Delivered-To: freebsd-questions@freebsd.org
From: "Ted Mittelstaedt"
To: "Tim Traver"
Cc: bsd
Date: Thu, 19 May 2005 22:18:43 -0700
Subject: RE: PAWS security vulnerability
In-Reply-To: <428CF69E.5050807@simplenet.com>
List-Id: User questions

Hi Tim,

If you don't have the ability to test out the patch then LEARN!

As the advisory said, "no known exploits have been released". I also noticed that the only 2 vendors listed as implementing a fix were Cisco and Microsoft. And Microsoft was NOT on the problem list for ANY of their patched OSs. I would therefore assume that the release of this so-called vulnerability was carefully timed to take place AFTER Microsoft had got its ass covered, to make them look good, and everyone else look bad. I continue therefore to assume that this is a political security hole, not an actual security hole.
OpenBSD is well known for knee-jerk reactions to real and supposed security holes, so it's not surprising they released a patch right away - of course, little good that did them since this advisory trashed them anyway. But knee-jerk reactions don't always take all variables into account. I rewrote their patch because it was simple and easy to apply to the FreeBSD source - but I did not write the networking code in FreeBSD and have no idea if it is correct, or if OpenBSD even wrote the fix properly, or if in fact this is a real vulnerability that anyone needs to be concerned about.

In theory, any flat-key lock can be picked in less than a minute (I've seen it done that fast, and done it myself somewhat more slowly) but that does not stop millions of them from being sold at Home Depot every year. If people went to a different type of lock that was much harder to pick then the burglar might not break in by picking the lock - but instead by kicking in the door, which has the side effect of destroying the door and frame, and there's a couple thousand bucks lost right there fixing that - and if all the burglar does is steal a $200 TV set, then you're better off with the pickable lock. The point is that any change in the networking code may have side effects that are worse than the problem.

I posted the patch in order to head off a big long dumbass trashing discussion, because I suspected you were trolling - but I was willing to give you the benefit of the doubt. If you were really concerned - such as if you worked for some company that had some stick-up-their-ass security officer that was bigger than his britches, and you had to have a fix RIGHT NOW - then this would have allowed you to apply the patch to shut up the bigger-than-britches security officer so you could continue about your business. In the meantime the networking and security group could have had a discussion about the PROPER way to handle this. Probably that's this patch, but maybe not.

Now I find what?
Well, it surely looks to me like I just spoiled your troll, so you're going to pretend it was no big deal, make a lame-ass excuse about how you really didn't need the patch anyway and can't apply it because you're incompetent, and fade into the woodwork.

I told you to post the patch and info to the appropriate FreeBSD security lists, and you aren't the least bit interested in doing what I told you. Why - because you were only interested in this silly hypothetical PAWS exploit as long as nobody could say "FreeBSD has a fix, shut up and apply it", so you can go urinate on the parade here. Now I just handed you a urinal, and you're going to run away and pee on someone else.

I don't want to see a fucking thing more from you unless it's: "Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and networking mailing lists and posted what I was given and this is what they said"

If you aren't willing to lift a finger to do that, you're a fucking troll. Don't waste anyone else's time here. Next time you ask for code, you better check out the going hourly rate for custom programming.

Ted

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Tim Traver
> Sent: Thursday, May 19, 2005 1:27 PM
> To: Ted Mittelstaedt
> Cc: bsd
> Subject: Re: PAWS security vulnerability
> Importance: Low
>
> Ted,
>
> Thanks for taking a look at this. I'm not sure I have the ability to
> test out your patch. Maybe someone else on this fine list can?
>
> But this sounds like a pretty severe DOS issue that seems to be
> relatively simple to implement.
>
> Do you know if the 5.x branch is affected by this as well?
>
> Tim.
>
> Ted Mittelstaedt wrote:
>
> >Hi Tim,
> >
> > Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
> >rewritten for FreeBSD 4.11. YMMV. If it works I would submit it to the
> >FreeBSD security list.
> >The only change I made is OpenBSD defines "tiflags", FreeBSD defines
> >"thflags"; I assume they are the same thing. The file is in
> >/usr/src/sys/netinet
> >
> >Turning off the timestamps would be a good way to make your network go
> >slow.
> >
> >*** tcp_input.c.original Thu May 19 11:52:30 2005
> >--- tcp_input.c Thu May 19 12:00:14 2005
> >***************
> >*** 976,984 ****
> >--- 976,992 ----
> > * record the timestamp.
> > * NOTE that the test is modified according
> to the latest
> > * proposal of the tcplw@cray.com list (Braden
> >1993/04/26).
> >+ * NOTE2 additional check added as a result of PAWS
> >vulnerability
> >+ * documented in Cisco security notice
> >cisco-sn-20050518-tcpts
> >+ * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
> > */
> > if ((to.to_flags & TOF_TS) != 0 &&
> > SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
> >+ if (SEQ_LEQ(tp->last_ack_sent,
> th->th_seq + tlen
> >+
> >+ ((thflags & (TH_SYN|TH_FIN)) != 0)))
> >+ tp->ts_recent = to.to_tsval;
> >+ else
> >+ tp->ts_recent = 0;
> > tp->ts_recent_age = ticks;
> > tp->ts_recent = to.to_tsval;
> > }
> >
> >Ted
> >
> >>-----Original Message-----
> >>From: owner-freebsd-questions@freebsd.org
> >>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Tim Traver
> >>Sent: Thursday, May 19, 2005 10:09 AM
> >>To: bsd
> >>Subject: PAWS security vulnerability
> >>
> >>Hi all,
> >>
> >>OK, this article was just published about a PAWS TCP DOS
> >>vulnerability, and lists FreeBSD 4.x as affected.
> >>
> >>http://www.securityfocus.com/bid/13676/info/
> >>
> >>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x?
> >>
> >>And is 5.4 affected too?
> >>
> >>Tim.
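Review bot: the new `if`/`else` in this hunk is undone by the unchanged context that follows it. `tp->ts_recent_age = ticks;` and `tp->ts_recent = to.to_tsval;` still run unconditionally inside the outer `if`, so the `else tp->ts_recent = 0;` branch is overwritten on the very next line and the added bound `SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0))` has no effect on what gets recorded. Fold that clause into the enclosing condition instead, i.e. `if ((to.to_flags & TOF_TS) != 0 && SEQ_LEQ(th->th_seq, tp->last_ack_sent) && SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0)))`, and keep the two assignments as its only body; a segment whose range does not reach `last_ack_sent` is then simply ignored and there is no need to zero `ts_recent` (which would also leave `ts_recent_age` freshly bumped for a value of 0). Separately, the hunk as quoted has been line-wrapped by the mailer (`> to the latest`, `> >vulnerability`, the split `th->th_seq + tlen` continuation), so it will need unwrapping before patch(1) can apply it.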
> >>
> >>_______________________________________________
> >>freebsd-questions@freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >>To unsubscribe, send any mail to
> >>"freebsd-questions-unsubscribe@freebsd.org"
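The check the quoted patch is trying to add is easier to see with the kernel specifics stripped away. The following is an added illustration written for this page; it is not code from the thread, from the OpenBSD patch or from the FreeBSD tree. The `conn` and `seg` structs, the functions `record_ts_original` and `record_ts_bounded`, and all sample values are constructed stand-ins for the `tcpcb`/`tcphdr` fields the real code touches; only the `SEQ_LEQ` macro is written in the same modular form FreeBSD's tcp_seq.h uses, so sequence-number wrap-around is handled the same way. The first function is the original test visible in the hunk's context lines (any timestamped segment starting at or before `last_ack_sent` gets its TSval recorded); the second is the bounded test the patch describes, where `last_ack_sent` must also fall inside the segment's range, counting a SYN or FIN as one sequence number.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Modular sequence-space comparison, same form as FreeBSD's tcp_seq.h,
 * so "a <= b" is evaluated correctly across the 2^32 wrap. */
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Assumed stand-in for the per-connection fields the check uses (not tcpcb). */
struct conn {
    tcp_seq  last_ack_sent;   /* highest ACK number we have sent */
    uint32_t ts_recent;       /* peer timestamp we echo back */
    uint32_t ts_recent_age;   /* tick count when ts_recent was recorded */
};

/* Assumed stand-in for the parsed fields of one inbound segment. */
struct seg {
    tcp_seq  th_seq;          /* sequence number of first byte */
    int      tlen;            /* payload length */
    int      thflags;         /* TH_* flag bits */
    int      has_ts;          /* segment carried a timestamp option (TOF_TS) */
    uint32_t tsval;           /* TSval from that option */
};

/* Original test from the hunk's context lines: any timestamped segment that
 * starts at or before last_ack_sent replaces ts_recent. Returns 1 if it did. */
int record_ts_original(struct conn *tp, const struct seg *s, uint32_t now)
{
    if (s->has_ts && SEQ_LEQ(s->th_seq, tp->last_ack_sent)) {
        tp->ts_recent_age = now;
        tp->ts_recent = s->tsval;
        return 1;
    }
    return 0;
}

/* Bounded test the patch describes: last_ack_sent must lie within
 * [th_seq, th_seq + tlen + (SYN or FIN present)], so a segment whose
 * sequence range does not actually cover our last ACK is ignored. */
int record_ts_bounded(struct conn *tp, const struct seg *s, uint32_t now)
{
    tcp_seq end = s->th_seq + (tcp_seq)s->tlen +
                  ((s->thflags & (TH_SYN | TH_FIN)) != 0);
    if (s->has_ts && SEQ_LEQ(s->th_seq, tp->last_ack_sent) &&
        SEQ_LEQ(tp->last_ack_sent, end)) {
        tp->ts_recent_age = now;
        tp->ts_recent = s->tsval;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed state: we last ACKed sequence 1000 and echo TSval 500. */
    struct conn orig = { 1000, 500, 0 }, bounded = { 1000, 500, 0 };

    /* Constructed segments: one covering seq 1000, one ending far before
     * it, and one whose range wraps past 2^32. */
    struct seg covering = { 990, 20, 0, 1, 7777 };
    struct seg stale    = { 100, 10, 0, 1, 9999 };
    struct seg wrapping = { 0xFFFFFFF0u, 32, 0, 1, 4242 };

    printf("covering: original=%d bounded=%d\n",
           record_ts_original(&orig, &covering, 1),
           record_ts_bounded(&bounded, &covering, 1));
    printf("stale:    original=%d bounded=%d\n",
           record_ts_original(&orig, &stale, 2),
           record_ts_bounded(&bounded, &stale, 2));
    printf("ts_recent after stale: original=%" PRIu32 " bounded=%" PRIu32 "\n",
           orig.ts_recent, bounded.ts_recent);

    /* Wrap-around case: last ACK just past zero, segment straddling 2^32. */
    orig.last_ack_sent = bounded.last_ack_sent = 5;
    printf("wrapping: original=%d bounded=%d\n",
           record_ts_original(&orig, &wrapping, 3),
           record_ts_bounded(&bounded, &wrapping, 3));
    return 0;
}
```

The `stale` segment is the case the two tests disagree on: the original test accepts it because 100 is at or before 1000, the bounded test rejects it because the segment's range ends at 110 and never reaches 1000, so the connection keeps echoing the TSval it recorded from the genuinely covering segment. The `wrapping` segment shows why the comparisons must stay modular: its end computes to 16 after the wrap, and `SEQ_LEQ` still orders 0xFFFFFFF0 before 5 and 5 before 16.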