/usr/bin/Mail buffer 0verfl0w ????

2001-03-07 Thread Julian Stoev

There is some discussion about a possible /usr/bin/Mail buffer overflow.
The link is from http://lwn.net/2001/0308/security.php3

http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D82%26threads%3D1%26end%3D2001-03-03%26tid%3D166333%26fromthread%3D0%26start%3D2001-02-25%26

Last Debian unstable appears to be vulnerable.

[host]:~# Mail
Mail version 8.1 6/6/93.  Type ? for help.
[cut...]
& t [2240x'0']
No applicable messages from {[2240x'0']}
& t 0 x 2240
0: Invalid message number
& t 
0
0: Invalid message number
"Source" stack over-pop.
Segmentation fault


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: promiscuous eth0

2001-03-07 Thread Alexander Hvostov
On Mon, 5 Mar 2001, Jaan Sarv wrote:

> > Also, paranoid network administrators might be a little upset by it, since
> > Linux sends out a frame indicating it is switching into (or out
> > of) promiscuous mode. This is possible evidence that you're running a
> > sniffer of some kind (such as snort).
> 
> Hi,
> 
> How can I recognize such frames/packets? I know this isn't very effective
> method when trying to discover sniffers, but worth a shot.
> 
> Is there a way to disable those frames/packets?
> 
> Jaan
> 
> a bit paranoid :)
Unless I'm mistaken, there was an article in phrack magazine a while back
about a kernel patch that disables the sending of the "promiscuous
mode" packet. For this reason, only misconfigured computers (or script
kiddies) would be sending this out; truly skilled {cr,h}ackers are
unlikely to not patch the kernel before doing any covert sniffing.

Regards,

Alex.



Re: promiscuous eth0

2001-03-07 Thread Eric N. Valor


This is really goofy.  But I've been able to (at least in my case) narrow 
the "problem" down to using Xircom cards.  The 3Com card that I use in my 
other Debian laptop works great (switching between the two demonstrates 
this behavior as well, so it isn't the laptop, and the 3Com card is Cardbus 
as well).

If I switch the Xircom to promiscuous mode, ping the gateway, and then 
switch back, everything is great.  Until I switch it into promiscuous, 
though, no traffic occurs.  The really weird thing is that I *do* get 
enough traffic through to allow DHCP configuration on startup.  Using a 
static IP address works (although I'm hijacking an address in the DHCP 
field.. can't wait 'till the guy in charge finds out...)

At 06:37 PM 3/7/2001 -0800, you wrote:
>On Mon, 5 Mar 2001, Jaan Sarv wrote:
>
> > > Also, paranoid network administrators might be a little upset by it, since
> > > Linux sends out a frame indicating it is switching into (or out
> > > of) promiscuous mode. This is possible evidence that you're running a
> > > sniffer of some kind (such as snort).
> >
> > Hi,
> >
> > How can I recognize such frames/packets? I know this isn't very effective
> > method when trying to discover sniffers, but worth a shot.
> >
> > Is there a way to disable those frames/packets?
> >
> > Jaan
> >
> > a bit paranoid :)
>Unless I'm mistaken, there was an article in phrack magazine a while back
>about a kernel patch that disables the sending of the "promiscuous
>mode" packet. For this reason, only misconfigured computers (or script
>kiddies) would be sending this out; truly skilled {cr,h}ackers are
>unlikely to not patch the kernel before doing any covert sniffing.
>
>Regards,
>
>Alex.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]

- This Space Intentionally Left Blank -


Re: kernel patches

2001-03-07 Thread Francois Deppierraz
On Wed, Mar 07, 2001 at 05:04:17PM +0100, Niklas Höglund wrote:

> Anyone know where I can find a kernel patch that restricts users so..
> 'who' shows only the user himself

http://www.openwall.com/linux/

> 'netstat -a' only ports that root/the user owns

Openwall can set access rights for /proc

> 'ls' only files that are owned by root/the user

Good access rights

-- 
Francois Deppierraz <[EMAIL PROTECTED]>
Nimag Networks Sàrl - www.nimag.net
Phone +41 21 847 00 75 - Fax +41 21 847 00 77
PGP Key ID: 9D283BC9



kernel patches

2001-03-07 Thread Niklas Höglund
Hi!
Anyone know where I can find a kernel patch that restricts users so..
'who' shows only the user himself
'netstat -a' only ports that root/the user owns
'ls' only files that are owned by root/the user
??
//Niklas



Re: howto check the integrity of installed packets

2001-03-07 Thread Josep Llauradó Selvas

The integrity of the files installed can be found in tripwire and aide, that
checksums the selected files into a database... it's not the same you ask but can
be useful...

On Wed, 7 Mar 2001, Alexander Reelsen wrote:

> Hi
>
> On Wed, Mar 07, 2001 at 03:34:14PM +0100, Jörgen Persson wrote:
> > the subject is clear enough... I'm looking for ''native'' support for
> > checking the integrity of installed packets.
> You might want to try the package 'debsums'. However those files are easy
> to change, but perhaps it's a start if you monitor the md5sums files as
> well, or mark them readonly with LIDS, whatever...
>
>
> MfG/Regards, Alexander
>
> --
> Alexander Reelsen   http://joker.rhwd.de
> [EMAIL PROTECTED]   GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
> [EMAIL PROTECTED] 7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
> Securing Debian:http://joker.rhwd.de/doc/Securing-Debian-HOWTO
 
 



Re: howto check the integrity of installed packets

2001-03-07 Thread Alexander Reelsen
Hi

On Wed, Mar 07, 2001 at 03:34:14PM +0100, Jörgen Persson wrote:
> the subject is clear enough... I'm looking for ''native'' support for 
> checking the integrity of installed packets.
You might want to try the package 'debsums'. However those files are easy
to change, but perhaps it's a start if you monitor the md5sums files as
well, or mark them readonly with LIDS, whatever...


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
[EMAIL PROTECTED]   GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
[EMAIL PROTECTED] 7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:http://joker.rhwd.de/doc/Securing-Debian-HOWTO
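
The check described in the message above, as an added example that is not part of the original thread and is not debsums' own code: verify files against a dpkg-style md5sums list, and keep a separate baseline of the lists themselves. The function names, the SHA-256 baseline and the temp-dir layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; every path is constructed in a temp dir, nothing under
# /var/lib/dpkg is touched.

# verify_pkg ROOT LIST: check each "md5  relative/path" line of a dpkg-style
# md5sums LIST against the files under ROOT. Non-zero return on any mismatch.
verify_pkg() {
    root=$1 list=$2 rc=0
    while read -r sum path || [ -n "$sum" ]; do
        [ -n "$sum" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "FAILED $path"; rc=1
        fi
    done < "$list"
    return "$rc"
}

# snapshot_lists INFO_DIR: hash the lists themselves. Keep the output where
# the monitored host cannot rewrite it (read-only media, another machine).
snapshot_lists() {
    ( cd "$1" && sha256sum -- *.md5sums )
}

# lists_unchanged INFO_DIR BASELINE: succeed only if no list differs from the
# baseline. BASELINE must be an absolute path.
lists_unchanged() {
    ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# demo_setup: build a constructed root, one package list and its baseline.
demo_setup() {
    T=$(mktemp -d) && mkdir -p "$T/root/bin" "$T/info"
    printf 'original\n' > "$T/root/bin/tool"
    ( cd "$T/root" && md5sum bin/tool ) > "$T/info/demo.md5sums"
    snapshot_lists "$T/info" > "$T/baseline.sha256"
}

demo_setup
printf 'changed\n' > "$T/root/bin/tool"              # file content is altered
verify_pkg "$T/root" "$T/info/demo.md5sums" || echo "list check: mismatch"
( cd "$T/root" && md5sum bin/tool ) > "$T/info/demo.md5sums"  # list rewritten too
verify_pkg "$T/root" "$T/info/demo.md5sums" && echo "list check: clean"
lists_unchanged "$T/info" "$T/baseline.sha256" || echo "baseline: list was modified"
rm -rf "$T"
```

The second `verify_pkg` run passes because the list was rewritten along with the file; only the baseline kept outside the list directory still flags the change.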



howto check the integrity of installed packets

2001-03-07 Thread Jörgen Persson
Well,
the subject is clear enough... I'm looking for ''native'' support for 
checking the integrity of installed packets.

Jörgen



Re: your mail

2001-03-07 Thread Noah L. Meyerhans

On Wed, Mar 07, 2001 at 01:18:20AM +0100, [EMAIL PROTECTED] wrote:
 
> gcc -D__KERNEL__ -DMODULE -DLINUX -DEXPORT_SYMTAB -D__NO_VERSION__
> -I/usr/include -I. -O2 -pipe  -DCONFIG_PROC_FS -DIANS -DIANS_BASE_VLAN_TAGGING
  ^^
That should probably be -I/usr/src/linux/include.  You need to pull in
the headers from the kernel with which you link this module, and that's
not what's in /usr/include.

Also, not one of the 3 lists you sent this question to was an
appropriate forum for such a question.  Please keep cross-posting to a
minimum.  A question like this should probably only have been posted to
-user.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re:

2001-03-07 Thread chrifu
Unfortunately, I already tried to install it as root!

Of course I tried it as root!

Regards

-- 
Man, I'm feeling good again today

Sent through GMX FreeMail - http://www.gmx.net



Re:

2001-03-07 Thread Michael Bauer
hi

hmm..

> gcc -D__KERNEL__ -DMODULE -DLINUX -DEXPORT_SYMTAB -D__NO_VERSION__
> -I/usr/include -I. -O2 -pipe  -DCONFIG_PROC_FS -DIANS -DIANS_BASE_VLAN_TAGGING
> -DIANS_BASE_VLAN_ID   -c -o ans.o ans.c
> Assembler messages:
> FATAL: Can't create ans.o: Permission denied
> In file included from ans_os.h:128,
>  from ans.h:60,
>  from ans_driver.h:87,
>  from ans.c:52:
> /usr/include/linux/module.h:19: linux/modversions.h: No such file or
> directory
> ans.c: In function `bd_ans_Identify':
> ans.c:239: output pipe has been closed
> cpp: output pipe has been closed
> make: *** [ans.o] Error 1

As I understand these messages, ain't you running this thing as root? If
not, run it as root.

Regards
> --
> Man, I'm feeling good again today

Hopefully you're feeling better now

-- 
while !asleep {sheep ++};
PGP/GPG key @ http://unet.univie.ac.at/~a9900470/mihi.asc


