Ted,

I did take it to the security list (freebsd-security@freebsd.org). Since I did not actually know if this was an issue yet, I figured I would ask the appropriate list before sending it directly to the security officers. I'd rather not waste their time until I knew it was an issue.

I guess maybe you don't subscribe to that list. At the time, neither did I, because I can't subscribe to ALL of the lists...

The answer was that your patch was flawed, and that there was already a patch for it in CVS anyway.

I figured from your high chair, that you would have seen the post when it was made this morning, and the response back from one of the people on the list about it.

I didn't feel the need to update you about it since you've been so friendly to me. And since no one else joined in on the conversation, I figured I would let that info sit on the security list for people to find.

Tim.


Ted Mittelstaedt wrote:

You STILL haven't taken this to the correct security mailing list, after
being told gently, then yelled at, then told firmly.  What do we have to
do to get you to do this?

Ted

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
Sent: Friday, May 20, 2005 9:33 AM
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability


Ted,

you just can't stop being a dickhead, can you???

I admitted what I did wrong (unlike you), and yes, I posted this to the wrong list. Big deal. A lot of things get posted to this list that are a thousand times worse.

Get off your high horse, and maybe use some manners instead of barking orders at everyone. I don't know which is worse. Trolls, or those that scream troll at the drop of a hat.

Tim.


Ted Mittelstaedt wrote:

Tim,

In my first e-mail I said:

"If it works I would submit it to the FreeBSD security list"

OK, so I see how you might have misinterpreted that. But the sentence "if it works you would submit it to the FreeBSD security list" isn't grammatically correct.

In my second e-mail I said:

"I told you to post the patch and info to the appropriate FreeBSD security lists, and you aren't the least bit interested in doing what I told you"

On the index page of http://www.freebsd.org there is a link called "FAQ". On that page is a link called "Security".

On that page is the text:

"...This point and others are often discussed on the mailing lists, particularly the FreeBSD security mailing list...."

with a link to the appropriate mailing list.

I find it real hard to believe you use FreeBSD on hundreds of servers and are unaware of the appropriate forum to post security questions. The general freebsd questions mailing list is not this place. You should have known this before you even posted your first question. Reading instructions for products that you use is not optional, it is mandatory, and FreeBSD's instructions are on the website.

You posted your query in the wrong forum, you got a patch in response which is far more than you should have got, you were directed, hinting at first, forcibly at second, to go to the appropriate forum to post the patch, the results of the patch, and your security questions. You still, as far as I know, have not done this.

So, OK, maybe you're not a troll and I assumed wrong. But I will point out that you said absolutely nothing in your first post about who you are, what you are doing, why you even give a shit about this issue. If you had simply opened your first post with "I was shown this vulnerability by our network security person and I have to respond to him in some fashion" or something like that, it would have gone a long way towards establishing credibility as to why you cared about this. If even better you had done a bit of research and said "well the vulnerability shows that OpenBSD already patched for this, maybe FreeBSD should" or if even better than that you had said "I looked at the OpenBSD patch and it's really simple, could we use it on FreeBSD" that would have done a lot to establishing that you were at least willing to offer help and assistance.

Instead, reread your second post - you not once offered to do anything, not even apply the patch to see if it compiled, all you did is ask for yet more research to be done for you. Well we all are busy, you don't have a lock on that, buddy.

Apply the patch. If the FreeBSD system doesn't panic then the patch isn't grossly wrong. If you do not have a test system then don't apply it. Either way, just take the patch to the appropriate FreeBSD security forum and post it with "some asshole on questions told me to apply this in results of <insert all research on this> is this the right way to fix it?"

As I said, IF you are a fucking troll then you WOULDN'T do the above. That means that if you WOULD do the above then you AREN'T a fucking troll. You still have a chance to redeem yourself. Do it!

FreeBSD is for adults, not kids. Kids want the adults to do all their homework for them. Adults at least try to do the homework, then call for help when they are stuck. Look at your first 2 posts again and put yourself in my shoes - do those posts make you look like an adult, or a whiny kid wanting someone to do his homework for him?

Ted

-----Original Message-----
From: Tim Traver [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 11:24 PM
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability


Ted,

I don't know your experience lately with people on this or any other list, but that last personal attack was WAY out of line. I am not a Troll, nor have I ever been one. I use FreeBSD extensively on hundreds of servers, but I am not a FreeBSD source contributor.

Yes, I was shown this "vulnerability" by our network security person, read it over, and thought that it might be a legitimate exploit. I even picked up on the fact that Microsoft had already patched it in the service pack 2, which may mean that it was under wraps for a while, and was suspicious. So, after doing a little research on the net myself and not finding much, I decided to post something to the list to see if anyone had heard anything about it, and if the FreeBSD committers were working on a possible patch. Maybe I wrote my post wrong, but it didn't deserve you biting my fucking head off.

Now, you'll probably start in on "well, if you run that many servers, then why don't you know what you're doing?". I do know what I'm doing. I would very well be able to apply your patch, and compile a new system. Problem is, I'm afraid I don't quite understand the vulnerability enough to properly test what it is supposed to fix...

I would first need a way to break it, and then after applying your patch, verify that I couldn't break it any longer. If I knew how to break it, then I would be a better programmer than you, which I am not, and have never claimed to be. From the description of the issue, it sounds like a single cleverly made TCP packet with a bogus timestamp on it could take down ALL of the TCP connections to that machine.

To quote the article:
"A large value is set by the attacker as the packet timestamp. When the target computer processes this packet, the internal timer is updated to the large attacker supplied value. This causes all other valid packets that are received subsequent to an attack to be dropped as they are deemed to be too old, or invalid."

That sounds like it is pretty serious to me. One packet takes down ALL TCP services to the machine. You make it sound like it's no big deal... Is it valid? I don't know. I never claimed to know. I wasn't crying wolf here, just asking...

So, my statement of "I'm not sure I have the ability to test out your patch." should really have been, "I don't have the knowledge enough of the vulnerability to test whether or not your patch works."

And I would hardly consider "If it works, I would submit it to the security list" as some sort of command that I was supposed to follow. After reading that email, I thought that you were going to submit it to the security list. After all, it's your fucking patch.

I am slowly working my way into the community, and would love to help with these kind of things. But, like many other busy sys admins, I don't have a whole lot of spare time to work on things like this. Yes, if it was a serious problem enough to where I had to have a patch right away, I might have to devote some work time and give it a try for the team. I'm not sure that I know how serious it is, as I've already stated that I don't fully understand the supposed "vulnerability".

I hardly made any kind of desperate demands for someone to quickly make me a patch. You might want to go re-read those posts...

I can understand why you may have suspected troll because of the vague questions, but man, you flew off the handle awfully quick. Maybe you just need a vacation.

You bashed OpenBSD for their knee jerk reactions, and I think you just made a big one...

Tim.
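The receiver-side mechanism quoted from the article above, modeled as an added example (constructed here, not code from the thread or from FreeBSD): the original update path records the timestamp of any segment starting at or before `last_ack_sent`, so a stale segment with a huge timestamp poisons `ts_recent` and the next legitimate segment fails PAWS; the span check the thread's patch borrows from OpenBSD, applied as the only assignment, ignores that segment. The `tcb_t` fields, the `seq_leq` helper and the scenario values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the two TCB fields the thread's patch touches;
 * not FreeBSD's struct tcpcb. */
typedef struct {
    uint32_t ts_recent;      /* newest timestamp accepted from the peer */
    uint32_t last_ack_sent;  /* left edge of the window we last ACKed */
} tcb_t;

/* Wrap-safe sequence compare, same idea as the kernel's SEQ_LEQ macro. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* The PAWS test (RFC 1323): a segment whose timestamp is older than
 * ts_recent is dropped. Poisoning ts_recent is what the article describes. */
static bool paws_reject(const tcb_t *tp, uint32_t tsval) {
    return tp->ts_recent != 0 && (int32_t)(tsval - tp->ts_recent) < 0;
}

typedef void (*ts_update_fn)(tcb_t *, uint32_t, uint32_t, bool, uint32_t);

/* Original behaviour: any segment starting at or before last_ack_sent
 * records its timestamp, even one lying wholly outside the window. */
static void ts_update_vulnerable(tcb_t *tp, uint32_t seq, uint32_t tlen,
                                 bool synfin, uint32_t tsval) {
    (void)tlen; (void)synfin;
    if (seq_leq(seq, tp->last_ack_sent))
        tp->ts_recent = tsval;
}

/* Span check from the OpenBSD-derived patch, used as the only assignment:
 * the segment must also extend to last_ack_sent (SYN/FIN count as one). */
static void ts_update_hardened(tcb_t *tp, uint32_t seq, uint32_t tlen,
                               bool synfin, uint32_t tsval) {
    if (seq_leq(seq, tp->last_ack_sent) &&
        seq_leq(tp->last_ack_sent, seq + tlen + (synfin ? 1u : 0u)))
        tp->ts_recent = tsval;
}

/* Scenario (constructed): peer timestamps are around 1000 and the window
 * edge is 5000. A stale 10-byte segment at seq 100 arrives carrying
 * timestamp 0x7fffffff. Returns true if the next legitimate segment
 * (timestamp 1001) still passes PAWS afterwards. */
static bool next_valid_segment_accepted(ts_update_fn update) {
    tcb_t tp = { .ts_recent = 1000, .last_ack_sent = 5000 };
    update(&tp, 100, 10, false, 0x7fffffffu);
    return !paws_reject(&tp, 1001);
}
```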




Ted Mittelstaedt wrote:
Hi Tim,

If you don't have the ability to test out the patch then LEARN!

As the advisory said "no known exploits have been released". I also noticed that the only 2 vendors listed as implementing a fix were Cisco and Microsoft. And Microsoft was NOT on the problem list for ANY of their patched OSs. I would therefore assume that the release of this so-called vulnerability was carefully timed to take place AFTER Microsoft had got its ass covered, to make them look good, and everyone else look bad. I continue therefore to assume that this is a political security hole, not an actual security hole.

OpenBSD is well known for knee-jerk reactions to real and supposed security holes, so it's not surprising they released a patch right away - of course, little good that did them since this advisory trashed them anyway. But knee jerk reactions don't always take all variables into account.

I rewrote their patch because it was simple and easy to apply to the FreeBSD source - but I did not write the networking code in FreeBSD and have no idea if it is correct, or if OpenBSD even wrote the fix properly, or if in fact this is a real vulnerability that anyone needs to be concerned about. In theory, any flat-key lock can be picked in less than a minute (I've seen it done that fast, and done it myself somewhat more slowly) but that does not stop millions of them from being sold at Home Depot every year. If people went to a different type of lock that was much harder to pick then the burglar might not break in by picking the lock - but instead by kicking in the door which has the side effect of destroying the door and frame, and there's a couple thousand bucks lost right there fixing that - and if all the burglar does is steal a $200 TV set, then you're better off with the pickable lock. The point is that any change in the networking code may have side effects that are worse than the problem.

I posted the patch in order to head off a big long dumbass trashing discussion, because I suspected you were trolling - but I was willing to give you the benefit of the doubt. If you were really concerned - such as if you worked for some company that had some stick-up-their-ass security officer that was bigger than his britches, and you had to have a fix RIGHT NOW - then this would have allowed you to apply the patch to shut up the bigger-than-britches security officer so you could continue about your business. In the meantime then the networking and security group could have had discussion about the PROPER way to handle this. Probably that's this patch, but maybe not.

Now I find what? Well, it surely looks to me like I just spoiled your troll, so you're going to pretend it was no big deal, make a lame-ass excuse about how you really didn't need the patch anyway and can't apply it because you're incompetent, and fade into the woodwork. I told you to post the patch and info to the appropriate FreeBSD security lists, and you aren't the least bit interested in doing what I told you. Why - because you were only interested in this silly hypothetical PAWS exploit as long as nobody could say "FreeBSD has a fix, shut up and apply it", so you can go urinate on the parade here. Now I just handed you a urinal, and you're going to run away and pee on someone else.

I don't want to see a fucking thing more from you unless it's:

"Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and networking mailing lists and posted what I was given and this is what they said"

If you aren't willing to lift a finger to do that, you're a fucking troll. Don't waste anyone else's time here. Next time you ask for code, you better check out the going hourly rate for custom programming.

Ted

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
Sent: Thursday, May 19, 2005 1:27 PM
To: Ted Mittelstaedt
Cc: bsd
Subject: Re: PAWS security vulnerability
Importance: Low


Ted,

thanks for taking a look at this. I'm not sure I have the ability to test out your patch. Maybe someone else on this fine list can?

But this sounds like a pretty severe DoS issue that seems to be relatively simple to implement.

Do you know if the 5.x branch is affected by this as well?

Tim.


Ted Mittelstaedt wrote:

Hi Tim,

Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been rewritten for FreeBSD 4.11. YMMV. If it works I would submit it to the FreeBSD security list. The only change I made is OpenBSD defines "tiflags", FreeBSD defines "thflags"; I assume they are the same thing. The file is in /usr/src/sys/netinet

Turning off the timestamps would be a good way to make your network go slow.

*** tcp_input.c.original        Thu May 19 11:52:30 2005
--- tcp_input.c Thu May 19 12:00:14 2005
***************
*** 976,984 ****
--- 976,992 ----
              * record the timestamp.
              * NOTE that the test is modified according
    to the latest
                  * proposal of the [EMAIL PROTECTED] list (Braden
1993/04/26).
+                * NOTE2 additional check added as a result of PAWS
vulnerability
+                * documented in Cisco security notice
cisco-sn-20050518-tcpts
+                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
              */
             if ((to.to_flags & TOF_TS) != 0 &&
                 SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+                       if (SEQ_LEQ(tp->last_ack_sent,
    th->th_seq + tlen
  +
+                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
+                                 tp->ts_recent = to.to_tsval;
+                       else
+                               tp->ts_recent = 0;
                     tp->ts_recent_age = ticks;
                     tp->ts_recent = to.to_tsval;
             }
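Review bot: the unchanged context line `tp->ts_recent = to.to_tsval;` at the end of the hunk still runs after the new if/else, so it overwrites whatever the added branch just set and the `else` path (`tp->ts_recent = 0;`) never has any effect; as posted, the hunk changes no observable behaviour. Drop that trailing unconditional assignment (or make the new conditional assignment replace it) so that only segments satisfying the span check record a timestamp. The hunk is also line-wrapped by the mailer (the added `if` condition is split across several lines with a stray `+`), so it will not apply with patch(1) as posted, and the `tiflags`/`thflags` equivalence the cover note assumes is worth stating in the NOTE2 comment as an assumption rather than a verified fact.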

Ted



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
Sent: Thursday, May 19, 2005 10:09 AM
To: bsd
Subject: PAWS security vulnerability


Hi all,

OK, this article was just published about a PAWS TCP DoS vulnerability, and lists FreeBSD 4.x as affected.

http://www.securityfocus.com/bid/13676/info/

Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x?

And is 5.4 affected too?

Tim.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"



