Fwd: [ADVISORY] Timing Attack on OpenSSL
Hi,

this seems to be a new issue, separate from the known timing attack from Feb. 19th. Can anybody confirm this?

Regards, Leppo

-- Forwarded message --
Subject: [ADVISORY] Timing Attack on OpenSSL
Date: Monday, 17 March 2003 09:47
From: Ben Laurie [EMAIL PROTECTED]
To: Bugtraq [EMAIL PROTECTED]

I expect a release to follow shortly.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff

---
OpenSSL v0.9.7a and 0.9.6i vulnerability

Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few percent).

This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
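Review bot: in the RSA_eay_private_encrypt and RSA_eay_private_decrypt hunks of rsa_eay.c, CRYPTO_LOCK_RSA is held only inside rsa_eay_blinding() while the BN_BLINDING is created; the `BN_BLINDING_convert(f,rsa->blinding,ctx)` call that follows (and the matching BN_BLINDING_invert later in each function) runs unlocked on the same shared rsa->blinding. BN_BLINDING_invert updates the blinding factors after every use, so two threads doing private-key operations on one RSA object will race on that state and can unblind with the wrong factor. Either hold the lock across convert/invert as well, or keep a blinding per thread. The double check in rsa_eay_blinding() (the macro's unlocked NULL test, re-tested under the lock, as the "racey" comment says) covers only the creation race.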
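Review bot: the RSA_new() hunk in rsa_lib.c dereferences r without a NULL check. RSA_new_method(NULL) returns NULL on allocation failure or when the method's init callback fails, and `r->flags|=RSA_FLAG_BLINDING;` then crashes where the old `return(RSA_new_method(NULL));` simply returned NULL; wrap the flag update in `if (r != NULL)`. Note also that the flag is forced only on this path: an RSA object created directly through RSA_new_method() still has blinding off unless the caller sets RSA_FLAG_BLINDING, which the advisory text ("switches blinding on by default") should say.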
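The advisory forces blinding on because the private-key exponentiation runs directly on attacker-chosen input, and its timing leaks information about the key. What blinding actually does is short enough to show in full. The block below is an added example, not OpenSSL code and not part of Ben Laurie's message: it implements the blinding step in pure Python on a constructed toy key (the primes, exponent and the BlindingState class are assumptions of this example; only the idea of keeping one reusable r^e / r^-1 pair per key and refreshing it by squaring after each use is borrowed from how the patched code uses BN_BLINDING).

```python
"""RSA blinding as a countermeasure to timing attacks on the private-key
operation. Added example for this thread, not OpenSSL code. The key below
is a constructed toy key (far too small for real use); BlindingState only
mirrors the idea of OpenSSL's BN_BLINDING: multiply the input by r^e before
the exponentiation, by r^-1 after it, and square both factors for the next use."""
import secrets
from math import gcd

# Constructed toy key: two small primes, public exponent 65537.  NOT a real key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent, e*d == 1 (mod phi)


def private_raw(c, d=D, n=N):
    """Unblinded private operation: d is applied straight to the attacker-chosen
    input c, so the running time of the exponentiation is a function of c."""
    return pow(c, d, n)


class BlindingState:
    """One blinding pair per key: A = r^e mod n, Ai = r^-1 mod n."""

    def __init__(self, e=E, n=N):
        self.e, self.n = e, n
        while True:                               # r must be invertible mod n
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
        self.A = pow(r, e, n)                     # r^e  mod n
        self.Ai = pow(r, -1, n)                   # r^-1 mod n

    def convert(self, c):
        """Blind: c' = c * r^e mod n.  The exponentiation now sees a value the
        attacker does not know, so its timing tells him nothing about c."""
        return (c * self.A) % self.n

    def invert(self, m_blinded):
        """Unblind: (c * r^e)^d = c^d * r (mod n), so multiply by r^-1.
        Then refresh the pair by squaring both factors (r <- r^2), which keeps
        A = r^e and Ai = r^-1 consistent without another inversion."""
        m = (m_blinded * self.Ai) % self.n
        self.A = (self.A * self.A) % self.n
        self.Ai = (self.Ai * self.Ai) % self.n
        return m


def private_blinded(c, state, d=D, n=N):
    """Blinded private operation: same result as private_raw(c), but the
    modular exponentiation never runs on c itself."""
    return state.invert(pow(state.convert(c), d, n))


if __name__ == "__main__":
    st = BlindingState()
    c = pow(42, E, N)                             # encrypt a constructed message
    print("raw     :", private_raw(c))
    print("blinded :", private_blinded(c, st))   # same plaintext, 42
```

Because convert() and invert() read and update the shared pair, a blinding state must be used by one thread at a time (or held per thread), which is the same constraint the patched OpenSSL code has to respect for rsa->blinding.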
ptrace vulnerability?
Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already, or should we humble users, in the meantime, take the original patch and apply it while the official thing gets worked out?

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248   Fax: +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
When the storms are raging around you, stay right where you are (Freddy Mercury)
Re: ptrace vulnerability?
On Tue 18/03/2003 at 13:04, Giacomo Mulas wrote:
> On Tue, 18 Mar 2003, Giacomo Mulas wrote:
> > Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already, or should we humble users, in the meantime, take the original patch and apply it while the official thing gets worked out?
>
> Apparently the kernel source debian package maintainer already answered my previous question in the best possible way, making available the patched package immediately. The responsivity of the Debian community is really something to be proud about: thanks Herbert!

Hi,

what packages are available *exactly* and where? I don't see any upgrade in security nor any DSA...

Thanks,
SEb

> Bye
> Giacomo

--
Sebastien Chaumat [EMAIL PROTECTED]
Re: ptrace vulnerability?
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

--On Tuesday, March 18, 2003 12:04 PM +0100 Giacomo Mulas [EMAIL PROTECTED] wrote:

> Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already, or should we humble users, in the meantime, take the original patch and apply it while the official thing gets worked out?
>
> Bye
> Giacomo

--
Jason Rashaad Jackson
UNIX Systems Administrator
3556 Samuel T. Dana Building    (W) 734.615.1422
Ann Arbor, MI 48109             (M) 734.649.6641
http://www.umich.edu/~jrashaad  (F) 734.763.8965
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:
> His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached.

The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.SThu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003 
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu Mar 13 13:30:30 2003 @@ -736,12 +736,12 @@ hw_bp_trig_ptr: * the grosser the code, at least with the gcc version in cris-dist-1.13. */ -/* int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ +/* int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ /* r10r11 r12 */ .text - .global kernel_thread -kernel_thread: + .global arch_kernel_thread +arch_kernel_thread: /* Save ARG for later. */ move.d $r11, $r13 diff -purN linux.orig/arch/i386/kernel/process.c linux/arch/i386/kernel/process.c --- linux.orig/arch/i386/kernel/process.c Thu Mar 13 12:01:57 2003 +++ linux/arch/i386/kernel/process.cThu Mar 13 13:26:08 2003 @@ -495,7 +495,7 @@ void release_segments(struct mm_struct * /* * Create a kernel thread */ -int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) +int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) { long retval, d0; 
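Review bot: in the arch/alpha/kernel/entry.S hunk the label is renamed to arch_kernel_thread, but the unchanged context two lines above still reads `.globl kernel_thread` / `.ent kernel_thread`. As quoted, arch_kernel_thread is therefore never exported from the object (the generic kernel_thread() wrapper that these renames imply will fail to link against it), and the .ent/.end pair no longer names the function it brackets. Rename those two directives as well, the way the cris hunk does with `.global arch_kernel_thread`.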
@@ -518,6 +518,7 @@ int kernel_thread(int (*fn)(void *), voi r (arg), r (fn), b (flags | CLONE_VM) : memory); + return retval; } diff -purN linux.orig/arch/ia64/kernel/process.c linux/arch/ia64/kernel/process.c --- linux.orig/arch/ia64/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/ia64/kernel/process.cThu Mar 13 13:26:15 2003 @@ -220,7 +220,7 @@ ia64_load_extra (struct task_struct *tas * | | -- sp (lowest addr) * +-+ * - * Note: if we get called through kernel_thread() then the memory + * Note: if we get called through arch_kernel_thread() then the memory * above (highest addr) is valid kernel stack memory that needs to * be copied as well. * @@ -469,7 +469,7 @@ ia64_set_personality (struct elf64_hdr * } pid_t -kernel_thread (int (*fn)(void *), void *arg, unsigned long flags) +arch_kernel_thread (int (*fn)(void *), void *arg,
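Review bot: the second arch/i386/kernel/process.c hunk (@@ -518,6 +518,7 @@) adds a single whitespace-only line in front of the existing `return retval;` and nothing else. It has no bearing on the fix and only makes a security patch harder to review and to backport; drop it.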
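Review bot: the quoted patch stops mid-signature in the arch/ia64/kernel/process.c hunk (`arch_kernel_thread (int (*fn)(void *), void *arg,`), and what is quoted consists only of the per-architecture renames of kernel_thread() to arch_kernel_thread(). The generic kernel_thread() wrapper those renames require, the ptrace change itself and the PR_SET_DUMPABLE prctl change the announcement describes are not in this copy, so it cannot be applied as-is; take the complete patch from the original announcement, not from this message.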
Current OpenSSL vulnerability (CAN-2003-0147)
I have not seen any mention of this on this list. Is the current version (0.9.6c-2.woody.2) vulnerable to this current RSA issue?

Tuesday, March 18 2003

--
Timm Gleason
http://www.gleason.to/
http://www.uranushertz.to/
Quis custodiet ipsos custodes?
"When a religion is good, I conceive it will support itself; and when it does not support itself, and God does not take care to support it so that its professors are obliged to call for help of the civil power, 'tis a sign, I apprehend, of its being a bad one." -- Benjamin Franklin
-PGP PUBLIC KEY BLOCK AVAILABLE-
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritative.

From: Phillip Hofmeister [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500

> I usually make it a habit of only applying patches that come from seemingly authoritative sites.
>
> Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...
>
> --
> Phil
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #125: Dumb terminal attach3
Re: ptrace vulnerability?
Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com, including the working exploit code, a couple of years ago.
From: Mark Janssen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Jason Rashaad Jackson [EMAIL PROTECTED]
CC: Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: ptrace vulnerability?
Date: 18 Mar 2003 22:11:38 +0100

> On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:
> > His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.
Here's a cut and paste from Lwn.net :) Ptrace vulnerability in 2.2 and 2.4 kernels From: Alan Cox [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Ptrace vulnerability in Linux 2.2/2.4 Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST) Vulnerability: CAN-2003-0127 The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable. Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases. A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is neccessary and that it will not affect any software. The functionality change is specific to unusual debugging situations. We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix. Alan diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.S Thu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003 
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp $29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq $30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu
OT: Is it so easy to break into an NIS?
Hi

A friend just asked me this question and I got curious. Say I'm equipped with a Linux laptop and some knowledge: I can walk into a company that uses NIS, find out the settings (NISDOMAIN, a free IP address, etc.) and join their domain. Now I can log in as root on my computer, su to any user and see/change/delete his files. Is it that easy?

Of course, administrators should protect their mounts with netgroup permissions, and users should protect their important files with encryption, but how many of these do you see?

Any ideas? Suggestions?

Bye
--
Haim
Re: OT: Is it so easy to break into an NIS?
On Tuesday 18 March 2003 04:13 pm, Haim Ashkenazi wrote:
> Hi

Hello,

> A friend just asked me this question and I got curious. Say I'm equipped with a Linux laptop and some knowledge: I can walk into a company that uses NIS, find out the settings (NISDOMAIN, a free IP address, etc.) and join their domain. Now I can log in as root on my computer, su to any user and see/change/delete his files. Is it that easy?

Yes, quite. NIS uses no authentication whatsoever.

> Of course, administrators should protect their mounts with netgroup permissions, and users should protect their important files with encryption, but how many of these do you see?

Not many. The problems you describe above are well-known.

> Any ideas? Suggestions?

Use LDAP and Kerberos instead of NIS. They are equally or better supported in every situation I know of.

- Keegan
Re: OT: Is it so easy to break into an NIS?
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> A friend just asked me this question and I got curious. Say I'm equipped with a Linux laptop and some knowledge: I can walk into a company that uses NIS, find out the settings (NISDOMAIN, a free IP address, etc.) and join their domain. Now I can log in as root on my computer, su to any user and see/change/delete his files. Is it that easy?

On a typical NIS/NFS setup, it's pretty easy from a workstation to break into other files on the NFS shares. Breaking into the NIS/NFS master is and should be extremely non-trivial.

NIS is typically used only inside organisations where random members of the public aren't given free rein to plug in their laptops and snoop. (Employees can try that, but have a lot to lose if caught at it.)

Networks needing a greater degree of privacy and authentication can try AFS/Kerberos (entailing non-free server-end software). Substituting LDAP-SSL for NIS is arguably a step forward, but then NFS remains a problem (No Friggin' Security).

--
Cheers,
Rick Moen
[EMAIL PROTECTED]
"The genius of you Americans is that you never make clear-cut stupid moves, only complicated stupid moves that make us wonder at the possibility that there may be something to them that we are missing." --Gamel Abdel Nasser
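The NFS half of the setup Rick describes (a client whose root can become any UID, and a server that believes the UID it is sent) can at least be audited from the server's /etc/exports. The following is an added example for this thread, not code from any of the posts or from nfs-utils: a small checker with a constructed exports file embedded in it, which flags the clauses that make the laptop-with-root scenario work (no_root_squash, exports with no host or netgroup restriction, and writable exports that rely on AUTH_SYS rather than Kerberos or all_squash). The paths, hosts and netgroup names are made up.

```python
"""Audit /etc/exports for the settings that let a client with root on its own
box reach other users' files over NFS.  Added example for this thread, not
part of any post or of nfs-utils; the sample file below is constructed."""
import re
from typing import List, Tuple

# Constructed sample /etc/exports (paths, hosts and netgroups are made up).
SAMPLE_EXPORTS = """
# home directories, NIS netgroup restricted
/home        @workstations(rw,root_squash,sync)
/home        *(ro)
/srv/build   10.0.0.0/24(rw,no_root_squash)
/srv/pub     (ro,all_squash)
/srv/scratch lab01(rw,sync) lab02(rw,no_root_squash,sync)
/srv/secure  @workstations(rw,sec=krb5p)
"""

# One client clause: "host(opts)", "(opts)" with no host, or a bare "host".
ENTRY_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return one (path, client, [options]) tuple per client clause.
    A "(opts)" group with no host in front of it applies to every host, which
    is also what exportfs does with the classic "host (opts)" typo; a bare host
    gets the defaults (ro, root_squash), represented here as an empty list."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in ENTRY_RE.finditer(rest):
            if m.group(3):                              # bare host, default options
                entries.append((path, m.group(3), []))
            else:
                client = m.group(1) or "*"              # no host => everyone
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                entries.append((path, client, opts))
    return entries


def audit(entries) -> List[Tuple[str, str, str]]:
    """Return (path, client, problem) for every clause worth a second look."""
    findings = []
    for path, client, opts in entries:
        if "no_root_squash" in opts:
            findings.append((path, client,
                             "no_root_squash: client root is root on the server"))
        if client == "*" or client.startswith("*."):
            findings.append((path, client, "no host or netgroup restriction"))
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if "rw" in opts and "all_squash" not in opts and not kerberos:
            # With AUTH_SYS the server trusts whatever UID the client sends;
            # only Kerberos (sec=krb5*) or all_squash takes that choice away.
            findings.append((path, client,
                             "rw with AUTH_SYS: any UID a client root picks is trusted"))
    return findings


if __name__ == "__main__":
    for path, client, problem in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:<13} {client:<15} {problem}")
```

To run it against a real server, replace SAMPLE_EXPORTS with the contents of /etc/exports (or the output of `exportfs -v`, whose option list is already normalised). Note that a host or netgroup restriction only limits who may mount; it does nothing about the UID a mounting client chooses to present, which is why the last check fires on every plain rw export.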
RE: Is it so easy to break into an NIS?
Yes. NIS+ is a bit better, but basically it's inadequate security-wise. It should not be considered for a new system/network IMHO.

regards
Steven

-----Original Message-----
From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 19 March 2003 12:30
To: Debian Security
Subject: OT: Is it so easy to break into an NIS?

> Hi
>
> A friend just asked me this question and I got curious. Say I'm equipped with a Linux laptop and some knowledge: I can walk into a company that uses NIS, find out the settings (NISDOMAIN, a free IP address, etc.) and join their domain. Now I can log in as root on my computer, su to any user and see/change/delete his files. Is it that easy?
>
> Of course, administrators should protect their mounts with netgroup permissions, and users should protect their important files with encryption, but how many of these do you see?
>
> Any ideas? Suggestions?
>
> Bye
> --
> Haim
Re: ptrace vulnerability?
New one. The attached module seems to block the currently circulating exploit; I didn't write it, so don't email me if it breaks your system.

On Tuesday 18 March 2003 17:39, Steve Meyer wrote:
> Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com, including the working exploit code, a couple of years ago.

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
To alcohol! The cause of AND solution to all of life's problems. Alcohol is a way of life. Alcohol is my way of life, and I aim to keep it. -Homer Simpson

[Attachment: block_ptrees.tgz (application/tgz)]
Re: ptrace vulnerability?
Does anyone know the ETA of the official patch?
Re: ptrace vulnerability?
On Tue, 18 Mar 2003, Giacomo Mulas wrote:
> Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already, or should we humble users, in the meantime, take the original patch and apply it while the official thing gets worked out?

Apparently the kernel source debian package maintainer already answered my previous question in the best possible way, making available the patched package immediately. The responsivity of the Debian community is really something to be proud about: thanks Herbert!

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248   Fax: +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
When the storms are raging around you, stay right where you are (Freddy Mercury)
Re: Traffic monitoring
Check out flowscan, http://www.caida.org/tools/utilities/flowscan/. It gets close to what you want, assuming all the traffic is passing through a Cisco router. Something like this for Linux would be really cool!

Nik
Re: ptrace vulnerability?
His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

--On Tuesday, March 18, 2003 12:04 PM +0100 Giacomo Mulas [EMAIL PROTECTED] wrote:

Alan Cox apparently just made public a vulnerability in the stock kernel which would permit a local user to gain root privileges (see e.g. Linux Today, LWN, the LK mailing list...). Is a patched source package in the making already or should we humble users, in the meantime, take the original patch and apply it, while the official thing gets worked out?

Bye
Giacomo

--
Jason Rashaad Jackson
UNIX Systems Administrator
3556 Samuel T. Dana Building    (W) 734.615.1422
Ann Arbor, MI 48109             (M) 734.649.6641
http://www.umich.edu/~jrashaad  (F) 734.763.8965
Re: [despammed] Re: ptrace vulnerability?
Tuesday, March 18, 2003, 3:40:40 PM, Jason Rashaad Jackson (Jason) wrote:

Jason> His announcement is Slashdotted, and I'm seeing no notice of which versions
Jason> are affected! I'm running 2.4.18 on all my Debian servers, please tell me
Jason> what's going on.

http://www.uwsg.indiana.edu/hypermail/linux/kernel/0303.2/0226.html

Looks like all 2.2 and 2.4 are affected. The patch for 2.4 is in the email.

---
Eddie J Schwartz [EMAIL PROTECTED]  http://www.m00.net
AIM: The Cypher  ICQ: 35576339  YHOO: edmcman2  MSN: [EMAIL PROTECTED]
SMS: [EMAIL PROTECTED]
We Trills have an expression-- at forty, you think you know everything. At four hundred, you realize you know nothing. - Dax, ST-DS9
---
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:

His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.SThu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN linux.orig/arch/cris/kernel/entry.S linux/arch/cris/kernel/entry.S --- linux.orig/arch/cris/kernel/entry.S Thu Mar 13 12:01:29 2003 +++ linux/arch/cris/kernel/entry.S Thu Mar 13 13:30:30 2003 @@ -736,12 +736,12 @@ hw_bp_trig_ptr: * the grosser the code, at least with the gcc version in cris-dist-1.13. */ -/* int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ +/* int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) */ /* r10r11 r12 */ .text - .global kernel_thread -kernel_thread: + .global arch_kernel_thread +arch_kernel_thread: /* Save ARG for later. */ move.d $r11, $r13 diff -purN linux.orig/arch/i386/kernel/process.c linux/arch/i386/kernel/process.c --- linux.orig/arch/i386/kernel/process.c Thu Mar 13 12:01:57 2003 +++ linux/arch/i386/kernel/process.cThu Mar 13 13:26:08 2003 @@ -495,7 +495,7 @@ void release_segments(struct mm_struct * /* * Create a kernel thread */ -int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) +int arch_kernel_thread(int (*fn)(void *), void * arg, unsigned long flags) { long retval, d0; 
@@ -518,6 +518,7 @@ int kernel_thread(int (*fn)(void *), voi r (arg), r (fn), b (flags | CLONE_VM) : memory); + return retval; } diff -purN linux.orig/arch/ia64/kernel/process.c linux/arch/ia64/kernel/process.c --- linux.orig/arch/ia64/kernel/process.c Thu Mar 13 12:01:29 2003 +++ linux/arch/ia64/kernel/process.cThu Mar 13 13:26:15 2003 @@ -220,7 +220,7 @@ ia64_load_extra (struct task_struct *tas * | | -- sp (lowest addr) * +-+ * - * Note: if we get called through kernel_thread() then the memory + * Note: if we get called through arch_kernel_thread() then the memory * above (highest addr) is valid kernel stack memory that needs to * be copied as well. * @@ -469,7 +469,7 @@ ia64_set_personality (struct elf64_hdr * } pid_t -kernel_thread (int (*fn)(void *), void *arg, unsigned long flags) +arch_kernel_thread (int (*fn)(void *), void
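Review bot: in the alpha entry.S hunk the label is renamed (`-kernel_thread:` / `+arch_kernel_thread:`) but the `.globl kernel_thread` and `.ent kernel_thread` directives shown just above it are left untouched, so the assembler is told to export and open a procedure called `kernel_thread` that no longer has a label, while `arch_kernel_thread` is never declared global. The cris hunk in the same patch renames both `.global kernel_thread` and the label; the alpha hunk should do the same, i.e. change the two directives to `.globl arch_kernel_thread` and `.ent arch_kernel_thread` (and the matching `.end`, if there is one, which is outside the quoted context).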
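Review bot: the quoted copy of the patch is incomplete and should not be applied from this message. It stops in the middle of the ia64 hunk (`+arch_kernel_thread (int (*fn)(void *), void`), and none of the visible hunks adds a generic `kernel_thread()` to replace the per-architecture symbol they rename, so every existing caller of `kernel_thread()` would fail to link against what is quoted here. Take the complete patch from the lkml archive link posted earlier in this thread (or the 2.2.25 release the advisory mentions) rather than this cut-and-paste.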
Re: AW: Traffic monitoring
On Tue, 2003-03-18 at 16:04, debian-security wrote:

check out flowscan http://www.caida.org/tools/utilities/flowscan/ it gets close to what you want, assuming all the traffic is passing through a cisco router.

A better choice (IMHO) would be flow-tools at http://www.splintered.net/sw/flow-tools/ there is no debian package yet... but working on it :)

Description:

Flow-tools is a library and a collection of programs used to collect, send, process, and generate reports from NetFlow data. The tools can be used together on a single server or distributed to multiple servers for large deployments. The flow-tools library provides an API for development of custom applications for NetFlow export versions 1, 5, 6 and the 14 currently defined version 8 subversions. Perl and Python interfaces have been contributed and are included in the distribution.

Flow data is collected and stored by default in host byte order, yet the files are portable across big and little endian architectures.

Commands that utilize the network use a localip/remoteip/port designation for communication. localip is the IP address the host will use as a source for sending or bind to when receiving NetFlow PDUs (i.e. the destination address of the exporter). Configuring the localip to 0 will force the kernel to decide what IP address to use for sending and listen on all IP addresses for receiving. remoteip is the destination IP address used for sending or the expected address of the source when receiving. If the remoteip is 0 then the application will accept flows from any source address. The port is the UDP port number used for sending or receiving. When using multicast addresses the localip/remoteip/port is used to represent the source, group, and port respectively.

--
JJ van Gorkum
Knowledge Zone
If UNIX isn't the solution, you've got the wrong problem.
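The package description above talks about collecting NetFlow PDUs and the remoteip rule for which exporters a collector accepts. The following is an added example, written for this page and not part of flow-tools or of the original post, that decodes a NetFlow version 5 PDU (24-byte header plus 48-byte records, big-endian, as Cisco documents the v5 export format), applies the "remoteip 0 accepts any source" rule from the description, and produces a per-source byte report of the kind a collector would generate. The sample PDU is constructed in the block itself; no exporter, address or flow in it is real.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records,
# all fields big-endian.  Field names follow Cisco's v5 export documentation.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ADDR_FIELDS = ("srcaddr", "dstaddr", "nexthop")
MAX_RECORDS = 30


def accept_source(remoteip, src_ip):
    """flow-tools' remoteip rule: 0 accepts PDUs from any exporter, otherwise
    only PDUs whose UDP source address matches remoteip are taken."""
    return remoteip == "0" or IPv4Address(remoteip) == IPv4Address(src_ip)


def parse_v5(pdu):
    """Decode one v5 PDU into (header dict, list of record dicts).
    Length and count are validated before any record is touched, so a
    truncated or malformed datagram raises instead of yielding garbage."""
    if len(pdu) < V5_HEADER.size:
        raise ValueError("PDU shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(pdu, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {hdr['version']}")
    expected = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if hdr["count"] > MAX_RECORDS or len(pdu) < expected:
        raise ValueError("record count does not match PDU length")
    records = []
    for i in range(hdr["count"]):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(pdu, off)))
        for k in ADDR_FIELDS:                     # raw 4-byte -> dotted quad
            rec[k] = str(IPv4Address(rec[k]))
        records.append(rec)
    return hdr, records


def build_v5(records, uptime=1000, unix_secs=1047981600, seq=0):
    """Encode record dicts as a v5 PDU; used here only to construct sample input."""
    body = b"".join(
        V5_RECORD.pack(*[IPv4Address(r[f]).packed if f in ADDR_FIELDS else r.get(f, 0)
                         for f in RECORD_FIELDS])
        for r in records)
    hdr = V5_HEADER.pack(5, len(records), uptime, unix_secs, 0, seq, 0, 0, 0)
    return hdr + body


def octets_by_src(records):
    """Bytes sent per source address, largest first (a minimal flow report)."""
    totals = {}
    for r in records:
        totals[r["srcaddr"]] = totals.get(r["srcaddr"], 0) + r["dOctets"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


# Constructed sample flows (not captured traffic): two hosts on a private
# LAN talking to documentation-range addresses.
SAMPLE_FLOWS = [
    {"srcaddr": "10.0.0.5", "dstaddr": "192.0.2.10", "nexthop": "10.0.0.1",
     "dPkts": 10, "dOctets": 1200, "srcport": 34567, "dstport": 80, "prot": 6,
     "tcp_flags": 0x1b},
    {"srcaddr": "10.0.0.7", "dstaddr": "192.0.2.10", "nexthop": "10.0.0.1",
     "dPkts": 2, "dOctets": 200, "srcport": 5353, "dstport": 53, "prot": 17},
    {"srcaddr": "10.0.0.5", "dstaddr": "198.51.100.4", "nexthop": "10.0.0.1",
     "dPkts": 4, "dOctets": 300, "srcport": 40000, "dstport": 22, "prot": 6},
]
SAMPLE_PDU = build_v5(SAMPLE_FLOWS, seq=42)

if __name__ == "__main__":
    if accept_source("0", "10.0.0.1"):            # remoteip 0: any exporter
        header, flows = parse_v5(SAMPLE_PDU)
        print("seq", header["flow_sequence"], "records", header["count"])
        for src, octets in octets_by_src(flows).items():
            print(f"{src:>15}  {octets} bytes")
```

The count/length check matters on a collector because the PDU arrives over UDP from whatever source remoteip admits; with remoteip 0 that is anyone who can reach the port, so the parser must not trust the count field to describe the buffer it actually received.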
Re: ptrace vulnerability?
I usually make it a habit of only applying patches that come from seemingly authoritative sites. Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #125: Dumb terminal
Current OpenSSL vulnerability (CAN-2003-0147)
I have not seen any mention of this on this list. Is the current version (0.9.6c-2.woody.2) vulnerable to this current RSA issue?

Tuesday, March 18 2003

--
Timm Gleason
http://www.gleason.to/
http://www.uranushertz.to/
Quis custodiet ipsos custodes?

When a religion is good, I conceive it will support itself; and when it does not support itself, and God does not take care to support it so that its professors are obliged to call for help of the civil power, 'tis a sign, I apprehend, of its being a bad one. -- Benjamin Franklin

-PGP PUBLIC KEY BLOCK AVAILABLE-
Re: ptrace vulnerability?
You could try this link http://www.uwsg.iu.edu/hypermail/linux/kernel/0303.2/0226.html but I am not sure if it meets your criteria of authoritative.

From: Phillip Hofmeister [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: Tue, 18 Mar 2003 17:09:10 -0500

I usually make it a habit of only applying patches that come from seemingly authoritative sites. Could anyone make a reference to an authoritative site that would contain this patch? I have been snooping around kernel.org with no success...

--
Phil
unsubscribe
Re: ptrace vulnerability?
Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean like a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago.
From: Mark Janssen [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Jason Rashaad Jackson [EMAIL PROTECTED]
CC: Giacomo Mulas [EMAIL PROTECTED], debian-security@lists.debian.org
Subject: Re: ptrace vulnerability?
Date: 18 Mar 2003 22:11:38 +0100

On Tue, 2003-03-18 at 21:40, Jason Rashaad Jackson wrote:

His announcement is Slashdotted, and I'm seeing no notice of which versions are affected! I'm running 2.4.18 on all my Debian servers, please tell me what's going on.

Here's a cut and paste from Lwn.net :)

Ptrace vulnerability in 2.2 and 2.4 kernels

From: Alan Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Ptrace vulnerability in Linux 2.2/2.4
Date: Mon, 17 Mar 2003 11:00:16 -0500 (EST)

Vulnerability: CAN-2003-0127

The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows local users to obtain full privileges. Remote exploitation of this hole is not possible. Linux 2.5 is not believed to be vulnerable.

Linux 2.2.25 has been released to correct Linux 2.2. It contains no other changes. The bug fixes that would have been in 2.2.5pre1 will now appear in 2.2.26pre1. The patch will apply directly to most older 2.2 releases.

A patch for Linux 2.4.20/Linux 2.4.21pre is attached. The patch also subtly changes the PR_SET_DUMPABLE prctl. We believe this is necessary and that it will not affect any software. The functionality change is specific to unusual debugging situations.

We would like to thank Andrzej Szombierski who found the problem, and wrote an initial patch. Seth Arnold cleaned up the 2.2 change. Arjan van de Ven and Ben LaHaise identified additional problems with the original fix.

Alan

diff -purN linux.orig/arch/alpha/kernel/entry.S linux/arch/alpha/kernel/entry.S --- linux.orig/arch/alpha/kernel/entry.SThu Mar 13 12:01:46 2003 +++ linux/arch/alpha/kernel/entry.S Thu Mar 13 13:28:49 2003
@@ -231,12 +231,12 @@ kernel_clone: .end kernel_clone /* - * kernel_thread(fn, arg, clone_flags) + * arch_kernel_thread(fn, arg, clone_flags) */ .align 3 .globl kernel_thread .ent kernel_thread -kernel_thread: +arch_kernel_thread: ldgp$29,0($27) /* we can be called from a module */ .frame $30, 4*8, $26 subq$30,4*8,$30 diff -purN linux.orig/arch/arm/kernel/process.c linux/arch/arm/kernel/process.c --- linux.orig/arch/arm/kernel/process.cThu Mar 13 12:01:29 2003 +++ linux/arch/arm/kernel/process.c Thu Mar 13 13:25:56 2003 @@ -366,7 +366,7 @@ void dump_thread(struct pt_regs * regs, * a system call from a real process, but the process memory space will * not be free'd until both the parent and the child have exited. */ -pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) +pid_t arch_kernel_thread(int (*fn)(void *), void *arg, unsigned long flags) { pid_t __ret; diff -purN
Re: OT: Is it so easy to break into an NIS?
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

A friend just asked me this question and I got curious. Say I'm equipped with a linux laptop and some knowledge, I can walk into a company that uses NIS, find out the settings (NISDOMAIN, free ip address, etc...) and join their domain. Now I can login as root on my computer, su to any user and see/change/delete his files. Is it that easy?

On a typical NIS/NFS setup, it's pretty easy from a workstation to break into other files on the NFS shares. Breaking into the NIS/NFS master is and should be extremely non-trivial.

NIS is typically used only inside organisations where random members of the public aren't given free rein to plug in their laptops and snoop. (Employees can try that, but have a lot to lose if caught at it.)

Networks needing a greater degree of privacy and authentication can try AFS/Kerberos (entailing non-free server-end software). Substituting LDAP-SSL for NIS is arguably a step forward, but then NFS remains a problem (No Friggin' Security).

--
Cheers,
Rick Moen
[EMAIL PROTECTED]

The genius of you Americans is that you never make clear-cut stupid moves, only complicated stupid moves that make us wonder at the possibility that there may be something to them that we are missing. --Gamel Abdel Nasser
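The reason the answer above calls NFS "No Friggin' Security" is that with the default AUTH_SYS flavour the server believes whatever UID and GID the client kernel asserts, which is exactly what a laptop whose owner is root can assert at will; the Kerberos route it mentions replaces that client-side claim with a ticket. The following is an added example, not from the original post or from any NFS project, that reads an /etc/exports file and flags the export clauses that still rely on the client's word: sec=sys (the default when no sec= option is given) combined with wildcard clients, writable sec=sys exports that do not force all_squash, no_root_squash, and insecure. The exports text is constructed inline for the example; the option names and defaults (root_squash and sec=sys when unspecified) are those of the Linux exports(5) format.

```python
import re
import shlex

# Constructed sample /etc/exports; no real host or share is described here.
SAMPLE_EXPORTS = """\
# constructed example, not a real configuration
/home        *(rw,no_root_squash)
/srv/proj    10.0.0.0/24(rw,sync,root_squash)
/srv/pub     *.example.org(ro,all_squash)
/srv/krb     10.0.0.0/24(rw,sec=krb5p,root_squash)
"""

# A client spec is "host" or "host(opt,opt,...)"; host may be a wildcard,
# a netgroup, or a CIDR block.
CLIENT_RE = re.compile(r"^(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return (path, host, option-set) for every client clause in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = shlex.split(line)                    # paths may be quoted
        path, clients = parts[0], parts[1:] or ["*"]  # no client given: exported to all
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            entries.append((path, m.group("host"), opts))
    return entries


def audit_export(path, host, opts):
    """Findings for one clause, phrased as the risk each setting carries."""
    findings = []
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
    # sec= may list several flavours (e.g. krb5p:sys); if sys is allowed at
    # all, a client may simply pick it and assert any UID it likes.
    trusts_client_uid = "sys" in sec.split(":")
    writable = "rw" in opts
    if trusts_client_uid:
        if "*" in host:
            findings.append(f"{path}: wildcard client '{host}' with sec=sys "
                            "(any reachable host may claim any UID)")
        if writable and "all_squash" not in opts:
            findings.append(f"{path}: rw with sec=sys and no all_squash "
                            "(a rogue client can write as any non-root user)")
    if "no_root_squash" in opts:
        findings.append(f"{path}: no_root_squash (client root becomes server root)")
    if "insecure" in opts:
        findings.append(f"{path}: insecure (requests accepted from unprivileged ports)")
    return findings


def audit(text):
    """Map 'path host' -> list of findings for the whole exports file."""
    return {f"{path} {host}": audit_export(path, host, opts)
            for path, host, opts in parse_exports(text)}


if __name__ == "__main__":
    for clause, findings in audit(SAMPLE_EXPORTS).items():
        status = "ok" if not findings else f"{len(findings)} finding(s)"
        print(f"{clause:<28} {status}")
        for f in findings:
            print("   -", f)
```

Run against a real server, read the file instead of the constructed string and treat an empty findings list as "nothing obviously wrong", not as proof of safety: it cannot see whether the Kerberos realm behind sec=krb5p is itself sound, or whether the NIS maps that feed the UIDs are trustworthy.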
Re: ptrace vulnerability?
New one. The attached module seems to block the currently circulating exploit; I didn't write it, so don't email me if it breaks your system.

On Tuesday 18 March 2003 17:39, Steve Meyer wrote:

Correct me if I am wrong, but is the ptrace vulnerability not a fairly old one? By old I mean like a couple of years. Or is this a completely different ptrace vulnerability? I know there was info about a ptrace vulnerability at http://packetstormsecurity.com including the working exploit code a couple of years ago.

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
To alcohol! The Cause of AND solution to all of life's problems. Alcohol is a way of life. Alcohol is my way of life, and I aim to keep it. -Homer Simpson

Attachment: block_ptrees.tgz (application/tgz)