From: Kris Kennaway
To: security@freebsd.org
Subject: Details of www.freebsd.org penetration
Date: Thu, 14 Dec 2000 07:06:49 -0800
Message-ID: <20001214070649.A25429@citusc.usc.edu>
User-Agent: Mutt/1.2i
Sender: kris@citusc.usc.edu

As promised, here are the details of the recent penetration of the
www.freebsd.org server.

As several people guessed, the initial penetration involved weaknesses in
the CGI scripts running on the website. This gained control of user
nobody, and then a local root vulnerability was leveraged to gain root
access to the machine.

As far as we could tell, the attackers' only action was to plant a
greeting on the main webpage. They contacted the security-officer
immediately describing the entry mechanism and the extent of their
activities, and while we do not believe any further malicious activity
was carried out, various protective measures were taken to sanitize the
compromised system, including an audit for all known security holes and
a complete system upgrade.

The www cgi scripts have since been audited by several people for other
vulnerabilities, four of which were found and corrected (I don't have
the exact details to hand).
All involved input validation errors which allowed a remote user to
execute commands as the user running the cgi scripts (user nobody).
There is still further work which is being done on the cgi scripts to
ensure greater safety (e.g. use of perl's taint mode), but the auditors
believe the problems have been fixed. There are also other changes
planned to improve the security of machines in the freebsd.org cluster
against future penetration attempts.

It's my understanding that none of the www.freebsd.org mirrors use the
CGI scripts, therefore this vulnerability is likely limited to the one
main server - but if anyone else has adapted freebsd CGI scripts for
their own purposes they are advised to catch up with recent changes.

Since the website contents are not a supported FreeBSD product an
advisory is not planned for these vulnerabilities.

Sorry for taking longer than promised to send this mail. I am currently
suffering under very reduced connectivity while back home in Australia
for the holidays. Thanks for everyone's patience.

Kris Kennaway
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOjjiBVUuHi5z0oilAQGPTAP/azr4NoB6RZEgdY6N347d6Hgo4sCpLvuD
3B1EUesjNKMai4tuvj3x8MYriyg+DZQ4VxruHUsDBQvY5AgHKzlCezIbjy6Z+R4C
owD08Hi/X0y8vuyf3nw5iKhJMRgwc0AmMIVv4VfSdya/KjpcRKeopORYbRnQOw3A
Ru8qcF63zZw=
=WrKi
-----END PGP SIGNATURE-----
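The bug class the mail describes (an input validation error in a CGI
script that lets a remote user run commands as the user the web server
runs as, nobody) and the mitigation it mentions (perl's taint mode), as an
added example. This is not the freebsd.org CGI code and does not reproduce
any of the four bugs the auditors found; the document root, the "page"
parameter and the script layout are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not the freebsd.org CGI scripts. The -T switch enables
# taint mode: every value that came from outside the program (%ENV,
# @ARGV, STDIN, file reads) is "tainted" and perl refuses to pass it to
# a sub-shell or any operation that changes the outside world until it
# has been laundered through a regex capture.
use strict;
use warnings;

# Taint mode also refuses to spawn a sub-shell with an untrusted PATH,
# so a CGI script must set its own and drop the shell's other hooks.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DOCROOT = '/usr/local/www/docs';   # assumed document root

# Parse a QUERY_STRING such as "page=index.html" into a hash. The values
# are derived from %ENV, so under -T they stay tainted after decoding.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, defined $qs ? $qs : '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        $v =~ s/\+/ /g;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        $p{$k} = $v;
    }
    return \%p;
}

# VULNERABLE pattern (the class of bug the mail describes): the request
# parameter is interpolated into a command line, so a request with
# page=x;id runs "id" as user nobody. Under -T this backtick call dies
# with "Insecure dependency in `` while running with -T switch" because
# $page is tainted, i.e. taint mode turns the injection into a refusal
# to run. Without -T it is a remote command execution.
sub serve_page_unsafe {
    my ($page) = @_;
    return `cat $DOCROOT/$page`;
}

# HARDENED: validate against a strict allowlist. A regex capture is the
# only way to untaint data, so the validation cannot be skipped. The
# pattern also rejects "../" traversal and every shell metacharacter.
sub untaint_page {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9_-]+\.html)\z/;
    return $clean;   # undef when the input did not match
}

# Serve the page without touching a shell at all; returns (status, body).
sub serve_page {
    my ($page) = @_;
    my $clean = untaint_page($page);
    return (400, "bad page parameter\n") unless defined $clean;
    open my $fh, '<', "$DOCROOT/$clean" or return (404, "not found\n");
    local $/;
    my $body = <$fh>;
    close $fh;
    return (200, $body);
}

# Behave as a CGI script when executed directly; stay quiet when required
# by another script so the functions above can be reused or tested.
unless (caller) {
    my $params = parse_query($ENV{QUERY_STRING});
    my ($status, $body) = serve_page($params->{page});
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$body";
}
```

Try it from a shell with QUERY_STRING='page=index.html' perl -T script.pl
and again with page=x;id: the hardened path answers 400 for the second
request, while calling serve_page_unsafe with the same tainted value makes
perl abort before /bin/sh ever sees the string. Taint mode is a safety net,
not the fix; the regex allowlist in untaint_page is what actually closes
the hole, which is why the mail lists taint mode as further work on top of
the audit rather than as the correction itself.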