PAWS security vulnerability
Tim Traver
tt-list at simplenet.com
Fri May 20 09:32:51 PDT 2005
Ted,
You just can't stop being a dickhead, can you?
I admitted what I did wrong (unlike you), and yes, I posted this to the
wrong list. Big deal. A lot of things get posted to this list that are a
thousand times worse.
Get off your high horse, and maybe use some manners instead of barking
orders at everyone. I don't know which is worse: trolls, or those that
scream troll at the drop of a hat.
Tim.
Ted Mittelstaedt wrote:
>Tim,
>
>In my first e-mail I said:
>
>"If it works I would submit it to the FreeBSD security list"
>
>OK, so I see how you might have misinterpreted that. But the sentence "if
>it works you would submit it to the
>FreeBSD security list" isn't grammatically correct.
>
>In my second e-mail I said:
>
>"I told you to post the patch and info to the appropriate FreeBSD security
>lists, and you aren't the least bit interested in doing what I told you"
>
>On the index page of http://www.freebsd.org there is a link called "FAQ"
>
>On that page is a link called "Security"
>
>On that page is the text:
>
>"...This point and others are often discussed on the mailing lists,
>particularly the FreeBSD security mailing list...."
>
>with a link to the appropriate mailing list.
>
>I find it real hard to believe you use FreeBSD on hundreds of servers and
>are unaware of the appropriate forum to post security questions. The general
>freebsd questions mailing list is not this place. You should have known this
>before you even posted your first question. Reading instructions for products
>that you use is not optional, it is mandatory, and FreeBSD's instructions are
>on the website.
>
>You posted your query in the wrong forum, you got a patch in response which
>is far more than you should have got, you were directed, hinting at first,
>forcibly at second, to go to the appropriate forum to post the patch, the
>results of the patch, and your security questions. You still, as far as I
>know, have not done this.
>
>So, OK maybe you're not a troll and I assumed wrong. But I will point out
>that you said absolutely nothing in your first post about who you are, what
>you are doing, why you even give a shit about this issue. If you had simply
>opened your first post with "I was shown this vulnerability by our network
>security person and I have to respond to him in some fashion" or something
>like that, it would have gone a long way towards establishing credibility as
>to why you cared about this. If even better you had done a bit of research
>and said "well the vulnerability shows that OpenBSD already patched for this,
>maybe FreeBSD should" or if even better than that you had said "I looked at
>the OpenBSD patch and it's really simple, could we use it on FreeBSD" that
>would have done a lot toward establishing that you were at least willing to
>offer help and assistance.
>
>Instead, reread your second post - you not once offered to do anything, not
>even apply the patch to see if it compiled, all you did is ask for yet more
>research to be done for you.
>
>Well we all are busy, you don't have a lock on that, buddy.
>
>Apply the patch. If the FreeBSD system doesn't panic then the patch isn't
>grossly wrong. If you do not have a test system then don't apply it. Either
>way, just take the patch to the appropriate FreeBSD security forum and post
>it with "some asshole on questions told me to apply this in results of
><insert all research on this> is this the right way to fix it?"
>
>As I said, IF you are a fucking troll then you WOULDN'T do the above. That
>means that if you WOULD do the above then you AREN'T a fucking troll. You
>still have a chance to redeem yourself. Do it!
>
>FreeBSD is for adults, not kids. Kids want the adults to do all their
>homework for them. Adults at least try to do the homework, then call for
>help when they are stuck. Look at your first 2 posts again and put yourself
>in my shoes - do those posts make you look like an adult, or a whiny kid
>wanting someone to do his homework for him?
>
>Ted
>
> -----Original Message-----
> From: Tim Traver [mailto:tt-list at simplenet.com]
> Sent: Thursday, May 19, 2005 11:24 PM
> To: Ted Mittelstaedt
> Cc: bsd
> Subject: Re: PAWS security vulnerability
>
>
> Ted,
>
> I don't know your experience lately with people on this or any other list,
>but that last personal attack was WAY out of line. I am not a Troll, nor
>have I ever been one. I use freeBSD extensively on hundreds of servers, but
>I am not a FreeBSD source contributor.
>
> Yes, I was shown this "vulnerability" by our network security person, read
>it over, and thought that it might be a legitimate exploit. I even picked up
>on the fact that Microsoft had already patched it in the service pack 2,
>which may mean that it was under wraps for a while, and was suspicious. So,
>after doing a little research on the net myself and not finding much, I
>decided to post something to the list to see if anyone had heard anything
>about it, and if the FreeBSD commiters were working on a possible patch.
>
> Maybe I wrote my post wrong, but it didn't deserve you biting my fucking
>head off.
>
> Now, you'll probably start in on "well, if you run that many servers, then
>why don't you know what you're doing?". I do know what I'm doing. I would
>very well be able to apply your patch, and compile a new system. Problem is,
>I'm afraid I don't quite understand the vulnerability enough to properly
>test what it is supposed to fix...
>
> I would first need a way to break it, and then after applying your patch,
>verify that I couldn't break it any longer. If I knew how to break it, then
>I would be a better programmer than you, which I am not, and have never
>claimed to be. From the description of the issue, it sounds like a single
>cleverly made TCP packet with a bogus timestamp on it could take down ALL of
>the TCP connections to that machine.
>
> To quote the article :
> "A large value is set by the attacker as the packet timestamp. When the
>target computer processes this packet, the internal timer is updated to the
>large attacker supplied value. This causes all other valid packets that are
>received subsequent to an attack to be dropped as they are deemed to be too
>old, or invalid."
>
> That sounds like it is pretty serious to me. One packet takes down ALL TCP
>services to the machine. You make it sound like it's no big deal...Is it
>valid ? I don't know. I never claimed to know. I wasn't crying wolf here,
>just asking...
>
> So, my statement of "I'm not sure I have the ability to test out your
>patch." should really have been, "I don't have the knowledge enough of the
>vulnerability to test whether or not your patch works."
>
> And I would hardly consider "If it works, I would submit it to the
>security list" as some sort of command that I was supposed to follow. After
>reading that email, I thought that you were going to submit it to the
>security list. After all, its your fucking patch.
>
> I am slowly working my way into the community, and would love to help with
>these kind of things. But, like many other busy sys admins, I don't have a
>whole lot of spare time to work on things like this. Yes, if it was a
>serious problem enough to where I had to have a patch right away, I might
>have to devote some work time and give it a try for the team. I'm not sure
>that I know how serious it is, as I've already stated that I don't fully
>understand the supposed "vulnerability".
>
> I hardly made any kind of desperate demands for someone to quickly make me
>a patch. You might want to go re-read those posts...
>
> I can understand why you may have suspected troll because of the vague
>questions, but man, you flew off the handle awfully quick. Maybe you just
>need a vacation.
>
> You bashed OpenBSD for their knee jerk reactions, and I think you just
>made a big one...
>
> Tim.
>
>
>
>
> Ted Mittelstaedt wrote:
>Hi Tim,
>
> If you don't have the ability to test out the patch then LEARN!
>
> As the advisory said "no known exploits have been released" I also
>noticed that the only 2 vendors listed as implementing a fix were
>Cisco and Microsoft. And Microsoft was NOT on the problem list for
>ANY of their patched OSs. I would therefore assume that the release
>of this so-called vulnerability was carefully timed to take place
>AFTER Microsoft had got its ass covered, to make them look good,
>and everyone else look bad. I continue therefore to assume that this
>is a political security hole, not an actual security hole.
>
> OpenBSD is well known for knee-jerk reactions to real and supposed
>security holes, so it's not surprising they released a patch right away
>- of course, little good that did them since this advisory trashed them
>anyway. But knee jerk reactions don't always take all variables into
>account.
>
> I rewrote their patch because it was simple and easy to apply to the
>FreeBSD source - but I did not write the networking code in FreeBSD and
>have no idea if it is correct, or if OpenBSD even wrote the fix properly,
>or if in fact this is a real vulnerability that anyone needs to be
>concerned about. In theory, any flat-key lock can be picked in less
>than a minute (I've seen it done that fast, and done it myself somewhat
>more slowly) but that does not stop millions of them from being sold
>at Home Depot every year. If people went to a different type of lock
>that was much harder to pick then the burglar might not break in
>by picking the lock - but instead by kicking in the door which has
>the side effect of destroying the door and frame, and there's a couple
>thousand bucks lost right there fixing that - and if all the burglar
>does is steal a $200 TV set, then you're better off with the pickable lock.
>The point is that any change in the networking code
>may have side effects that are worse than the problem.
>
> I posted the patch in order to head off a big long dumbass trashing
>discussion, because I suspected you were trolling - but I was willing
>to give you the benefit of the doubt. If you were really
>concerned - such as if you worked for some company that had some
>stick-up-their-ass security officer that was bigger than his britches,
>and you had to have a fix RIGHT NOW - then this would have allowed you
>to apply the patch to shut up the bigger-than-britches security officer
>so you could continue about your business. In the meantime then the
>networking and security group could have had discussion about the
>PROPER way to handle this. Probably that's this patch, but maybe not.
>
> Now I find what? Well, it surely looks to me like I just spoiled
>your troll, so you're going to pretend it was no big deal, make a lame-ass
>excuse about how you really didn't need the patch anyway and can't
>apply it because you're incompetent, and fade into the woodwork. I told
>you to post the patch and info to the appropriate FreeBSD security lists,
>and you aren't the least bit interested in doing what I told you. Why -
>because you were only interested in this silly hypothetical PAWS exploit
>as long as nobody could say "FreeBSD has a fix, shut up and apply it",
>so you can go urinate on the parade here. Now I just handed you a
>urinal, and you're going to run away and pee on someone else.
>
> I don't want to see a fucking thing more from you unless it's:
>
>"Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and
>networking
>mailing lists and posted what I was given and this is what they said"
>
> If you aren't willing to lift a finger to do that, you're a fucking
>troll. Don't waste anyone else's time here. Next time you ask for code,
>you better check out the going hourly rate for custom programming.
>
>Ted
>
> -----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>Sent: Thursday, May 19, 2005 1:27 PM
>To: Ted Mittelstaedt
>Cc: bsd
>Subject: Re: PAWS security vulnerability
>Importance: Low
>
>
>Ted,
>
>thanks for taking a look at this. I'm not sure I have the ability to
>test out your patch. Maybe someone else on this fine list can ?
>
>But this sounds like a pretty severe DOS issue that seems to be
>relatively simple to implement.
>
>Do you know if the 5.x branch is affected by this as well ?
>
>Tim.
>
>
>Ted Mittelstaedt wrote:
>
> Hi Tim,
>
> Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
> rewritten for FreeBSD 4.11. YMMV. If it works I would submit it to the
> FreeBSD security list. The only change I made is OpenBSD defines "tiflags",
> FreeBSD defines "thflags"; I assume they are the same thing. The file is in
> /usr/src/sys/netinet
>
>Turning off the timestamps would be a good way to make your network go
>slow.
>
>*** tcp_input.c.original Thu May 19 11:52:30 2005
>--- tcp_input.c Thu May 19 12:00:14 2005
>***************
>*** 976,984 ****
>--- 976,992 ----
> * record the timestamp.
> * NOTE that the test is modified according
> to the latest
> * proposal of the tcplw at cray.com list (Braden
>1993/04/26).
>+ * NOTE2 additional check added as a result of PAWS
>vulnerability
>+ * documented in Cisco security notice
>cisco-sn-20050518-tcpts
>+ * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
> */
> if ((to.to_flags & TOF_TS) != 0 &&
> SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>+ if (SEQ_LEQ(tp->last_ack_sent,
> th->th_seq + tlen
> +
>+ ((thflags & (TH_SYN|TH_FIN)) != 0)))
>+ tp->ts_recent = to.to_tsval;
>+ else
>+ tp->ts_recent = 0;
> tp->ts_recent_age = ticks;
> tp->ts_recent = to.to_tsval;
> }
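Review bot: the new `else` branch is dead code, because the original unconditional `tp->ts_recent = to.to_tsval;` is kept as an unchanged context line right after the added if/else (the hunk range grows from 9 lines to 17, so nothing was removed). On the out-of-window path ts_recent is set to 0 and then immediately overwritten with the sender-supplied tsval, which is exactly the pre-patch behaviour, so this rewrite does not fix what it says it fixes. Either mark the old `tp->ts_recent = to.to_tsval;` as a `-` line, or fold the new `SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0))` condition into the outer `if` so the timestamp is only recorded when the segment reaches last_ack_sent. A test that only sends in-window segments will not notice this, since the then-branch and the old assignment agree. Also, the mail client wrapped the added `if (SEQ_LEQ(tp->last_ack_sent,` across several lines without `+` markers, so as quoted the hunk will not apply with patch(1); reflow it before posting it to the security list.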
>
>Ted
>
>
>
> -----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>Sent: Thursday, May 19, 2005 10:09 AM
>To: bsd
>Subject: PAWS security vulnerability
>
>
>Hi all,
>
>ok, this article was just published about a PAWS TCP DOS
>vulnerability,
>and lists freeBSD 4.x as affected.
>
>http://www.securityfocus.com/bid/13676/info/
>
>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>
>and is 5.4 affected too ?
>
>Tim.
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
>
>
>
>
>
>
>
>
>
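The ts_recent update that the patch in this thread is about, as an added model that is not code from the thread, from FreeBSD or from OpenBSD. It models the PAWS bookkeeping once with the pre-patch condition (any timestamped segment starting at or before last_ack_sent is recorded) and once with the extra check the OpenBSD change adds (the segment must also reach last_ack_sent), then replays the scenario the SecurityFocus text describes: a spoofed old segment with a huge timestamp followed by the peer's next genuine segment. The struct and function names, the tcpcb field subset and the scenario values are all assumptions for the model; the SEQ_LEQ and TSTMP_LT macros follow the modular 32-bit comparison the BSD stacks use.

```c
/*
 * paws_ts_recent_model.c: added example, not FreeBSD or OpenBSD source.
 * Models the ts_recent update the thread's patch touches, with and without
 * the SEQ_LEQ(last_ack_sent, end) check. Names and values are assumed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modular 32-bit comparisons as used by BSD TCP stacks. */
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b) ((int32_t)((a) - (b)) < 0)

#define TH_FIN 0x01
#define TH_SYN 0x02

/* The three tcpcb fields the check reads and writes (assumed subset). */
struct tcpcb_model {
    uint32_t last_ack_sent;  /* next byte we expect, i.e. what we last ACKed */
    uint32_t ts_recent;      /* peer tsval kept for PAWS; 0 = none recorded */
    uint32_t ts_recent_age;  /* tick count when ts_recent was recorded */
};

/* Incoming segment: sequence number, payload length, flags, timestamp. */
struct seg_model {
    uint32_t seq;
    uint32_t len;
    uint8_t  flags;
    bool     has_ts;
    uint32_t tsval;
};

/* PAWS test (RFC 1323): a timestamped segment older than ts_recent is
 * dropped. A zero ts_recent disables the test, as in the BSD code path. */
bool paws_drop(const struct tcpcb_model *tp, const struct seg_model *s)
{
    return s->has_ts && tp->ts_recent != 0 && TSTMP_LT(s->tsval, tp->ts_recent);
}

/* Pre-patch: any timestamped segment whose start is at or before
 * last_ack_sent overwrites ts_recent. Half of the 2^32 sequence space
 * satisfies SEQ_LEQ, so an off-path sender hardly has to guess. */
void ts_update_unchecked(struct tcpcb_model *tp, const struct seg_model *s,
                         uint32_t now)
{
    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        tp->ts_recent_age = now;
        tp->ts_recent = s->tsval;
    }
}

/* Patched shape: the segment must also reach last_ack_sent (SYN and FIN
 * each occupy one sequence number). A segment that ends before the window
 * clears ts_recent instead of recording an untrusted value. */
void ts_update_checked(struct tcpcb_model *tp, const struct seg_model *s,
                       uint32_t now)
{
    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        uint32_t end = s->seq + s->len + ((s->flags & (TH_SYN | TH_FIN)) != 0);
        if (SEQ_LEQ(tp->last_ack_sent, end))
            tp->ts_recent = s->tsval;
        else
            tp->ts_recent = 0;
        tp->ts_recent_age = now;
    }
}

/* Constructed scenario: established connection, peer's timestamp clock at
 * 1000; the attacker spoofs an empty segment 40000 bytes below the expected
 * sequence number carrying the largest positive tsval. Then the peer sends
 * its next genuine in-sequence segment with tsval 1001. */
struct tcpcb_model run_scenario(bool patched, bool *genuine_dropped)
{
    struct tcpcb_model tp = { .last_ack_sent = 0x10000000u,
                              .ts_recent = 1000, .ts_recent_age = 0 };
    struct seg_model attack  = { .seq = tp.last_ack_sent - 40000, .len = 0,
                                 .flags = 0, .has_ts = true, .tsval = 0x7fffffffu };
    struct seg_model genuine = { .seq = tp.last_ack_sent, .len = 1460,
                                 .flags = 0, .has_ts = true, .tsval = 1001 };
    void (*update)(struct tcpcb_model *, const struct seg_model *, uint32_t) =
        patched ? ts_update_checked : ts_update_unchecked;

    if (!paws_drop(&tp, &attack))       /* the spoof itself passes PAWS */
        update(&tp, &attack, 10);
    *genuine_dropped = paws_drop(&tp, &genuine);
    if (!*genuine_dropped)
        update(&tp, &genuine, 11);
    return tp;
}

/* Result accessors: was the genuine segment rejected, and what ts_recent
 * holds once both segments have been processed. */
bool genuine_dropped(bool patched) { bool d; run_scenario(patched, &d); return d; }
uint32_t ts_recent_after(bool patched) { bool d; return run_scenario(patched, &d).ts_recent; }

int main(void)
{
    printf("unchecked: genuine dropped=%d ts_recent=0x%08x\n",
           genuine_dropped(false), ts_recent_after(false));
    printf("checked:   genuine dropped=%d ts_recent=0x%08x\n",
           genuine_dropped(true), ts_recent_after(true));
    return 0;
}
```

Build with `cc -std=c99 -Wall paws_ts_recent_model.c`. With the unchecked update the spoof lands, ts_recent becomes 0x7fffffff and the peer's genuine segment is rejected by PAWS, which is the single-packet outage the thread is worried about. With the check, the spoof ends 40000 bytes before last_ack_sent, so ts_recent is zeroed rather than poisoned, the genuine segment is accepted and it re-arms ts_recent with the peer's real value. Two caveats the model makes visible: a spoofed segment whose range does cover last_ack_sent still records its tsval even with the check, so the fix narrows the attacker's guess from half the sequence space to the receive window rather than eliminating spoofing; and the `ts_recent = 0` branch leaves PAWS switched off until the next in-window segment arrives.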