Re: makedev: /dev/tty([0-9])* should not have 666 permissions
On Tue, Apr 20, 2004 at 11:40:13AM +1000, Russell Coker wrote:
> On Tue, 20 Apr 2004 07:50, Jan Minar <[EMAIL PROTECTED]> wrote:
> > It seems like they should be 660, not 600, as I suggested (wall(1) and
> > talkd(1) would break otherwise, probably).
>
> What prevents wall from sending those escape sequences?

Good intentions of its coders -- they are filtered out (or they should
be). Both talkd & wall are sgid tty, and they are controlled channels of
writing things to the user terminal(s). The user can dismiss them by
``mesg n''. Maybe the escape sequences should be banned altogether, but
even then wall & talkd should be allowed to do their job.

-- 
"To me, clowns aren't funny. In fact, they're kind of scary. I've
wondered where this started and I think it goes back to the time I went
to the circus, and a clown killed my dad."
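The filtering Jan refers to, written out as an added example (not wall's, talkd's or the Linux console driver's own code): a sanitizer that removes ESC- and 8-bit C1-introduced control sequences, including the console-switch sequence quoted in this thread, from text before a wall-style program writes it to another user's terminal. The sequence grammar assumed is ECMA-48 (CSI, OSC/DCS-style strings, two-byte escapes).

```python
"""Strip terminal control sequences from text destined for someone else's
terminal.  Added example; not code from wall, talkd or the kernel.
Assumes ECMA-48 structure: ESC [ params intermediates final (CSI),
ESC ] ... BEL or ESC \\ (OSC and the other string controls), ESC +
intermediates + final (other escapes), and the 8-bit C1 forms 0x9B/0x9D.
"""

ESC = "\x1b"
BEL = "\x07"
KEEP_CONTROLS = {"\n", "\t"}      # the only C0 controls passed through


def _skip_csi(s, i):
    """Index just past a CSI sequence whose parameter bytes start at s[i]."""
    n = len(s)
    while i < n and 0x30 <= ord(s[i]) <= 0x3F:   # parameters: 0-9 ; : < = > ?
        i += 1
    while i < n and 0x20 <= ord(s[i]) <= 0x2F:   # intermediates
        i += 1
    # final byte 0x40-0x7E, e.g. the ']' that ends ESC[12;63] on the console;
    # a truncated sequence simply swallows the rest of the text
    return i + 1 if i < n else n


def _skip_string(s, i):
    """Index just past an OSC/DCS/PM/APC string starting at s[i]."""
    n = len(s)
    while i < n:
        if s[i] == BEL or s[i] == "\x9c":                   # BEL or 8-bit ST
            return i + 1
        if s[i] == ESC and i + 1 < n and s[i + 1] == "\\":  # 7-bit ST
            return i + 2
        i += 1
    return n


def sanitize(text):
    """Return text with every control sequence and stray control char removed."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        code = ord(ch)
        if ch == ESC:
            if i + 1 >= n:          # dangling ESC at the end: drop it
                break
            nxt = text[i + 1]
            if nxt == "[":
                i = _skip_csi(text, i + 2)
            elif nxt in "]P^_X":
                i = _skip_string(text, i + 2)
            else:                    # ESC (0x20-0x2F)* final(0x30-0x7E)
                j = i + 1
                while j < n and 0x20 <= ord(text[j]) <= 0x2F:
                    j += 1
                i = j + 1
            continue
        if code == 0x9B:                          # 8-bit CSI
            i = _skip_csi(text, i + 1)
            continue
        if code in (0x90, 0x98, 0x9D, 0x9E, 0x9F):  # 8-bit DCS/SOS/OSC/PM/APC
            i = _skip_string(text, i + 1)
            continue
        if (code < 0x20 and ch not in KEEP_CONTROLS) or code == 0x7F \
                or 0x80 <= code <= 0x9F:
            i += 1                                # other C0/C1 controls, DEL
            continue
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # constructed sample: the thread's console-switch sequence plus a banner
    msg = "\x1b[12;63]Morning, Mister root, welcome to a jail 8-)\n"
    print(repr(sanitize(msg)))
```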
Re: makedev: /dev/tty([0-9])* should not have 666 permissions
On Tue, 20 Apr 2004 07:50, Jan Minar <[EMAIL PROTECTED]> wrote:
> It seems like they should be 660, not 600, as I suggested (wall(1) and
> talkd(1) would break otherwise, probably).

What prevents wall from sending those escape sequences?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 11:18:51PM +0200, Jan Minar wrote:
> It's not about Eterm, or the console.c in Linux, or the tty permissions,
> it's about the bigger picture.

The bigger picture is that there are security problems and there are
security problems. The only specific problem you pointed out is just not
a big deal.

Mike Stone
Re: [SECURITY] [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386)
On Mon, Apr 19, 2004 at 06:40:35PM +0200, Jan Minar wrote:
> Could You tell us what _exactly_ happened? (DWN cover-story ;-)) Are
> there no testsuites/scripts to ensure basic sanity of the packages being
> built? Or what _exactly_ was the mistake (I'm personally interested in
> the security weaknesses of the build process).

Some masochistic part of me really wants to know how you can twist a
broken package build, missing a bunch of files, into a "security
weakness".

-- 
 - mdz
Re: makedev: /dev/tty([0-9])* should not have 666 permissions
Hi, Phillip!

Thanks for a storm-swift reply 8-)

It seems like they should be 660, not 600, as I suggested (wall(1) and
talkd(1) would break otherwise, probably).

On Mon, Apr 19, 2004 at 05:26:25PM -0400, Phillip Hofmeister wrote:
> yes, the others are 666. Does it matter? Are they used or just
> pointless character devices?

Yes, thanks to the escape sequences they are a backdoor to the system;
(don't) try the sploit below, it would keep changing the terminal to
/dev/tty63 so fast, you won't be able to switch back or kill the
offender, not even as root. The only remedy would be to connect to the
comp from another terminal (serial, ssh, ...). On many systems, the only
remedy would be to reboot.

Although this is of course possible to do locally, the 666 permissions
allow doing this *remotely*; even with a guest account, for example. Or
in an at(1) entry, or crontab.

I'm getting more and more convinced this should be tagged critical.

> On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> > > > > % ssh kh
> > > > > [EMAIL PROTECTED]'s password:
> > > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done

The last line is important.

-- 
"To me, clowns aren't funny. In fact, they're kind of scary. I've
wondered where this started and I think it goes back to the time I went
to the circus, and a clown killed my dad."
Re: [SECURITY] [DSA 483-1] New mysql packages fix insecure temporary file creation
Hello

On Mon, 19 Apr 2004 08:57:39 +0200 (CEST) Tomas Pospisek wrote:
> * mysql unstable (4.0.18-4) changelog says:
>
> > Applied fix for improbable tempfile-symlink security problem in
> > mysqlbug reported by Shaun Colley on bugtraq on 2004-03-24.
>
> but doesn't mention the CAN numbers.

One upload has accidentally not been uploaded; the current version in
unstable should be 4.0.18-7, which fixes both bugs and also mentions the
CAN numbers.

> *t

thanks,
-christian- <[EMAIL PROTECTED]>
Re: makedev: /dev/tty([0-9])* should not have 666 permissions
[EMAIL PROTECTED]:~$ ls -l /dev/tty0
crw---    1 root root 4, 0 Jul 19  2002 /dev/tty0
[EMAIL PROTECTED]:~$ ls -l /dev/tty1
crw---    1 root root 4, 1 Apr 18 21:03 /dev/tty1
[EMAIL PROTECTED]:~$ ls -l /dev/tty2
crw---    1 root root 4, 2 Apr 18 21:03 /dev/tty2
[EMAIL PROTECTED]:~$ ls -l /dev/tty3
crw---    1 root root 4, 3 Apr 18 21:03 /dev/tty3
[EMAIL PROTECTED]:~$ ls -l /dev/tty4
crw---    1 root root 4, 4 Apr 18 21:03 /dev/tty4
[EMAIL PROTECTED]:~$ ls -l /dev/tty5
crw---    1 root root 4, 5 Apr 18 21:03 /dev/tty5
[EMAIL PROTECTED]:~$ ls -l /dev/tty6
crw---    1 root root 4, 6 Apr 18 21:03 /dev/tty6

yes, the others are 666. Does it matter? Are they used or just
pointless character devices?

On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> Package: makedev
> Version: 2.3.1-58
> Severity: important
> Tags: security
>
> Hi
>
> Please check the permissions of /dev/tty([0-9])*, they seem to be a
> free-for-all, which is no good.
>
> Thanks to Stephen Gran for telling me who to bug.
>
> The following patch would do, afaict:
>
> --- /sbin/MAKEDEV.ORIG Mon Apr 19 22:58:21 2004
> +++ /sbin/MAKEDEV Mon Apr 19 22:58:39 2004
> @@ -14,7 +14,7 @@
> private=" root root 0600"
> system=" root root 0660"
> kmem=" root kmem 0640"
> -tty=" root tty0666"
> +tty=" root tty0600"
> cons=" root tty0600"
> vcs=" root root 0600"
> dialout=" root dialout 0660"
>
> This is the discussion on debian-security that led to this bug report:
>
> On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> > This one time, at band camp, Matt Zimmerman said:
> > > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > > % ssh kh
> > > > [EMAIL PROTECTED]'s password:
> > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> > >
> > > The relevant permissions are more restrictive with udev:
> > >
> > > crw---    1 root root 4, 63 2004-03-17 16:23 /dev/tty63
> >
> > And on a newly installed sid box:
> > crw---    1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
> >
> > No udev here. Previous installs may have had bad permissions, but
> > current ones do not. Perhaps, Jan, if you're interested, file a bug
> > against makedev or one of the other associated packages, asking them to
> > check the permissions on these devices on upgrade, and correct if
> > necessary. Seems trivial enough to do. A patch would probably not
> > hurt.
>
> -- System Information
> Debian Release: 3.0
> Architecture: i386
> Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
> Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2
>
> Versions of packages makedev depends on:
> ii  base-passwd  3.4.1  Debian Base System Password/Group

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
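An added example (not from makedev, the bug report or Phillip's message): an audit that reads `ls -l` lines like the ones above and flags console nodes with the world-writable default the report complains about, plus a live variant over /dev. The policy is an assumption: a node is reported when "other" can write, or when the group can write and the group is not tty (the group wall and talkd run as); the sample lines are constructed.

```python
"""Audit virtual-console device nodes for the world-writable default.

Added example, not part of makedev or the bug report.  Policy (an
assumption, see the lead-in): flag a character device when others can
write to it, or when its group can write and that group is not "tty".
"""
import glob
import os
import re
import stat

# "crw-rw-rw-    1 root  tty   4,  63 Mar 23 16:49 /dev/tty63"
LS_LINE = re.compile(
    r"^([bcdlps-][rwxstST-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(/dev/\S+)$")


def symbolic_to_octal(mode):
    """'crw-rw-rw-' -> 0o666 (setuid/setgid/sticky bits are not modelled)."""
    bits = 0
    for ch in mode[1:]:
        bits = (bits << 1) | int(ch not in "-ST")   # s/t imply x; S/T do not
    return bits


def is_misconfigured(octal, group):
    others_write = bool(octal & stat.S_IWOTH)
    group_write = bool(octal & stat.S_IWGRP)
    return others_write or (group_write and group != "tty")


def audit_ls_output(lines):
    """Return [(path, 'NNNN'), ...] for character-device lines breaking policy."""
    findings = []
    for line in lines:
        m = LS_LINE.match(line.rstrip())
        if not m or not m.group(1).startswith("c"):
            continue                           # not a character device line
        mode, _owner, group, path = m.groups()
        octal = symbolic_to_octal(mode)
        if is_misconfigured(octal, group):
            findings.append((path, "%04o" % octal))
    return findings


def audit_live(pattern="/dev/tty[0-9]*"):
    """Same policy against the running system (needs read access to /dev)."""
    import grp                                 # POSIX only, hence local import
    findings = []
    for path in sorted(glob.glob(pattern)):
        st = os.lstat(path)
        if not stat.S_ISCHR(st.st_mode):
            continue
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        perm = stat.S_IMODE(st.st_mode)
        if is_misconfigured(perm, group):
            findings.append((path, "%04o" % perm))
    return findings


# Constructed sample in the format ls -l prints: a root-only console, a
# console handed to a logged-in user (0620 root:tty style), the 0666
# default from the bug report, a 0660 node with the wrong group, and a
# block device that the audit must ignore.
SAMPLE_LS = [
    "crw-------    1 root     root       4,   0 Jul 19  2002 /dev/tty0",
    "crw--w----    1 jan      tty        4,   1 Apr 19 05:00 /dev/tty1",
    "crw-rw-rw-    1 root     tty        4,  63 Mar 23 16:49 /dev/tty63",
    "crw-rw----    1 root     root       4,  62 Mar 23 16:49 /dev/tty62",
    "brw-rw----    1 root     disk       3,   0 Mar 23 16:49 /dev/hda",
]

if __name__ == "__main__":
    for path, mode in audit_ls_output(SAMPLE_LS):
        print("%s is %s" % (path, mode))
```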
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 01:07:59PM -0700, Matt Zimmerman wrote:
> On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
>
> > And as a part of this community, I am...
> > [doing more pointing and whining]

We are going astray. Maybe a time to rephrase...

We have security issues in Debian stable every interested party knows
about (that posting was on bugtraq a year ago), except for the Debian
users, and the Security Team.

It's not about Eterm, or the console.c in Linux, or the tty permissions,
it's about the bigger picture.

Now I shut up.

Jan.

-- 
"To me, clowns aren't funny. In fact, they're kind of scary. I've
wondered where this started and I think it goes back to the time I went
to the circus, and a clown killed my dad."
makedev: /dev/tty([0-9])* should not have 666 permissions
Package: makedev
Version: 2.3.1-58
Severity: important
Tags: security

Hi

Please check the permissions of /dev/tty([0-9])*, they seem to be a
free-for-all, which is no good.

Thanks to Stephen Gran for telling me who to bug.

The following patch would do, afaict:

--- /sbin/MAKEDEV.ORIG Mon Apr 19 22:58:21 2004
+++ /sbin/MAKEDEV Mon Apr 19 22:58:39 2004
@@ -14,7 +14,7 @@
private=" root root 0600"
system=" root root 0660"
kmem=" root kmem 0640"
-tty=" root tty0666"
+tty=" root tty0600"
cons=" root tty0600"
vcs=" root root 0600"
dialout=" root dialout 0660"

This is the discussion on debian-security that led to this bug report:

On Mon, Apr 19, 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > % ssh kh
> > > [EMAIL PROTECTED]'s password:
> > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> >
> > The relevant permissions are more restrictive with udev:
> >
> > crw---    1 root root 4, 63 2004-03-17 16:23 /dev/tty63
>
> And on a newly installed sid box:
> crw---    1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
>
> No udev here. Previous installs may have had bad permissions, but
> current ones do not. Perhaps, Jan, if you're interested, file a bug
> against makedev or one of the other associated packages, asking them to
> check the permissions on these devices on upgrade, and correct if
> necessary. Seems trivial enough to do. A patch would probably not
> hurt.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages makedev depends on:
ii  base-passwd  3.4.1  Debian Base System Password/Group
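Review bot: the replacement line `+tty=" root tty0600"` drops group write together with world write from the tty class, yet the class stays owned by group tty, so the sgid-tty writers this thread relies on (wall, talkd) lose their write path; 0660, which the reporter himself suggests later in the thread, closes the world-writable hole while keeping group tty access. Separately, the hunk only changes the default MAKEDEV applies when it creates nodes: the check-and-correct on upgrade that Stephen Gran's quoted reply asks for is not in the patch, so nodes already present on an installed system stay at 0666 until MAKEDEV is re-run.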
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
I believe that the permissions are changed to allow a logged-in user to
access that terminal. The permissions are handled and reset by the
appropriate login service.

[EMAIL PROTECTED]:~$ ls -lh /dev/pts/3
crw---    1 plhofmei tty 136, 3 Apr 19 16:47 /dev/pts/3
[EMAIL PROTECTED]:~$

Other than that... I have always noted the /dev/tty and /dev/pts devices
to always be secured and owned by root. I have been using Debian since
Potato-- (been so long, I forgot what the code name was...)

On Mon, 19 Apr 2004 at 04:15:41PM -0400, Stephen Gran wrote:
> This one time, at band camp, Matt Zimmerman said:
> > On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > > % ssh kh
> > > [EMAIL PROTECTED]'s password:
> > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
> >
> > The relevant permissions are more restrictive with udev:
> >
> > crw---    1 root root 4, 63 2004-03-17 16:23 /dev/tty63
>
> And on a newly installed sid box:
> crw---    1 root tty 4, 63 2004-03-23 16:49 /dev/tty63
>
> No udev here. Previous installs may have had bad permissions, but
> current ones do not. Perhaps, Jan, if you're interested, file a bug
> against makedev or one of the other associated packages, asking them to
> check the permissions on these devices on upgrade, and correct if
> necessary. Seems trivial enough to do. A patch would probably not
> hurt.
>
> -- 
>  -------------------------------------------------------------
> |  ,''`.  Stephen Gran                                        |
> | : :' :  [EMAIL PROTECTED]                                   |
> | `. `'   Debian user, admin, and developer                   |
> |   `-    http://www.debian.org                               |
>  -------------------------------------------------------------

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
This one time, at band camp, Matt Zimmerman said:
> On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > % ssh kh
> > [EMAIL PROTECTED]'s password:
> > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
>
> The relevant permissions are more restrictive with udev:
>
> crw---    1 root root 4, 63 2004-03-17 16:23 /dev/tty63

And on a newly installed sid box:
crw---    1 root tty 4, 63 2004-03-23 16:49 /dev/tty63

No udev here. Previous installs may have had bad permissions, but
current ones do not. Perhaps, Jan, if you're interested, file a bug
against makedev or one of the other associated packages, asking them to
check the permissions on these devices on upgrade, and correct if
necessary. Seems trivial enough to do. A patch would probably not
hurt.

-- 
 -------------------------------------------------------------
|  ,''`.  Stephen Gran                                        |
| : :' :  [EMAIL PROTECTED]                                   |
| `. `'   Debian user, admin, and developer                   |
|   `-    http://www.debian.org                               |
 -------------------------------------------------------------
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> And as a part of this community, I am...
> [doing more pointing and whining]

Did you miss the bit where I said that didn't help?

> Haha, I can feel the free spirit of the computer labs of the late
> sixties:
>
> /usr/src/linux/drivers/char/console.c:
> >>>			case 12: /* bring specified console to the front */
> >>>				if (par[1] >= 1 && vc_cons_allocated(par[1]-1))
> >>>					set_console(par[1] - 1);
> >>>				break;
>
> % ssh kh
> [EMAIL PROTECTED]'s password:
> Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> % while :; do echo -e '\033[12;63]' > /dev/tty63; done

The relevant permissions are more restrictive with udev:

crw---    1 root root 4, 63 2004-03-17 16:23 /dev/tty63

So this is a makedev bug, or a devfsd bug, or both. Oddly enough, though,
I don't see a bug report from you (or anyone else) against either
package. This would seem to further reinforce my impression so far, which
is that your intention is to make a lot of noise without doing any work.
Reporting a bug is a very small amount of effort, approximately the same
as that required for you to post this message, but much more useful.

> This is a *known issue*. It just seems there is no will to fix this...
> for over a decade. If Debian is going to be as insecure as this, why
> don't all the Security Team take a long pleasurable holiday, after all?

Debian didn't have a release a decade ago, nor a bug tracking system, nor
a security team. So to whom exactly did you make this *issue* *known*
within Debian a decade ago? Or at any other time?

-- 
 - mdz
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 11:18:41AM -0700, Matt Zimmerman wrote:
> On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
>
> > Come on, Matt: Virtually all terminal emulators are vulnerable, and the
> > vulnerability is common knowledge. The abovementioned paper was on
> > Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do
> > something about it themselves (filing RC bugs at least)?
>
> You are part of a community, not somebody purchasing a service. Take some
> initiative and contribute.

And as a part of this community, I am saying right now: We have a big
problem, and the problem is we don't deal with security issues known for
decades, while happily convincing newcomers our system is fairly secure.
It's not.

Haha, I can feel the free spirit of the computer labs of the late
sixties:

/usr/src/linux/drivers/char/console.c:
>>>			case 12: /* bring specified console to the front */
>>>				if (par[1] >= 1 && vc_cons_allocated(par[1]-1))
>>>					set_console(par[1] - 1);
>>>				break;

% ssh kh
[EMAIL PROTECTED]'s password:
Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
% echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
% while :; do echo -e '\033[12;63]' > /dev/tty63; done

> The security team does not have the resources to audit Debian, and can
> barely keep up with new issues as they become known. Pointing and whining
> doesn't help.

This is a *known issue*. It just seems there is no will to fix this...
for over a decade. If Debian is going to be as insecure as this, why
don't all the Security Team take a long pleasurable holiday, after all?

-- 
Q: You can't just shoot someone like that. Everyone has their inalienable
human rights, even the criminal. Was it really necessary to shoot?
A: Certainly not. They could have caught him and kicked him to death.
Re: Eterm & others allow arbitrary command execution via escape sequences [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
> Come on, Matt: Virtually all terminal emulators are vulnerable, and the
> vulnerability is common knowledge. The abovementioned paper was on
> Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do
> something about it themselves (filing RC bugs at least)?

You are part of a community, not somebody purchasing a service. Take some
initiative and contribute. The security team does not have the resources
to audit Debian, and can barely keep up with new issues as they become
known. Pointing and whining doesn't help.

--
 - mdz
Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
This one time, at band camp, Matt Zimmerman said:
> On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> > % ssh kh
> > [EMAIL PROTECTED]'s password:
> > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > % while :; do echo -e '\033[12;63]' > /dev/tty63; done
>
> The relevant permissions are more restrictive with udev:
>
> crw--- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63

And on a newly installed sid box:
crw--- 1 root tty 4, 63 2004-03-23 16:49 /dev/tty63

No udev here. Previous installs may have had bad permissions, but
current ones do not. Perhaps, Jan, if you're interested, file a bug
against makedev or one of the other associated packages, asking them to
check the permissions on these devices on upgrade, and correct if
necessary. Seems trivial enough to do. A patch would probably not
hurt.

--
Stephen Gran | [EMAIL PROTECTED]
Debian user, admin, and developer | http://www.debian.org
Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 09:31:27PM +0200, Jan Minar wrote:
> And as a part of this community, I am...
> [doing more pointing and whining]

Did you miss the bit where I said that didn't help?

> Haha, I can feel the free spirit of the computer labs of the late
> sixties:
>
> /usr/src/linux/drivers/char/console.c:
> >>> case 12: /* bring specified console to the front */
> >>>     if (par[1] >= 1 && vc_cons_allocated(par[1]-1))
> >>>         set_console(par[1] - 1);
> >>>     break;
>
> % ssh kh
> [EMAIL PROTECTED]'s password:
> Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> % while :; do echo -e '\033[12;63]' > /dev/tty63; done

The relevant permissions are more restrictive with udev:

crw--- 1 root root 4, 63 2004-03-17 16:23 /dev/tty63

So this is a makedev bug, or a devfsd bug, or both. Oddly enough, though,
I don't see a bug report from you (or anyone else) against either package.
This would seem to further reinforce my impression so far, which is that
your intention is to make a lot of noise without doing any work.
Reporting a bug is a very small amount of effort, approximately the same
as that required for you to post this message, but much more useful.

> This is a *known issue*. It just seems there is no will to fix this...
> for over a decade. If Debian is going to be as insecure as this, why
> don't all the Security Team take a long pleasurable holiday, after all?

Debian didn't have a release a decade ago, nor a bug tracking system, nor
a security team. So to whom exactly did you make this *issue* *known*
within Debian a decade ago? Or at any other time?

--
 - mdz
Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 09:32:47AM -0700, Matt Zimmerman wrote:
> On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote:
> > On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
> > > untrusted source. This is a fundamental Unix feature (or flaw). Terminal
> > > control sequences may be contained in the data.
> >
> > I've read this [1]analysis by H D Moore. No matter how convenient
> > the escape sequences that allow injecting of arbitrary data as-if typed
> > by the user might be, they should go, and they should go now.
>
> Yes, I agree. Patches and bug reports, where appropriate, are welcome.
> These are the real bugs, not Apache's.

Come on, Matt: Virtually all terminal emulators are vulnerable, and the
vulnerability is common knowledge. The abovementioned paper was on
Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do
something about it themselves (filing RC bugs at least)?

Jan.

--
Q: You can't just shoot somebody like that. Everybody has inalienable
human rights, even a criminal. Was it really necessary to shoot?
A: It certainly wasn't. They could have caught him and kicked him to death.
Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 11:18:41AM -0700, Matt Zimmerman wrote:
> On Mon, Apr 19, 2004 at 07:51:27PM +0200, Jan Minar wrote:
> > Come on, Matt: Virtually all terminal emulators are vulnerable, and the
> > vulnerability is common knowledge. The abovementioned paper was on
> > Bugtraq 2003-02-24 21:02:52... Is the Security Team going to do
> > something about it themselves (filing RC bugs at least)?
>
> You are part of a community, not somebody purchasing a service. Take some
> initiative and contribute.

And as a part of this community, I am saying right now: We have a big
problem, and the problem is we don't deal with security issues known for
decades, while happily convincing newcomers our system is fairly secure.
It's not.

Haha, I can feel the free spirit of the computer labs of the late
sixties:

/usr/src/linux/drivers/char/console.c:
>>> case 12: /* bring specified console to the front */
>>>     if (par[1] >= 1 && vc_cons_allocated(par[1]-1))
>>>         set_console(par[1] - 1);
>>>     break;

% ssh kh
[EMAIL PROTECTED]'s password:
Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
% echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
% while :; do echo -e '\033[12;63]' > /dev/tty63; done

> The security team does not have the resources to audit Debian, and can
> barely keep up with new issues as they become known. Pointing and whining
> doesn't help.

This is a *known issue*. It just seems there is no will to fix this...
for over a decade. If Debian is going to be as insecure as this, why
don't all the Security Team take a long pleasurable holiday, after all?

--
Q: You can't just shoot somebody like that. Everybody has inalienable
human rights, even a criminal. Was it really necessary to shoot?
A: It certainly wasn't. They could have caught him and kicked him to death.
Re: [SECURITY] [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386)
On Sat, Apr 17, 2004 at 06:10:36PM -0400, Michael Stone wrote:
> The big problem is that the kernel situation in woody blows. There are
> too many kernels and they don't build consistently. Hopefully things
> will be better in sarge (although if you look at the number of kernels
> out there the future seems grim) but woody will always have slow &
> painful kernel updates.

Could you tell us what _exactly_ happened? (DWN cover-story ;-)) Are
there no testsuites/scripts to ensure basic sanity of the packages being
built? Or what _exactly_ was the mistake (I'm personally interested in
the security weaknesses of the build process).

--
"To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
where this started and I think it goes back to the time I went to the
circus, and a clown killed my dad."
Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote:
> On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
> > untrusted source. This is a fundamental Unix feature (or flaw). Terminal
> > control sequences may be contained in the data.
>
> I've read this [1]analysis by H D Moore. No matter how convenient
> the escape sequences that allow injecting of arbitrary data as-if typed
> by the user might be, they should go, and they should go now.

Yes, I agree. Patches and bug reports, where appropriate, are welcome.
These are the real bugs, not Apache's.

--
 - mdz
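The thread keeps returning to the same defensive measure: untrusted text (mail bodies, file names, wall messages) has to be stripped of terminal control sequences before it is written to a tty. The following is an added example, not code from any post or from wall(1)/talkd(8): a small ECMA-48 escape scanner that drops CSI, OSC/DCS/PM/APC strings and two-character escapes, keeps printable text plus tab/LF/CR, and reports what it removed so the event can be logged. Function names and the sample input are mine.

```python
"""Strip terminal control sequences from untrusted text before display.

Added example for the thread above, not code from any of the posts: the
kind of filter a controlled channel such as wall(1) is described as
applying. It walks ECMA-48 escape syntax (CSI, OSC/DCS/PM/APC strings,
two-character escapes) and keeps only printable text plus tab, LF and CR.
"""
from typing import List, Tuple

ESC = "\x1b"
BEL = "\x07"
KEEP_C0 = {"\t", "\n", "\r"}
STRING_INTRODUCERS = {"]": "OSC", "P": "DCS", "^": "PM", "_": "APC"}


def _escape_end(s: str, i: int) -> Tuple[int, str]:
    """s[i] is ESC; return (index just past the sequence, kind).

    A sequence cut off by the end of the buffer is consumed to the end, so
    a truncated payload cannot leave the filter copying bytes through.
    """
    n = len(s)
    if i + 1 >= n:
        return n, "truncated"
    c = s[i + 1]
    if c == "[":                                    # CSI: ESC [ P... I... F
        j = i + 2
        while j < n and "\x30" <= s[j] <= "\x3f":   # parameter bytes
            j += 1
        while j < n and "\x20" <= s[j] <= "\x2f":   # intermediate bytes
            j += 1
        if j < n and "\x40" <= s[j] <= "\x7e":      # final byte
            return j + 1, "CSI"
        return j, "malformed CSI"                   # offending char is rescanned
    if c in STRING_INTRODUCERS:                     # ends with BEL or ESC \
        kind = STRING_INTRODUCERS[c]
        j = i + 2
        while j < n:
            if s[j] == BEL:
                return j + 1, kind
            if s[j] == ESC and j + 1 < n and s[j + 1] == "\\":
                return j + 2, kind
            j += 1
        return n, kind + " (unterminated)"
    j = i + 1                                       # ESC I... F
    while j < n and "\x20" <= s[j] <= "\x2f":
        j += 1
    if j < n and "\x30" <= s[j] <= "\x7e":
        return j + 1, "ESC"
    return j, "malformed ESC"


def scan(s: str) -> Tuple[str, List[Tuple[int, str, str]]]:
    """Return (clean text, findings); each finding is (offset, kind, raw)."""
    out: List[str] = []
    findings: List[Tuple[int, str, str]] = []
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch == ESC:
            j, kind = _escape_end(s, i)
            findings.append((i, kind, s[i:j]))
            i = j
        elif (ch < " " and ch not in KEEP_C0) or ch == "\x7f" or "\x80" <= ch <= "\x9f":
            # Lone C0/C1 controls (including the 8-bit CSI U+009B) are dropped
            # one at a time; whatever followed them is then plain text.
            findings.append((i, "control", ch))
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out), findings


def sanitize(s: str) -> str:
    """Convenience wrapper: just the cleaned text."""
    return scan(s)[0]


if __name__ == "__main__":
    # Constructed sample: the console-switch sequence from the thread plus an
    # OSC title-set string, embedded in otherwise harmless text.
    sample = "Morning, Mister root\x1b[12;63]\x1b]0;owned\x07 welcome\n"
    text, found = scan(sample)
    print(repr(text))
    for off, kind, raw in found:
        print(f"offset {off:3d}: {kind:<12} {raw!r}")
```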
Re: syslog.conf question
On 18/04/04 17:41, Philipp Schulte wrote:
> LeVA wrote:
> > I'm trying to exclude my mailsystem's logs from the /var/log/syslog
> > file. I've changed this line in /etc/syslog.conf:
> >
> > *.*;auth,authpriv.none -/var/log/syslog
> >
> > to:
> >
> > *.*;auth,authpriv.none;mail.!* -/var/log/syslog
>
> Try "*.*;auth,authpriv.none;mail.none -/var/log/syslog"

In addition you might want to try using the following:

mail.=info -/var/log/mail/mail.info
mail.=warn -/var/log/mail/mail.warn
mail.=err  -/var/log/mail/mail.err

so that you properly distinguish the priorities (I figure that was your
intention :-)).
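Whether a selector line does what its author intends is easy to get wrong, as the `mail.!*` attempt above shows. Here is an added example, not code from the posts or from sysklogd: a small model of sysklogd selector semantics (parts applied left to right, later parts overriding the facilities they name, `=prio` exact match, `none`), so the original and corrected lines can be checked offline against sample messages. The `!` forms are deliberately not modelled; function names and the sample configuration are mine.

```python
"""Model sysklogd selector semantics for lines like the ones discussed above.

Added example for the syslog.conf exchange (not code from the posts): it
parses "facility.priority" selectors the way sysklogd documents them, so
the effect of "*.*;auth,authpriv.none;mail.none" versus the original
"*.*;auth,authpriv.none" can be checked offline. '!' forms are rejected.
"""
from typing import Dict, List, Set, Tuple

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

Table = Dict[str, Set[int]]   # facility -> set of priority levels that match


def _level(name: str) -> int:
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority {name!r}")
    return PRIORITIES.index(name)


def parse_selector(field: str) -> Table:
    """Return the facilities/levels one selector field matches.

    Parts are separated by ';' and applied left to right; a later part
    overwrites the facilities it names. That is what makes
    '*.*;mail.none' mean "everything except mail".
    """
    table: Table = {f: set() for f in FACILITIES}
    for part in field.split(";"):
        facs, _, prio = part.rpartition(".")
        if not facs or not prio:
            raise ValueError(f"bad selector part {part!r}")
        if prio.startswith("!"):
            raise ValueError("'!' exclusions are not modelled; use 'none'")
        if prio == "none":
            levels: Set[int] = set()
        elif prio == "*":
            levels = set(range(len(PRIORITIES)))
        elif prio.startswith("="):            # exactly this priority
            levels = {_level(prio[1:])}
        else:                                 # this priority and above
            levels = set(range(_level(prio), len(PRIORITIES)))
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            table[fac] = set(levels)
    return table


def parse_conf(text: str) -> List[Tuple[Table, str]]:
    """Parse syslog.conf text into (selector table, log file) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, action = line.split(None, 1)
        # A leading '-' only means "no fsync after each write".
        rules.append((parse_selector(field), action.strip().lstrip("-")))
    return rules


def destinations(rules: List[Tuple[Table, str]], facility: str, priority: str) -> List[str]:
    """Log files that receive a message logged as facility.priority."""
    lvl = _level(priority)
    return [action for table, action in rules if lvl in table.get(facility, set())]


# Constructed sample config: the corrected line plus the per-priority mail files.
SAMPLE_CONF = """
*.*;auth,authpriv.none;mail.none   -/var/log/syslog
auth,authpriv.*                     /var/log/auth.log
mail.=info                         -/var/log/mail/mail.info
mail.=warn                         -/var/log/mail/mail.warn
mail.=err                          -/var/log/mail/mail.err
"""

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    # mail.crit lands nowhere: '=' matches one priority only, so crit/alert/emerg
    # from the mail system are silently dropped by this sample.
    for fac, prio in [("mail", "info"), ("mail", "err"), ("mail", "crit"),
                      ("daemon", "notice"), ("authpriv", "info")]:
        print(f"{fac}.{prio:<7} -> {destinations(rules, fac, prio)}")
```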
unsubscribe
On Monday, April 19, 2004, at 03:06AM, Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> Debian Security Advisory DSA 492-1                       [EMAIL PROTECTED]
> http://www.debian.org/security/                          Matt Zimmerman
> April 18th, 2004                        http://www.debian.org/security/faq
>
> Package        : iproute
> Vulnerability  : denial of service
> Problem-Type   : local
> Debian-specific: no
> CVE Ids        : CAN-2003-0856
> Debian Bug     : 242994
>
> Herbert Xu reported that local users could cause a denial of service
> against iproute, a set of tools for controlling networking in Linux
> kernels. iproute uses the netlink interface to communicate with the
> kernel, but failed to verify that the messages it received came from
> the kernel (rather than from other user processes).
>
> For the current stable distribution (woody) this problem has been
> fixed in version 20010824-8woody1.
>
> For the unstable distribution (sid), this problem will be fixed soon.
>
> We recommend that you update your iproute package.
>
> Upgrade Instructions
>
> wget url
>     will fetch the file for you
> dpkg -i file.deb
>     will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>     will update the internal database
> apt-get upgrade
>     will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> Debian GNU/Linux 3.0 alias woody
>
> These files will probably be moved into the stable distribution on
> its next revision.
>
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
Re: [SECURITY] [DSA 483-1] New mysql packages fix insecure temporary file creation
On Wed, 14 Apr 2004, Martin Schulze wrote:
> CAN-2004-0381
>
>     The script mysqlbug in MySQL allows local users to overwrite
>     arbitrary files via a symlink attack.
>
> CAN-2004-0388
>
>     The script mysqld_multi in MySQL allows local users to overwrite
>     arbitrary files via a symlink attack.
[...]
> For the unstable distribution (sid) these problems will be fixed in
> version 4.0.18-6 of mysql-dfsg.

* mysql unstable (4.0.18-4) changelog says:
  > Applied fix for improbable tempfile-symlink security problem in
  > mysqlbug reported by Shaun Colley on bugtraq on 2004-03-24.
  but doesn't mention the CAN numbers.
* mysql in unstable is currently at 4.0.18-5
* mysql's bugreports page doesn't show any open reports mentioning any
  unfixed.

So what's the situation now with mysql in unstable?:
- Is the bug mentioned in the advisory fixed in 4.0.18-5 and so the
  advisory wrong (should say "will be fixed in version 4.0.18-6 of
  mysql-dfsg") ...
- or isn't it fixed at which moment I should open a bugreport against
  mysql?

*t
--
Tomas Pospisek
http://sourcepole.com - Linux & Open Source Solutions