*BSD News Article 93997



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!news.mathworks.com!mvb.saic.com!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 20 Apr 1997 17:35:09 GMT
Organization: Pacifier BBS, Vancouver, Wa.  ((360) 693-0325)
Lines: 89
Message-ID: <DERAADT.97Apr20113509@zeus.pacifier.com>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@FreeBSD.org>
	<DERAADT.97Apr18181055@zeus.pacifier.com> <5jdgaf$34i@cynic.portal.ca>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: cjs@cynic.portal.ca's message of 20 Apr 1997 09:30:07 -0700
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6683 comp.unix.bsd.misc:3021 comp.security.unix:33758


In article <5jdgaf$34i@cynic.portal.ca> cjs@cynic.portal.ca (Curt Sampson) writes:

   In article <DERAADT.97Apr18181055@zeus.pacifier.com>,
   Theo de Raadt <deraadt@theos.com> wrote:
   >
   >Yeah, FreeBSD has fixed a few holes.

   As has OpenBSD. Although I notice your FTP server still has no way
   of doing anonymous uploads that are secure from abuse by warez-traders.

Oh my, how relevant!

You've been looking at our ftp server source?  We had a lot of fun
fixing problems in there.  About 6 people have worked in there.  There
were a lot of quirky bugs which might conceivably be used in bad ways.
As well as the obvious security problem here or there, some nasty,
some not.

Yeah, there are still bugs in our ftpd.  Especially that horrible
misuse of yacc and longjmp and the quirky lexer that, well, isn't
really a normal lexer and..  but we think that quirk isn't a real
hole, just a quirky command input bug.  We tried to be as careful as
we could be.

However the NetBSD ftpd and the entire rest of the NetBSD tree still
appears to have NO checks for the ftp bounce problem.  Even something
so basic!  And the source routing controls in the kernel appear
completely insufficient compared to the threat.  I could dump a large
list of undealt problems here simply by listing problems discussed on
bugtraq.

At this point I could probably bring up some biblical analogy about a
very large piece of wood being stuck in your eye.

   But heck, let's spend our time making snide comments instead of
   working to fix security problems and share the information so that
   the fixes can be as widely distributed as possible.

Yes, Curt, that's exactly what you are doing!!!

I look forward to the day we are able to look at cvs logs for the
NetBSD source tree!  So that we can see some sharing of information
from the other side, if you know what I mean.

In the meantime, anyone who is interested in the OpenBSD ftpd can do:

setenv CVSROOT anoncvs@anoncvs.openbsd.org:/cvs
setenv CVS_RSH ssh
cvs get src/libexec/ftpd
cd src/libexec/ftpd
cvs log ftpd.c

Oh my god, there's a lot of fixes in there!  Curt, you are
`fictionalizing' when you make statements to suggest that members of
the OpenBSD project are not "working to fix security problems" or do
not "share the information".  It's all there, anyone can read the
diffs and logs.  The fixes are there, and they are shared with the
world.

To be read by ANYONE.  EVERYONE.  The information is all out there.

I know for a fact that a lot of crackers are looking at our diffs,
because it often tells them how other systems are vulnerable.  If
anyone doesn't like this: Tough.  Get with the times.  The group you
get your operating system from is being slack.

If that isn't the exact form of information sharing that you would
like to see, please tell me what kind you want.  Perhaps you'd like me
to send mail to the NetBSD core group every day telling them of
another hole they've not fixed.

"Hello, you've still not fixed port rebinding with less specific
bindings, port 2049 is wide open for reuse and monitoring by any user
-- I sure am glad I don't run your insecure operating system!"

"Hi!  Me again!  You wouldn't believe the things you can cause a
portmap to do if you spoof packets. Don't your users run rpc
services?"

Oh, and about "making snide comments".  Oh ok, I'll admit it.
Sometimes a snide comment or two helps to increase awareness.  Curt,
have fun fixing your ftpd.  It certainly is a good place to start.
And if reading our logs and diffs increases your awareness of the
problems, please remember to give credit to the people who worked on
ours, ok?  When we got fixes from other people, we gave credit.
--
This space not left unintentionally unblank.		deraadt@openbsd.org
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)
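The post refers to "the ftp bounce problem" in passing. The standard server-side mitigation, which the BSD ftpds of that era adopted, is to refuse a PORT command whose data-connection target is not the client's own control-connection address, or whose port lies in the reserved range. The following is an added illustration of that check, not code from the post or from any BSD ftpd; the function names, the sample client address 192.0.2.10 and the sample PORT arguments are constructed for the example.

```python
# Added example (not from the original post or from any BSD ftpd source):
# validating an FTP PORT command so that the data connection can only go
# back to the client that opened the control connection, and only to an
# unprivileged port there. Names and sample values are constructed.

import ipaddress

IPPORT_RESERVED = 1024  # classic BSD boundary for privileged ports


class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed or must be refused."""


def parse_port_argument(arg):
    """Parse the RFC 959 'h1,h2,h3,h4,p1,p2' form into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise PortCommandError("PORT needs six comma-separated numbers")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise PortCommandError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise PortCommandError("PORT fields must be in 0..255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def validate_port_command(arg, control_peer_ip):
    """Return (ip_string, port) if the PORT target is acceptable, else raise.

    Two refusals implement the anti-bounce policy:
      * the target address must equal the control connection's peer, so the
        server cannot be steered into opening connections to third hosts;
      * the target port must not be below IPPORT_RESERVED, so the server
        cannot be steered into privileged services on the client's host.
    """
    ip, port = parse_port_argument(arg)
    peer = ipaddress.IPv4Address(control_peer_ip)
    if ip != peer:
        raise PortCommandError(
            "PORT address %s does not match control peer %s" % (ip, peer))
    if port < IPPORT_RESERVED:
        raise PortCommandError("PORT port %d is in the reserved range" % port)
    return str(ip), port


def check_port_command(arg, control_peer_ip):
    """Wrap validation in an FTP-style reply: (code, text, accepted)."""
    try:
        validate_port_command(arg, control_peer_ip)
    except PortCommandError as e:
        return (500, "Illegal PORT command: %s" % e, False)
    return (200, "PORT command successful", True)


if __name__ == "__main__":
    # Constructed sample: a client at 192.0.2.10 issuing several PORT commands.
    peer = "192.0.2.10"
    for arg in ("192,0,2,10,4,1",      # port 1025 on the client itself: accepted
                "192,0,2,10,0,25",     # port 25 on the client: reserved, refused
                "198,51,100,7,4,1",    # a different host: refused
                "192,0,2,10,4"):       # malformed: refused
        print(arg, "->", check_port_command(arg, peer))
```

The same policy applies to the PASV side in reverse: the server should accept a data connection only from the address that owns the control connection. The port arithmetic (`p1 * 256 + p2`) and the six-field form are straight from RFC 959; everything else here is the added check.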