Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!news.mathworks.com!mvb.saic.com!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 20 Apr 1997 17:35:09 GMT
Organization: Pacifier BBS, Vancouver, Wa. ((360) 693-0325)
Lines: 89
Message-ID: <DERAADT.97Apr20113509@zeus.pacifier.com>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@FreeBSD.org> <DERAADT.97Apr18181055@zeus.pacifier.com> <5jdgaf$34i@cynic.portal.ca>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: cjs@cynic.portal.ca's message of 20 Apr 1997 09:30:07 -0700
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6683 comp.unix.bsd.misc:3021 comp.security.unix:33758

In article <5jdgaf$34i@cynic.portal.ca> cjs@cynic.portal.ca (Curt Sampson) writes:

> In article <DERAADT.97Apr18181055@zeus.pacifier.com>, Theo de Raadt <deraadt@theos.com> wrote:
> >
> > Yeah, FreeBSD has fixed a few holes. As has OpenBSD.
>
> Although I notice your FTP server still has no way of doing anonymous
> uploads that are secure from abuse by warez-traders.

Oh my, how relevant!

You've been looking at our ftp server source? We had a lot of fun fixing
problems in there. About 6 people have worked in there. There were a lot
of quirky bugs which might conceivably be used in bad ways. As well as
the obvious security problem here or there, some nasty, some not.

Yeah, there are still bugs in our ftpd. Especially that horrible misuse
of yacc and longjmp and the quirky lexer that, well, isn't really a
normal lexer and.. but we think that quirk isn't a real hole, just a
quirky command input bug. We tried to be as careful as we could be.

However the NetBSD ftpd and the entire rest of the NetBSD tree still
appears to have NO checks for the ftp bounce problem. Even something so
basic!

And the source routing controls in the kernel appear completely
insufficient compared to the threat.

I could dump a large list of undealt problems here simply by listing
problems discussed on bugtraq.

At this point I could probably bring up some biblical analogy about a
very large piece of wood being stuck in your eye.

> But heck, let's spend our time making snide comments instead of working
> to fix security problems and share the information so that the fixes
> can be as widely distributed as possible.

Yes, Curt, that's exactly what you are doing!!!

I look forward to the day we are able to look at cvs logs for the NetBSD
source tree! So that we can see some sharing of information from the
other side, if you know what I mean.

In the meantime, anyone who is interested in the OpenBSD ftpd can do:

	setenv CVSROOT anoncvs@anoncvs.openbsd.org:/cvs
	setenv CVS_RSH ssh
	cvs get src/libexec/ftpd
	cd src/libexec/ftpd
	cvs log ftpd.c

Oh my god, there's a lot of fixes in there!

Curt, you are `fictionalizing' when you make statements to suggest that
members of the OpenBSD project are not "working to fix security
problems" or do not "share the information". It's all there, anyone can
read the diffs and logs. The fixes are there, and they are shared with
the world. To be read by ANYONE. EVERYONE. The information is all out
there. I know for a fact that a lot of crackers are looking at our
diffs, because it often tells them how other systems are vulnerable. If
anyone doesn't like this: Tough. Get with the times. The group you get
your operating system from is being slack.

If that isn't the exact form of information sharing that you would like
to see, please tell me what kind you want. Perhaps you'd like me to
send mail to the NetBSD core group every day telling them of another
hole they've not fixed.

"Hello, you've still not fixed port rebinding with less specific
bindings, port 2049 is wide open for reuse and monitoring by any user --
I sure am glad I don't run your insecure operating system!"

"Hi! Me again! You wouldn't believe the things you can cause a portmap
to do if you spoof packets. Don't your users run rpc services?"

Oh, and about "making snide comments". Oh ok, I'll admit it. Sometimes
a snide comment or two helps to increase awareness.

Curt, have fun fixing your ftpd. It certainly is a good place to start.
And if reading our logs and diffs increases your awareness of the
problems, please remember to give credit to the people who worked on
ours, ok? When we got fixes from other people, we gave credit.
--
This space not left unintentionally unblank.
deraadt@openbsd.org www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
(If it wasn't so fascinating I might get some sleep myself...)
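The post criticises an ftpd for having "NO checks for the ftp bounce problem" but does not spell out what such a check looks like. The following is an added example, written for this archive page and not code from OpenBSD's ftpd or from any poster in the thread. It shows the server-side rule that defeats the bounce abuse of the RFC 959 PORT command: a data connection is only ever opened back to the host that owns the control connection, and only to an unprivileged port. The reply codes, the 1024 privileged-port threshold (IPPORT_RESERVED on BSD-derived systems) and the sample session are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption: ports below this are privileged, as on BSD-derived systems.
IPPORT_RESERVED = 1024


def parse_port_argument(arg: str) -> Optional[Tuple[str, int]]:
    """Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2" (RFC 959).

    Returns (dotted_ip, port), or None when the argument is malformed.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        return None
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    return ip, port


def check_port_command(control_peer_ip: str, arg: str) -> Tuple[bool, str]:
    """Decide whether a PORT command may be honoured for a data connection.

    Anti-bounce rule: the requested data address must be the same host that
    opened the control connection, and the port must not be privileged.
    Returns (accepted, reply_line); reply codes are illustrative assumptions.
    """
    parsed = parse_port_argument(arg)
    if parsed is None:
        return False, "501 Syntax error in PORT argument"
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        # A third-party address is exactly the bounce case: refuse it.
        return False, "504 PORT address must match the control connection"
    if port < IPPORT_RESERVED:
        # Even back to the client itself, do not connect to a service port.
        return False, "504 PORT to a privileged port is not allowed"
    return True, "200 PORT command successful"


# Constructed sample session: (address of the control-connection peer,
# PORT argument the client sent). Documentation addresses only.
SAMPLE_PORT_COMMANDS = [
    ("192.0.2.10", "192,0,2,10,4,1"),     # client's own host, port 1025: ok
    ("192.0.2.10", "198,51,100,7,0,25"),  # some other host, port 25: bounce
    ("192.0.2.10", "192,0,2,10,0,80"),    # client's host but port 80: refuse
    ("192.0.2.10", "192,0,2,10,4"),       # malformed argument
]


def evaluate_session(commands: List[Tuple[str, str]]) -> List[Tuple[bool, str]]:
    """Run the check over a list of (peer_ip, PORT argument) pairs."""
    return [check_port_command(peer, arg) for peer, arg in commands]


if __name__ == "__main__":
    for (peer, arg), (ok, reply) in zip(SAMPLE_PORT_COMMANDS, evaluate_session(SAMPLE_PORT_COMMANDS)):
        print(f"peer={peer:<12} PORT {arg:<20} -> {reply}")
```

Only the second and third rules are the substance of the check; the syntax check exists so that a malformed argument cannot slip past the comparison as an unexpected address. A server that also supports passive mode needs the mirror-image rule for PASV, accepting the data connection only from the control-connection peer.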