FreeBSD 2.2.5 Security problem

From: Missouri FreeNet Administration (measlat_private)
Date: Sat Jan 02 1999 - 14:14:22 PST


    Greetings, how is everyone after the 30 day pig-out? ;-0
    
    We originally posted this problem to the FreeBSD GNATS system on
    December 20th, and still haven't heard so much as an acknowledgement
    of the report (GNATS#: i386/9141).  I figured with the holidays, they
    were all busy, and would [eventually] get to it, but today I checked
    and saw that several GNATS reports on either side of this one (some
    as recent as today) have been looked at, processed, and even closed!
    So...
    
    FreeBSD 2.2.5-R (other revs not tested) fails to log penetration attempts
    on quiescent systems properly when using syslog (to any target).  Failed
    login attempts (*any* number of them) will not be reported until a user name
    which is *different* from the failed name is entered.  For example, I can
    attempt to penetrate the root password *all day long* without getting a
    syslog report, provided a name other than root is not entered.  The reason
    for this is that there is an attempt to de-verbosify syslog reporting in
    FBSD which accumulates a counter for events, and then reports a cumulative
    total.  In this attempt to save verbiage, they are tallying all the failed
    attempts, *rather* than *reporting* them!
    
    This is (obviously) not going to be an issue on a busy system, as
    *someone* other than the target account is likely to log in and flush the
    counter report, but on a selected system, such as a name server, this
    could be a devastating flaw...
    
    
    Yours,
    J.A. Terranson
    sysadminat_private
    
    --
    If Governments really want us to behave like civilized human beings, they
    should give serious consideration towards setting a better example:
    Ruling by force, rather than consensus; the unrestrained application of
    unjust laws (which the victim-populations were never allowed input on in
    the first place); the State policy of justice only for the rich and
    elected; the intentional abuse and occasionally destruction of entire
    populations merely to distract an already apathetic and numb electorate...
    This type of demagoguery must surely wipe out the fascist United States
    as surely as it wiped out the fascist Union of Soviet Socialist Republics.
    
    The views expressed here are mine, and NOT those of my employers,
    associates, or others.  Besides, if it *were* the opinion of all of
    those people, I doubt there would be a problem to bitch about in the
    first place...
    --------------------------------------------------------------------
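The accounting flaw described in the post above, modelled as an added simulation for defenders who want to see why the log stays silent. This is constructed illustration code, not FreeBSD's login(1) or syslogd source; the class `FailureTally`, its methods and the message texts are assumptions chosen to mirror the behaviour the report describes (failures tallied per user name, one cumulative record emitted only when a different name is entered). The `report_each` switch shows the obvious mitigation: emit every failure as it happens and keep the cumulative line only as a summary.

```python
"""Simulation of login-failure accounting that tallies instead of reporting.
Constructed example; not FreeBSD code. Names and messages are assumptions."""


class FailureTally:
    """Models the 'de-verbosified' policy: failures for one user name are
    counted and a single cumulative record reaches syslog only when a
    *different* name is entered or the session ends. With report_each=True
    every failure is logged immediately and the tally is just a summary."""

    def __init__(self, report_each=False):
        self.report_each = report_each
        self.syslog = []            # lines that actually reach the syslog target
        self._last_name = None
        self._failures = 0

    def _report_cumulative(self):
        # Emit the tally for the previous user name, if any, then reset it.
        if self._failures:
            plural = "S" if self._failures > 1 else ""
            self.syslog.append(
                f"{self._failures} LOGIN FAILURE{plural} for {self._last_name}")
        self._failures = 0

    def attempt(self, name, ok):
        """Record one login attempt. `ok` is the authentication outcome
        supplied by the caller; no credential check happens in this model."""
        if name != self._last_name:
            # A different user name flushes the previous tally: this is the
            # only event (besides session end) that makes the report visible.
            self._report_cumulative()
            self._last_name = name
        if ok:
            self._report_cumulative()
            return True
        self._failures += 1
        if self.report_each:
            # Mitigated policy: report each failure when it happens.
            self.syslog.append(f"LOGIN FAILURE for {name}")
        return False

    def end_session(self):
        self._report_cumulative()


def simulate(attempts, report_each=False):
    """Run a sequence of (name, ok) attempts and return the syslog lines."""
    tally = FailureTally(report_each=report_each)
    for name, ok in attempts:
        tally.attempt(name, ok)
    return list(tally.syslog)


# Constructed input: five rejected guesses at "root" on a quiescent host.
QUIET_HOST = [("root", False)] * 5


def log_lines_during_guessing(report_each=False):
    """What syslog sees while only the target account is being tried."""
    return simulate(QUIET_HOST, report_each)


def log_lines_after_other_user(report_each=False):
    """What syslog sees once somebody else logs in and flushes the tally."""
    return simulate(QUIET_HOST + [("guest", True)], report_each)


if __name__ == "__main__":
    print("tallying policy, during guessing:", log_lines_during_guessing())
    print("tallying policy, after other user:", log_lines_after_other_user())
    print("per-failure policy, during guessing:",
          log_lines_during_guessing(report_each=True))
```

With the tallying policy the first call returns an empty list: nothing reaches syslog no matter how many attempts are made against one name, which is exactly the gap a detection rule keyed on "LOGIN FAILURE" would never see on an idle name server. Only the later login by a different user produces the single "5 LOGIN FAILURES for root" line.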
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:05 PDT