| From | Sent On | Attachments |
|---|---|---|
| Vincent Poy | Jul 28, 1997 3:19 am | |
| Nicole H. | Jul 28, 1997 3:22 am | |
| Vincent Poy | Jul 28, 1997 4:39 am | |
| Robert Watson | Jul 28, 1997 5:36 am | |
| Nicole H. | Jul 28, 1997 5:40 am | |
| Eric Feillant | Jul 28, 1997 5:41 am | |
| David Holland | Jul 28, 1997 6:12 am | |
| Nicole H. | Jul 28, 1997 6:15 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 6:22 am | |
| Tomasz Dudziak | Jul 28, 1997 6:29 am | |
| Adam Shostack | Jul 28, 1997 6:39 am | |
| Guido van Rooij | Jul 28, 1997 6:52 am | |
| Garrett Wollman | Jul 28, 1997 7:04 am | |
| Robert Watson | Jul 28, 1997 7:56 am | |
| Robert Watson | Jul 28, 1997 7:59 am | |
| Ollivier Robert | Jul 28, 1997 8:16 am | |
| Robert Watson | Jul 28, 1997 8:48 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 8:50 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 8:54 am | |
| Rodney W. Grimes | Jul 28, 1997 8:55 am | |
| Adam Shostack | Jul 28, 1997 9:04 am | |
| Robert Watson | Jul 28, 1997 10:08 am | |
| Rodney W. Grimes | Jul 28, 1997 10:26 am | |
| Vincent Poy | Jul 28, 1997 10:59 am | |
| Vincent Poy | Jul 28, 1997 11:23 am | |
| Vincent Poy | Jul 28, 1997 11:27 am | |
| David Langford | Jul 28, 1997 11:30 am | |
| Vincent Poy | Jul 28, 1997 11:31 am | |
| Robert Watson | Jul 28, 1997 11:33 am | |
| Robert Watson | Jul 28, 1997 11:44 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:46 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:48 am | |
| Jonathan A. Zdziarski | Jul 28, 1997 11:49 am | |
| Vincent Poy | Jul 28, 1997 12:29 pm | |
| Robert Watson | Jul 28, 1997 12:29 pm | |
| Vincent Poy | Jul 28, 1997 12:38 pm | |
| Vincent Poy | Jul 28, 1997 12:48 pm | |
| Vincent Poy | Jul 28, 1997 12:54 pm | |
| Vincent Poy | Jul 28, 1997 12:56 pm | |
| Adam Shostack | Jul 28, 1997 1:04 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:15 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:16 pm | |
| Robert Watson | Jul 28, 1997 1:45 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:47 pm | |
| Jonathan A. Zdziarski | Jul 28, 1997 1:51 pm | |
| Robert Watson | Jul 28, 1997 1:54 pm | |
| Nate Williams | Jul 28, 1997 2:00 pm | |
| Ollivier Robert | Jul 28, 1997 2:07 pm | |
| Matthew N. Dodd | Jul 28, 1997 2:14 pm | |
| Karl Denninger | Jul 28, 1997 2:42 pm | |
| Vincent Poy | Jul 28, 1997 2:43 pm | |
| Vincent Poy | Jul 28, 1997 3:01 pm | |
| Vincent Poy | Jul 28, 1997 3:06 pm | |
| Jordan K. Hubbard | Jul 28, 1997 3:10 pm | |
| Subject: | Re: security hole in FreeBSD | |
|---|---|---|
| From: | Robert Watson (rob...@cyrus.watson.org) | |
| Date: | Jul 28, 1997 5:36:31 am | |
| List: | org.freebsd.freebsd-security | |
On Mon, 28 Jul 1997, Vincent Poy wrote:
> On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
> =)Well it is possible that he has recompiled /usr/bin/login for example.
> =)Something like:
> =)if(strcmp(username, "blahblah")==0)
> =){
> =)setuid(0);
> =)setgid(0);
> =)system("/bin/sh");
> =)}
> =)inserted does the job. You are then invisible to w and others... but not
> =)netstat i think...
>
> He wasn't invisible to netstat but he did do something that faked the hostname even in netstat.
In this case, the chances are he just inserted some dud DNS entries, or simply set his in-addr.arpa to something nasty. There's nothing one can do to prevent an authoritative name entry (trash or not) from being accepted in DNS or DNSsec. One thing I would like to see is logging of IP address *and* hostname in the logs. Both are useful, depending on the situation. Due to the nature of TCP, IP addresses are fairly useful in tracing an attack, but often, especially after a time delay, hostnames are the only way to easily contact the maintainer of the IP address. Hostname is also more useful in spotting attacks in the first place, as it's easy for a user to tell when they've logged in from somewhere they haven't :).
BTW, does anyone know if there is a secure logging protocol? Syslog on UDP seems a tad unreliable, not to mention opening one up to DoS. I log to a loghost, and that machine could easily suffer DoS from log flooding, etc. A simple signature arrangement using MD5 (HMAC?) similar to DNS TSIG would be easy enough to arrange, and far more secure. I assume someone, somewhere has written one, or implemented one, but I haven't been following the Internet Draft releases too closely.
> =)There was a security hole some time ago in perl that allowed local users
> =)to gain root access... That's probably the way he got root access...
> =)I would check my binaries, sup and recompile.
>
> Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have an account there in the first place?
I'd be tempted to look in all the normal places -- sendmail, etc. What daemons were running on the machine? Any web server processes? Also, I'd heavily suspect that he sniffed a password if no encrypted telnet/ssh is in use. Any use of NIS going on? Also, .rhosts arrangements can be extremely unhappy if we already know (s)he is messing with DNS entries.
Robert Watson
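Robert's signed-logging idea (a TSIG-style keyed MAC on every record sent to the loghost, plus a per-sender sequence number so a replayed or out-of-order record is rejected), worked through as an added Python example that is not from the thread. The shared key, hostnames and log lines are constructed, the record carries both IP address and hostname as the message above asks for, and HMAC-SHA256 stands in for the MD5-based MAC the message mentions.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice provisioned out of band to the
# sending host and the loghost, never sent over the wire.
SHARED_KEY = b"example-loghost-key-not-for-production"


def sign_record(key, seq, host, ip, msg):
    """Serialise one log record canonically and append a keyed MAC over it."""
    body = {"seq": seq, "host": host, "ip": ip, "msg": msg}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, canon, hashlib.sha256).hexdigest()
    return canon.decode() + " MAC=" + mac


class LogVerifier:
    """Loghost side: accept a record only if its MAC checks and its sequence
    number is strictly greater than the last one accepted from that host."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # host -> highest accepted sequence number

    def verify(self, line):
        canon, sep, mac = line.rpartition(" MAC=")
        if not sep:
            return (False, "unsigned")
        expected = hmac.new(self.key, canon.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return (False, "bad MAC")  # forged or altered in transit
        try:
            body = json.loads(canon)
        except ValueError:
            return (False, "malformed")
        host, seq = body["host"], body["seq"]
        if seq <= self.last_seq.get(host, -1):
            return (False, "replay or out of order")
        self.last_seq[host] = seq
        return (True, body)


def demo():
    """Constructed records: one genuine, one altered, one replayed, one genuine."""
    v = LogVerifier(SHARED_KEY)
    good = sign_record(SHARED_KEY, 1, "earth.example.net", "192.0.2.10",
                       "login: vince from 192.0.2.10")
    results = [v.verify(good)[0]]
    tampered = good.replace("192.0.2.10", "192.0.2.99", 1)  # source IP rewritten
    results.append(v.verify(tampered)[0])
    results.append(v.verify(good)[0])  # same record delivered a second time
    results.append(v.verify(sign_record(SHARED_KEY, 2, "earth.example.net",
                                        "192.0.2.10", "su: vince to root"))[0])
    return results
```

A flood of records without a valid MAC is dropped before any parsing, which blunts the log-flooding DoS the message worries about; the sequence check also makes a gap in the numbers visible when UDP loses records.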