Re: protection against buffer overflows
On Wed, 23 Jan 2002 18:03:26 -0500 (EST), Emmanuel Valliet [EMAIL PROTECTED] wrote:
> There was a good article of Aleph One on buffer overflows called 'Smashing the stack for fun and profit'. Phrack 49. Search the web and enjoy :)

I found this one to be quite informative too: http://www.cultdeadcow.com/cDc_files/cDc-351/

Spam Apology
To all:

Sorry about including the list in reply.

David.

Re: Re[2]: protection against buffer overflows
On Jan 23, [EMAIL PROTECTED] wrote:
> it indeed sounds VERY interesting (not only to me) :-) although I never dealt with special kernel modifications. But I'll give it a go..can anyone recommend any other kernel security patch sites? ..would be great!

the only thing you need to bear in mind is that all requests on non-open ports will timeout. Now this is exactly what you want, except for the ident service. Why, you ask? Every time you send an e-mail an ident request is made to your machine which normally fails saying connection refused or something. With the stealth patch this will time out, every e-mail will take at least 30 seconds to send before it actually even leaves your machine. This is solved by the 'nullident' server.

This is the only problem I had.

Alex

--
He is truly wise who gains wisdom from another's mishap.

Re: /bin/passwd as shell
On Thu, Jan 24, 2002 at 07:23:35AM +0100, martin f krafft wrote:
> also sprach Rob VanFleet
> > On this list (I believe) I saw someone mention the use of /bin/passwd as a shell for mail-only users so they can easily change their password without having to ask someone. Is this a secure option, or am I missing some glaring problems? If so, what are some other possible solutions?
>
> that was me, and no, no one has mentioned any bad aspects yet, other than your users having to type the old password twice. however, it's not the solution i am looking for, so i am implementing a highly secure way to do it over an SSL/TLS-encrypted webform with emphasis on minimization of root privilege needs. i'll post to the list when i am done.

Thanks, that would be great. I thought about some sort of CGI for that as well, but without spending more time on it than I have at the moment I figured it would be far less secure than a password-protected passwd. :) With proper taint checking it would probably be a better option.

-Rob

Re: /bin/passwd as shell
On Thu, Jan 24, 2002 at 11:17:59AM -0600, Rob VanFleet wrote:
> On Thu, Jan 24, 2002 at 07:23:35AM +0100, martin f krafft wrote:
> > also sprach Rob VanFleet
> > > On this list (I believe) I saw someone mention the use of /bin/passwd as a shell for mail-only users so they can easily change their password without having to ask someone. Is this a secure option, or am I missing some glaring problems? If so, what are some other possible solutions?
> >
> > that was me, and no, no one has mentioned any bad aspects yet, other than your users having to type the old password twice. however, it's not the solution i am looking for, so i am implementing a highly secure way to do it over an SSL/TLS-encrypted webform with emphasis on minimization of root privilege needs. i'll post to the list when i am done.
>
> Thanks, that would be great. I thought about some sort of CGI for that as well, but without spending more time on it than I have at the moment I figured it would be far less secure than a password-protected passwd. :) With proper taint checking it would probably be a better option.
>
> -Rob

i'm a new poster here, but one thing that strikes me is that the source to passwd should be hanging around somewhere. It wouldn't be incredibly difficult to make a custom version which does not ask for the original password, right? Then you could set it to be the login shell and it wouldn't ask for the password twice.

Just my $0.02,
Dave

--
gpg key: http://steadfast.2y.net/newweb/pgpkey.txt

Re: /bin/passwd as shell
Hi,

David N Moore wrote:
> i'm a new poster here, but one thing that strikes me is that the source to passwd should be hanging around somewhere. It wouldn't be incredibly difficult to make a custom version which does not ask for the original password, right? Then you could set it to be the login shell and it wouldn't ask for the password twice.

and then no user, who has a valid shell has to enter the old password from user x, when he wants to change the password of user x. perhaps even if x=root ;-)

be careful, when you don't ask for the old password!

bye
Ralf

Re: [d-security] Re: /bin/passwd as shell
On Thu, Jan 24, 2002 at 07:05:54PM +0100, Ralf Dreibrodt wrote:
> and then no user, who has a valid shell has to enter the old password from user x, when he wants to change the password of user x. perhaps even if x=root ;-)

You have to enter it once for the ssh daemon anyways. He just wanted to not have to enter it again for the passwd program. (of course he surely wanted to make sure somehow that normal users still have to enter their passwords prior to being able to change them...)

Ralf

bye,
-christian-

Re: protection against buffer overflows
And if one does:

    procedure example is
       type C_String_Type is array (1..10) of Character;
       a : C_String_type;
    begin
       a := ('1','2','3','4','5','6','7','8','9','A','B','C','D');
    end example;

then when compiling:

    % gnatmake example.adb
    gnatgcc -c example.adb
    example.adb:5:09: string literal too long for type c_string_type defined at line 2
    example.adb:5:09: static expression raises constraint_error
    gnatmake: example.adb compilation error

Preben

--
«Don't use C; In my opinion, C is a library programming language not an app programming language.» - Owen Taylor (GTK+ developer)
Use Ada 95, a free language. More info at http://www.adapower.com/

Re: /bin/passwd as shell
martin f krafft wrote:
> that was me, and no, no one has mentioned any bad aspects yet, other than your users having to type the old password twice. however, it's not the solution i am looking for, so i am implementing a highly secure way to do it over an SSL/TLS-encrypted webform with emphasis on minimization of root privilege needs. i'll post to the list when i am done.

I found something that claims to do this.

http://www.geocities.com/beradrian/soft/soft.html#cgipasswd

It claims to use PAM, and it should only be used over https for reasons that should be obvious.

Re: how to create MD5 passwords
Michael Wood [EMAIL PROTECTED] writes:
> On Thu, Jan 24, 2002 at 08:56:56AM +0100, Rainer Sigl wrote:
> > Hi everyone, please can somebody tell me how to make MD5 passwords in order to supply it to ftppasswd file?
>
> You just need to call the standard crypt() function with the appropriate arguments. You can use perl or python or C or whatever to do it. e.g.:

Also, in this particular python example, make sure the LC_CTYPE locale is set to 'C', or you might get weird characters in string.lowercase and string.uppercase... ;-)

> $ python

Make that:

    $ LC_CTYPE=C python

> Python 2.1.1 (#1, Nov 11 2001, 18:19:24)
> [GCC 2.95.4 20011006 (Debian prerelease)] on linux2
> Type "copyright", "credits" or "license" for more information.
> >>> import string
> >>> import random
> >>> import crypt
> >>> saltchars = string.uppercase + string.lowercase + string.digits + "./"
> >>> s = []
> >>> for i in range(8):
> ...     s.append(random.choice(saltchars))
> ...
> >>> salt = "$1$" + string.join(s, "")
> >>> passwd = "Password"
> >>> print crypt.crypt(passwd, salt)
> $1$e6TSyRDd$OcJO4kuY0I/mLED6n.tNi1

Phil.

RE:SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
Heh, what's funny is that SpamAssassin tagged this message you sent as spam and sent it to my spam folder.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bryan Andersen
Sent: Thursday, January 24, 2002 7:04 PM
To: [EMAIL PROTECTED]
Subject: *SPAM* SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)

[snip]

My ISP uses SpamAssassin and it works quite nicely. Not perfectly, but well enough that I like it. It's filtered out about 8M bytes of spam in the past 16 days. SpamAssassin puts some new headers into the message that tell its spam status.

Re: SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
On Fri, Jan 25, 2002 at 08:31:24AM +0100, Oliver M . Bolzer wrote:
> I've heard Razor is (configurable) part of SpamAssassin. I'd recommend disabling that check because somebody is tagging about 1/3 of Bugtraq mail in Razor thus sending it to the Spam folder.

Or you can add

    whitelist_from *@lists.debian.org

to your .spamassassin.cf file.

Luca

--
Luca Filipozzi
[dpkg] We are the apt. Resistance is futile. You will be packaged.

how to create MD5 passwords
Hi everyone,

please can somebody tell me how to make MD5 passwords in order to supply it to ftppasswd file?

Thanks
Rainer Sigl

Re: how to create MD5 passwords
On Thu, Jan 24, 2002 at 08:56:56AM +0100, Rainer Sigl wrote:
> Hi everyone, please can somebody tell me how to make MD5 passwords in order to supply it to ftppasswd file?

You just need to call the standard crypt() function with the appropriate arguments. You can use perl or python or C or whatever to do it.

e.g.:

    $ python
    Python 2.1.1 (#1, Nov 11 2001, 18:19:24)
    [GCC 2.95.4 20011006 (Debian prerelease)] on linux2
    Type "copyright", "credits" or "license" for more information.
    >>> import string
    >>> import random
    >>> import crypt
    >>> saltchars = string.uppercase + string.lowercase + string.digits + "./"
    >>> s = []
    >>> for i in range(8):
    ...     s.append(random.choice(saltchars))
    ...
    >>> salt = "$1$" + string.join(s, "")
    >>> passwd = "Password"
    >>> print crypt.crypt(passwd, salt)
    $1$e6TSyRDd$OcJO4kuY0I/mLED6n.tNi1

--
Michael Wood [EMAIL PROTECTED]

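An added example, not part of the original post: the "$1$" string that crypt() produces in the session above, computed with hashlib alone (the crypt module was removed from the Python standard library in 3.13), with the salt drawn from the secrets module instead of random. The function names are chosen for this example; "Password" is the sample value from the session.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"


def _to64(value, count):
    # crypt's base64 variant: 6 bits per character, least significant first
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5_crypt(password, salt):
    """Compute the "$1$" (MD5-based) crypt() string for password and salt."""
    salt = salt[:8]                      # the scheme uses at most 8 salt characters
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from [./0-9A-Za-z]")
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    for i in range(len(pw), 0, -16):     # one byte of alt per password byte
        ctx.update(alt[:min(i, 16)])
    n = len(pw)
    while n:                             # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed 1000 rounds of stretching
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out.append(_to64(final[a] << 16 | final[b] << 8 | final[c], 4))
    out.append(_to64(final[11], 2))
    return MAGIC + salt + "$" + "".join(out)


def new_salt(length=8):
    # secrets draws from the OS CSPRNG, unlike random.choice in the session above
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password, stored):
    """Recompute with the salt embedded in stored and compare in constant time."""
    parts = stored.split("$")            # expected: ["", "1", salt, hash]
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    try:
        candidate = md5_crypt(password, parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    entry = md5_crypt("Password", new_salt())   # sample password from the session
    print(entry, verify("Password", entry))
```
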
Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON
Hi,

Quoting James ([EMAIL PROTECTED]):
> We could start by blocking @aol.com =)

Or by all running good anti-spam measures and not replying to spam; I didn't even know it was there until people started replying to it, and i had to look up the original posting in my spam folder..

Greets,
Robert

--
Linux Generation
encrypted mail preferred. finger [EMAIL PROTECTED] for my GnuPG/PGP key.
Sodomy is a pain in the ass.

Re: protection against buffer overflows
Alvin Oga [EMAIL PROTECTED] wrote on 24/01/2002 (11:13) :
> hi ya ralf
>
> i would have thought that gcc would barf on b[20]='X' and similarly for the other variable assignments since its not prev allocated/defined.. and yet explicitly assigned (incorrectly??)...

Why there are no range tests in C. Let's do it in Ada 95 instead:

I have tried to make the code as similar to C as possible so it is a bit awkward Ada-wise but here goes:

Note I have written here the line numbers in front of the code so that it is easier to check with the compiler results.

file: example.adb

     1 with Ada.Text_IO; use Ada.Text_IO; -- equivalent to #include <stdio.h>
     2
     3 procedure example is
     4    -- Ada has its own String type, but let's do what the C example does.
     5    type C_String_Type is array (1..10) of Character;
     6
     7    a : C_String_type;
     8    b : C_String_type;
     9 begin
    10
    11    a := ('1','2','3','4','5','6','7','8','9', others => ' ');
    12    -- others => ' ' just means that the rest of the array will be
    13    -- filled with spaces.
    14
    15    -- Printing a becomes awkward as I didn't use the Ada Strings type
    16    -- in this example, but as you can see the for loop is nice.
    17
    18    Put ("a: ");
    19    for i in C_String_Type'Range loop
    20       Put (a(i));
    21    end loop;
    22
    23    New_Line;
    24
    25    -- Now the faulty code.
    26    b (20) := 'X';
    27    b (21) := 'Y';
    28    b (22) := 'Z';
    29
    30    -- No point in printing again as the code will never reach here.
    31 end example;

Now when compiling we get:

    % gnatmake example.adb
    gnatgcc -c example.adb
    example.adb:26:07: warning: value not in range of subtype of Standard.integer defined at line 5
    example.adb:26:07: warning: constraint_error will be raised at run time
    example.adb:27:07: warning: value not in range of subtype of Standard.integer defined at line 5
    example.adb:27:07: warning: constraint_error will be raised at run time
    example.adb:28:07: warning: value not in range of subtype of Standard.integer defined at line 5
    example.adb:28:07: warning: constraint_error will be raised at run time
    gnatbind -x example.ali
    gnatlink example.ali

And if one ignores the warnings and runs the program:

    % ./example
    a: 123456789

    raised CONSTRAINT_ERROR : example.adb:26

So as the compiler said the code would not run without a constraint error being raised at line 26 which is the faulty code.

Preben Randhol

--
«For me, Ada95 puts back the joy in programming.»

Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON
On Thu, Jan 24, 2002 at 09:34:35AM +0100, Robert van der Meulen wrote:
> Quoting James ([EMAIL PROTECTED]):
> > We could start by blocking @aol.com =)
>
> Or by all running good anti-spam measures and not replying to spam; I didn't even know it was there until people started replying to it, and i had to look up the original posting in my spam folder..

That's unfortunately not the solution.

    [EMAIL PROTECTED]:~$ ls -l .mail/junk
    -rw---1 srittau srittau 2766614 24. Jan 09:39 .mail/junk
    [EMAIL PROTECTED]:~$

And that's only the SPAM mail from this year. I have to download this over a 56kBit link and I pay by the minute.

- Sebastian

SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
Sebastian Rittau wrote:
> On Thu, Jan 24, 2002 at 09:34:35AM +0100, Robert van der Meulen wrote:
> > Quoting James ([EMAIL PROTECTED]):
> > > We could start by blocking @aol.com =)
> >
> > Or by all running good anti-spam measures and not replying to spam; I didn't even know it was there until people started replying to it, and i had to look up the original posting in my spam folder..
>
> That's unfortunately not the solution.
>
> [EMAIL PROTECTED]:~$ ls -l .mail/junk
> -rw---1 srittau srittau 2766614 24. Jan 09:39 .mail/junk
> [EMAIL PROTECTED]:~$
>
> And that's only the SPAM mail from this year. I have to download this over a 56kBit link and I pay by the minute.

My ISP uses SpamAssassin and it works quite nicely. Not perfectly, but well enough that I like it. It's filtered out about 8M bytes of spam in the past 16 days. SpamAssassin puts some new headers into the message that tell its spam status.

    X-Spam-Status: No, hits=0 required=6 tests= version=2.0

is the spam status header for the message I'm replying to.

This is the spam status headers from a spam message:

    X-Spam-Status: Yes, hits=18 required=6 tests=INVALID_DATE_NO_TZ,NONEXISTENT_CHARSET,EXCUSE_3,EXCUSE_7,REPLY_REMOVE_SUBJECT,REMOVE_SUBJ,TO_BE_REMOVED_REPLY,CHARSET_FARAWAY,DATE_IN_FUTURE,RCVD_IN_5_10,RCVD_IN_OUT_ORBZ version=2.0
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 2.0 (devel $Id: SpamAssassin.pm,v 1.51 2001/12/19 05:20:44 jmason Exp $)
    X-Spam-Report: 18.7 hits, 6 required;
      * 2.0 -- Invalid Date: header (no timezone)
      * 2.0 -- Character set doesn't exist
      * 2.5 -- BODY: Claims you can be removed from the list
      * 0.1 -- BODY: Claims you can be removed from the list
      * 0.1 -- BODY: List removal information
      * 3.3 -- BODY: List removal information
      * 1.7 -- BODY: Says: to be removed, reply via email or similar
      * 3.0 -- Character set indicates a foreign language
      * 2.0 -- Date: is in the future or unparseable
      * 1.0 -- Received via a relay in blackholes.five-ten-sg.com [RBL check: found 4.84.114.211.blackholes.five-ten-sg.com.]
      * 1.0 -- Received via a relay in outputs.orbz.org [RBL check: found 101.156.42.208.outputs.orbz.org.]

I still end up downloading the spam, but I know it is possible for an email program to filter on the headers before downloading the body of the message. It would be even nicer if Debian filtered on it and rejected messages that it marks as spam. It wouldn't be perfect, but it would cut down on a lot of them.

--
| Bryan Andersen | [EMAIL PROTECTED] | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| Linux, the OS Microsoft doesn't want you to know about.. |
| -Bryan Andersen |

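An added example, not part of the message above: one way a mail client could act on these headers alone, parsing X-Spam-Status (including a folded tests= list) and X-Spam-Flag in the format shown. The function names and the two sample header blocks are constructed for this example; the field layout is the SpamAssassin 2.0 one quoted in the message.

```python
import re
from email import message_from_string, policy

VERDICT_RE = re.compile(r"^\s*(yes|no)\s*,?\s*(.*)$", re.IGNORECASE | re.DOTALL)
# key=value pairs; a value runs until the next " key=" or the end of the header
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", re.DOTALL)


def parse_spam_status(value):
    """Parse 'Yes, hits=18 required=6 tests=A,B version=2.0' into a dict."""
    match = VERDICT_RE.match(value)
    if not match:
        return None
    fields = {k.lower(): v for k, v in FIELD_RE.findall(match.group(2))}
    try:
        hits, required = float(fields["hits"]), float(fields["required"])
    except (KeyError, ValueError):
        return None                      # malformed header: treat as not scanned
    tests = [t.strip() for t in fields.get("tests", "").split(",") if t.strip()]
    return {"spam": match.group(1).lower() == "yes", "hits": hits,
            "required": required, "tests": tests}


def classify(raw_headers):
    """Return (verdict, details) from the header block; no body is needed."""
    msg = message_from_string(raw_headers, policy=policy.default)  # unfolds headers
    status = msg.get("X-Spam-Status")
    details = parse_spam_status(str(status)) if status is not None else None
    if details is None:
        return "unscanned", None
    flagged = str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES"
    return ("spam" if details["spam"] or flagged else "ham"), details


# Constructed sample header blocks in the format quoted in the message.
SPAM_HEADERS = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "X-Spam-Status: Yes, hits=18 required=6\n"
    "\ttests=INVALID_DATE_NO_TZ,NONEXISTENT_CHARSET,\n"
    "\tDATE_IN_FUTURE,RCVD_IN_OUT_ORBZ version=2.0\n"
    "X-Spam-Flag: YES\n"
    "\n"
)
HAM_HEADERS = (
    "From: list@example.invalid\n"
    "X-Spam-Status: No, hits=0 required=6 tests= version=2.0\n"
    "\n"
)

if __name__ == "__main__":
    for block in (SPAM_HEADERS, HAM_HEADERS):
        print(classify(block))
```
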