixKnEvwCgl47F aP4pjDDUypRPinu7v4cu7io= =ILAR -----END PGP SIGNATURE----- --bajzpZikUji1w+G9-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 13:59:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B449B37B404 for ; Tue, 8 Oct 2002 13:59:09 -0700 (PDT) Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC3B243E6A for ; Tue, 8 Oct 2002 13:59:08 -0700 (PDT) (envelope-from freebsd@babayaga.neotext.ca) Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.12.6/8.12.5) with ESMTP id g98Kw1uj010590; Tue, 8 Oct 2002 14:58:05 -0600 (MDT) (envelope-from freebsd@babayaga.neotext.ca) From: "Duncan Patton a Campbell is Dhu" To: Matt Piechota , twig les Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sniffer nic Date: Tue, 8 Oct 2002 14:58:01 -0600 Message-Id: <20021008205801.M19596@babayaga.neotext.ca> In-Reply-To: <20021008140221.R396-100000@cithaeron.argolis.org> References: <20021008175440.76297.qmail@web10107.mail.yahoo.com> <20021008140221.R396-100000@cithaeron.argolis.org> X-Mailer: Open WebMail 1.70 20020712 X-OriginatingIP: 127.0.0.1 (freebsd) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hmm. 
I don't know anything about the cards mentioned here or the application you are putting the sniffer to, but you should consider whether you need to look outside the usual sense window for the card -- iff you are looking for network layer virii or other out-band transmissions. Dhu > On Tue, 8 Oct 2002, twig les wrote: > > > Hey *, I need another nic (10/100 copper) for sniffing > > and was wondering if anyone had input as to which one > > kicks ass. I'm planning on either an Intel Pro or > > 3Com, not sure which model yet. Anyone had something > > so good that they want to recommend it? The box is > > 4.6 Release (fully patched) running Snort 1.8.7. > > Hardware is dual P3-1GHz, 2gig ram, scsi blah blah > > blah, the only really interesting thing is that I have > > an empty 64-bit, 66mhz PCI slot so I can use that for > > a good nic if possible. > > I've had good luck with Intel 8255x NICs, ie > EtherExpress Pro, both in card form and in laptops > (built-in). I could record a most saturated 100Mbit > line on a P2-350 (using Ethereal and FreeBSD) > > -- > Matt Piechota > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message Duncan Patton a Campbell is Duihb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 14:21:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D95B37B401 for ; Tue, 8 Oct 2002 14:21:50 -0700 (PDT) Received: from web10102.mail.yahoo.com (web10102.mail.yahoo.com [216.136.130.52]) by mx1.FreeBSD.org (Postfix) with SMTP id 5BAEB43E77 for ; Tue, 8 Oct 2002 14:21:50 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20021008212150.26159.qmail@web10102.mail.yahoo.com> Received: from [68.5.49.41] by web10102.mail.yahoo.com via HTTP; Tue, 08 Oct 2002 14:21:50 PDT Date: Tue, 8 
Oct 2002 14:21:50 -0700 (PDT) From: twig les Subject: Re: Sniffer nic To: Duncan Patton a Campbell is Dhu , Matt Piechota Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20021008205801.M19596@babayaga.neotext.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Nope, nothing like that. Just some good old L3-7 NIDS. A couple things I was wondering though.... Is anyone running the "ANA-62011 64-bit single port 10/100baseTX adapter" from Adaptec? It's supported by 4.6 release, but I won't be on site for the installation so I'm looking for easy installation here. This leads to the second question which is: What kind of performance increase will I see with a 64-bit 100BT nic vs the same card running in a 32-bit slot? I'm trying to figure out if it's worth the extra $30 before I tell my boss to get it (well...ask him). Thnx for the answers so far though.

--- Duncan Patton a Campbell is Dhu wrote: > Hmm. I don't know anything about the cards > mentioned here > or the application you are putting the sniffer to, > but you > should > consider whether you need to look outside the usual > sense > window for the card -- iff you are looking for > network layer > virii > or other out-band transmissions. > > Dhu > > > On Tue, 8 Oct 2002, twig les wrote: > > > > > Hey *, I need another nic (10/100 copper) for > sniffing > > > and was wondering if anyone had input as to > which one > > > kicks ass. I'm planning on either an Intel Pro > or > > > 3Com, not sure which model yet. Anyone had > something > > > so good that they want to recommend it? The box > is > > > 4.6 Release (fully patched) running Snort 1.8.7.
> > > Hardware is dual P3-1GHz, 2gig ram, scsi blah > blah > > > blah, the only really interesting thing is that > I have > > > an empty 64-bit, 66mhz PCI slot so I can use > that for > > > a good nic if possible. > > > > I've had good luck with Intel 8255x NICs, ie > > EtherExpress Pro, both in card form and in laptops > > > (built-in). I could record a most saturated > 100Mbit > > line on a P2-350 (using Ethereal and FreeBSD) > > > > -- > > Matt Piechota > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > > the message > > > Duncan Patton a Campbell is Duihb > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Heavy metal made me do it. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 14:24:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1564C37B401 for ; Tue, 8 Oct 2002 14:24:33 -0700 (PDT) Received: from aeimail.aei.ca (aeimail.aei.ca [206.123.6.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 295D743E77 for ; Tue, 8 Oct 2002 14:24:32 -0700 (PDT) (envelope-from anarcat@anarcat.ath.cx) Received: from shall.anarcat.ath.cx (dsl-131-25.aei.ca [66.36.131.25]) by aeimail.aei.ca (8.11.6/8.10.1) with ESMTP id g98LOMM04436; Tue, 8 Oct 2002 17:24:22 -0400 (EDT) Received: from lenny.anarcat.ath.cx (lenny.anarcat.ath.cx [192.168.0.4]) by shall.anarcat.ath.cx (Postfix) with SMTP id 4AF7D3E1; Tue, 8 Oct 2002 17:29:57 -0400 (EDT) Received: by lenny.anarcat.ath.cx (sSMTP 
sendmail emulation); Tue, 8 Oct 2002 17:23:35 -0400 Date: Tue, 8 Oct 2002 17:23:35 -0400 From: The Anarcat To: Jan Grant Cc: FreeBSD Security Issues Subject: Re: access() is a security hole? Message-ID: <20021008212335.GF309@lenny.anarcat.ath.cx> Mail-Followup-To: Jan Grant , FreeBSD Security Issues References: <20021008183227.GC309@lenny.anarcat.ath.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="O98KdSgI27dgYlM5" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --O98KdSgI27dgYlM5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

Also, this means that the stat() manpage should also contain a similar section about its non-fd incarnations.

A.

--O98KdSgI27dgYlM5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9o0zXttcWHAnWiGcRAn5RAJ4jC5sMo0mvi7lZIUO3BVCJG5GAfwCgoTw7 +x8KngED3V4Zb57r+qDXD5k= =2AoA -----END PGP SIGNATURE----- --O98KdSgI27dgYlM5-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 14:30: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A238337B401 for ; Tue, 8 Oct 2002 14:30:03 -0700 (PDT) Received: from smtpout.mac.com (smtpout.mac.com [204.179.120.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D22643E3B for ; Tue, 8 Oct 2002 14:30:03 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from asmtp01.mac.com (asmtp01-qfe3 [10.13.10.65]) by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id g98LU3O2004754 for ; Tue, 8 Oct 2002 14:30:03 -0700 (PDT) Received: from bust
([12.38.161.88]) by asmtp01.mac.com (Netscape Messaging Server 4.15) with ESMTP id H3OME200.GVM for ; Tue, 8 Oct 2002 14:30:02 -0700 Date: Tue, 8 Oct 2002 17:30:00 -0400 Subject: Re: Sniffer nic Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) From: Chuck Swiger To: freebsd-security@FreeBSD.ORG Content-Transfer-Encoding: 7bit In-Reply-To: <20021008205801.M19596@babayaga.neotext.ca> Message-Id: <19A537BF-DB05-11D6-9582-000A27D85A7E@mac.com> X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday, October 8, 2002, at 04:58 PM, Duncan Patton a Campbell is Dhu wrote: > Hmm. I don't know anything about the cards mentioned here > or the application you are putting the sniffer to, but you > should consider whether you need to look outside the usual sense > window for the card -- iff you are looking for network layer > virii or other out-band transmissions. Most people don't pay attention to low-level stuff like ARP/RARP, ICMP redirects, source routing, and so forth-- you're right. However, when packet sniffing, you generally run the network interface in promiscuous mode so that it pays attention to all of the traffic going by on the wire. Someone sending raw 802.3 frames (rather than frames encapsulating IP packets) is still sending packets of data that a sniffer will see. On Tuesday, October 8, 2002, at 05:21 PM, twig les wrote: > What kind of performance increase will I see with a > 64-bit 100BT nic vs the same card running in a 32-bit > slot? I'm tryig to figure out if it's worth the extra > $30 before I tell my boss to get it (well...ask him). A normal 32-bit PCI bus gives you 133 Mb/s of bandwidth, which is enough to saturate a 10/100 card. 
Of course, if you're doing other things on the machine at the same time, it's nice to put your NIC and other devices on different PCI busses, so there will be some advantage to using the 64-bit PCI slot anyway. A 64-bit slot would be better suited for a 10/100/1000 gigabit ethernet card, or for something like a fast SCSI-3 (Ultra-160) card.... -Chuck Chuck Swiger | chuck@codefab.com | All your packets are belong to us. -------------+-------------------+----------------------------------- "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 14:38: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA9F637B401 for ; Tue, 8 Oct 2002 14:38:00 -0700 (PDT) Received: from aeimail.aei.ca (aeimail.aei.ca [206.123.6.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E65B43E4A for ; Tue, 8 Oct 2002 14:38:00 -0700 (PDT) (envelope-from anarcat@anarcat.ath.cx) Received: from shall.anarcat.ath.cx (80nren9matmmazpp@dsl-131-25.aei.ca [66.36.131.25]) by aeimail.aei.ca (8.11.6/8.10.1) with ESMTP id g98LbvM18089 for ; Tue, 8 Oct 2002 17:37:57 -0400 (EDT) Received: from lenny.anarcat.ath.cx (lenny.anarcat.ath.cx [192.168.0.4]) by shall.anarcat.ath.cx (Postfix) with SMTP id 5F2D33E1 for ; Tue, 8 Oct 2002 17:43:33 -0400 (EDT) Received: by lenny.anarcat.ath.cx (sSMTP sendmail emulation); Tue, 8 Oct 2002 17:37:11 -0400 Date: Tue, 8 Oct 2002 17:37:11 -0400 From: The Anarcat To: FreeBSD Security Issues Subject: Re: access() is a security hole? 
Message-ID: <20021008213711.GG309@lenny.anarcat.ath.cx> Mail-Followup-To: FreeBSD Security Issues References: <20021008183227.GC309@lenny.anarcat.ath.cx> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ulDeV4rPMk/y39in" Content-Disposition: inline In-Reply-To: <20021008183227.GC309@lenny.anarcat.ath.cx> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ulDeV4rPMk/y39in Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Ok.. I read the manpage in -current, and I guess I'll just shut up now. Maybe just an MFC would be OK. ;) Thanks all for your quick answer!

A. -- An educator at heart takes nothing seriously except in relation to his disciples -- himself not excepted. - Nietzsche, "Beyond Good and Evil" (Par delà le bien et le mal)

--ulDeV4rPMk/y39in Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9o1AGttcWHAnWiGcRAunPAJ99+YBs3jy00lFkdngw79FecHgzrQCbBAwu BZQOXjMocpxtxavTnwkMIOo= =HXrd -----END PGP SIGNATURE----- --ulDeV4rPMk/y39in-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 15:11: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8E2737B401 for ; Tue, 8 Oct 2002 15:11:01 -0700 (PDT) Received: from alcanet.com.au (mail3.alcanet.com.au [208.178.117.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0CCF43E7B for ; Tue, 8 Oct 2002 15:10:59 -0700 (PDT) (envelope-from peter.jeremy@alcatel.com.au) Received: from sydsmtp01.alcatel.com.au (IDENT:root@localhost.localdomain [127.0.0.1]) by
alcanet.com.au (8.12.4/8.12.4/Alcanet1.3) with ESMTP id g98MAmVG003173; Wed, 9 Oct 2002 08:10:49 +1000 Received: from gsmx07.alcatel.com.au ([139.188.20.247]) by sydsmtp01.alcatel.com.au (Lotus Domino Release 5.0.11) with ESMTP id 2002100908104673:18299 ; Wed, 9 Oct 2002 08:10:46 +1000 Received: from gsmx07.alcatel.com.au (localhost [127.0.0.1]) by gsmx07.alcatel.com.au (8.12.5/8.12.5) with ESMTP id g98MAk2t084159; Wed, 9 Oct 2002 08:10:46 +1000 (EST) (envelope-from peter.jeremy@alcatel.com.au) Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.12.5/8.12.5/Submit) id g98MAkrV084158; Wed, 9 Oct 2002 08:10:46 +1000 (EST) (envelope-from peter.jeremy@alcatel.com.au) Date: Wed, 9 Oct 2002 08:10:46 +1000 From: Peter Jeremy To: The Anarcat Cc: FreeBSD Security Issues Subject: Re: access() is a security hole? Message-ID: <20021008221046.GV495@gsmx07.alcatel.com.au> Mail-Followup-To: The Anarcat , FreeBSD Security Issues References: <20021008183227.GC309@lenny.anarcat.ath.cx> <20021008212335.GF309@lenny.anarcat.ath.cx> Mime-Version: 1.0 In-Reply-To: <20021008212335.GF309@lenny.anarcat.ath.cx> User-Agent: Mutt/1.4i X-MIMETrack: Itemize by SMTP Server on SYDSMTP01/AlcatelAustralia(Release 5.0.11 |July 24, 2002) at 09/10/2002 08:10:46 AM, Serialize by Router on SYDSMTP01/AlcatelAustralia(Release 5.0.11 |July 24, 2002) at 09/10/2002 08:10:49 AM, Serialize complete at 09/10/2002 08:10:49 AM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2002-Oct-08 17:23:35 -0400, The Anarcat wrote: >Also, this means that the stat() manpage should also contains a >similar section about its non-fd incarnations. I disagree. 
access(2) is specifically designed to allow setuid/setgid programs to validate access rights based on the real uid/gid - but is virtually impossible to use safely for this task because of the inherent race conditions. stat(2) and lstat(2) can be used unsafely but accurately fulfil their documented functions without creating a false sense of security. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 8 17:20:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C23637B401 for ; Tue, 8 Oct 2002 17:20:46 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 43AC143E4A for ; Tue, 8 Oct 2002 17:20:45 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA01027 for ; Tue, 8 Oct 2002 17:54:00 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20021008174734.029e9e00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 08 Oct 2002 17:53:55 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: I doubt that this affects FreeBSD, but FYI Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I doubt that the following notice affects FreeBSD as distributed, since Greg is very conscientious about maintaining the code. But if you've downloaded and installed Sendmail 8.12.6, it's worth checking for the Trojan mentioned below. 
Like the one that was found in OpenSSH, this Trojan kicks in when you build the code rather than when you run it. --Brett Glass >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Date: Tue, 8 Oct 2002 17:15:04 -0600 (MDT) >From: Dave Ahmad >To: bugtraq@securityfocus.com >Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd) >X-Security: Warning! Do not open files attached to e-mail if you do not > have an up-to-date virus protection program or did not expect to > receive them. Even if the message is from someone you know, an > attachment can contain a virus sent without his or her knowledge. > > > >David Mirza Ahmad >Symantec >KeyID: 0x26005712 >Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 >Return-Path: >Delivered-To: da@securityfocus.com >Received: (qmail 15236 invoked from network); 8 Oct 2002 23:05:08 -0000 >Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.27) > by mail.securityfocus.com with SMTP; 8 Oct 2002 23:05:08 -0000 >Received: from canaveral.indigo.cert.org (canaveral.indigo.cert.org [192.88.209.169]) > by outgoing.securityfocus.com (Postfix) with ESMTP > id 12E4BA30C0; Tue, 8 Oct 2002 17:02:08 -0600 (MDT) >Received: from localhost (lnchuser@localhost) > by canaveral.indigo.cert.org (8.11.6/8.11.6/1.14) with SMTP id g98LQnP01009; > Tue, 8 Oct 2002 17:26:49 -0400 >Date: Tue, 8 Oct 2002 17:26:49 -0400 >Message-Id: >From: CERT Advisory >To: cert-advisory@cert.org >Organization: CERT(R) Coordination Center - +1 412-268-7090 >List-Help: , >List-Subscribe: >List-Unsubscribe: >List-Post: NO (posting not allowed on this list) >List-Owner: >List-Archive: >Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution >Precedence: bulk > > > > >-----BEGIN PGP SIGNED 
MESSAGE----- > >CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution > > Original release date: October 08, 2002 > Last revised: -- > Source: CERT/CC > > A complete revision history is at the end of this file. > >Overview > > The CERT/CC has received confirmation that some copies of the source > code for the Sendmail package were modified by an intruder to contain > a Trojan horse. > > Sites that employ, redistribute, or mirror the Sendmail package should > immediately verify the integrity of their distribution. > >I. Description > > The CERT/CC has received confirmation that some copies of the source > code for the Sendmail package have been modified by an intruder to > contain a Trojan horse. > > The following files were modified to include the malicious code: > > sendmail.8.12.6.tar.Z > sendmail.8.12.6.tar.gz > > These files began to appear in downloads from the FTP server > ftp.sendmail.org on or around September 28, 2002. The Sendmail > development team disabled the compromised FTP server on October 6, > 2002 at approximately 22:15 PDT. It does not appear that copies > downloaded via HTTP contained the Trojan horse; however, the CERT/CC > encourages users who may have downloaded the source code via HTTP > during this time period to take the steps outlined in the Solution > section as a precautionary measure. > > The Trojan horse versions of Sendmail contain malicious code that is > run during the process of building the software. This code forks a > process that connects to a fixed remote server on 6667/tcp. This > forked process allows the intruder to open a shell running in the > context of the user who built the Sendmail software. There is no > evidence that the process is persistent after a reboot of the > compromised system. However, a subsequent build of the Trojan horse > Sendmail package will re-establish the backdoor process. > >II. 
Impact > > An intruder operating from the remote address specified in the > malicious code can gain unauthorized remote access to any host that > compiled a version of Sendmail from this Trojan horse version of the > source code. The level of access would be that of the user who > compiled the source code. > > It is important to understand that the compromise is to the system > that is used to build the Sendmail software and not to the systems > that run the Sendmail daemon. Because the compromised system creates a > tunnel to the intruder-controlled system, the intruder may have a path > through network access controls. > >III. Solution > >Obtain an authentic version Sendmail > > The primary distribution site for Sendmail is > > http://www.sendmail.org/ > > Sites that mirror the Sendmail source code are encouraged to verify > the integrity of their sources. > >Verify software authenticity > > We strongly encourage sites that recently downloaded a copy of the > Sendmail distribution to verify the authenticity of their > distribution, regardless of where it was obtained. Furthermore, we > encourage users to inspect any and all software that may have been > downloaded from the compromised site. Note that it is not sufficient > to rely on the timestamps or sizes of the file when trying to > determine whether or not you have a copy of the Trojan horse version. > >Verify PGP signatures > > The Sendmail source distribution is cryptographically signed with the > following PGP key: > > pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 > > Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 > > The Trojan horse copy did not include an updated PGP signature, so > attempts to verify its integrity would have failed. The sendmail.org > staff has verified that the Trojan horse copies did indeed fail PGP > signature checks. 
> 
> Verify MD5 checksums
> 
>    In the absence of PGP, you can use the following MD5 checksums to
>    verify the integrity of your Sendmail source code distribution:
> 
>    Correct versions:
> 
>      73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
>      cebe3fa43731b315908f44889d9d2137  sendmail.8.12.6.tar.Z
>      8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig
> 
>    As a matter of good security practice, the CERT/CC encourages users to
>    verify, whenever possible, the integrity of downloaded software. For
>    more information, see
> 
>      http://www.cert.org/incident_notes/IN-2001-06.html
> 
> Employ egress filtering
> 
>    Egress filtering manages the flow of traffic as it leaves a network
>    under your administrative control.
> 
>    In the case of the Trojan horse Sendmail distribution, employing
>    egress filtering can help prevent systems on your network from
>    connecting to the remote intruder-controlled system. Blocking outbound
>    TCP connections to port 6667 from your network reduces the risk of
>    internal compromised machines communicating with the remote system.
> 
> Build software as an unprivileged user
> 
>    Sites are encouraged to build software from source code as an
>    unprivileged, non-root user on the system. This can lessen the
>    immediate impact of Trojan horse software. Compiling software that
>    contains Trojan horses as the root user results in a compromise that
>    is much more difficult to reliably recover from than if the Trojan
>    horse is executed as a normal, unprivileged user on the system.
> 
> Recovering from a system compromise
> 
>    If you believe a system under your administrative control has been
>    compromised, please follow the steps outlined in
> 
>      Steps for Recovering from a UNIX or NT System Compromise
> 
> Reporting
> 
>    The CERT/CC is interested in receiving reports of this activity. If
>    machines under your administrative control are compromised, please
>    send mail to cert@cert.org with the following text included in the
>    subject line: "[CERT#33376]".
> 
> Appendix A. - Vendor Information
> 
>    This appendix contains information provided by vendors for this
>    advisory. As vendors report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular vendor is not listed below, we have not received their
>    comments.
>    _________________________________________________________________
> 
>    The CERT Coordination Center thanks the staff at the Sendmail
>    Consortium for bringing this issue to our attention.
>    _________________________________________________________________
> 
>    Feedback can be directed to the authors: Chad Dougherty, Marty
>    Lindner.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2002-28.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert@cert.org
>    Phone: +1 412-268-7090 (24-hour hotline)
>    Fax: +1 412-268-6989
>    Postal address:
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          U.S.A.
> 
>    CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
>    EDT(GMT-4) Monday through Friday; they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
> 
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT publications and other security information are available from
>    our web site
>    http://www.cert.org/
> 
>    To subscribe to the CERT mailing list for advisories and bulletins,
>    send email to majordomo@cert.org. Please include in the body of your
>    message
> 
>      subscribe cert-advisory
> 
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    _________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2002 Carnegie Mellon University.
> 
>    Revision History
> October 08, 2002: Initial release

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Oct 8 18:52:03 2002
From: William Carrel
To: security@freebsd.org
Cc: brett@lariat.org
Subject: Re: I doubt that this affects FreeBSD, but FYI
Date: Tue, 8 Oct 2002 18:51:42 -0700
In-Reply-To: <4.3.2.7.2.20021008174734.029e9e00@localhost>

A quick peer over at CVSweb indicates that the import of 8.12.6 was done
well before the sendmail.org folks got their server fooled with.

On Tuesday, October 8, 2002, at 04:53 PM, Brett Glass wrote:

> I doubt that the following notice affects FreeBSD as distributed,
> since Greg is very conscientious about maintaining the code. But
> if you've downloaded and installed Sendmail 8.12.6, it's worth
> checking for the Trojan mentioned below. Like the one that was
> found in OpenSSH, this Trojan kicks in when you build the code
> rather than when you run it.
> 
> --Brett Glass
> 
> 
>> Date: Tue, 8 Oct 2002 17:15:04 -0600 (MDT)
>> From: Dave Ahmad
>> To: bugtraq@securityfocus.com
>> Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution (fwd)
>> 
>> David Mirza Ahmad
>> Symantec
>> KeyID: 0x26005712
>> Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
>> 
>> Date: Tue, 8 Oct 2002 17:26:49 -0400
>> From: CERT Advisory
>> To: cert-advisory@cert.org
>> Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

From owner-freebsd-security Tue Oct 8 21:18:30 2002
From: Ken Ebling
To: freebsd-security@freebsd.org
Subject: Sendmail trojan...?
Date: Wed, 09 Oct 2002 00:20:06 -0400
Message-ID: <3DA3AE76.1070006@deevil.homeunix.org>

http://www.cert.org/advisories/CA-2002-28.html

I'm assuming recent cvs buildworlds are immune to this??

From owner-freebsd-security Wed Oct 9 3:56:20 2002
From: "Ivailo Tanusheff"
To: "FreeBSD Questions", "FreeBSD Net", "FreeBSD Security"
Subject: VPN Tunneling
Date: Wed, 9 Oct 2002 13:49:51 +0300
Message-ID: <01d901c26f81$984bbd40$faf810ac@sof.procreditbank.bg>

Hello,

I'm trying to make a VPN tunnel between a FreeBSD machine and a Win2K
Machine. My configuration is:

{Net1} <---> <--...--> <---> {Net2}

Win2k machine has dynamically assigned IP address as it's connecting to
public ISP. Can you help me build the tunnel?

Regards,
Ivailo Tanusheff

From owner-freebsd-security Wed Oct 9 4:04:41 2002
From: Peter Pentchev
To: Ivailo Tanusheff
Cc: FreeBSD Questions, FreeBSD Net, FreeBSD Security
Subject: Re: VPN Tunneling
Date: Wed, 9 Oct 2002 14:04:26 +0300
Message-ID: <20021009110426.GP376@straylight.oblivion.bg>
In-Reply-To: <01d901c26f81$984bbd40$faf810ac@sof.procreditbank.bg>

On Wed, Oct 09, 2002 at 01:49:51PM +0300, Ivailo Tanusheff wrote:
> Hello,
> 
> I'm trying to make a VPN tunnel between a FreeBSD machine and a Win2K
> Machine. My configuration is:
> 
> {Net1} <---> <--...--> <---> {Net2}
> 
> Win2k machine has dynamically assigned IP address as it's connecting to
> public ISP. Can you help me build the tunnel?

Take a look at the net/mpd port; it needs Netgraph either built into the
kernel, or loaded as a KLD. Then, on the Win2K side, use the PPTP VPN
connections ('Connect to a private network through the Internet').
Things are *very* easy to set up, actually :)

Drop me a private mail if you need some help, or we just might meet on
IRC :)

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence contains exactly threee erors.

From owner-freebsd-security Wed Oct 9 7:16:46 2002
From: Emacs
To: Ken Ebling
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail trojan...?
Date: Wed, 9 Oct 2002 09:16:28 -0500 (CDT)
Message-ID: <20021009091519.E38815-100000@crimelords.org>
In-Reply-To: <3DA3AE76.1070006@deevil.homeunix.org>

I'm hoping so myself...although my build date is out of the range the
CERT defines....I guess you could verify via the md5's?

-e

On Wed, 9 Oct 2002, Ken Ebling wrote:

> http://www.cert.org/advisories/CA-2002-28.html
> 
> I'm assuming recent cvs buildworlds are immune to this??
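The verification that the CERT advisory quoted earlier in this thread prescribes, and that the question above about checking "via the md5's" calls for, as an added example; this is the editor's code, not from any message in the thread or from sendmail.org. It checks a downloaded Sendmail 8.12.6 file against the advisory's MD5 table and, when gpg and the detached .sig are at hand, checks the signature against the advisory's key fingerprint; it assumes the signing key is already in the keyring and that the gpg in use still loads PGP 2.x (v3) keys, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): check a downloaded
# Sendmail 8.12.6 distribution file against the MD5 table and signing-key
# fingerprint published in CERT Advisory CA-2002-28.  Return codes:
#   0 = matches the advisory,  1 = mismatch (treat as the Trojan horse copy),
#   2 = file name not listed in the advisory,  3 = PGP check not possible.

# "Correct versions" MD5 table, copied from the advisory.
SENDMAIL_MD5_TABLE="
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
"
# Fingerprint of key 678C0A03 from the advisory, spaces removed so it can
# be compared with gpg's machine-readable status output.
SENDMAIL_KEY_FPR="7B02F4AAFCC022DA473E2A9A9B352245"

# Print a file's MD5: md5(1) on FreeBSD and macOS, md5sum(1) elsewhere.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the advisory's checksum for a distribution file name (directory
# part ignored); return 2 when the advisory lists no such file.
expected_md5_for() {
    _name=$(basename "$1")
    _hit=$(printf '%s\n' "$SENDMAIL_MD5_TABLE" | awk -v n="$_name" '$2 == n { print $1 }')
    [ -n "$_hit" ] || return 2
    printf '%s\n' "$_hit"
}

# 0 when the file's MD5 equals the expected value, 1 otherwise.
check_md5() {
    _actual=$(md5_of "$1")
    [ "$_actual" = "$2" ]
}

# Checksum check of one downloaded file.  Size and timestamp are not
# consulted at all: the advisory says they cannot tell the copies apart.
verify_sendmail_dist() {
    _exp=$(expected_md5_for "$1") || return 2
    if check_md5 "$1" "$_exp"; then
        echo "OK: $1 matches the advisory checksum"
        return 0
    fi
    echo "MISMATCH: $1 differs from the advisory checksum; do not build it" >&2
    return 1
}

# Detached-signature check: sendmail.8.12.6.tar.sig signs the uncompressed
# .tar.  Assumes the Sendmail signing key is in the keyring and that this
# gpg still loads PGP 2.x (v3) keys.  0 = valid signature from that key,
# 1 = bad or foreign signature, 3 = gpg or a file missing (no conclusion).
verify_signature() {
    _tar=$1
    _sig=$2
    command -v gpg >/dev/null 2>&1 || return 3
    [ -f "$_tar" ] && [ -f "$_sig" ] || return 3
    gpg --status-fd 1 --verify "$_sig" "$_tar" 2>/dev/null \
        | grep -q "VALIDSIG $SENDMAIL_KEY_FPR " || return 1
}
```

A matching checksum only proves the file is the one the advisory lists; it says nothing about a build that already ran from a bad copy, which the advisory's egress-filtering and recovery sections address.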

From owner-freebsd-security Wed Oct 9 7:25:55 2002
From: Chris Faulhaber
To: freebsd-security@freebsd.org
Subject: Re: Sendmail trojan...?
Date: Wed, 9 Oct 2002 10:25:46 -0400
Message-ID: <20021009142546.GA27227@darkstar.doublethink.cx>
In-Reply-To: <3DA3AE76.1070006@deevil.homeunix.org>

On Wed, Oct 09, 2002 at 12:20:06AM -0400, Ken Ebling wrote:
> http://www.cert.org/advisories/CA-2002-28.html
> 
> I'm assuming recent cvs buildworlds are immune to this??
> 

(resending from a subscribed address)

Yes, the source in the tree has been verified against the
signed tarball; plus, it was the configure script that was
backdoored which buildworld does not use.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Oct 9 7:37:38 2002
From: Andy
To: Peter Pentchev, Ivailo Tanusheff
Cc: FreeBSD Questions, FreeBSD Net, FreeBSD Security
Subject: Re: VPN Tunneling
Date: Wed, 09 Oct 2002 08:37:30 -0600
Message-ID: <5.1.1.6.0.20021009083403.01c88f88@mail.seahorse.wsonline.net>
In-Reply-To: <20021009110426.GP376@straylight.oblivion.bg>

>On Wed, Oct 09, 2002 at 01:49:51PM +0300, Ivailo Tanusheff wrote:
>Hello,
>
>I'm trying to make a VPN tunnel between a FreeBSD machine and a Win2K
>Machine. My configuration is:
>
>{Net1} <---> <--...--> <---> {Net2}
>
>Win2k machine has dynamically assigned IP address as it's connecting to
>public ISP. Can you help me build the tunnel?

At 05:04 10/09/2002, Peter Pentchev wrote:
>Take a look at the net/mpd port; it needs Netgraph either built into the
>kernel, or loaded as a KLD. Then, on the Win2K side, use the PPTP VPN
>connections ('Connect to a private network through the Internet').
>Things are *very* easy to set up, actually :)
>
>Drop me a private mail if you need some help, or we just might meet on
>IRC :)
>
>G'luck,
>Peter

Will this method permit incoming connections from the outside Internet
and then forward them to a box with an internal IP address on net1, where
the FreeBSD box is acting as a gateway/natd for the net1 internal network?
Andy


From: Claus Assmann
To: freebsd-security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 08:03:41 -0700
Subject: Re: Sendmail trojan...?

On Wed, Oct 09, 2002, Chris Faulhaber wrote:

> Yes, the source in the tree has been verified against the
> signed tarball; plus, it was the configure script that was
> backdoored which buildworld does not use.

It was not the configure script.
I'm wondering who came up with this rumor; please stop spreading it.


From: Peter Pentchev
To: Andy
Cc: Ivailo Tanusheff, FreeBSD Questions, FreeBSD Net, FreeBSD Security
Date: Wed, 9 Oct 2002 18:09:02 +0300
Subject: Re: VPN Tunneling
On Wed, Oct 09, 2002 at 08:37:30AM -0600, Andy wrote:
>
> >On Wed, Oct 09, 2002 at 01:49:51PM +0300, Ivailo Tanusheff wrote:
> >Hello,
> >
> >I'm trying to make a VPN tunnel between a FreeBSD machine and a Win2K
> >Machine. My configuration is:
> >
> >{Net1} <---> <--...--> <---> {Net2}
> >
> >Win2k machine has dynamically assigned IP address as it's connecting to
> >public ISP. Can you help me build the tunnel?
>
> At 05:04 10/09/2002, Peter Pentchev wrote:
>
> >Take a look at the net/mpd port; it needs Netgraph either built into the
> >kernel, or loaded as a KLD. Then, on the Win2K side, use the PPTP VPN
> >connections ('Connect to a private network through the Internet').
> >Things are *very* easy to set up, actually :)
> >
> >Drop me a private mail if you need some help, or we just might meet on
> >IRC :)
> >
> >G'luck,
> >Peter
>
> Will this method permit incoming connections from the out side Internet and
> then forward them to a box with an internal IP address on net1? Where the
> FreeBSD box is acting as a gateway/natd for the net1 internal network.

In this case, the FreeBSD box does not act as a gateway, merely as a
tunnel endpoint. It may be otherwise configured to act as a NAT gateway,
but this is independent: this allows another FreeBSD or Win2K or maybe
even Linux box to establish a PPTP VPN tunnel, and perform direct routing
between net1 and net2. Any machine within net1 will be able to reach net2
directly, and vice versa.

To let machines from the outside Internet -- not the other side of the
tunnel -- reach the inside boxes, you will need to set up some other NAT
mechanism, but, once again, this is entirely independent of mpd - mpd will
provide the VPN functionality regardless of whether the FreeBSD box is also
acting as a NAT gateway.
G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am not the subject of this sentence.


From: "Riley"
To: Mike Hoskins, Anthony Schneider
Cc: FreeBSD Security, FreeBSD Questions
Date: Wed, 9 Oct 2002 09:36:25 -0700
Subject: RE: chkrootkit help

Greetings,
I'd like to thank all who replied; the advice and suggestions were
valuable and appreciated, not to mention timely!

It looks like it was a false positive. I ran netstat from CD, a new
chkrootkit compiled on a clean machine, and nmap remotely. It also made
sense to mount / (-ro) from a clean machine and do a diff -r /bin /mnt/bin.
There doesn't seem to be a security breach. I'll rebuild the machine anyway
soon.

There's a known issue with chkrootkit reporting false positives for running
programs that use bindshell's ports. Although these aren't running on this
machine (an _up-to-date_ DNS/mail server), it was in an unstable state for
known reasons. An nmap from a remote machine of the entire network directed
at the firewall showed nothing abnormal.

I'm going to rebuild it anyway, but wanted to follow up. Also, if the above
is misguided, please advise!

Again, thanks,

Riley

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Hoskins
> Sent: Monday, October 07, 2002 2:11 PM
> To: Anthony Schneider
> Cc: Riley; FreeBSD Security
> Subject: Re: chkrootkit help
>
>
> On Mon, 7 Oct 2002, Anthony Schneider wrote:
>
> > > You could try using a trusted sockstat binary to verify
> what's listening
> > > on the local system.
> > > % sockstat -4l
> > quick aside: sockstat is a perl script, unless this changed with
> > 4.6.2.
>
> Eww, I hadn't noticed. Good point, stick to a safe netstat from cdrom,
> etc.
From: Mike Tancsa
To: freebsd-security@FreeBSD.ORG
Date: Wed, 09 Oct 2002 13:00:49 -0400
Subject: Re: Sendmail trojan...?

Hi,
        Do you know the method they used to get in ? OpenSSL/https then
local root exploit ?
Although netcraft says
Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD

        ---Mike

At 08:03 AM 09/10/2002 -0700, Claus Assmann wrote:
>On Wed, Oct 09, 2002, Chris Faulhaber wrote:
>
> > Yes, the source in the tree has been verified against the
> > signed tarball; plus, it was the configure script that was
> > backdoored which buildworld does not use.
>
>It was not the configure script. I'm wondering who came up with
>this rumor; please stop spreading it.


From: Erick Mechler
To: William Carrel
Cc: security@FreeBSD.ORG, brett@lariat.org
Date: Wed, 9 Oct 2002 10:01:17 -0700
Subject: Re: I doubt that this affects FreeBSD, but FYI
:: A quick peer over at CVSweb indicates that the import of 8.12.6 was
:: done well before the sendmail.org folks got their server fooled with.

Additionally, you would have had to explicitly tell your build to continue
after it warned you about a mismatch in the MD5 sums. All the more reason
you should really trust the MD5 sums in your distinfo files :)

Cheers - Erick


From: William Carrel
To: Erick Mechler
Cc: security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 10:05:16 -0700
Subject: Re: I doubt that this affects FreeBSD, but FYI
On Wednesday, October 9, 2002, at 10:01 AM, Erick Mechler wrote:

> :: A quick peer over at CVSweb indicates that the import of 8.12.6 was
> :: done well before the sendmail.org folks got their server fooled
> with.
>
> Additionally, you would have had to explicitly told your build to
> continue
> after it warned you about a mismatch in the MD5 sums. All the more
> reason
> you should really trust the MD5 sums in your distinfo files :)

I was talking about the base system, not ports. I guess I should've been
clearer about that. I don't think the base system checks the MD5 sums
during buildworld. But then I have NO_SENDMAIL turned on in make.conf
anyway, so what would I know.

And ports would check the MD5 so, everything is happy.

--
William Carrel


From: Mike Tancsa
To: Erick Mechler
Cc: security@FreeBSD.ORG
Date: Wed, 09 Oct 2002 13:13:51 -0400
Subject: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
>:: A quick peer over at CVSweb indicates that the import of 8.12.6 was
>:: done well before the sendmail.org folks got their server fooled with.
>
>Additionally, you would have had to explicitly told your build to continue
>after it warned you about a mismatch in the MD5 sums. All the more reason
>you should really trust the MD5 sums in your distinfo files :)

One thing to note about MD5 sums is that if someone broke into an ftp site
and uploaded a trojaned file, why not upload a new matching MD5 checksum
file as well? Granted, you can use pgp to sign the file, but how many
people would notice that no one else has 'signed' the key or that a whole
whack of seemingly legit people signed the key? I mean there is a PGPKEYS
file there, but why not just upload your own PGPKEYS file as well?
        ---Mike


From: Claus Assmann
To: freebsd-security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 10:12:37 -0700
Subject: Re: Sendmail trojan...?

On Wed, Oct 09, 2002, Mike Tancsa wrote:

> Hi,
> Do you know the method they used to get in ? OpenSSL/https then
> local root exploit ?
> Although netcraft says
> Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD

We don't know (yet).

If you can help us trying to figure this out, please contact
sendmail-security at sendmail.org


Subject: Re: Sendmail trojan...?
From: Nigel Houghton
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Date: 09 Oct 2002 13:16:30 -0400

There are a myriad of possibilities, the only folks who can tell you are
those who are responsible for the box in question.

On Wed, 2002-10-09 at 13:00, Mike Tancsa wrote:
>
> Hi,
> Do you know the method they used to get in ? OpenSSL/https then
> local root exploit ? Although netcraft says
> Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD
>
> ---Mike
>
> At 08:03 AM 09/10/2002 -0700, Claus Assmann wrote:
> >On Wed, Oct 09, 2002, Chris Faulhaber wrote:
> >
> > > Yes, the source in the tree has been verified against the
> > > signed tarball; plus, it was the configure script that was
> > > backdoored which buildworld does not use.
> >
> >It was not the configure script. I'm wondering who came up with
> >this rumor; please stop spreading it.

--
---------------------------------------
Nigel Houghton   NFR Security Inc.   Webmaster   http://www.nfr.com/

There cannot be a crisis next week. My schedule is already full.
        --Henry Kissinger


From: Mike Tancsa
To: freebsd-security@FreeBSD.ORG
Date: Wed, 09 Oct 2002 13:36:27 -0400
Subject: Re: Sendmail trojan...?
I am no forensics expert, but my initial guess tells me some remote non-root
exploit (was apache really compiled against the proper OpenSSL update?
Someone careless with ssh keys or passwords?) and then, if netcraft is
correct (uptime was 159 days), there are a couple of local root exploits
that could have been used.

        ---Mike

At 10:12 AM 09/10/2002 -0700, Claus Assmann wrote:
>On Wed, Oct 09, 2002, Mike Tancsa wrote:
>
> > Hi,
> > Do you know the method they used to get in ? OpenSSL/https then
> > local root exploit ? Although netcraft says
> > Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD
>
>We don't know (yet).
>
>If you can help us trying to figure this out, please contact
>sendmail-security at sendmail.org


From: Zvezdan Petkovic
To: security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 14:03:57 -0400
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
> At 10:01 AM 09/10/2002 -0700, Erick Mechler wrote:
> >Additionally, you would have had to explicitly told your build to continue
> >after it warned you about a mismatch in the MD5 sums. All the more reason
> >you should really trust the MD5 sums in your distinfo files :)
>
> One thing to note about MD5 sums, is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well ? Granted, you can use pgp to sign the file, but how many
> people would notice that no one else has 'signed' the key or that a whole
> whack of seemingly legit people signed the key ? I mean there is a PGPKEYS
> file there, but why not just upload your own PGPKEYS file as well ?
>
> ---Mike

He's talking about md5 sums on _your_ computer, not the ftp server. The
ports system has an md5 sum (and some others too) stored with each port in
the file named distinfo. When you check out the port, if _that_ md5 sum
doesn't correspond to the downloaded tar.gz, the ports system will refuse
to build it. Thus, you put the trust in the FreeBSD maintainer who stored
the md5 sum in the distinfo file on _your_ computer, instead of the
sysadmin of the ftp site in question, where the md5 sum file could have
been changed. The point is that the ftp site's md5 sum is not checked;
FreeBSD's md5 sum _is_ checked.
Best regards,

--
Zvezdan Petkovic
http://www.cs.wm.edu/~zvezdan/


From: Kris Kennaway
Cc: Mike Tancsa, Erick Mechler, security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 12:36:02 -0700
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
> One thing to note about MD5 sums, is that if someone broke into an ftp site
> and uploaded a trojaned file, why not upload a new matching MD5 checksum
> file as well ?
MD5 sums distributed _with_ the binary are a guard against corruption
during download; they are not a security mechanism. _Externally_
distributed MD5 checksums (not obtained from the same source) are a
security mechanism (not a perfect one, but very good in practice) - the
md5 sums in the FreeBSD ports collection fall into this class, which is why
FreeBSD was never affected by this problem even if people downloaded the
trojaned distfile (unless they overrode the security warning and shot their
own foot off).

Kris


From: Kris Kennaway
To: William Carrel
Cc: Erick Mechler, security@FreeBSD.ORG
Date: Wed, 9 Oct 2002 12:38:00 -0700
Subject: Re: I doubt that this affects FreeBSD, but FYI
On Wed, Oct 09, 2002 at 10:05:16AM -0700, William Carrel wrote:
> I was talking about the base system, not ports. I guess I should've
> been clearer about that. I don't think the base system checks the MD5
> sums during buildworld. But then I have NO_SENDMAIL turned on in
> make.conf anyway, so what would I know.

Buildworld uses the included copy of sendmail; it doesn't download an external distfile, so there is no point at which checking an md5 sum makes sense. This is also the same reason why sendmail in the base system was never affected.

Kris

From owner-freebsd-security Wed Oct 9 12:53:42 2002
Date: Wed, 09 Oct 2002 15:54:27 -0400
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Cc: security@FreeBSD.ORG

At 12:36 PM 09/10/2002 -0700, Kris Kennaway wrote:
>On Wed, Oct 09, 2002 at 01:13:51PM -0400, Mike Tancsa wrote:
> > One thing to note about MD5 sums, is that if someone broke into an ftp site
> > and uploaded a trojaned file, why not upload a new matching MD5 checksum
> > file as well ?
>
>MD5 sums distributed _with_ the binary are a guard against corruption

Hi,

Sorry, I should have been more clear. I was speaking more to the general issue of a user downloading both the binary and checksum from the same source, as is / was the case with ftp.sendmail.org. I really like how the ports work because they do add a bit of extra security. Like you said, it's not perfect, but it does help. Actually, I am somewhat surprised there is not some more widely used mechanism. E.g. for integrity checksums, why not have it on a totally separate server run on a totally separate network by totally separate admins? Data one place, checksum another. This way, to tamper with the package, you would need to compromise two different systems. A sort of checksum clearing house?

---Mike

From owner-freebsd-security Wed Oct 9 13:00:46 2002
Date: Wed, 9 Oct 2002 13:00:42 -0700
From: Kris Kennaway
To: Mike Tancsa
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

On Wed, Oct 09, 2002 at 03:54:27PM
-0400, Mike Tancsa wrote:
> I really like how the ports work because they do add a bit of extra
> security. Like you said, it's not perfect, but it does help. Actually, I
> am somewhat surprised there is not some more widely used mechanism. e.g.
> for integrity checksums, why not have it on a totally separate server run
> on a totally separate network by totally separate admins. data one place,
> checksum another. This way to tamper with the package, you would need to
> compromise two different systems. A sort of checksum clearing house ?

Great idea!

Let's call it /usr/ports :-)

Kris

From owner-freebsd-security Wed Oct 9 13:15:10 2002
Date: Wed, 09 Oct 2002 16:15:54 -0400
To: Kris Kennaway
From: Mike Tancsa
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but
FYI
Cc: security@freebsd.org

At 01:00 PM 09/10/2002 -0700, Kris Kennaway wrote:
>Great idea!
>
>Let's call it /usr/ports :-)

I like it :-)

Seriously though, I am surprised there is not some pseudo trusted third party offering these sorts of services... something like signatures.sourceforge.net? I am thinking of all those poor slobs who don't have the benefit of ports :-)

---Mike

From owner-freebsd-security Wed Oct 9 13:17:04 2002
Date: Wed, 9 Oct 2002 13:16:37 -0700
From: Claus Assmann
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
On Wed, Oct 09, 2002, Mike Tancsa wrote:
> Sorry, I should have been more clear. I was speaking more to the
> general issue of a user downloading both the binary and checksum from the
> same source as is / was the case with ftp.sendmail.org.

For sendmail the MD5 sums are in the PGP signed announcements. If you can verify the PGP signature of the announcements and you can "trust" the PGP key, then you're as safe as if you do the same check for the PGP signature of the tar file itself.

From owner-freebsd-security Wed Oct 9 13:28:30 2002
From: Dragos Ruiu
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail trojan...?
Date: Wed, 9 Oct 2002 13:27:18 +0000

On October 9, 2002 03:03 pm, Claus Assmann wrote:
> On Wed, Oct 09, 2002, Chris Faulhaber wrote:
> > Yes, the source in the tree has been verified against the
> > signed tarball; plus, it was the configure script that was
> > backdoored which buildworld does not use.
>
> It was not the configure script. I'm wondering who came up with
> this rumor; please stop spreading it.

Where is the best collection of forensic information about this so the method can be understood and effects checked for? The CERT advisory mentioned trojaned versions "contain malicious code that is run during the process of building the software." It was less than illuminating about the method after that.

thanks,
--dr

--
dr@kyx.net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

From owner-freebsd-security Wed Oct 9 13:35:04 2002
Date: Wed, 9 Oct 2002 13:35:01 -0700
From: Nicholas Esborn
To: security@FreeBSD.ORG
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI

On Wed, Oct 09, 2002 at 01:16:37PM -0700, Claus Assmann wrote:
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.

Sendmail's method is good for hand installations, or for integration by hand into systems like the ports tree, but it doesn't directly provide for automation. A common method for verifying distfiles against separately administrated checksums would be very useful. I like the checksum server idea.

-nick

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California

From owner-freebsd-security Wed Oct 9 13:48:46 2002
From: Dragos Ruiu
To: security@FreeBSD.ORG, Claus Assmann
Subject: Re: Am I downloading what I think I am (was Re: I doubt that this affects FreeBSD, but FYI
Date: Wed, 9 Oct 2002 13:47:37 +0000

On October 9, 2002 08:16 pm, Claus Assmann wrote:
> On Wed, Oct 09, 2002, Mike Tancsa wrote:
> > Sorry, I should have been more clear. I was speaking more to
> > the general issue of a user downloading both the binary and checksum from
> > the same source as is / was the case with ftp.sendmail.org.
>
> For sendmail the MD5 sums are in the PGP signed announcements. If
> you can verify the PGP signature of the announcements and you can
> "trust" the PGP key, then you're as safe as if you do the same check
> for the PGP signature of the tar file itself.

And as long as the announcements that went out were the ones that left and the checksums mailed were good.

If that server is back to trusted now, another authoritative method would be code diffs. (find . -type f -exec diff -u \{\} ../oldsendmail/\{\} \;)

--
dr@kyx.net pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

From owner-freebsd-security Wed Oct 9 13:56:48 2002
From: "Chris McCluskey"
Subject: VPN Solutions for Win 2K/XP -> FreeBSD (Possible FAQ entry)
Date: Wed, 9 Oct 2002 14:02:29 -0700
Where is the FBSD security mailing list FAQ? If this question is in the FAQ please excuse the repeat; if it's not, then perhaps it could be added:

I'm looking for a solution to allow a Win 2K/XP client to tunnel through a FreeBSD box to a LAN, meeting the following requirements:

1. The VPN server (a FreeBSD machine) is running NAT so the VPN solution must be compatible.
2. I would like to use the stock MS VPN connection tools (PPTP/L2TP) to keep things simple for the MS end users.
3. If possible I would like to keep the certificate management down to a minimum -- possibly using local user level authentication in preference to a preshared CA cert.

Does anyone have any experience and good stories in this area? I have looked at a variety of solutions on the Internet, but all that I have found either require manual adjustment of security policy (http://www.wiretapped.net/~fyre/ipsec/), which I'm not sure my MS end users could do without incident, or involve complications with NAT (http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html).

Any pointers to the "cleanest path" would be appreciated. Thank you.
From owner-freebsd-security Wed Oct 9 14:38:12 2002
Date: Wed, 9 Oct 2002 14:34:48 -0700 (PDT)
From: Mike Hoskins
To: security@FreeBSD.ORG
Subject: md5 checksum server

On Wed, 9 Oct 2002, Nicholas Esborn wrote:
> A common method for verifying distfiles against separately administrated
> checksums would be very useful. I like the checksum server idea.

This wouldn't be hard. Write a script that grabs the MD5 checksums from the ports collection (on a server that's trusted and up to date) and turns the MD5 sums into TXT records in a md5.somedomain.com DNS zone. Then people can issue queries like sendmail.a.b.c.md5.somedomain.com and get the MD5 sum returned for sendmail version a.b.c. Think portsdb.org, but for md5 sums instead of TCP and UDP ports.

As for how useful this really is... Well, is it any harder to grab the MD5 sum from the vendor and compare yourself vs. doing a DNS lookup? Probably not. Also, while the vendor sites/sums can certainly be compromised, some would argue adding a third-party source for the sums just creates another attack vector.

From owner-freebsd-security Wed Oct 9 14:50:24 2002
Date: Wed, 9 Oct 2002 14:47:01 -0700 (PDT)
From: Mike Hoskins
To: security@FreeBSD.ORG
Subject: Re: md5 checksum server

On Wed, 9 Oct 2002, Mike Hoskins wrote:
> As for how useful this really is... Well, is it any harder to grab the
> MD5 sum from the vendor and compare yourself vs. doing a DNS lookup?
> Probably not. Also, while the vendor sites/sums can certainly be
> compromised, some would argue adding a third-party source for the sums
> just creates another attack vector.
As an aside, what if someone worked up a standard/RFC detailing accepted naming conventions for md5 sums? If there was some standardization (i.e. software.version.md5 in the same directory the distfile is retrieved from; many follow similar conventions already), then FTP clients (including things like wget) could be modified to automagically compare md5 sums on download when they exist.

From owner-freebsd-security Wed Oct 9 15:03:03 2002
Date: Wed, 9 Oct 2002 15:02:56 -0700
From: Erick Mechler
To: Mike Hoskins
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server
:: As an aside, what if someone worked up a standard/RFC detailing accepted
:: naming conventions for md5 sums. If there was some standardization
:: (i.e. software.version.md5 in the same directory the distfile is retrieved
:: from, many follow similar conventions already), then FTP clients
:: (including things like wget) could be modified to automagically compare
:: md5 sums on download when they exist.

Unless I'm misunderstanding what you're proposing, this still doesn't prevent someone from modifying both the tarball and the MD5 file. PGP signatures are an even better method, and harder to spoof.

From owner-freebsd-security Wed Oct 9 15:12:28 2002
From: Lyndon Nerenberg
To: Mike Hoskins
Cc: security@FreeBSD.ORG
Subject: Re: md5 checksum server
Date: Wed, 09 Oct 2002 16:06:49 -0600

Mike> This wouldn't be hard. Write a script that grabs the MD5
Mike> checksums from the ports collection (on a server that's
Mike> trusted and up to date) and turns the MD5 sums into TXT
Mike> records in a md5.somedomain.com DNS zone. Then people can
Mike> issue queries like sendmail.a.b.c.md5.somedomain.com and get
Mike> the MD5 sum returned for sendmail version a.b.c.

DNS isn't the right place for this.

1) it requires DNSSEC to ensure the MD5 record data isn't forged
2) DNS caching would hide updates for the duration of the TTL attached to the TXT record

--lyndon

From owner-freebsd-security Wed Oct 9 15:12:34 2002
From: Erik Paulsen Skålerud
Subject: DHCP Relay over IPSec ESP/Tunnel
Date: Thu, 10 Oct 2002 00:12:21 +0200
Hello.

Is it possible to use DHCP relay over an IPSec ESP/tunnel? What are the requirements to accomplish this, and is there any special configuration I have to use?

I've been trying to get this to work for two days now, and I'm really really ready to give up. This is my last resort, so, please, if you do have any comments, please let me know.
From owner-freebsd-security Wed Oct 9 15:53:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42A7937B401 for ; Wed, 9 Oct 2002 15:53:39 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org
[63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 016AA43E6A for ; Wed, 9 Oct 2002 15:53:39 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 266D7154D5; Wed, 9 Oct 2002 15:50:17 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 22E42154D3; Wed, 9 Oct 2002 15:50:17 -0700 (PDT) Date: Wed, 9 Oct 2002 15:50:17 -0700 (PDT) From: Mike Hoskins To: Erick Mechler Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <20021009220256.GN10532@techometer.net> Message-ID: <20021009154809.O88571-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Erick Mechler wrote:

> Unless I'm misunderstanding what you're proposing, this still doesn't
> prevent someone from modifying both the tarball and the MD5 file. PGP
> signatures are an even better method, and harder to spoof.

Yes, PGP has been preferred to MD5 since its debut... So, how about a similar setup for PGP signatures? :)

The main problem is laziness... And how many times have we heard that laziness is a core admin precept? So I don't think these sorts of problems will go away anytime soon. The only way to protect the innocent then seems to be to "DTRT" whenever possible w/o requiring manual intervention on the part of the admin.
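The point Erick and Mike are making above, that whoever controls the distribution server can regenerate the MD5 file to match a swapped tarball, whereas a signature made with a key that never lives on that server cannot be regenerated, as an added, runnable example. This is not code from the thread or from the FreeBSD ports framework. It uses Ed25519 from the Go standard library in place of PGP, a constructed distfile and a distinfo-style MD5 line, and a public key the client is assumed to hold already (shipped with the system rather than fetched from the mirror, which is the approach Andrew later proposes). The key pair, the file contents, the distinfo format and the mirror model are all assumptions for illustration.

```go
package main

// Added example, not code from the thread or from the FreeBSD ports
// framework. A checksum that lives next to the tarball is worthless once
// the mirror is compromised; a signature made with a key held off the
// mirror still catches the swap. Ed25519 stands in for PGP; the distfile
// bytes, the distinfo line format and the pinned public key are
// constructed for illustration.

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Mirror is what a download site hands out: the distfile plus a
// distinfo-style line carrying its MD5 sum. Whoever owns the mirror
// controls both.
type Mirror struct {
	Tarball  []byte
	Distinfo string // "MD5 (name) = <hex>"
}

// md5Line builds the distinfo line for a file (ports-like format, assumed
// here; only its shape matters for the argument).
func md5Line(name string, data []byte) string {
	sum := md5.Sum(data)
	return fmt.Sprintf("MD5 (%s) = %s", name, hex.EncodeToString(sum[:]))
}

// VerifyMD5 is the checksum-only check: recompute and compare.
func VerifyMD5(m Mirror, name string) bool {
	return m.Distinfo == md5Line(name, m.Tarball)
}

// VerifySigned first checks a detached signature over the distinfo line
// against a public key the client already holds (never fetched from the
// mirror), then applies the MD5 check to the tarball.
func VerifySigned(pub ed25519.PublicKey, m Mirror, sig []byte, name string) bool {
	if !ed25519.Verify(pub, []byte(m.Distinfo), sig) {
		return false
	}
	return VerifyMD5(m, name)
}

// Tamper is the attacker who owns the mirror: swap the tarball and
// regenerate the MD5 line so the pair stays self-consistent.
func Tamper(name string, evil []byte) Mirror {
	return Mirror{Tarball: evil, Distinfo: md5Line(name, evil)}
}

// Outcome collects what each check says about the honest and the
// tampered mirror.
type Outcome struct {
	HonestMD5    bool // MD5 check, untouched mirror
	HonestSigned bool // signature check, untouched mirror
	ForgedMD5    bool // MD5 check, attacker-controlled mirror
	ForgedOldSig bool // signature check, attacker replays the old signature
	ForgedResign bool // signature check, attacker signs with their own key
}

// Scenario runs the comparison on constructed sample data.
func Scenario() (Outcome, error) {
	const name = "sendmail-8.12.6.tar.gz" // constructed file name
	good := []byte("constructed sample distfile contents\n")
	evil := []byte("constructed sample distfile with a backdoor\n")

	// Project signing key: the private half stays offline, the public
	// half is what every client pins.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	honest := Mirror{Tarball: good, Distinfo: md5Line(name, good)}
	sig := ed25519.Sign(priv, []byte(honest.Distinfo))

	forged := Tamper(name, evil)

	// The attacker has no access to priv, so the best they can do is
	// replay the old signature or sign with a key of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerSig := ed25519.Sign(attackerPriv, []byte(forged.Distinfo))

	return Outcome{
		HonestMD5:    VerifyMD5(honest, name),
		HonestSigned: VerifySigned(pub, honest, sig, name),
		ForgedMD5:    VerifyMD5(forged, name),
		ForgedOldSig: VerifySigned(pub, forged, sig, name),
		ForgedResign: VerifySigned(pub, forged, attackerSig, name),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest mirror: md5=%v signed=%v\n", o.HonestMD5, o.HonestSigned)
	fmt.Printf("forged mirror: md5=%v old-sig=%v re-signed=%v\n",
		o.ForgedMD5, o.ForgedOldSig, o.ForgedResign)
}
```

The MD5 check passes on the forged mirror because the attacker rewrote both halves; the signed check fails whether the old signature is replayed (it covers a different distinfo line) or the attacker re-signs with a key the client does not trust. Two caveats the thread itself raises still apply: this only works if the public key reaches the client by some path the mirror cannot tamper with, and a signature attests only to what the signer saw, so a tarball that was already backdoored upstream before signing is not caught.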
From owner-freebsd-security Wed Oct 9 15:59:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A753237B401 for ; Wed, 9 Oct 2002 15:59:33 -0700 (PDT) Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F5DC43E65 for ; Wed, 9 Oct 2002 15:59:33 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: from radix.cryptio.net (localhost [127.0.0.1]) by radix.cryptio.net (8.12.5/8.12.5) with ESMTP id g99MxWpl096712 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 9 Oct 2002 15:59:32 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: (from emechler@localhost) by radix.cryptio.net (8.12.5/8.12.5/Submit) id g99MxWs0096711; Wed, 9 Oct 2002 15:59:32 -0700 (PDT) Date: Wed, 9 Oct 2002 15:59:32 -0700 From: Erick Mechler To: Mike Hoskins Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server Message-ID: <20021009225932.GO10532@techometer.net> References: <20021009220256.GN10532@techometer.net> <20021009154809.O88571-100000@fubar.adept.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021009154809.O88571-100000@fubar.adept.org> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

:: Yes, PGP has been preferred to MD5 since its debut... So, how about a
:: similar setup for PGP signatures? :)

I think it's a fantastic idea, and would be totally willing to produce patches for common ftp clients, wget, etc ....
but I don't know C :) I'd be willing to help design the PGP signature server if we actually think software suppliers would sign up for it, though.

From owner-freebsd-security Wed Oct 9 16:14:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E35E037B401 for ; Wed, 9 Oct 2002 16:14:12 -0700 (PDT) Received: from thufir.bluecom.no (thufir.bluecom.no [217.118.32.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EEED43E42 for ; Wed, 9 Oct 2002 16:14:11 -0700 (PDT) (envelope-from erik@pentadon.com) Received: from erik (a217-118-56-152.bluecom.no [217.118.56.152]) by thufir.bluecom.no (Postfix) with ESMTP id EAFCC50EC87 for ; Thu, 10 Oct 2002 01:14:10 +0200 (CEST) From: Erik Paulsen Skålerud To: Subject: DHCP Relay over IPSec ESP/Tunnel Date: Thu, 10 Oct 2002 01:14:09 +0200 Message-ID: MIME-Version: 1.0 Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
From owner-freebsd-security Wed Oct 9 16:19: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94D7937B401 for ; Wed, 9 Oct 2002 16:18:58 -0700 (PDT) Received: from thufir.bluecom.no (thufir.bluecom.no [217.118.32.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id E69AC43E4A for ; Wed, 9 Oct 2002 16:18:57 -0700 (PDT) (envelope-from erik@pentadon.com) Received: from erik (a217-118-56-152.bluecom.no [217.118.56.152]) by thufir.bluecom.no (Postfix) with ESMTP id E72C250EC87 for ; Thu, 10 Oct 2002 01:18:57 +0200 (CEST) From: Erik Paulsen Skålerud To: Subject: DHCP Relay over IPSec ESP/Tunnel (Sorry about the duplicate posts, problems with digital ID) Date: Thu, 10 Oct 2002 01:18:56 +0200 Message-ID: MIME-Version: 1.0 Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7m" X-Priority: 3 (Normal)
X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
From owner-freebsd-security Wed Oct 9 16:31:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BFD0737B404 for ; Wed, 9 Oct 2002 16:31:30 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with
ESMTP id 6105E43E6E for ; Wed, 9 Oct 2002 16:31:29 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g99NVOMT056683; Thu, 10 Oct 2002 12:31:24 +1300 (NZDT) (envelope-from andrew@scoop.co.nz) Date: Thu, 10 Oct 2002 12:31:24 +1300 (NZDT) From: Andrew McNaughton To: Erick Mechler Cc: Mike Hoskins , Subject: Re: md5 checksum server In-Reply-To: <20021009225932.GO10532@techometer.net> Message-ID: <20021010121731.O55435-100000@a2.scoop.co.nz> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Erick Mechler wrote:

> :: Yes, PGP has been preferred to MD5 since its debut... So, how about a
> :: similar setup for PGP signatures? :)

It's interesting then that we use MD5 sums for ports. You might argue that the MD5 sum comes from a different source to the source tarball, but actually there's a lot of ports for which this is not the case.

Obviously key management would become an issue, and probably the MD5 mechanism should be kept, but would it be worthwhile to add PGP signatures to ports?
Andrew McNaughton

From owner-freebsd-security Wed Oct 9 16:46:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D085F37B404 for ; Wed, 9 Oct 2002 16:46:27 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8451143E7B for ; Wed, 9 Oct 2002 16:46:27 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 14492154D5; Wed, 9 Oct 2002 16:43:05 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 12015154D3; Wed, 9 Oct 2002 16:43:05 -0700 (PDT) Date: Wed, 9 Oct 2002 16:43:05 -0700 (PDT) From: Mike Hoskins To: Andrew McNaughton Cc: Erick Mechler , Subject: Re: md5 checksum server In-Reply-To: <20021010121731.O55435-100000@a2.scoop.co.nz> Message-ID: <20021009163635.V88705-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 10 Oct 2002, Andrew McNaughton wrote:

> It's interesting then that we use MD5 sums for ports.

Well, it's easy and has been done for quite awhile. ;)

I think the basic PGP vs. MD5 idea is quite simple... If someone compromises the server the tarball lives on, then they can easily generate a malicious MD5 sum as well. If there was a 3rd party, you may be able to check the downloaded MD5 sum against a "trusted" sum, but the trusted sum couldn't really be trusted if it ultimately came from the same source. With PGP at least, the malicious party may generate a new fingerprint/etc. but it won't have the correct credentials.
It's always difficult to figure out best practices in this scenario... Anytime you try to maintain trust while assuming a trusted resource (the server distributing tarballs in our case) has been compromised, you run into a lot of grey areas. (Obviously we want solutions that add trust while creating as little work as possible, and that can not just be "worked around".)

From owner-freebsd-security Wed Oct 9 16:48:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8893437B401 for ; Wed, 9 Oct 2002 16:48:28 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5248C43E77 for ; Wed, 9 Oct 2002 16:48:28 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 59077154D5; Wed, 9 Oct 2002 16:45:06 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 58402154D3; Wed, 9 Oct 2002 16:45:06 -0700 (PDT) Date: Wed, 9 Oct 2002 16:45:06 -0700 (PDT) From: Mike Hoskins To: Lyndon Nerenberg Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <200210092206.g99M6oGI092623@orthanc.ab.ca> Message-ID: <20021009164341.E88705-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Lyndon Nerenberg wrote:

> DNS isn't the right place for this.

You could make the same arguments about portsdb.org...

> 1) it requires DNSSEC to ensure the MD5 record data isn't forged

Easy enough.
> 2) DNS caching would hide updates for the duration of the TTL
> attached to the TXT record

Tuneable. I didn't say this was ideal, but it's easy to set up and does work in the wild now for some datasets. Regardless, I'm not attached to any one proposal... Feel free to make others. :)

From owner-freebsd-security Wed Oct 9 17:29:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E05A637B404 for ; Wed, 9 Oct 2002 17:29:32 -0700 (PDT) Received: from orthanc.ab.ca (orthanc.ab.ca [216.123.203.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53E6143E65 for ; Wed, 9 Oct 2002 17:29:32 -0700 (PDT) (envelope-from lyndon@orthanc.ab.ca) Received: from orthanc.ab.ca (localhost.orthanc.ab.ca [127.0.0.1]) by orthanc.ab.ca (8.12.6/8.12.6) with ESMTP id g9A0TLGI015286; Wed, 9 Oct 2002 18:29:21 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca) Message-Id: <200210100029.g9A0TLGI015286@orthanc.ab.ca> From: Lyndon Nerenberg Organization: The Frobozz Magic Homing Pigeon Company To: Mike Hoskins Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-reply-to: Your message of "Wed, 09 Oct 2002 16:45:06 PDT." <20021009164341.E88705-100000@fubar.adept.org> Date: Wed, 09 Oct 2002 18:29:21 -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Mike Hoskins writes:

>> 1) it requires DNSSEC to ensure the MD5 record data isn't forged
>
>Easy enough.

Technically, yes. But until we have officially signed roots, it's not practical to deploy.

>> 2) DNS caching would hide updates for the duration of the TTL
>> attached to the TXT record
>
>Tuneable.
Yes, but a lot of implementations silently enforce a 5 minute minimum TTL, leaving a window where incorrect information could be presented.

>I didn't say this was ideal, but it's easy to set up and does work in the wild
>now for some datasets. Regardless, I'm not attached to any one
>proposal... Feel free to make others. :)

I like the idea of basing this on the PGP web of trust. I also sense a business opportunity for anyone willing to build an Akamai-like secure software distribution service.

--lyndon

From owner-freebsd-security Wed Oct 9 17:44:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD19337B401 for ; Wed, 9 Oct 2002 17:44:21 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9463E43E4A for ; Wed, 9 Oct 2002 17:44:21 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 5F6C3154D5; Wed, 9 Oct 2002 17:40:59 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 5D26A154D3; Wed, 9 Oct 2002 17:40:59 -0700 (PDT) Date: Wed, 9 Oct 2002 17:40:59 -0700 (PDT) From: Mike Hoskins To: Lyndon Nerenberg Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <200210100029.g9A0TLGI015286@orthanc.ab.ca> Message-ID: <20021009173802.O88779-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Lyndon Nerenberg wrote:

> I like the idea of basing this on the PGP web of trust.
> I also sense
> a business opportunity for anyone willing to build an Akamai-like
> secure software distribution service.

Hmm, I was hoping for something more "open". A concept that could be implemented cooperatively. Such a distribution service would primarily need disk space and bandwidth - something places that already distribute this software apparently have... So it'd make sense to figure out a way to implement this via existing resources (assuming cooperation).

So we come up with a server that suits everyone's needs, enroll all known PGP signatures, keep it all up to date, and get participation from all distribution sites... Should be a piece of cake. ;)

From owner-freebsd-security Wed Oct 9 18:31:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22A4137B401 for ; Wed, 9 Oct 2002 18:31:33 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 438CB43E75 for ; Wed, 9 Oct 2002 18:31:32 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g9A1VVIK064607; Thu, 10 Oct 2002 14:31:31 +1300 (NZDT) (envelope-from andrew@scoop.co.nz) Date: Thu, 10 Oct 2002 14:31:31 +1300 (NZDT) From: Andrew McNaughton To: Garrett Wollman Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <200210100114.g9A1EJKZ059028@khavrinen.lcs.mit.edu> Message-ID: <20021010142806.G63299-100000@a2.scoop.co.nz> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Garrett Wollman wrote:

> < said:
>
> >
be kept, but would it be worthwhile to add PGP signatures to ports?
>
> Most people have no better connection to the PGP Web of Trust than
> they do to the FreeBSD CVS repository, so there is effectively no
> difference. That is to say, I can make a signature that claims to be
> signed by "Andrew McNaughton " almost as easily as
> I can make an unsigned MD5 checksum. Only people who have already
> been introduced to your real PGP key would know the difference.

Given that the ports are distributed by FreeBSD.org, it would only be necessary to have one signing key which signs the signatures that are expected to match the tarballs. The public master key could be distributed once, and present on any newly installed system.

Andrew McNaughton

From owner-freebsd-security Wed Oct 9 18:40:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3122E37B401 for ; Wed, 9 Oct 2002 18:40:22 -0700 (PDT) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEEED43E65 for ; Wed, 9 Oct 2002 18:40:21 -0700 (PDT) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 802B3154D5; Wed, 9 Oct 2002 18:36:59 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 7DE87154D3; Wed, 9 Oct 2002 18:36:59 -0700 (PDT) Date: Wed, 9 Oct 2002 18:36:59 -0700 (PDT) From: Mike Hoskins To: Garrett Wollman Cc: security@FreeBSD.ORG Subject: Re: md5 checksum server In-Reply-To: <200210100118.g9A1Ia3Q059056@khavrinen.lcs.mit.edu> Message-ID: <20021009183231.N88890-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help:
(List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 9 Oct 2002, Garrett Wollman wrote: > Sounds like you want SFS. Hmm, reading the FAQ now. :) However, I suppose there's a valid reason this hasn't already been implemented if it's the answer, no? I'm assuming you mean self-certifying FS... So many things to play with, I wish the weekend was already here. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 9 22:24:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF69637B401 for ; Wed, 9 Oct 2002 22:24:41 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 4538F43E75 for ; Wed, 9 Oct 2002 22:24:40 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 36822 invoked by uid 85); 10 Oct 2002 05:35:22 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by south.nanolink.com with SMTP; 10 Oct 2002 05:35:20 -0000 Received: (qmail 87223 invoked by uid 1000); 10 Oct 2002 05:24:33 -0000 Date: Thu, 10 Oct 2002 08:24:33 +0300 From: Peter Pentchev To: Chris McCluskey Cc: freebsd-security@freebsd.org Subject: Re: VPN Solutions for Win 2K/XP -> FreeBSD (Possible FAQ entry) Message-ID: <20021010052433.GZ376@straylight.oblivion.bg> Mail-Followup-To: Chris McCluskey , freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Wt10+cXOThorkX0z" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: 
FreeBSD.org --Wt10+cXOThorkX0z Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 09, 2002 at 02:02:29PM -0700, Chris McCluskey wrote: > Where is the FBSD security mailing list FAQ? >=20 > If this question is in the FAQ please excuse the repeat, if it's not then > perhaps it couple be added: >=20 > I'm looking for a solution to allow a Win 2K/XP client to tunnel though a > FreeBSD box to a LAN, meeting the following requirements: >=20 > 1. The VPN server (a FreeBSD machine) is running NAT so the VPN solution > must be compatible. >=20 > 2. I would like to use the stock MS VPN connection tools (PPTP/L2TP) to k= eep > things simple for the MS end users. >=20 > 3. If possible I would like to keep the certificate management down to a > minimum -- possibly using local user level authentication in preference t= o a > preshared CA cert. >=20 > Does anyone have any experience and good stories in this area? I have loo= ked > at a variety of solutions on the Internet, but all that I have found eith= er > requires manual adjustment of security policy > (http://www.wiretapped.net/~fyre/ipsec/) -- which I'm not sure if my MS e= nd > users could do without incident) or others involving complications with N= AT > (http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html). Any pointers to t= he > "cleanest path" would be appreciated. A very similar question was asked in this list yesterday; the answer, if you really do not mind using Win2K's PPTP implementation with the recently discovered DoS attacks, may well be the same: ports/net/mpd. Build Netgraph into the kernel or load it as a KLD, then run mpd in server mode as shown in the sample config files, click your way through setting up a new VPN/PPTP connection on the Win2K box, and you're on. 
G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I am jealous of the first word in this sentence. --Wt10+cXOThorkX0z Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (FreeBSD) iD8DBQE9pQ8Q7Ri2jRYZRVMRAu4wAKCc8Qz6TTqqjdfLiT1C4DRSIZUUngCeIqxg UXqrepj0Du9s04OcwL0cDFg= =I3eI -----END PGP SIGNATURE----- --Wt10+cXOThorkX0z-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 10 3:19:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFCA737B401 for ; Thu, 10 Oct 2002 03:19:47 -0700 (PDT) Received: from mail-gp.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B397D43E97 for ; Thu, 10 Oct 2002 03:19:45 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by mail-gp.star.spb.ru (8.9.3/8.9.3) with ESMTP id OAA35681; Thu, 10 Oct 2002 14:19:39 +0400 (MSD) Received: from IBMKA ([217.195.82.21]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 4LZPB0WT; Thu, 10 Oct 2002 14:19:38 +0400 Date: Thu, 10 Oct 2002 14:19:57 +0400 From: "Nickolay A. Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A. Kritsky" X-Priority: 3 (Normal) Message-ID: <168272775470.20021010141957@internethelp.ru> To: Dragos Ruiu Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: Sendmail trojan...? 
In-reply-To: <200210091327.18139.dr@kyx.net> References: <3DA3AE76.1070006@deevil.homeunix.org> <20021009142546.GA27227@darkstar.doublethink.cx> <20021009080341.A26616@zardoc.esmtp.org> <200210091327.18139.dr@kyx.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Dragos, Wednesday, October 09, 2002, 5:27:18 PM, you wrote: DR> Where is the best collection of forensic information about DR> this so the method can be understood and effects checked DR> for? The CERT advisory mentioned trojaned versions "contain DR> malicious code that is run during the process of building the DR> software." It was less than illuminating about the method DR> after that. You can obtain additional info about sendmail's backdoor here: From: netmask Anyhow, I have made the backdoor'd sendmail code available at http://www.enzotech.net/files/sm.backdoor.patch and the base64 portion is decoded at http://www.enzotech.net/files/sm.backdoor.base64.txt ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 10 12:31:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 356A137B401 for ; Thu, 10 Oct 2002 12:31:56 -0700 (PDT) Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72B7043E4A for ; Thu, 10 Oct 2002 12:31:54 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g9AJVhBY013614; Thu, 10 
Oct 2002 12:31:43 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g9AJVcB7013613; Thu, 10 Oct 2002 12:31:38 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Thu, 10 Oct 2002 12:31:38 -0700 From: David Schultz To: Peter Jeremy Cc: The Anarcat , FreeBSD Security Issues Subject: Re: access() is a security hole? Message-ID: <20021010193137.GA13547@HAL9000.homeunix.com> Mail-Followup-To: Peter Jeremy , The Anarcat , FreeBSD Security Issues References: <20021008183227.GC309@lenny.anarcat.ath.cx> <20021008212335.GF309@lenny.anarcat.ath.cx> <20021008221046.GV495@gsmx07.alcatel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021008221046.GV495@gsmx07.alcatel.com.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Peter Jeremy : > On 2002-Oct-08 17:23:35 -0400, The Anarcat wrote: > >Also, this means that the stat() manpage should also contains a > >similar section about its non-fd incarnations. > > I disagree. access(2) is specifically designed to allow setuid/setgid > programs to validate access rights based on the real uid/gid - but is > virtually impossible to use safely for this task because of the > inherent race conditions. No, access(2) is designed to allow NON-setuid programs to easily do sanity checks without opening a file or device right away. There's still a race condition, but it isn't typically a security threat when all you're trying to do is prevent the user from shooting himself in the foot. To use access() in a setuid program is usually an error. 
From owner-freebsd-security Thu Oct 10 15: 8:32 2002
From: Ricardo Anguiano
To: The Anarcat
Cc: freebsd-security@freebsd.org
Date: 10 Oct 2002 15:08:21 -0700
Subject: Re: access() is a security hole?

The Anarcat writes:

> The access(2) manpage mentions an obscure security hole in
> access(2). How so?
>
> "
> CAVEAT
> Access() is a potential security hole and should never be used.
> "
>
> This seems to have been part of the manpage forever, or so to speak,
> so I really wonder what it's talking about. :)

In a nutshell, access(2) takes a string parameter, which indicates the path to a file being checked. After the user is found to have sufficient permission, but before the program acts on this information, the user may change the filesystem. By replacing the original file with another file which that user does not have access(2) to, a setuid program may be tricked into "using" a file on behalf of the original user who does not have permission.

    if (access("file", R_OK) == 0) {
        // "file" changes after this line from myfile
        // to myfile -> /var/spool/mail/boss
        fd = open("file", O_RDONLY);
        ...
    }

The problem is that there is no guarantee that the string "file" refers to the same filesystem object for both system calls. File descriptors don't suffer from this binding problem, but there is no common file descriptor equivalent for access(2). One way to get around this problem is to do the work of access(2) using file descriptors instead:

    fd = open("file", O_RDONLY);
    fstat(fd, &buf);        // fd still refers to the same object even
                            // after a filesystem change
    if (access_check(&buf))
        ...

HTH,
--
Ricardo Anguiano
CodeSourcery, LLC

From owner-freebsd-security Thu Oct 10 21:31:45 2002
From: Mike Silbersack
To: twig les
Cc: Duncan Patton a Campbell is Dhu, Matt Piechota
Date: Thu, 10 Oct 2002 23:36:02 -0500 (CDT)
Subject: Re: Sniffer nic

On Tue, 8 Oct 2002, twig les wrote:

> Nope, nothing like that. Just some good old L3-7
> NIDS. A couple things I was wondering though.... Is
> anyone running the "ANA-62011 64-bit single port
> 10/100baseTX adapter" from Adaptec? It's supported by
> 4.6 release, but I won't be on site for the
> installation so I'm looking for easy installation
> here. This leads to the second question which is:
> What kind of performance increase will I see with a
> 64-bit 100BT nic vs the same card running in a 32-bit
> slot? I'm trying to figure out if it's worth the extra
> $30 before I tell my boss to get it (well...ask him).
>
> Thnx for the answers so far though.

You're best off going with a more commonly used card. That Adaptec card sounds rather rare, so it's more likely that the driver is stale. If you want a NIC which will last into the future, get one of the Intel Gigabit cards - the driver is officially maintained by an employee of Intel, so you have someone to yell at if it breaks. :) (And Luigi claims that it performs well too...)

Mike "Silby" Silbersack

From owner-freebsd-security Fri Oct 11 1:53:30 2002
From: Bruce Evans
To: David Schultz
Cc: Peter Jeremy, The Anarcat, FreeBSD Security Issues
Date: Fri, 11 Oct 2002 19:03:23 +1000 (EST)
Subject: Re: access() is a security hole?

On Thu, 10 Oct 2002, David Schultz wrote:

> Thus spake Peter Jeremy:
> > On 2002-Oct-08 17:23:35 -0400, The Anarcat wrote:
> > >Also, this means that the stat() manpage should also contain a
> > >similar section about its non-fd incarnations.
> >
> > I disagree. access(2) is specifically designed to allow setuid/setgid
> > programs to validate access rights based on the real uid/gid - but is
> > virtually impossible to use safely for this task because of the
> > inherent race conditions.
>
> No, access(2) is designed to allow NON-setuid programs to easily
> do sanity checks without opening a file or device right away.
> There's still a race condition, but it isn't typically a security
> threat when all you're trying to do is prevent the user from
> shooting himself in the foot. To use access() in a setuid program
> is usually an error.

No, it was designed to be useful to setuid programs. Whether it actually is useful is arguable. From the V7 manual:

"The user and group IDs with respect to which permission is checked are the real UID and GID of the process, so that this call is useful to set-UID programs".

Setuid programs should only use access() to check whether they will have permission after they set[ug]id() to the real [ug]id. Non-setuid programs mostly don't need such checks. They can just try the operation.

Bruce

From owner-freebsd-security Fri Oct 11 2:36:58 2002
From: David Schultz
To: Bruce Evans
Cc: Peter Jeremy, The Anarcat, FreeBSD Security Issues
Date: Fri, 11 Oct 2002 02:36:44 -0700
Subject: Re: access() is a security hole?

Thus spake Bruce Evans:
> No, it was designed to be useful to setuid programs. Whether it
> actually is useful is arguable. From the V7 manual:
>
> "The user and group IDs with respect to which permission is checked
> are the real UID and GID of the process, so that this call is useful
> to set-UID programs".
>
> Setuid programs should only use access() to check whether they will
> have permission after they set[ug]id() to the real [ug]id. Non-setuid
> programs mostly don't need such checks. They can just try the operation.

I don't really see how it's arguable, given that you can't avoid a race between time of use and time of access check. Using it to check for permission is inherently insecure. And...err...I believe Version 7 shipped with a version of mail(1) that allowed any user to write arbitrary files to other users' home directories. While it may be a good source of information on the original /intent/ of the access(2) syscall, it certainly isn't a good reference on computer security.
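The race Schultz describes cannot be closed by a better pathname check, only by judging the object the process actually holds, which is the open()-then-fstat() approach Ricardo Anguiano sketched earlier in this thread. The following is an added example written for this page, not code from any poster: it evaluates the permission bits of the opened object against the real uid and group list (the access_check() left undefined above), strips O_CREAT/O_TRUNC and refuses a leaf symlink, and checks only the leaf object, the two limits Peter Jeremy raises later in the thread. The names mode_allows, mode_allows_simple, open_checked_for_real_user and self_check_tempfile are hypothetical.

```c
#define _DEFAULT_SOURCE          /* glibc: expose POSIX and BSD names */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Would a process with real uid `uid` and groups `groups[0..ngroups)` be
 * granted `want` (a mask of R_OK/W_OK/X_OK) on the object in `st`?  Pure
 * function over struct stat, testable without a file system.  Root's
 * override is deliberately not applied: the question is what the
 * unprivileged invoking user may do.  (Hypothetical name for this example.) */
int mode_allows(const struct stat *st, uid_t uid,
                const gid_t *groups, int ngroups, int want)
{
    unsigned granted, need = 0;
    int i, in_group = 0;

    if (uid == st->st_uid) {
        granted = (st->st_mode & S_IRWXU) >> 6;
    } else {
        for (i = 0; i < ngroups; i++)
            if (groups[i] == st->st_gid) in_group = 1;
        /* A group match is decisive even when the "other" bits are wider. */
        granted = in_group ? (st->st_mode & S_IRWXG) >> 3
                           : (st->st_mode & S_IRWXO);
    }
    /* Map the access(2) mask onto the rwx triplet explicitly instead of
     * assuming R_OK == 4, W_OK == 2, X_OK == 1. */
    if (want & R_OK) need |= 4;
    if (want & W_OK) need |= 2;
    if (want & X_OK) need |= 1;
    return (granted & need) == need;
}

/* Same decision for a file (mode, owner, group) and a user with one group. */
int mode_allows_simple(mode_t mode, uid_t fuid, gid_t fgid,
                       uid_t uid, gid_t gid, int want)
{
    struct stat st = {0};
    st.st_mode = mode; st.st_uid = fuid; st.st_gid = fgid;
    return mode_allows(&st, uid, &gid, 1, want);
}

static int fail_close(int fd, int err) { close(fd); errno = err; return -1; }

/* Open `path` under the effective ids, then judge the object the descriptor
 * refers to (not the pathname) against the real uid/gid, so nothing can be
 * re-pointed between check and use.  Returns an fd, or -1 with errno set.
 * Two limits, both raised in this thread: O_CREAT/O_TRUNC are stripped since
 * they would act under the effective ids before any check runs, and only
 * the leaf object is judged, not the directories leading to it. */
int open_checked_for_real_user(const char *path, int flags, int want)
{
    gid_t groups[MAX_GROUPS + 1];
    struct stat st;
    int fd, n;

    flags &= ~(O_CREAT | O_TRUNC);
    fd = open(path, flags | O_NOFOLLOW);   /* refuse a symlink at the leaf */
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) return fail_close(fd, errno);
    if (!S_ISREG(st.st_mode)) return fail_close(fd, EACCES); /* no devices */
    groups[0] = getgid();                  /* getgroups() may omit the real gid */
    n = getgroups(MAX_GROUPS, groups + 1);
    if (n < 0) n = 0;                      /* fail closed: fewer groups */
    if (!mode_allows(&st, getuid(), groups, n + 1, want))
        return fail_close(fd, EACCES);
    return fd;
}

/* Create a private 0600 scratch file and confirm the real user may read it
 * but not execute it.  Returns 1 when both outcomes match. */
int self_check_tempfile(void)
{
    char path[] = "/tmp/real_user_check_XXXXXX";   /* constructed name */
    int fd, rfd, xfd, ok;

    if ((fd = mkstemp(path)) < 0) return 0;
    close(fd);
    rfd = open_checked_for_real_user(path, O_RDONLY, R_OK);
    xfd = open_checked_for_real_user(path, O_RDONLY, X_OK);
    ok = rfd >= 0 && xfd < 0;
    if (rfd >= 0) close(rfd);
    if (xfd >= 0) close(xfd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("scratch-file self check: %d\n", self_check_tempfile());
    return 0;
}
```

A setuid program that needs the directory permissions honoured as well has to perform the open with the real ids in effect, since no check on the returned descriptor can recover them.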
From owner-freebsd-security Fri Oct 11 7: 1:39 2002
From: Chris BeHanna
To: FreeBSD Security
Date: Fri, 11 Oct 2002 10:01:30 -0400 (EDT)
Subject: Re: access() is a security hole?

On Fri, 11 Oct 2002, Bruce Evans wrote:

> On Thu, 10 Oct 2002, David Schultz wrote:
>
> > Thus spake Peter Jeremy:
> > > On 2002-Oct-08 17:23:35 -0400, The Anarcat wrote:
> > > >Also, this means that the stat() manpage should also contain a
> > > >similar section about its non-fd incarnations.
> > >
> > > I disagree. access(2) is specifically designed to allow setuid/setgid
> > > programs to validate access rights based on the real uid/gid - but is
> > > virtually impossible to use safely for this task because of the
> > > inherent race conditions.
> >
> > No, access(2) is designed to allow NON-setuid programs to easily
> > do sanity checks without opening a file or device right away.
> > There's still a race condition, but it isn't typically a security
> > threat when all you're trying to do is prevent the user from
> > shooting himself in the foot. To use access() in a setuid program
> > is usually an error.
>
> No, it was designed to be useful to setuid programs. Whether it
> actually is useful is arguable. From the V7 manual:
>
> "The user and group IDs with respect to which permission is checked
> are the real UID and GID of the process, so that this call is useful
> to set-UID programs".
>
> Setuid programs should only use access() to check whether they will
> have permission after they set[ug]id() to the real [ug]id. Non-setuid
> programs mostly don't need such checks. They can just try the operation.

Perhaps the way to avoid the race is to open the file, lock it, and *then* call access(), then close the file or proceed based upon the result.

Yes, I know--there's a possible race between open() and fcntl(). Were there a way to get a mandatory read lock on a file without opening it, then that race would be removed. Or, perhaps a more workable solution is to add a flag to open() that locks the file at the same time it's opening it. I don't have time at the moment to look at the source to see how this might be implemented, but I think it's a reasonable idea.

Once a process has the lock, it can call fstat() to determine if the real [ug]id (which it already knows) has permission to access the file in the desired manner. If not, close the file (implicitly dropping the lock). This whole mess should be encapsulated into its own procedure.

For programs that modify ranges of a file, the interface gets slightly more complicated, as you need an flock structure to specify the range to lock (so that other processes aren't blocked by a whole-file lock).

For those who are (justifiably) skittish about modifying open(), perhaps a new syscall with semantics such as open_and_lock() should be created.

--
Chris BeHanna http://www.pennasoft.com
Principal Consultant PennaSoft Corporation
chris@pennasoft.com

From owner-freebsd-security Fri Oct 11 9:39:16 2002
From: Ricardo Anguiano
To: Chris BeHanna
Cc: FreeBSD Security
Date: 11 Oct 2002 09:39:07 -0700
Subject: Re: access() is a security hole?

Chris BeHanna writes:

> On Fri, 11 Oct 2002, Bruce Evans wrote:
> > Setuid programs should only use access() to check whether they will
> > have permission after they set[ug]id() to the real [ug]id. Non-setuid
> > programs mostly don't need such checks. They can just try the operation.
>
> Perhaps the way to avoid the race is to open the file, lock it,
> and *then* call access(), then close the file or proceed based upon
> the result.

What's wrong with opening the file, then using fstat to check the properties of the file associated with the file descriptor?

--
Ricardo Anguiano
CodeSourcery, LLC

From owner-freebsd-security Fri Oct 11 9:56:29 2002
From: Ricardo Anguiano
To: benjamin@seattlefenix.net
Cc: Chris BeHanna, FreeBSD Security
Date: 11 Oct 2002 09:56:24 -0700
Subject: Re: access() is a security hole?

Benjamin Krueger writes:

> * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]:
> > Chris BeHanna writes:
> >
> > > On Fri, 11 Oct 2002, Bruce Evans wrote:
> > > > Setuid programs should only use access() to check whether they will
> > > > have permission after they set[ug]id() to the real [ug]id. Non-setuid
> > > > programs mostly don't need such checks. They can just try the operation.
> > >
> > > Perhaps the way to avoid the race is to open the file, lock it,
> > > and *then* call access(), then close the file or proceed based upon
> > > the result.
> >
> > What's wrong with opening the file, then using fstat to check the
> > properties of the file associated with the file descriptor?
> >
> > --
> > Ricardo Anguiano
> > CodeSourcery, LLC
>
> And if you don't have sufficient permission to open the file?

IMHO, then there was no point in making the access(2) call. The problem exists when the process is running with elevated privileges. AFAIK, open(2) does not fail due to permission problems when run as root. Thus, the need to check for the invoking user's permission to open the file.

PS: Chris: postmaster@telstraclear.co.nz says you don't exist.

--
Ricardo Anguiano
CodeSourcery, LLC

From owner-freebsd-security Fri Oct 11 12:21:35 2002
From: Nicholas Esborn
To: freebsd-security@freebsd.org
Date: Fri, 11 Oct 2002 12:21:31 -0700
Subject: Possible to get publickey fingerprint in sshd log messages?

Hello,

Is there any possibility to identify which public key was accepted in sshd's syslog messages? Right now, it spits out something like:

    Oct 11 12:06:52 barbados sshd[14112]: Accepted publickey for jimbo from 10.0.0.167 port 2411 ssh2

The problem is that I can't tell which public key was used to gain entry. Would a public key fingerprint in this message weaken security in some way I'm missing?

Thanks,
-nick

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California

From owner-freebsd-security Fri Oct 11 14: 8:51 2002
From: David Olbersen
To: Nicholas Esborn
Cc: freebsd-security@freebsd.org
Date: Fri, 11 Oct 2002 14:08:41 -0700
Subject: Re: Possible to get publickey fingerprint in sshd log messages?

Thus spake Nicholas Esborn (nick@netdot.net):
> The problem is that I can't tell which public key was used to gain entry.
> Would a public key fingerprint in this message weaken security in some way
> I'm missing?

I've been wondering about this ability myself. Showing a PUBLIC key fingerprint shouldn't weaken security at all, should it? It would create the possibility of somebody sending your client encrypted messages, but I wonder how much of a problem that could be.

--
David Olbersen
Site: http://mp3s.mootech.net
PGP Key: http://mootech.net/~dave/gpg-key.txt
One hoopy frood who knows where his towel is.

From owner-freebsd-security Fri Oct 11 14:20:27 2002
From: Peter Jeremy
To: Chris BeHanna
Cc: FreeBSD Security
Date: Sat, 12 Oct 2002 07:20:20 +1000
Subject: Re: access() is a security hole?

On Fri, Oct 11, 2002 at 10:01:30AM -0400, Chris BeHanna wrote:
> Perhaps the way to avoid the race is to open the file, lock it,
> and *then* call access(), then close the file or proceed based upon
> the result.
>
> Yes, I know--there's a possible race between open() and fcntl().
...
> Once a process has the lock, it can call fstat() to determine if
> the real [ug]id (which it already knows) has permission to access the
> file in the desired manner.

I can see two more critical problems:

Firstly, open() options like O_TRUNC and O_CREAT will have already modified the file based on the e[gu]id before the later checks discover that the r[gu]id shouldn't have access to the file. You can delay the O_TRUNC by calling ftruncate() later, but there's no way to postpone O_CREAT.

Secondly (and more seriously), open() only returns a file descriptor referring to the leaf file in the pathname - and file locks only affect that specific file. Using fstat() on the returned descriptor can only tell you the access permissions on that particular file, it can't tell you that access should have been blocked due to permissions on intervening directories - and the file lock won't prevent an attacker changing the intervening directory structure.
The sequence open(),fstat(),access(),stat() and verifying that the inode returned by the fstat() and stat() are the same makes the race harder to win, but there's still a race: Someone could manage to swap the file back to the original between the access() and stat(). It's not at all clear how to solve this in userland. In the absence of symlinks, you can parse the pathname, using open(),fstat(),fchdir() to securely get to the final pathname component. Unfortunately, there's no way to securely do this and handle symlinks (because you have to use lstat() to detect a symlink and there is a gap between the lstat() and subsequent open(). The only solution I can see is a new "open_as_real_user()" system call which is identical to open(2) except that it performs all the access checks using the processes real credentials instead of the effective credentials. (This could potentially be done using a new O_REALUSER flag on the existing open()). Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 15:12:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8160137B404 for ; Fri, 11 Oct 2002 15:12:42 -0700 (PDT) Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F76943E88 for ; Fri, 11 Oct 2002 15:12:42 -0700 (PDT) (envelope-from jason@shalott.net) Received: (qmail 53604 invoked by uid 1000); 11 Oct 2002 22:12:38 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 11 Oct 2002 22:12:38 -0000 Date: Fri, 11 Oct 2002 15:12:38 -0700 (PDT) From: Jason Stone X-X-Sender: To: Nicholas Esborn Cc: Subject: Re: Possible to get publickey fingerprint in sshd log messages? 
In-Reply-To: <20021011192131.GB18130@carbon.berkeley.netdot.net> Message-ID: <20021011150528.W98319-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Is there any possibility to identify which public key was accepted in > sshd's syslog messages? Right now, it spits out something like: Yes - as of... 3.4? you can get key fingerprints by setting the loglevel to verbose. I reccommend using a separate logfile for sshd in that case, as the logs will get very long and noisy (depending on the size of your user base, of course). I add this to my syslog.conf: local7.* /var/log/sshd.log and this to my sshd_config: SyslogFacility LOCAL7 LogLevel VERBOSE I then get output like this in sshd.log: Oct 11 15:06:36 iphigenia sshd[715]: Found matching DSA key: c2:2a:a3:de:a4:42:19:a7:d0:45:9a:55:e8:0f:bc:d5 Oct 11 15:06:36 iphigenia sshd[715]: Accepted publickey for root from ::1 port 1358 ssh2 Oct 11 15:06:54 iphigenia sshd[715]: Connection closed by remote host. Oct 11 15:06:54 iphigenia sshd[715]: Closing connection to ::1 Oct 11 15:06:56 iphigenia sshd[722]: Connection from ::1 port 1359 Oct 11 15:06:58 iphigenia sshd[722]: Found matching RSA1 key: a9:3b:46:de:a4:42:19:a7:d0:45:9a:55:e8:0f:ad:9f Oct 11 15:06:58 iphigenia sshd[722]: Accepted rsa for root from ::1 port 1359 -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" 
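With LogLevel VERBOSE, as Jason shows, the matching key and the acceptance are two separate syslog lines that share only the sshd process id. The C program below is an added example, not code from this thread: it pairs the two lines per pid so that each accepted login is reported together with the fingerprint that was used, and a login that had no key line (a password login, say) comes out with an empty fingerprint. The sample lines are constructed after the output Jason and Nick show; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of sshd output at LogLevel VERBOSE, modelled on the lines
 * shown above: within one connection (one sshd pid) "Found matching <type> key:
 * <fp>" precedes "Accepted <method> for <user> from <host> ...". */
static const char *const sample_log[] = {
    "Oct 11 15:06:36 barbados sshd[715]: Found matching DSA key: c2:2a:a3:de:a4:42:19:a7:d0:45:9a:55:e8:0f:bc:d5",
    "Oct 11 15:06:36 barbados sshd[715]: Accepted publickey for jimbo from 10.0.0.167 port 2411 ssh2",
    "Oct 11 15:06:54 barbados sshd[715]: Connection closed by remote host.",
    "Oct 11 15:06:58 barbados sshd[722]: Found matching RSA1 key: a9:3b:46:de:a4:42:19:a7:d0:45:9a:55:e8:0f:ad:9f",
    "Oct 11 15:06:58 barbados sshd[722]: Accepted rsa for jimbo from 10.0.0.23 port 1359",
    "Oct 11 15:07:10 barbados sshd[730]: Accepted password for jimbo from 10.0.0.99 port 1401 ssh2",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])
#define MAX_PIDS 32

struct login {
    int  pid;
    char method[16];    /* publickey, rsa, password, ... */
    char user[32], host[64];
    char keytype[16];   /* empty when sshd logged no key for this pid */
    char fp[64];
};

/* Return the pid from " sshd[<pid>]: " and point *msg past it, or -1. */
static int sshd_pid(const char *line, const char **msg)
{
    const char *p = strstr(line, " sshd[");
    int pid, off = 0;

    if (p == NULL || sscanf(p, " sshd[%d]: %n", &pid, &off) != 1 || off == 0)
        return -1;
    *msg = p + off;
    return pid;
}

/* Walk the lines in order, remember the latest matching key per sshd pid and
 * emit one struct login per "Accepted" line; returns how many were written. */
int correlate_logins(const char *const *lines, size_t n,
                     struct login *out, size_t max_out)
{
    struct login pend[MAX_PIDS];        /* only pid, keytype and fp are used */
    size_t npend = 0, nout = 0, i, j;

    for (i = 0; i < n; i++) {
        const char *msg;
        char keytype[16], fp[64], method[16], user[32], host[64];
        int pid = sshd_pid(lines[i], &msg);

        if (pid < 0)
            continue;
        if (sscanf(msg, "Found matching %15s key: %63s", keytype, fp) == 2) {
            /* logged for the key query and again for the signed attempt: latest wins */
            for (j = 0; j < npend && pend[j].pid != pid; j++)
                ;
            if (j == npend) {
                if (npend == MAX_PIDS)
                    continue;               /* table full: drop, never overflow */
                pend[npend++].pid = pid;
            }
            strcpy(pend[j].keytype, keytype);
            strcpy(pend[j].fp, fp);
        } else if (sscanf(msg, "Accepted %15s for %31s from %63s",
                          method, user, host) == 3) {
            struct login *l;
            if (nout == max_out)
                break;
            l = &out[nout++];
            l->pid = pid;
            strcpy(l->method, method);
            strcpy(l->user, user);
            strcpy(l->host, host);
            l->keytype[0] = l->fp[0] = '\0';
            for (j = 0; j < npend; j++) {
                if (pend[j].pid == pid) {
                    strcpy(l->keytype, pend[j].keytype);
                    strcpy(l->fp, pend[j].fp);
                    pend[j] = pend[--npend];    /* pids are recycled: forget it */
                    break;
                }
            }
        }
    }
    return (int)nout;
}

/* Results for the constructed sample, filled by sample_login_count(). */
static struct login sample_out[8];

int sample_login_count(void)
{
    return correlate_logins(sample_log, SAMPLE_LOG_LEN, sample_out, 8);
}

int main(void)
{
    int i, n = sample_login_count();

    for (i = 0; i < n; i++)
        printf("pid %d: %s from %s via %s, key %s\n", sample_out[i].pid,
               sample_out[i].user, sample_out[i].host, sample_out[i].method,
               sample_out[i].fp[0] ? sample_out[i].fp : "none logged");
    return 0;
}
```

On a real log, read lines from /var/log/sshd.log into the array instead of the constructed sample; the same pid can reappear after a while, which is why a matched key is forgotten as soon as its login is reported.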
-- Mike Godwin

From owner-freebsd-security Fri Oct 11 17:04:51 2002
Date: Fri, 11 Oct 2002 17:01:15 -0700 (PDT)
From: Mike Hoskins
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sniffer nic
In-Reply-To: <20021010233434.Q815-100000@patrocles.silby.com>
Message-ID: <20021011165800.G93030-100000@fubar.adept.org>

On Thu, 10 Oct 2002, Mike Silbersack wrote:
> On Tue, 8 Oct 2002, twig les wrote:
> > NIDS. A couple things I was wondering though.... Is
> > anyone running the "ANA-62011 64-bit single port
> > 10/100baseTX adapter" from Adaptec? It's supported by
> You're best off going with a more commonly used card.
> If you want a NIC which will last into the future, get one of the
> Intel Gigabit cards
> (And Luigi claims that it performs well too...)

I've used the 4-port Adaptec ANA* cards. No major complaints, but I have
definitely seen more anomalies than in many years using fxp. I'd highly
suggest sticking to Intel for anything high-throughput.

As for the new Intel GB NICs... I'm glad to hear they're working well
with FreeBSD (haven't tried 'em yet)... That's a lot more than I can
currently say for Linux. ;)

From owner-freebsd-security Fri Oct 11 17:10:16 2002
Date: Fri, 11 Oct 2002 20:10:13 -0400
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sniffer nic
Message-ID: <20021012001013.GD18678@pir.net>
In-Reply-To: <20021011165800.G93030-100000@fubar.adept.org>

Mike Hoskins probably said:
> As for the new Intel GB NICs... I'm glad to hear they're working well
> with FreeBSD (haven't tried 'em yet)... That's a lot more than I can
> currently say for Linux. ;)

I've reported problems that are still ongoing with the Intel gig copper
cards, I can't use them with any reliability. We went back to Netgear
GA620 copper cards, which have worked flawlessly for me.

P.

--
pir          pir-sig@pir.net          pir-sig@net.tufts.edu

From owner-freebsd-security Fri Oct 11 19:02:12 2002
Message-Id: <200210120202.g9C220vU046809@gw.catspoiler.org>
Date: Fri, 11 Oct 2002 19:02:00 -0700 (PDT)
From: Don Lewis
Subject: Re: access() is a security hole?
To: peterjeremy@optushome.com.au
Cc: behanna@zbzoom.net, security@FreeBSD.ORG
In-Reply-To: <20021011212020.GA209@server.c18609.belrs1.nsw.optusnet.com.au>

On 12 Oct, Peter Jeremy wrote:
> On Fri, Oct 11, 2002 at 10:01:30AM -0400, Chris BeHanna wrote:
>> Perhaps the way to avoid the race is to open the file, lock it,
>> and *then* call access(), then close the file or proceed based upon
>> the result.
>>
>> Yes, I know--there's a possible race between open() and fcntl().
> ...
>> Once a process has the lock, it can call fstat() to determine if
>> the real [ug]id (which it already knows) has permission to access the
>> file in the desired manner.
>
> I can see two more critical problems:
>
> Firstly, open() options like O_TRUNC and O_CREAT will have already
> modified the file based on the e[gu]id before the later checks
> discover that the r[gu]id shouldn't have access to the file. You
> can delay the O_TRUNC by calling ftruncate() later, but there's no
> way to postpone O_CREAT.
>
> Secondly (and more seriously), open() only returns a file descriptor
> referring to the leaf file in the pathname - and file locks only
> affect that specific file. Using fstat() on the returned descriptor
> can only tell you the access permissions on that particular file, it
> can't tell you that access should have been blocked due to permissions
> on intervening directories - and the file lock won't prevent an
> attacker changing the intervening directory structure.
>
> The sequence open(),fstat(),access(),stat() and verifying that the
> inode returned by the fstat() and stat() are the same makes the race
> harder to win, but there's still a race: Someone could manage to
> swap the file back to the original between the access() and stat().
>
> It's not at all clear how to solve this in userland. In the absence
> of symlinks, you can parse the pathname, using open(),fstat(),fchdir()
> to securely get to the final pathname component. Unfortunately,
> there's no way to securely do this and handle symlinks (because you
> have to use lstat() to detect a symlink and there is a gap between
> the lstat() and subsequent open().

It's worse than that because you can run into the same problems with
trying to verify the directory permissions before doing mkdir(),
rmdir(), link(), symlink(), etc.

> The only solution I can see is a new "open_as_real_user()" system call
> which is identical to open(2) except that it performs all the access
> checks using the processes real credentials instead of the effective
> credentials. (This could potentially be done using a new O_REALUSER
> flag on the existing open()).

and all the other foo_as_real_user() syscalls.

I suppose an alternative to the latter would be to open_as_real_user()
the directory and create fmkdir(), frmdir(), flink(), fsymlink(), etc.
syscalls that act a lot like fchown() but take the fd of the directory.

Another problem with doing a stat() and looking at the ownership and
permission bits is that it is an attempt to duplicate the same checks
that are in the kernel, and it fails to do the right thing when new
kernel features, such as access control lists, are implemented.
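As an added example, not code from this thread: a userland stand-in for the open_as_real_user() call Peter proposes, built on seteuid()/setegid(). Rather than re-implementing the checks with stat(), which Don notes duplicates the kernel and misses ACLs, it lets the kernel run its own path walk with the real credentials, so the O_CREAT/O_TRUNC, intervening-directory and symlink cases raised above are all decided by the kernel. The function names and the self-check are assumptions, and the racy access()-then-open() function is included only for contrast; the credential switch is process-wide, so it is unusable in threaded programs, and the supplementary group list is left as it is.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the thread is about: access() answers for the real uid, but
 * the path can be re-pointed before open() runs with the effective uid. */
int open_after_access_racy(const char *path, int flags)
{
    if (access(path, (flags & O_ACCMODE) == O_RDONLY ? R_OK : W_OK) == -1)
        return -1;
    return open(path, flags);           /* window between the two calls */
}

/* Hypothetical userland stand-in for the proposed open_as_real_user() syscall:
 * make the real uid/gid effective for exactly one open(2), so the kernel, not
 * a stat()-based re-implementation, performs every check: intervening
 * directories, symlinks, O_CREAT, O_TRUNC and whatever ACLs it supports.
 * Process-wide, hence not thread-safe; supplementary groups are untouched. */
int open_as_real_user(const char *path, int flags, mode_t mode)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Group first: once euid is unprivileged, changing egid may be refused. */
    if (setegid(getgid()) == -1)
        return -1;
    if (seteuid(getuid()) == -1) {
        saved_errno = errno;
        if (setegid(saved_egid) == -1)
            abort();
        errno = saved_errno;
        return -1;
    }

    fd = open(path, flags, mode);       /* checked against the real ids */
    saved_errno = errno;

    /* Regain via the saved set-user/group-ID; never run on half-switched. */
    if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1)
        abort();
    errno = saved_errno;
    return fd;
}

/* Self-check: 1 if the wrapper behaves, 0 otherwise.  Without set-id bits the
 * real and effective ids already match, so this exercises the bookkeeping. */
int open_as_real_user_selfcheck(void)
{
    char tmpl[] = "/tmp/oaru.XXXXXX";
    uid_t euid_before = geteuid();
    gid_t egid_before = getegid();
    int fd, ok = 1;

    if ((fd = mkstemp(tmpl)) == -1)
        return 0;
    close(fd);

    /* O_CREAT|O_TRUNC take effect under the real credentials, not the effective ones. */
    fd = open_as_real_user(tmpl, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd == -1 || write(fd, "ok\n", 3) != 3)
        ok = 0;
    if (fd != -1)
        close(fd);

    /* A missing directory is refused by the kernel's path walk; errno survives. */
    if (open_as_real_user("/nonexistent-oaru-dir/file", O_RDONLY, 0) != -1
        || errno != ENOENT)
        ok = 0;

    if (geteuid() != euid_before || getegid() != egid_before)
        ok = 0;
    unlink(tmpl);
    return ok;
}

int main(void)
{
    printf("open_as_real_user self-check: %s\n",
           open_as_real_user_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```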
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 20:11:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08CF337B401 for ; Fri, 11 Oct 2002 20:11:30 -0700 (PDT) Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6DC3C43E6A for ; Fri, 11 Oct 2002 20:11:29 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g9C3BLbb001986; Fri, 11 Oct 2002 20:11:21 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g9C3BKLX001985; Fri, 11 Oct 2002 20:11:20 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU) Date: Fri, 11 Oct 2002 20:11:20 -0700 From: David Schultz To: Don Lewis Cc: peterjeremy@optushome.com.au, behanna@zbzoom.net, security@FreeBSD.ORG Subject: Re: access() is a security hole? Message-ID: <20021012031120.GA1951@HAL9000.homeunix.com> Mail-Followup-To: Don Lewis , peterjeremy@optushome.com.au, behanna@zbzoom.net, security@FreeBSD.ORG References: <20021011212020.GA209@server.c18609.belrs1.nsw.optusnet.com.au> <200210120202.g9C220vU046809@gw.catspoiler.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200210120202.g9C220vU046809@gw.catspoiler.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Don Lewis : > > It's not at all clear how to solve this in userland. 
In the absence > > of symlinks, you can parse the pathname, using open(),fstat(),fchdir() > > to securely get to the final pathname component. Unfortunately, > > there's no way to securely do this and handle symlinks (because you > > have to use lstat() to detect a symlink and there is a gap between > > the lstat() and subsequent open(). > > It's worse than that because you can run into the same problems with > trying to verify the directory permissions before doing mkdir(), > rmdir(), link(), symlink(), etc. In addition to what has already been mentioned, consider what happens when someone creates a symlink to a tape drive. Just the act of opening the device may have actions associated with it. Really, there ought to be a version of the open syscall that takes an argument specifying the credentials to use for the call, but instead we're stuck with the lovely setuid suite of functions. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 22: 9:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE5A737B401 for ; Fri, 11 Oct 2002 22:09:28 -0700 (PDT) Received: from mpls-qmqp-04.inet.qwest.net (mpls-qmqp-04.inet.qwest.net [63.231.195.115]) by mx1.FreeBSD.org (Postfix) with SMTP id 3086643E75 for ; Fri, 11 Oct 2002 22:09:28 -0700 (PDT) (envelope-from maildrop@qwest.net) Received: (qmail 20086 invoked by uid 0); 12 Oct 2002 05:04:30 -0000 Received: from unknown (63.231.195.4) by mpls-qmqp-04.inet.qwest.net with QMQP; 12 Oct 2002 05:04:30 -0000 Received: from unknown (HELO jenny) (63.231.238.226) by mpls-pop-04.inet.qwest.net with SMTP; 12 Oct 2002 05:09:27 -0000 Date: Sat, 12 Oct 2002 00:17:42 -0500 Message-ID: From: "Maildrop" To: freebsd-security@freebsd.org Subject: monitor ALL connections to ALL ports MIME-Version: 1.0 Content-Type: text/plain; 
charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I currently have a DSL line and a FreeBSD firewall/gateway (dual homed). It has one internal IP address and 5 external IP address (one "real" ip and 4 alaises on same external nic). What I want to do is montior and record (to log) all incoming/outging connection (just source ip/dest ip/port). If someone connects to my web server it should log what ip accessed it, the time, which ip (web server runs on 2 external ip address) and the port. Also if someone does a port scan against the box I should be able to tell it is a port scan (since one ip address would be opening up a bunch of ports). Right now I don't care what data is being sent/received, just what connections are being made (and the details about those connections). Any suggestions? 
Regards, Jack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 22:26:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77F7237B401 for ; Fri, 11 Oct 2002 22:26:41 -0700 (PDT) Received: from web40508.mail.yahoo.com (web40508.mail.yahoo.com [66.218.78.125]) by mx1.FreeBSD.org (Postfix) with SMTP id 27F2643E6E for ; Fri, 11 Oct 2002 22:26:41 -0700 (PDT) (envelope-from sonam_singh_s@yahoo.com) Message-ID: <20021012052641.80433.qmail@web40508.mail.yahoo.com> Received: from [202.88.149.172] by web40508.mail.yahoo.com via HTTP; Fri, 11 Oct 2002 22:26:41 PDT Date: Fri, 11 Oct 2002 22:26:41 -0700 (PDT) From: sonam singh Subject: Re: monitor ALL connections to ALL ports To: maildrop@qwest.net, freebsd-security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org u can use packet analyzer or sniffer run the network card in promiscous mode use ntop or snmp with mrtg or tcpdump or etheral regards Sonam Singh --- Maildrop wrote: > > I currently have a DSL line and a FreeBSD > firewall/gateway (dual homed). It > has one internal IP address and 5 external IP > address (one "real" ip and 4 > alaises on same external nic). > > What I want to do is montior and record (to log) all > incoming/outging > connection (just source ip/dest ip/port). If > someone connects to my web > server it should log what ip accessed it, the time, > which ip (web server > runs on 2 external ip address) and the port. Also > if someone does a port > scan against the box I should be able to tell it is > a port scan (since one > ip address would be opening up a bunch of ports). 
> > Right now I don't care what data is being > sent/received, just what > connections are being made (and the details about > those connections). > > Any suggestions? > > Regards, > Jack > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message __________________________________________________ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 22:37:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F414137B401 for ; Fri, 11 Oct 2002 22:37:06 -0700 (PDT) Received: from mpls-qmqp-03.inet.qwest.net (mpls-qmqp-03.inet.qwest.net [63.231.195.114]) by mx1.FreeBSD.org (Postfix) with SMTP id 68B7C43E65 for ; Fri, 11 Oct 2002 22:37:06 -0700 (PDT) (envelope-from maildrop@qwest.net) Received: (qmail 58961 invoked by uid 0); 12 Oct 2002 05:33:50 -0000 Received: from unknown (63.231.195.11) by mpls-qmqp-03.inet.qwest.net with QMQP; 12 Oct 2002 05:33:50 -0000 Received: from unknown (HELO jenny) (63.231.238.226) by mpls-pop-11.inet.qwest.net with SMTP; 12 Oct 2002 05:37:05 -0000 Date: Sat, 12 Oct 2002 00:45:20 -0500 Message-ID: From: "Maildrop" To: "sonam singh" , maildrop@qwest.net, freebsd-security@freebsd.org Subject: RE: monitor ALL connections to ALL ports MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20021012052641.80433.qmail@web40508.mail.yahoo.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List 
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I looked at those, but I was looking for more of a Daemon that runs it the background 24-7, and logs all connections without interaction from admin (ie. me :) regards, jack > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of sonam singh > Sent: Saturday, October 12, 2002 12:27 AM > To: maildrop@qwest.net; freebsd-security@freebsd.org > Subject: Re: monitor ALL connections to ALL ports > > > u can use packet analyzer or sniffer run the network > card in promiscous mode use ntop or snmp with mrtg or > tcpdump or etheral > regards > Sonam Singh > > > --- Maildrop wrote: > > > > I currently have a DSL line and a FreeBSD > > firewall/gateway (dual homed). It > > has one internal IP address and 5 external IP > > address (one "real" ip and 4 > > alaises on same external nic). > > > > What I want to do is montior and record (to log) all > > incoming/outging > > connection (just source ip/dest ip/port). If > > someone connects to my web > > server it should log what ip accessed it, the time, > > which ip (web server > > runs on 2 external ip address) and the port. Also > > if someone does a port > > scan against the box I should be able to tell it is > > a port scan (since one > > ip address would be opening up a bunch of ports). > > > > Right now I don't care what data is being > > sent/received, just what > > connections are being made (and the details about > > those connections). > > > > Any suggestions? > > > > Regards, > > Jack > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > the message > > > __________________________________________________ > Do you Yahoo!? 
> Faith Hill - Exclusive Performances, Videos & More > http://faith.yahoo.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 11 23: 3:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88F2337B401 for ; Fri, 11 Oct 2002 23:03:07 -0700 (PDT) Received: from ns.ulstu.ru (ns.ulstu.ru [62.76.34.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4603F43E8A for ; Fri, 11 Oct 2002 23:03:06 -0700 (PDT) (envelope-from zaa@ulstu.ru) Received: from omega.ulstu.ru (omega.ulstu.ru [62.76.34.34]) by ns.ulstu.ru (Postfix-ULSTU) with ESMTP id B55AAF2369 for ; Sat, 12 Oct 2002 10:03:00 +0400 (MSD) Received: by omega.ulstu.ru (Postfix, from userid 3909) id 35D3520F27; Sat, 12 Oct 2002 10:03:00 +0400 (MSD) Date: Sat, 12 Oct 2002 10:03:00 +0400 From: zhuravlev alexander To: freebsd-security@freebsd.org Subject: Re: monitor ALL connections to ALL ports Message-ID: <20021012060300.GA34336@omega.ulstu.ru> Reply-To: zhuravlev alexander Mail-Followup-To: freebsd-security@freebsd.org References: <20021012052641.80433.qmail@web40508.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Oct 12, 2002 at 12:45:20AM -0500, Maildrop wrote: > > I looked at those, but I was looking for more of a Daemon that runs it the > background 24-7, and logs all connections without interaction from admin > (ie. 
me :) [omega:net]>make search name=ipcad Port: ipcad-2.6.3 Path: /usr/ports/net/ipcad Info: IP accounting daemon simulating Cisco ip accounting Maint: vlm@spelio.net.ru Index: net B-deps: R-deps: [omega:net]>make search name=traf Port: trafd-3.0.1 Path: /usr/ports/net/trafd Info: The BPF Traffic Collector Maint: ports@FreeBSD.org Index: net B-deps: R-deps: > > regards, > jack -- zhuravlev alexander u l s t u n o c To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 0:52: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4978337B401 for ; Sat, 12 Oct 2002 00:51:59 -0700 (PDT) Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CAA843E91 for ; Sat, 12 Oct 2002 00:51:58 -0700 (PDT) (envelope-from bde@zeta.org.au) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id RAA08333; Sat, 12 Oct 2002 17:51:47 +1000 Date: Sat, 12 Oct 2002 18:02:02 +1000 (EST) From: Bruce Evans X-X-Sender: bde@gamplex.bde.org To: David Schultz Cc: Don Lewis , , , Subject: Re: access() is a security hole? In-Reply-To: <20021012031120.GA1951@HAL9000.homeunix.com> Message-ID: <20021012175752.K16055-100000@gamplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 11 Oct 2002, David Schultz wrote: > ... > Really, there ought to be a version of the open syscall that takes > an argument specifying the credentials to use for the call, but > instead we're stuck with the lovely setuid suite of functions. Unmentionablux has had the setfsuid suite for some time now. 
Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 1:53: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C38A137B401 for ; Sat, 12 Oct 2002 01:52:58 -0700 (PDT) Received: from p7.ns777.net (p7.ns777.net [216.127.84.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 26ED843EA9 for ; Sat, 12 Oct 2002 01:52:58 -0700 (PDT) (envelope-from alex.pavlovic@corp-x.com) Received: (qmail 25984 invoked from network); 12 Oct 2002 08:52:57 -0000 Received: from a0it30ycy20h9.bc.hsia.telus.net (HELO rg3xxrk05ruyqib) (66.183.61.160) by preview7.ns777.net with SMTP; 12 Oct 2002 08:52:57 -0000 From: "Alex Pavlovic" To: Subject: RE: monitor ALL connections to ALL ports Date: Sat, 12 Oct 2002 01:54:46 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, If I am not mistaken I think you are looking for ids. Your best bet would be something like snort ( snort.org ), as it recognizes multitude of attacks and probes. Logging incoming web server connections can be done via server log files, thats what they are for. Hope this helps. 
-- Alex Pavlovic Founder and CTO Corp-X Solutions http://www.corp-x.com -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Maildrop Sent: Friday, October 11, 2002 10:18 PM To: freebsd-security@freebsd.org Subject: monitor ALL connections to ALL ports I currently have a DSL line and a FreeBSD firewall/gateway (dual homed). It has one internal IP address and 5 external IP addresses (one "real" IP and 4 aliases on the same external NIC). What I want to do is monitor and record (to log) all incoming/outgoing connections (just source IP/dest IP/port). If someone connects to my web server it should log what IP accessed it, the time, which IP (web server runs on 2 external IP addresses) and the port. Also if someone does a port scan against the box I should be able to tell it is a port scan (since one IP address would be opening up a bunch of ports). Right now I don't care what data is being sent/received, just what connections are being made (and the details about those connections). Any suggestions?
Regards, Jack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 7:39:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1CA3E37B401 for ; Sat, 12 Oct 2002 07:39:32 -0700 (PDT) Received: from micko.boca.verio.net (r00.nat.boca.verio.net [208.55.254.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 52DE443E9C for ; Sat, 12 Oct 2002 07:39:31 -0700 (PDT) (envelope-from micko@micko.boca.verio.net) Received: from micko.boca.verio.net (localhost.boca.verio.net [127.0.0.1]) by micko.boca.verio.net (8.12.5/8.12.5) with ESMTP id g9CEfK4M044814; Sat, 12 Oct 2002 10:41:20 -0400 (EDT) (envelope-from micko@micko.boca.verio.net) Received: (from micko@localhost) by micko.boca.verio.net (8.12.5/8.12.5/Submit) id g9CEfJlF044813; Sat, 12 Oct 2002 10:41:19 -0400 (EDT) Date: Sat, 12 Oct 2002 10:41:19 -0400 From: Dragan Mickovic To: Maildrop Cc: freebsd-security@freebsd.org Subject: Re: monitor ALL connections to ALL ports Message-ID: <20021012104119.A43753@verio.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from maildrop@qwest.net on Sat, Oct 12, 2002 at 12:17:42AM -0500 X-Operating-System: FreeBSD micko.boca.verio.net 4.6-STABLE FreeBSD 4.6-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You can just put IPFilter with a default rule to pass and log. By default it will log src,dst,port,len .. 
i.e.:
Sep 22 19:39:20 server_name ipmon[84]: 19:39:20.251359 fxp0 @0:20 b 192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN
micko On Sat, Oct 12, 2002 at 12:17:42AM -0500, Maildrop wrote: > > I currently have a DSL line and a FreeBSD firewall/gateway (dual homed). It > has one internal IP address and 5 external IP addresses (one "real" IP and 4 > aliases on the same external NIC). > > What I want to do is monitor and record (to log) all incoming/outgoing > connections (just source IP/dest IP/port). If someone connects to my web > server it should log what IP accessed it, the time, which IP (web server > runs on 2 external IP addresses) and the port. Also if someone does a port > scan against the box I should be able to tell it is a port scan (since one > IP address would be opening up a bunch of ports). > > Right now I don't care what data is being sent/received, just what > connections are being made (and the details about those connections). > > Any suggestions? > > Regards, > Jack > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Dragan Mickovic UNIX Systems Administrator NTT/Verio x.4012 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 17:40: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EAB837B401 for ; Sat, 12 Oct 2002 17:39:59 -0700 (PDT) Received: from txsmtp01.texas.rr.com (smtp1.texas.rr.com [24.93.36.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id BCDE343EB1 for ; Sat, 12 Oct 2002 17:39:58 -0700 (PDT) (envelope-from ww@austin.rr.com) Received: from apricot (cs24243228-109.austin.rr.com [24.243.228.109]) by txsmtp01.texas.rr.com (8.12.5/8.12.2) with SMTP id g9D0cbss026959 for ; Sat, 12 Oct 2002 20:38:38 -0400 (EDT) From: "William Wallace" To: "FreeBSD Security" Subject:
Kernel log message Date: Sat, 12 Oct 2002 19:37:33 -0500 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0328_01C27226.CF7796C0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal X-MS-TNEF-Correlator: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0328_01C27226.CF7796C0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit > Could someone explain to me what the following log message means: > > disco.wwallace.net kernel log messages: > > arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on > de0 > > Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from > 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0 > > The machine in question (192.168.100.2) is a Windows 2000 machine that has > had the same NIC for years. Also, only one of the digits in the MAC > address seems to have changed. What could cause this? > > Thanks, > - William. 
> > ------=_NextPart_000_0328_01C27226.CF7796C0 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="winmail.dat"
------=_NextPart_000_0328_01C27226.CF7796C0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 21: 4:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCAC537B401 for ; Sat, 12 Oct 2002 21:04:19 -0700 (PDT) Received: from dsl-64-128-185-9.telocity.com (dsl-64-128-185-9.telocity.com [64.128.185.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCA3043E91 for ; Sat, 12 Oct 2002 21:04:18 -0700 (PDT) (envelope-from mjoyner2@hq.dyns.cx) Received: (from root@localhost) by dsl-64-128-185-9.telocity.com (8.12.6/8.11.5) id g9D44G7K003094 for freebsd-security@freebsd.org; Sun, 13 Oct 2002 00:04:16 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Received: from ip-24.internal (ip-34.internal [192.168.2.34]) by hq.dyns.cx (8.12.6/8.11.5av) with ESMTP id g9D4465u003072 for ; Sun, 13 Oct 2002 00:04:06 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Received: from hq.dyns.cx (localhost [127.0.0.1]) by ip-24.internal (8.12.6/8.12.6) with ESMTP id g9D447rG002018 for ; Sun, 13 Oct 2002 00:04:08 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Message-ID: <3DA8F0B7.8050505@hq.dyns.cx> Date: Sun, 13 Oct 2002 00:04:07 -0400 From: wolf User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3 X-Accept-Language: en-us MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: ipcs output when
running netscape shows --rwarwarwa Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is the 'mode' as listed below a security issue? Linux Netscape 6 is running w/ mode rwarwarwa while all the other apps I've tested so far (all native compiled btw) show only --rw-------. :/
bash-2.05a$ ipcs -m -o -p
Shared Memory:
T       ID   KEY MODE        OWNER   GROUP   NATTCH CPID LPID
m   262144     0 --rw------- mjoyner mjoyner      2  597  278
m  1048577     0 --rwarwarwa mjoyner mjoyner      2  710  278
m  1179650     0 --rwarwarwa mjoyner mjoyner      2  710  278
m   131075     0 --rwarwarwa mjoyner mjoyner      2  710  278
m   131076     0 --rwarwarwa mjoyner mjoyner      2  710  278
m   131077     0 --rwarwarwa mjoyner mjoyner      2  710  278
m   131078     0 --rwarwarwa mjoyner mjoyner      2  710  278
bash-2.05a$ ps -p 710
PID TT  STAT      TIME COMMAND
710 ??  S      0:37.54 ./mozilla-bin
bash-2.05a$ ps -p 278
PID TT  STAT      TIME COMMAND
278 ??
S 0:21.95 /usr/X11R6/bin/XFree86 -auth /var/lib/kdm/authfiles/A bash-2.05a$ uname -a FreeBSD ip-34.internal 4.7-STABLE FreeBSD 4.7-STABLE #0: Fri Oct 11 22:21:11 EDT 2002 mjoyner@ip-34.internal:/usr/src/sys/compile/workstation i386 bash-2.05a$ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 21:17:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F23337B401 for ; Sat, 12 Oct 2002 21:17:47 -0700 (PDT) Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by mx1.FreeBSD.org (Postfix) with SMTP id 6E97943E75 for ; Sat, 12 Oct 2002 21:17:46 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 39892 invoked by uid 1001); 13 Oct 2002 04:17:40 -0000 Date: Sun, 13 Oct 2002 00:17:40 -0400 From: "Peter C. Lai" To: William Wallace Cc: FreeBSD Security Subject: Re: Kernel log message Message-ID: <20021013041740.GA39841@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This looks like another candidate for an entry in the FAQ, since in the past 3 years that I have been on this list, questions about the arp messages have been asked and answered many many times. Take the message at face value. All it is saying is at Oct 5 08:03:57, the kernel detected that 192.168.100.2 broadcasted its MAC address as something different than what it had been broadcasting before. 
This could mean that 192.168.100.2 changed its MAC address, or that some other device decided to become 192.168.100.2. There are many causes of that happening; if I create an IP conflict with 2 devices having 192.168.100.2 and both keep broadcasting, that would cause the MAC to alternate every time I talk to 192.168.100.1. On Sat, Oct 12, 2002 at 07:37:33PM -0500, William Wallace wrote: > > > Could someone explain to me what the following log message means: > > > > disco.wwallace.net kernel log messages: > > > arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on > > de0 > > > Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from > > 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0 > > > > The machine in question (192.168.100.2) is a Windows 2000 machine that has > > had the same NIC for years. Also, only one of the digits in the MAC > > address seems to have changed. What could cause this? > > > > Thanks, > > - William. > > > > -- Peter C. Lai University of Connecticut Dept.
of Molecular and Cell Biology Yale University School of Medicine Center for Medical Informatics | Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 21:39:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EFF437B401 for ; Sat, 12 Oct 2002 21:39:50 -0700 (PDT) Received: from dsl-64-128-185-9.telocity.com (dsl-64-128-185-9.telocity.com [64.128.185.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C6A043EB3 for ; Sat, 12 Oct 2002 21:39:49 -0700 (PDT) (envelope-from mjoyner2@hq.dyns.cx) Received: (from root@localhost) by dsl-64-128-185-9.telocity.com (8.12.6/8.11.5) id g9D4dkTg004597 for freebsd-security@freebsd.org; Sun, 13 Oct 2002 00:39:46 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Received: from ip-24.internal (ip-34.internal [192.168.2.34]) by hq.dyns.cx (8.12.6/8.11.5av) with ESMTP id g9D4da5u004584 for ; Sun, 13 Oct 2002 00:39:36 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Received: from hq.dyns.cx (localhost [127.0.0.1]) by ip-24.internal (8.12.6/8.12.6) with ESMTP id g9D4dcrG008354 for ; Sun, 13 Oct 2002 00:39:38 -0400 (EDT) (envelope-from mjoyner2@hq.dyns.cx) Message-ID: <3DA8F90A.7070101@hq.dyns.cx> Date: Sun, 13 Oct 2002 00:39:38 -0400 From: wolf User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3 X-Accept-Language: en-us MIME-Version: 1.0 Cc: FreeBSD Security Subject: Re: Kernel log message References: <20021013041740.GA39841@cowbert.2y.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Could 
someone explain to me what the following log message means: > >disco.wwallace.net kernel log messages: > >arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on > >de0 > >Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from > >00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0 > >The machine in question (192.168.100.2) is a Windows 2000 machine that has >had the same NIC for years. Also, only one of the digits in the MAC >address seems to have changed. What could cause this? >
1) The NIC card could be dying. "same NIC for years"
2) Transmission error of some sort on your LAN
3) Problem w/ a packet switch.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 12 22:50:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA75137B401 for ; Sat, 12 Oct 2002 22:50:07 -0700 (PDT) Received: from p7.ns777.net (p7.ns777.net [216.127.84.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 3C1A143EA9 for ; Sat, 12 Oct 2002 22:50:07 -0700 (PDT) (envelope-from alex.pavlovic@corp-x.com) Received: (qmail 2047 invoked from network); 13 Oct 2002 05:50:06 -0000 Received: from a0it30ycy20h9.bc.hsia.telus.net (HELO rg3xxrk05ruyqib) (66.183.61.160) by preview7.ns777.net with SMTP; 13 Oct 2002 05:50:06 -0000 From: "Alex Pavlovic" To: "FreeBSD Security" Subject: RE: Kernel log message Date: Sat, 12 Oct 2002 22:51:55 -0700 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0000_01C27241.F6B3E2A0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal In-Reply-To: X-MS-TNEF-Correlator: X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C27241.F6B3E2A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Hi, There is always a possibility of someone or something performing ARP manipulation in order to redirect the LAN traffic. Some common techniques that come to mind are: MAC spoofing, which is efficient against CAM tables found in switches (if you are running a switched network), and ARP spoofing / cache poisoning, which might apply to you. Attacks that can be performed with these range from sniffing to proxying, MITM, DoS to escaping firewalls. Recently, for example, certain data has been published about interception of SSL traffic and an attack against Microsoft IE certificates. -- Alex Pavlovic Founder and CTO Corp-X Solutions http://www.corp-x.com > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG] > Sent: Saturday, October 12, 2002 5:38 PM > To: FreeBSD Security > Subject: Kernel log message > > > Could someone explain to me what the following log message means: > > disco.wwallace.net kernel log messages: > > arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to > 00:00:78:0d:5a:7f on de0 > > Oct 5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from > 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0 > > The machine in question (192.168.100.2) is a Windows 2000 machine > that has had the same NIC for years. Also, only one of the digits in the > MAC address seems to have changed. What could cause this? > > Thanks, > - William.
> > ------=_NextPart_000_0000_01C27241.F6B3E2A0 Content-Type: application/ms-tnef; name="winmail.dat" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="winmail.dat"
------=_NextPart_000_0000_01C27241.F6B3E2A0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the
body of the message
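Two of the questions in this digest come down to running detection logic over syslog: Jack's request to log every connection and recognise a port scan, which Dragan answers with an IPFilter "pass log" rule and an ipmon line, and the "arp: ... moved from" kernel notices that Peter Lai, wolf and Alex Pavlovic discuss (IP conflict, bit error, or ARP spoofing). The Python below is an added example written for this page; it is not code from any poster, from FreeBSD or from IPFilter. It parses the two line formats quoted in the thread, flags a single source touching many destination ports, and reports for each moved IP whether it keeps alternating between two MACs (the IP-conflict pattern) and how many bits differ between the old and new MAC. The sample log lines are constructed (two copy the formats quoted above); the scan threshold of ten ports and the bit-distance heuristic are assumptions, not anything the thread states.

```python
"""Detection logic over FreeBSD syslog lines: ipmon connection records from
IPFilter 'log' rules (per-connection logging, port-scan spotting) and kernel
'arp: ... moved from' notices.

Added example; not code from any poster or from FreeBSD/IPFilter. Sample
lines are constructed (two copy formats quoted in the thread); the scan
threshold and the bit-distance heuristic are assumptions."""
import re
from collections import defaultdict

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# ipmon record, format as quoted by Dragan Mickovic:
#   ... ipmon[84]: 19:39:20.251359 fxp0 @0:20 b 192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN
IPMON_RE = re.compile(
    SYSLOG_TS + r"ipmon\[\d+\]: \S+ (?P<ifname>\S+) @\S+ (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*?\b(?P<dir>IN|OUT)\b")

# kernel ARP notice, format as quoted by William Wallace:
#   ... /kernel: arp: 192.168.100.2 moved from 00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0
ARP_RE = re.compile(
    SYSLOG_TS + r"/kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)$")


def parse_syslog(lines):
    """One dict per recognised line (kind = 'ipmon' or 'arp'); others skipped."""
    records = []
    for line in lines:
        m = IPMON_RE.match(line)
        if m:
            rec = dict(m.groupdict(), kind="ipmon")
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
            continue
        m = ARP_RE.match(line)
        if m:
            records.append(dict(m.groupdict(), kind="arp"))
    return records


def detect_port_scans(records, min_ports=10):
    """(src, dst) pairs where one source hit at least min_ports distinct
    destination ports inbound. The threshold is an assumption; tune it."""
    ports = defaultdict(set)
    for r in records:
        if r["kind"] == "ipmon" and r["dir"] == "IN":
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def mac_bit_distance(a, b):
    """Number of bits that differ between two colon-separated MAC addresses."""
    return sum(bin(int(x, 16) ^ int(y, 16)).count("1")
               for x, y in zip(a.split(":"), b.split(":")))


def analyze_arp_moves(records):
    """Per IP: number of 'moved' notices, the MACs involved, whether the IP
    keeps returning to a MAC it left (the two-hosts-one-IP pattern Peter Lai
    describes), and the smallest old/new bit distance. Heuristic (assumption):
    a spoofer's MAC differs in many bits; a single flipped bit does not."""
    moves = defaultdict(list)
    for r in records:
        if r["kind"] == "arp":
            moves[r["ip"]].append((r["old"], r["new"]))
    report = {}
    for ip, pairs in moves.items():
        flipflop = any(new in {old for old, _ in pairs[:i]}
                       for i, (_, new) in enumerate(pairs))
        report[ip] = {
            "moves": len(pairs),
            "macs": sorted({m for pair in pairs for m in pair}),
            "flipflop": flipflop,
            "min_bit_distance": min(mac_bit_distance(o, n) for o, n in pairs),
        }
    return report


# Constructed sample log. The first ipmon line and the first arp line copy
# the formats quoted in the thread; everything else is made up.
SAMPLE_LINES = [
    "Sep 22 19:39:20 server_name ipmon[84]: 19:39:20.251359 fxp0 @0:20 b "
    "192.168.1.20,137 -> 192.168.1.255,137 PR udp len 20 78 IN",
    "Oct 12 03:14:01 gw ipmon[84]: 03:14:01.000001 fxp0 @0:1 p "
    "192.0.2.7,51000 -> 198.51.100.10,80 PR tcp len 20 60 -S IN",
    "Oct 12 03:14:02 gw ipmon[84]: 03:14:02.000001 fxp0 @0:1 p "
    "192.0.2.7,51001 -> 198.51.100.10,443 PR tcp len 20 60 -S IN",
] + [  # one source sweeping 11 ports on one external address
    "Oct 12 03:15:%02d gw ipmon[84]: 03:15:%02d.000001 fxp0 @0:1 p "
    "203.0.113.5,%d -> 198.51.100.10,%d PR tcp len 20 60 -S IN" % (i, i, 40000 + i, port)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])
] + [
    "Oct  5 08:03:57 disco /kernel: arp: 192.168.100.2 moved from "
    "00:20:78:0d:5a:7f to 00:00:78:0d:5a:7f on de0",
    "Oct 12 10:00:01 disco /kernel: arp: 192.168.100.9 moved from "
    "00:0c:29:11:22:33 to 00:50:56:aa:bb:cc on de0",
    "Oct 12 10:00:05 disco /kernel: arp: 192.168.100.9 moved from "
    "00:50:56:aa:bb:cc to 00:0c:29:11:22:33 on de0",
    "Oct 12 10:00:09 disco /kernel: arp: 192.168.100.9 moved from "
    "00:0c:29:11:22:33 to 00:50:56:aa:bb:cc on de0",
]

if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_LINES)
    for (src, dst), ports in detect_port_scans(recs).items():
        print("possible port scan: %s -> %s ports %s" % (src, dst, ports))
    for ip, info in analyze_arp_moves(recs).items():
        print("arp %s: %d move(s), flip-flop=%s, min bit distance=%d" %
              (ip, info["moves"], info["flipflop"], info["min_bit_distance"]))
```

Run stand-alone it prints one line per flagged scan and one per moved IP; on a real gateway you would feed it the file ipmon or syslogd writes instead of SAMPLE_LINES. On the thread's own notice the report shows a single move with a bit distance of 1, which is what the transmission-error and dying-NIC explanations in the thread would predict, while the constructed 192.168.100.9 case shows the alternating pattern of two hosts claiming one address.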