/usr/bin/Mail buffer 0verfl0w ????
There is some discussion about a possible /usr/bin/Mail buffer overflow. The link is from http://lwn.net/2001/0308/security.php3

http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D82%26threads%3D1%26end%3D2001-03-03%26tid%3D166333%26fromthread%3D0%26start%3D2001-02-25%26

Last Debian unstable appears to be vulnerable.

[host]:~# Mail
Mail version 8.1 6/6/93. Type ? for help.
[cut...]
& t [2240x'0']
No applicable messages from {[2240x'0']}
& t 0 x 2240
0: Invalid message number
& t 0
0: Invalid message number
"Source" stack over-pop.
Segmentation fault

Re: promiscuous eth0
This is really goofy. But I've been able to (at least in my case) narrow the "problem" down to using Xircom cards. The 3Com card that I use in my other Debian laptop works great (switching between the two demonstrates this behavior as well, so it isn't the laptop, and the 3Com card is Cardbus as well).

If I switch the Xircom to promiscuous mode, ping the gateway, and then switch back, everything is great. Until I switch it into promiscuous, though, no traffic occurs. The really weird thing is that I *do* get enough traffic through to allow DHCP configuration on startup.

Using a static IP address works (although I'm hijacking an address in the DHCP field.. can't wait 'till the guy in charge finds out...)

At 06:37 PM 3/7/2001 -0800, you wrote:
>On Mon, 5 Mar 2001, Jaan Sarv wrote:
>
> > > Also, paranoid network administrators might be a little upset by it, since
> > > Linux sends out a frame indicating it is switching into (or out
> > > of) promiscuous mode. This is possible evidence that you're running a
> > > sniffer of some kind (such as snort).
> >
> > Hi,
> >
> > How can I recognize such frames/packets? I know this isn't a very effective
> > method when trying to discover sniffers, but worth a shot.
> >
> > Is there a way to disable those frames/packets?
> >
> > Jaan
> >
> > a bit paranoid :)
>
>Unless I'm mistaken, there was an article in phrack magazine a while back
>about a kernel patch that disables the sending of the "promiscuous
>mode" packet. For this reason, only misconfigured computers (or script
>kiddies) would be sending this out; truly skilled {cr,h}ackers are
>unlikely to not patch the kernel before doing any covert sniffing.
>
>Regards,
>
>Alex.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]

- This Space Intentionally Left Blank -

Re: promiscuous eth0
On Mon, 5 Mar 2001, Jaan Sarv wrote:

> > Also, paranoid network administrators might be a little upset by it, since
> > Linux sends out a frame indicating it is switching into (or out
> > of) promiscuous mode. This is possible evidence that you're running a
> > sniffer of some kind (such as snort).
>
> Hi,
>
> How can I recognize such frames/packets? I know this isn't a very effective
> method when trying to discover sniffers, but worth a shot.
>
> Is there a way to disable those frames/packets?
>
> Jaan
>
> a bit paranoid :)

Unless I'm mistaken, there was an article in phrack magazine a while back about a kernel patch that disables the sending of the "promiscuous mode" packet. For this reason, only misconfigured computers (or script kiddies) would be sending this out; truly skilled {cr,h}ackers are unlikely to not patch the kernel before doing any covert sniffing.

Regards,

Alex.

Re: kernel patches
On Wed, Mar 07, 2001 at 05:04:17PM +0100, Niklas Höglund wrote:
> Anyone know where I can find a kernel patch that restricts users so..
> 'who' shows only the user himself

http://www.openwall.com/linux/

> 'netstat -a' only ports that root/the user owns

Openwall can set access rights for /proc

> 'ls' only files that are owned by root/the user

Good access rights

--
Francois Deppierraz <[EMAIL PROTECTED]>
Nimag Networks Sàrl - www.nimag.net
Phone +41 21 847 00 75 - Fax +41 21 847 00 77
PGP Key ID: 9D283BC9

kernel patches
Hi!

Anyone know where I can find a kernel patch that restricts users so..

'who' shows only the user himself
'netstat -a' only ports that root/the user owns
'ls' only files that are owned by root/the user

??

//Niklas

Re: howto check the integrity of installed packets
The integrity of the files installed can be found in tripwire and aide, which checksum the selected files into a database... it's not the same as you ask but can be useful...

On Wed, 7 Mar 2001, Alexander Reelsen wrote:

> Hi
>
> On Wed, Mar 07, 2001 at 03:34:14PM +0100, Jörgen Persson wrote:
> > the subject is clear enough... I'm looking for ''native'' support for
> > checking the integrity of installed packets.
>
> You might want to try the package 'debsums'. However those files are easy to
> change, but perhaps it's a start if you monitor the md5sums files as well,
> or mark them readonly with LIDS, whatever...
>
> Regards,
> Alexander
> --
> Alexander Reelsen http://joker.rhwd.de
> [EMAIL PROTECTED] GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
> [EMAIL PROTECTED] 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
> Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO

Re: howto check the integrity of installed packets
Hi

On Wed, Mar 07, 2001 at 03:34:14PM +0100, Jörgen Persson wrote:
> the subject is clear enough... I'm looking for ''native'' support for
> checking the integrity of installed packets.

You might want to try the package 'debsums'. However those files are easy to change, but perhaps it's a start if you monitor the md5sums files as well, or mark them readonly with LIDS, whatever...

Regards,
Alexander
--
Alexander Reelsen http://joker.rhwd.de
[EMAIL PROTECTED] GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
[EMAIL PROTECTED] 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO

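The caveat in the reply above (the md5sums lists are themselves easy to change) as an added sketch that is not part of the original thread: it checks files against dpkg-style `*.md5sums` lists the way debsums does, and separately compares the lists with a baseline taken earlier. The function names, the baseline file and the use of sha256sum for it are assumptions of this example; on a Debian system the lists are in /var/lib/dpkg/info.

```sh
#!/bin/sh
# Added example (not from the thread). ROOT, INFO_DIR and BASELINE are
# parameters; the BASELINE location is an assumption and belongs on
# read-only or offline media.

# Check each file named in INFO_DIR/*.md5sums against the tree under ROOT.
# Prints "package: path: FAILED" per bad file; returns 1 if any, else 0.
verify_pkg_files() {   # usage: verify_pkg_files ROOT INFO_DIR
    vp_rc=0
    for vp_list in "$2"/*.md5sums; do
        [ -f "$vp_list" ] || continue
        vp_pkg=$(basename "$vp_list" .md5sums)
        # Paths in the lists are relative to /, so md5sum runs from ROOT.
        vp_bad=$( (cd "$1" && md5sum -c - 2>/dev/null) < "$vp_list" |
                  grep -v ': OK$' || true)
        [ -z "$vp_bad" ] && continue
        echo "$vp_bad" | sed "s|^|$vp_pkg: |"
        vp_rc=1
    done
    return $vp_rc
}

# Record a SHA-256 of every md5sums list (run on a known-good system).
snapshot_lists() { (cd "$1" && sha256sum ./*.md5sums) > "$2"; }

# Returns 0 only if every list recorded in BASELINE is unchanged.
verify_lists() { (cd "$1" && sha256sum -c - >/dev/null 2>&1) < "$2"; }

# Constructed sample: one fake package "demo" in a scratch directory.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/root/usr/bin" "$d/info" || return 2
    printf 'original\n' > "$d/root/usr/bin/tool"
    (cd "$d/root" && md5sum usr/bin/tool) > "$d/info/demo.md5sums"
    snapshot_lists "$d/info" "$d/baseline"
    out=""
    for stage in clean modified list-rewritten; do
        case $stage in
            modified) printf 'changed\n' > "$d/root/usr/bin/tool" ;;
            list-rewritten)
                (cd "$d/root" && md5sum usr/bin/tool) > "$d/info/demo.md5sums" ;;
        esac
        f=0; verify_pkg_files "$d/root" "$d/info" >/dev/null || f=$?
        l=0; verify_lists "$d/info" "$d/baseline" || l=$?
        out="$out$stage=$f/$l "
    done
    rm -rf "$d"
    echo "${out% }"
}
demo   # prints: clean=0/0 modified=1/0 list-rewritten=0/1
```

In the last stage the file check passes again because the list was regenerated to match the changed file; only the baseline comparison still reports the change.
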
howto check the integrity of installed packets
Well, the subject is clear enough... I'm looking for ''native'' support for checking the integrity of installed packets.

Jörgen

Re: your mail
On Wed, Mar 07, 2001 at 01:18:20AM +0100, [EMAIL PROTECTED] wrote:
> gcc -D__KERNEL__ -DMODULE -DLINUX -DEXPORT_SYMTAB -D__NO_VERSION__
> -I/usr/include -I. -O2 -pipe -DCONFIG_PROC_FS -DIANS -DIANS_BASE_VLAN_TAGGING
  ^^

That should probably be -I/usr/src/linux/include. You need to pull in the headers from the kernel with which you link this module, and that's not what's in /usr/include.

Also, not one of the 3 lists you sent this question to was an appropriate forum for such a question. Please keep cross-posting to a minimum. A question like this should probably only have been posted to -user.

noah

--
___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html

Re:
Unfortunately, I have already tried to install it as root!
of course i tried it as root!

Regards

--
My, I'm feeling good again today

Re:
hi

hmm..

> gcc -D__KERNEL__ -DMODULE -DLINUX -DEXPORT_SYMTAB -D__NO_VERSION__
> -I/usr/include -I. -O2 -pipe -DCONFIG_PROC_FS -DIANS -DIANS_BASE_VLAN_TAGGING
> -DIANS_BASE_VLAN_ID -c -o ans.o ans.c
> Assembler messages:
> FATAL: Can't create ans.o: Permission denied
> In file included from ans_os.h:128,
> from ans.h:60,
> from ans_driver.h:87,
> from ans.c:52:
> /usr/include/linux/module.h:19: linux/modversions.h: No such file or
> directory
> ans.c: In function `bd_ans_Identify':
> ans.c:239: output pipe has been closed
> cpp: output pipe has been closed
> make: *** [ans.o] Error 1

As I understand these messages, ain't you running this thing as root? If not, run it as root.

Regards

> --
> My, I'm feeling good again today

hopefully you're feeling better now

--
while !asleep {sheep ++};
PGP/GPG key @ http://unet.univie.ac.at/~a9900470/mihi.asc
