PAWS security vulnerability

Tim Traver tt-list at simplenet.com
Fri May 20 09:32:51 PDT 2005


Ted,

you just can't stop being a dickhead, can you ???

I admitted what I did wrong (unlike you), and yes, I posted this to the 
wrong list. Big deal. A lot of things get posted to this list that are a 
thousand times worse.

Get off your high horse, and maybe use some manners instead of barking 
orders at everyone. I don't know which is worse. Trolls, or those that 
scream troll at the drop of a hat.

Tim.


Ted Mittelstaedt wrote:

>Tim,
>
>In my first e-mail I said:
>
>"If it works I would submit it to the FreeBSD security list"
>
>OK, so I see how you might have misinterpreted that.  But the sentence "if
>it works you would submit it to the FreeBSD security list" isn't
>grammatically correct.
>
>In my second e-mail I said:
>
>"I told you to post the patch and info to the appropriate FreeBSD security
>lists, and you aren't the least bit interested in doing what I told you"
>
>On the index page of http://www.freebsd.org there is a link called "FAQ"
>
>On that page is a link called "Security"
>
>On that page is the text:
>
>"...This point and others are often discussed on the mailing lists,
>particularly the FreeBSD security mailing list...."
>
>with a link to the appropriate mailing list.
>
>I find it real hard to believe you use FreeBSD on hundreds of servers and
>are unaware of the appropriate forum to post security questions.  The
>general freebsd questions mailing list is not this place.  You should have
>known this before you even posted your first question.  Reading
>instructions for products that you use is not optional, it is mandatory,
>and FreeBSD's instructions are on the website.
>
>You posted your query in the wrong forum, you got a patch in response which
>is far more than you should have got, you were directed, hinting at first,
>forcibly at second, to go to the appropriate forum to post the patch, the
>results of the patch, and your security questions.  You still, as far as I
>know, have not done this.
>
>So, OK maybe you're not a troll and I assumed wrong.  But I will point out
>that you said absolutely nothing in your first post about who you are, what
>you are doing, why you even give a shit about this issue.  If you had simply
>opened your first post with "I was shown this vulnerability by our network
>security person and I have to respond to him in some fashion" or something
>like that, it would have gone a long way towards establishing credibility as
>to why you cared about this.  If even better you had done a bit of research
>and said "well the vulnerability shows that OpenBSD already patched for
>this, maybe FreeBSD should" or if even better than that you had said "I
>looked at the OpenBSD patch and it's really simple, could we use it on
>FreeBSD" that would have done a lot to establish that you were at least
>willing to offer help and assistance.
>
>Instead, reread your second post - you not once offered to do anything, not
>even apply the patch to see if it compiled, all you did is ask for yet more
>research to be done for you.
>
>Well we all are busy, you don't have a lock on that, buddy.
>
>Apply the patch.  If the FreeBSD system doesn't panic then the patch isn't
>grossly wrong.  If you do not have a test system then don't apply it.
>Either way, just take the patch to the appropriate FreeBSD security forum
>and post it with "some asshole on questions told me to apply this in results
>of <insert all research on this> is this the right way to fix it?"
>
>As I said, IF you are a fucking troll then you WOULDN'T do the above.  That
>means that if you WOULD do the above then you AREN'T a fucking troll.  You
>still have a chance to redeem yourself. Do it!
>
>FreeBSD is for adults, not kids.  Kids want the adults to do all their
>homework for them.  Adults at least try to do the homework, then call for
>help when they are stuck.  Look at your first 2 posts again and put yourself
>in my shoes - do those posts make you look like an adult, or a whiny kid
>wanting someone to do his homework for him?
>
>Ted
>
>  -----Original Message-----
>  From: Tim Traver [mailto:tt-list at simplenet.com]
>  Sent: Thursday, May 19, 2005 11:24 PM
>  To: Ted Mittelstaedt
>  Cc: bsd
>  Subject: Re: PAWS security vulnerability
>
>
>  Ted,
>
>  I don't know your experience lately with people on this or any other list,
>but that last personal attack was WAY out of line. I am not a troll, nor
>have I ever been one. I use FreeBSD extensively on hundreds of servers, but
>I am not a FreeBSD source contributor.
>
>  Yes, I was shown this "vulnerability" by our network security person, read
>it over, and thought that it might be a legitimate exploit. I even picked up
>on the fact that Microsoft had already patched it in Service Pack 2,
>which may mean that it was under wraps for a while, and was suspicious. So,
>after doing a little research on the net myself and not finding much, I
>decided to post something to the list to see if anyone had heard anything
>about it, and if the FreeBSD committers were working on a possible patch.
>
>  Maybe I wrote my post wrong, but it didn't deserve you biting my fucking
>head off.
>
>  Now, you'll probably start in on "well, if you run that many servers, then
>why don't you know what you're doing?". I do know what I'm doing. I would
>very well be able to apply your patch, and compile a new system. Problem is,
>I'm afraid I don't quite understand the vulnerability enough to properly
>test what it is supposed to fix...
>
>  I would first need a way to break it, and then after applying your patch,
>verify that I couldn't break it any longer. If I knew how to break it, then
>I would be a better programmer than you, which I am not, and have never
>claimed to be. From the description of the issue, it sounds like a single
>cleverly made TCP packet with a bogus timestamp on it could take down ALL of
>the TCP connections to that machine.
>
>  To quote the article :
>  "A large value is set by the attacker as the packet timestamp. When the
>target computer processes this packet, the internal timer is updated to the
>large attacker supplied value. This causes all other valid packets that are
>received subsequent to an attack to be dropped as they are deemed to be too
>old, or invalid."
>
>  That sounds like it is pretty serious to me. One packet takes down ALL TCP
>services to the machine. You make it sound like it's no big deal... Is it
>valid? I don't know. I never claimed to know. I wasn't crying wolf here,
>just asking...
>
>  So, my statement of  "I'm not sure I have the ability to test out your
>patch." should really have been, "I don't have the knowledge enough of the
>vulnerability to test whether or not your patch works."
>
>  And I would hardly consider "If it works, I would submit it to the
>security list" as some sort of command that I was supposed to follow. After
>reading that email, I thought that you were going to submit it to the
>security list. After all, it's your fucking patch.
>
>  I am slowly working my way into the community, and would love to help with
>these kinds of things. But, like many other busy sysadmins, I don't have a
>whole lot of spare time to work on things like this. Yes, if it was a
>serious enough problem that I had to have a patch right away, I might
>have to devote some work time and give it a try for the team. I'm not sure
>that I know how serious it is, as I've already stated that I don't fully
>understand the supposed "vulnerability".
>
>  I hardly made any kind of desperate demands for someone to quickly make me
>a patch. You might want to go re-read those posts...
>
>  I can understand why you may have suspected troll because of the vague
>questions, but man, you flew off the handle awfully quick. Maybe you just
>need a vacation.
>
>  You bashed OpenBSD for their knee jerk reactions, and I think you just
>made a big one...
>
>  Tim.
>
>
>
>
>  Ted Mittelstaedt wrote:
>Hi Tim,
>
>  If you don't have the ability to test out the patch then LEARN!
>
>  As the advisory said "no known exploits have been released".  I also
>noticed that the only 2 vendors listed as implementing a fix were
>Cisco and Microsoft. And Microsoft was NOT on the problem list for
>ANY of their patched OSs.  I would therefore assume that the release
>of this so-called vulnerability was carefully timed to take place
>AFTER Microsoft had got its ass covered, to make them look good,
>and everyone else look bad.  I continue therefore to assume that this
>is a political security hole, not an actual security hole.
>
>  OpenBSD is well known for knee-jerk reactions to real and supposed
>security holes, so it's not surprising they released a patch right away
>- of course, little good that did them since this advisory trashed them
>anyway.  But knee jerk reactions don't always take all variables into
>account.
>
>  I rewrote their patch because it was simple and easy to apply to the
>FreeBSD source - but I did not write the networking code in FreeBSD and
>have no idea if it is correct, or if OpenBSD even wrote the fix properly,
>or if in fact this is a real vulnerability that anyone needs to be
>concerned about.  In theory, any flat-key lock can be picked in less
>than a minute (I've seen it done that fast, and done it myself somewhat
>more slowly) but that does not stop millions of them from being sold
>at Home Depot every year.  If people went to a different type of lock
>that was much harder to pick then the burglar might not break in
>by picking the lock - but instead by kicking in the door which has
>the side effect of destroying the door and frame, and there's a couple
>thousand bucks lost right there fixing that - and if all the burglar
>does is steal a $200 TV set, then you're better off with the pickable lock.
>The point is that any change in the networking code may have side effects
>that are worse than the problem.
>
>  I posted the patch in order to head off a big long dumbass trashing
>discussion, because I suspected you were trolling - but I was willing
>to give you the benefit of the doubt.  If you were really
>concerned - such as if you worked for some company that had some
>stick-up-their-ass security officer that was bigger than his britches,
>and you had to have a fix RIGHT NOW - then this would have allowed you
>to apply the patch to shut up the bigger-than-britches security officer
>so you could continue about your business.  In the meantime then the
>networking and security group could have had discussion about the
>PROPER way to handle this.  Probably that's this patch, but maybe not.
>
>  Now I find what?  Well, it surely looks to me like I just spoiled
>your troll, so you're going to pretend it was no big deal, make a lame-ass
>excuse about how you really didn't need the patch anyway and can't
>apply it because you're incompetent, and fade into the woodwork.  I told
>you to post the patch and info to the appropriate FreeBSD security lists,
>and you aren't the least bit interested in doing what I told you.  Why -
>because you were only interested in this silly hypothetical PAWS exploit
>as long as nobody could say "FreeBSD has a fix, shut up and apply it",
>so you can go urinate on the parade here.  Now I just handed you a
>urinal, and you're going to run away and pee on someone else.
>
>  I don't want to see a fucking thing more from you unless it's:
>
>"Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and
>networking mailing lists and posted what I was given and this is what they
>said"
>
>  If you aren't willing to lift a finger to do that, you're a fucking
>troll.  Don't waste anyone else's time here.  Next time you ask for code,
>you better check out the going hourly rate for custom programming.
>
>Ted
>
>  -----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>Sent: Thursday, May 19, 2005 1:27 PM
>To: Ted Mittelstaedt
>Cc: bsd
>Subject: Re: PAWS security vulnerability
>Importance: Low
>
>
>Ted,
>
>thanks for taking a look at this. I'm not sure I have the ability to
>test out your patch. Maybe someone else on this fine list can ?
>
>But this sounds like a pretty severe DOS issue that seems to be
>relatively simple to implement.
>
>Do you know if the 5.x branch is affected by this as well ?
>
>Tim.
>
>
>Ted Mittelstaedt wrote:
>
>Hi Tim,
>
>Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
>rewritten for FreeBSD 4.11.  YMMV.  If it works I would submit it to the
>FreeBSD security list.  The only change I made is OpenBSD defines "tiflags",
>FreeBSD defines "thflags"; I assume they are the same thing.  The file is in
>/usr/src/sys/netinet
>
>Turning off the timestamps would be a good way to make your network go
>slow.
>
>*** tcp_input.c.original        Thu May 19 11:52:30 2005
>--- tcp_input.c Thu May 19 12:00:14 2005
>***************
>*** 976,984 ****
>--- 976,992 ----
>                * record the timestamp.
>                * NOTE that the test is modified according
>      to the latest
>                    * proposal of the tcplw at cray.com list (Braden
>1993/04/26).
>+                * NOTE2 additional check added as a result of PAWS
>vulnerability
>+                * documented in Cisco security notice
>cisco-sn-20050518-tcpts
>+                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>                */
>               if ((to.to_flags & TOF_TS) != 0 &&
>                   SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>+                       if (SEQ_LEQ(tp->last_ack_sent,
>      th->th_seq + tlen
>    +
>+                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
>+                                 tp->ts_recent = to.to_tsval;
>+                       else
>+                               tp->ts_recent = 0;
>                       tp->ts_recent_age = ticks;
>                       tp->ts_recent = to.to_tsval;
>               }
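Review bot: the added `else tp->ts_recent = 0;` branch is dead code, because the original `tp->ts_recent = to.to_tsval;` line is kept as unchanged context immediately after the new `if`/`else` (the header `*** 976,984 ****` / `--- 976,992 ----` shows eight lines added and none removed), so every segment with `th_seq <= last_ack_sent` still has its timestamp recorded unconditionally and the new window test changes nothing. That trailing assignment should be a removed line, leaving the assignment only inside the `if (SEQ_LEQ(tp->last_ack_sent, ...))` branch; `tp->ts_recent_age = ticks;` can stay where it is. The `tiflags` to `thflags` substitution is fine, since both name the TCP header flags byte. Separately, the mailer has wrapped the added `SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen +` line across three lines, so the hunk will not apply with patch(1) until those pieces are rejoined.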
>
>Ted
>
>
>
>-----Original Message-----
>From: owner-freebsd-questions at freebsd.org
>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>Sent: Thursday, May 19, 2005 10:09 AM
>To: bsd
>Subject: PAWS security vulnerability
>
>
>Hi all,
>
>OK, this article was just published about a PAWS TCP DOS vulnerability,
>and lists FreeBSD 4.x as affected.
>
>http://www.securityfocus.com/bid/13676/info/
>
>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>
>and is 5.4 affected too ?
>
>Tim.
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"
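The quoted SecurityFocus text and the patch in this thread argue about one receiver-side rule: when a segment's TSval is copied into ts_recent. The following is an added model of that rule, written for this page and not code from the thread, FreeBSD or OpenBSD. It keeps only the two tcpcb fields the rule touches, a simplified PAWS drop test (the real kernel's 24-day ts_recent_age escape is left out), and three variants of the recording rule: the original 4.4BSD rule, the hunk exactly as posted (new if/else followed by the unremoved unconditional assignment), and the rule the OpenBSD patch intends (assignment only when last_ack_sent falls inside the segment). The struct and function names, the constructed connection state and the two constructed segments are assumptions; the SEQ_LEQ/TSTMP_LT macros follow the FreeBSD style used in the hunk.

```c
/* Model of the RFC 1323 "record the timestamp" rule discussed in the
 * thread.  Constructed example, not FreeBSD's or OpenBSD's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit modular comparisons in the style of FreeBSD's tcp_seq.h. */
#define SEQ_LEQ(a, b)  ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b) ((int32_t)((a) - (b)) < 0)

#define TH_FIN 0x01
#define TH_SYN 0x02

/* Which version of the record-the-timestamp rule the receiver runs. */
enum ts_rule {
    RULE_ORIGINAL,        /* 4.4BSD: any segment with seq <= last_ack_sent */
    RULE_PATCH_AS_POSTED, /* if/else added, original assignment left in place */
    RULE_PATCH_INTENDED   /* if/else added, original assignment removed */
};

struct tcpcb_model {            /* assumed name; two fields of struct tcpcb */
    uint32_t ts_recent;         /* last timestamp recorded from the peer */
    uint32_t last_ack_sent;     /* sequence number of the last ACK we sent */
};

struct segment_model {          /* assumed name; the bits of a segment we use */
    uint32_t seq;               /* th_seq */
    uint32_t tlen;              /* payload length */
    uint8_t  thflags;           /* TH_SYN / TH_FIN */
    uint32_t tsval;             /* TSval carried in the timestamp option */
};

/* Returns true if the segment survives the PAWS test, false if it is
 * dropped as "too old".  Then applies the selected recording rule. */
static bool paws_accept(struct tcpcb_model *tp, const struct segment_model *s,
                        enum ts_rule rule)
{
    if (tp->ts_recent != 0 && TSTMP_LT(s->tsval, tp->ts_recent))
        return false;

    /* Record the timestamp (the block the posted hunk modifies). */
    if (SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        /* Does last_ack_sent fall inside this segment's sequence space? */
        bool covers = SEQ_LEQ(tp->last_ack_sent,
                              s->seq + s->tlen +
                              ((s->thflags & (TH_SYN | TH_FIN)) != 0));
        switch (rule) {
        case RULE_ORIGINAL:
            tp->ts_recent = s->tsval;
            break;
        case RULE_PATCH_AS_POSTED:
            tp->ts_recent = covers ? s->tsval : 0;
            tp->ts_recent = s->tsval;   /* the unremoved context line wins */
            break;
        case RULE_PATCH_INTENDED:
            tp->ts_recent = covers ? s->tsval : 0;
            break;
        }
    }
    return true;
}

/* Constructed scenario matching the quoted advisory text: an established
 * connection (ts_recent 1000, ACK point 5000) sees one out-of-window
 * segment with a far-future TSval, then the peer's next genuine segment. */
static const struct segment_model STALE   = { 100,  0,   0, 0x7fff0000u };
static const struct segment_model GENUINE = { 5000, 100, 0, 1001u };

/* ts_recent after the stale segment alone has been processed. */
uint32_t ts_recent_after_stale(enum ts_rule rule)
{
    struct tcpcb_model tp = { 1000u, 5000u };
    (void)paws_accept(&tp, &STALE, rule);
    return tp.ts_recent;
}

/* true if the genuine segment is still accepted after the stale one. */
bool genuine_segment_survives(enum ts_rule rule)
{
    struct tcpcb_model tp = { 1000u, 5000u };
    (void)paws_accept(&tp, &STALE, rule);
    return paws_accept(&tp, &GENUINE, rule);
}

int main(void)
{
    static const char *names[] = { "original", "patch as posted", "patch intended" };
    for (int r = RULE_ORIGINAL; r <= RULE_PATCH_INTENDED; r++)
        printf("%-16s ts_recent=0x%08x genuine segment %s\n", names[r],
               ts_recent_after_stale((enum ts_rule)r),
               genuine_segment_survives((enum ts_rule)r) ? "accepted" : "dropped");
    return 0;
}
```

Under the original rule and under the hunk as posted, the out-of-window segment's TSval lands in ts_recent and the peer's next genuine segment fails TSTMP_LT and is dropped, which is the stalled-connection behaviour the advisory describes. Under the intended rule the stale segment does not cover last_ack_sent, so ts_recent is cleared instead, PAWS is suspended until a covering segment arrives, and the genuine segment is accepted and re-arms it. For a real fix the kernel code must also drop the unconditional assignment that the posted hunk leaves in place.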


