PAWS security vulnerability

Tim Traver tt-list at simplenet.com
Fri May 20 21:28:46 PDT 2005


Ted,

I did take it to the security list (freebsd-security at freebsd.org). Since 
I did not actually know if this was an issue yet, I figure I would ask 
it to the appropriate list before sending it directly to the security 
officers. I'd rather not waste their time until I knew it was an issue.

I guess maybe you don't subscribe to that list. At the time, neither did 
I, because I can't subscribe to ALL of the lists...

The answer was that your patch was flawed, and that there was already a 
patch for it in CVS anyway.

I figured from your high chair, that you would have seen the post when 
it was made this morning, and the response back from one of the people 
on the list about it.

I didn't feel the need to update you about it since you've been so 
friendly to me. And since no one else joined in on the conversation, I 
figured I would let that info sit on the security list for people to find.

Tim.


Ted Mittelstaedt wrote:

>You STILL haven't taken this to the correct security mailing list, after
>being told gently, then yelled at, then told firmly.  What do we have to
>do to get you to do this?
>
>Ted
>
>  
>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>>Sent: Friday, May 20, 2005 9:33 AM
>>To: Ted Mittelstaedt
>>Cc: bsd
>>Subject: Re: PAWS security vulnerability
>>
>>
>>Ted,
>>
>>you just can't stop being a dickhead, can you ???
>>
>>I admitted what I did wrong (unlike you), and yes, I posted
>>this to the
>>wrong list. Big deal. A lot of things get posted to this list
>>that are a
>>thousand times worse.
>>
>>Get off your high horse, and maybe use some manners instead of barking
>>orders at everyone. I don't know which is worse. Trolls, or those that
>>scream troll at the drop of a hat.
>>
>>Tim.
>>
>>
>>Ted Mittelstaedt wrote:
>>
>>    
>>
>>>Tim,
>>>
>>>In my first e-mail I said:
>>>
>>>"If it works I would submit it to the FreeBSD security list"
>>>
>>>OK., so I see how you might have misinterpreted that.  But
>>>      
>>>
>>the sentence "if
>>    
>>
>>>it works you would submit it to the
>>>FreeBSD security list" isn't grammatically correct.
>>>
>>>In my second e-mail I said:
>>>
>>>"I told you to post the patch and info to the appropriate
>>>      
>>>
>>FreeBSD security
>>    
>>
>>>lists, and you aren't the least bit interested in doing what
>>>      
>>>
>>I told you"
>>    
>>
>>>On the index page of http://www.freebsd.org there is a link
>>>      
>>>
>>called "FAQ"
>>    
>>
>>>On that page is a link called "Security"
>>>
>>>On that page is the text:
>>>
>>>"...This point and others are often discussed on the mailing lists,
>>>particularly the FreeBSD security mailing list...."
>>>
>>>with a link to the appropriate mailing list.
>>>
>>>I find it real hard to believe you use FreeBSD on hundreds of
>>>      
>>>
>>servers and
>>    
>>
>>>are unaware of the appropriate
>>>forum to post security questions.  The general freebsd
>>>      
>>>
>>questions mailing
>>    
>>
>>>list is not this place.  You should
>>>have known this before you even posted your first question.  Reading
>>>instructions for products that you use
>>>is not optional, it is mandatory, and FreeBSD's instructions
>>>      
>>>
>>are on the
>>    
>>
>>>website.
>>>
>>>You posted your query in the wrong forum, you got a patch in
>>>      
>>>
>>response which
>>    
>>
>>>is far more than you should have
>>>got, you were directed, hinting at first, forcibly at second,
>>>      
>>>
>>to go to the
>>    
>>
>>>appropriate forum to post the patch, the results of the
>>>      
>>>
>>patch, and your
>>    
>>
>>>security questions.  You still, as far as I know, have not done this.
>>>
>>>So, OK maybe your not a troll and I assumed wrong.  But I
>>>      
>>>
>>will point out
>>    
>>
>>>that you said absolutely nothing
>>>in your first post about who you are, what you are doing, why
>>>      
>>>
>>you even give
>>    
>>
>>>a shit about this issue.  If you
>>>had simply opened your first post with "I was shown this
>>>      
>>>
>>vulnerability by
>>    
>>
>>>our network security person
>>>and I have to respond to him in some fashion" or something
>>>      
>>>
>>like that, it
>>    
>>
>>>would have gone a long way towards
>>>establishing credibility as to why you cared about this.  If
>>>      
>>>
>>even better you
>>    
>>
>>>had done a bit of research and
>>>said "well the vulnerability shows that OpenBSD already
>>>      
>>>
>>patched for this,
>>    
>>
>>>maybe FreeBSD should" or if
>>>even better than that you had said "I looked at the OpenBSD
>>>      
>>>
>>patch and it's
>>    
>>
>>>really simple, could we use
>>>it on FreeBSD" that would have done a lot to establishing
>>>      
>>>
>>that you were at
>>    
>>
>>>least willing to offer help and
>>>assistance.
>>>
>>>Instead, reread your second post - you not once offered to do
>>>      
>>>
>>anything, not
>>    
>>
>>>even apply the patch to see
>>>if it compiled, all you did is ask for yet more research to
>>>      
>>>
>>be done for you.
>>    
>>
>>>Well we all are busy, you don't have a lock on that, buddy.
>>>
>>>Apply the patch.  If the FreeBSD system doesn't panic then
>>>      
>>>
>>the patch isn't
>>    
>>
>>>grossly wrong.  If you do not
>>>have a test system then don't apply it.  Either way, just
>>>      
>>>
>>take the patch to
>>    
>>
>>>the appropriate FreeBSD security forum
>>>and post it with "some asshole on questions told me to apply
>>>      
>>>
>>this in results
>>    
>>
>>>of <insert all research on this>
>>>is this the right way to fix it?"
>>>
>>>As I said, IF you are a fucking troll then you WOULDN'T do
>>>      
>>>
>>the above.  That
>>    
>>
>>>means that if you WOULD do the
>>>above then you AREN'T a fucking troll.  You still have a
>>>      
>>>
>>chance to redeem
>>    
>>
>>>yourself. Do it!
>>>
>>>FreeBSD is for adults, not kids.  Kids want the adults to do all their
>>>homework for them.  Adults at least
>>>try to do the homework, then call for help when they are
>>>      
>>>
>>stuck.  Look at
>>    
>>
>>>your first 2 posts again and
>>>put yourself in my shoes - do those posts make you look like
>>>      
>>>
>>an adult, or a
>>    
>>
>>>whiny kid wanting someone
>>>to do his homework for him?
>>>
>>>Ted
>>>
>>> -----Original Message-----
>>> From: Tim Traver [mailto:tt-list at simplenet.com]
>>> Sent: Thursday, May 19, 2005 11:24 PM
>>> To: Ted Mittelstaedt
>>> Cc: bsd
>>> Subject: Re: PAWS security vulnerability
>>>
>>>
>>> Ted,
>>>
>>> I don't know your experience lately with people on this or
>>>      
>>>
>>any other list,
>>    
>>
>>>but that last personal attack was WAY out of line. I am not a
>>>      
>>>
>>Troll, nor
>>    
>>
>>>have I ever been one. I use freeBSD extensively on hundreds
>>>      
>>>
>>of servers, but
>>    
>>
>>>I am not a FreeBSD source contributor.
>>>
>>> Yes, I was shown this "vulnerability" by our network
>>>      
>>>
>>security person, read
>>    
>>
>>>it over, and thought that it might be a legitimate exploit. I
>>>      
>>>
>>even picked up
>>    
>>
>>>on the fact that Microsoft had already patched it in the
>>>      
>>>
>>service pack 2,
>>    
>>
>>>which may mean that it was under wraps for a while, and was
>>>      
>>>
>>suspicious. So,
>>    
>>
>>>after doing a little research on the net myself and not
>>>      
>>>
>>finding much, I
>>    
>>
>>>decided to post something to the list to see if anyone had
>>>      
>>>
>>heard anything
>>    
>>
>>>about it, and if the FreeBSD commiters were working on a
>>>      
>>>
>>possible patch.
>>    
>>
>>> Maybe I wrote my post wrong, but it didn't deserve you
>>>      
>>>
>>biting my fucking
>>    
>>
>>>head off.
>>>
>>> Now, you'll probably start in on "well, if you run that
>>>      
>>>
>>many servers, then
>>    
>>
>>>why don't you know what you're doing?". I do know what I'm
>>>      
>>>
>>doing. I would
>>    
>>
>>>very well be able to apply your patch,and compile a new
>>>      
>>>
>>system. Problem is,
>>    
>>
>>>I'm afraid I don't quite understand the vulnerability enough
>>>      
>>>
>>to properly
>>    
>>
>>>test what it is supposed to fix...
>>>
>>> I would first need a way to break it, and then after
>>>      
>>>
>>applying your patch,
>>    
>>
>>>verify that I couldn't break it any longer. If I knew how to
>>>      
>>>
>>break it, then
>>    
>>
>>>I would be a better programmer than you, which I am not, and
>>>      
>>>
>>have never
>>    
>>
>>>claimed to be. From the description of the issue, it sounds
>>>      
>>>
>>like a single
>>    
>>
>>>cleverly made TCP packet with a bogus timestamp on it could
>>>      
>>>
>>take down ALL of
>>    
>>
>>>the TCP commections to that machine.
>>>
>>> To quote the article :
>>> "A large value is set by the attacker as the packet
>>>      
>>>
>>timestamp. When the
>>    
>>
>>>target computer processes this packet, the internal timer is
>>>      
>>>
>>updated to the
>>    
>>
>>>large attacker supplied value. This causes all other valid
>>>      
>>>
>>packets that are
>>    
>>
>>>received subsequent to an attack to be dropped as they are
>>>      
>>>
>>deemed to be too
>>    
>>
>>>old, or invalid."
>>>
>>> That sounds like it is pretty serious to me. One packet
>>>      
>>>
>>takes down ALL TCP
>>    
>>
>>>services to the machine. You make it sound like its no big
>>>      
>>>
>>deal...Is it
>>    
>>
>>>valid ? I don't know. I never claimed to know. I wasn't
>>>      
>>>
>>crying wolf here,
>>    
>>
>>>just asking...
>>>
>>> So, my statement of  "I'm not sure I have the ability to
>>>      
>>>
>>test out your
>>    
>>
>>>patch." should really have been, "I don't have the knowledge
>>>      
>>>
>>enough of the
>>    
>>
>>>vulnerability to test whether or not your patch works."
>>>
>>> And I would hardly consider "If it works, I would submit it to the
>>>security list" as some sort of command that I was supposed to
>>>      
>>>
>>follow. After
>>    
>>
>>>reading that email, I thought that you were going to submit it to the
>>>security list. After all, its your fucking patch.
>>>
>>> I am slowly working my way into the community, and would
>>>      
>>>
>>love to help with
>>    
>>
>>>these kind of things. But, like many other busy sys admins, I
>>>      
>>>
>>don't have a
>>    
>>
>>>whole lot of spare time to work on things like this. Yes, if it was a
>>>serious problem enough to where I had to have a patch right
>>>      
>>>
>>away, I might
>>    
>>
>>>have to devote some work time and give it a try for the team.
>>>      
>>>
>>I'm not sure
>>    
>>
>>>that I know how serious it is, as I've already stated that I
>>>      
>>>
>>don't fully
>>    
>>
>>>understand the supposed "vulnerability".
>>>
>>> I hardly made any kind of desparate demands for someone to
>>>      
>>>
>>quickly make me
>>    
>>
>>>a patch. You might want to go re-read those posts...
>>>
>>> I can understand why you may have suspected troll because
>>>      
>>>
>>of the vague
>>    
>>
>>>questions, but man, you flew off the handle awefully quick.
>>>      
>>>
>>Maybe you just
>>    
>>
>>>need a vacation.
>>>
>>> You bashed OpenBSD for their knee jerk reactions, and I
>>>      
>>>
>>think you just
>>    
>>
>>>made a big one...
>>>
>>> Tim.
>>>
>>>
>>>
>>>
>>> Ted Mittelstaedt wrote:
>>>Hi Tim,
>>>
>>> If you don't have the ability to test out the patch then LEARN!
>>>
>>> As the advisory said "no known exploits have been released"  I also
>>>noticed that the only 2 vendors listed as implementing a fix were
>>>Cisco and Microsoft. And Microsoft was NOT on the problem list for
>>>ANY of their patched OSs.  I would therefore assume that the release
>>>of this so-called vulnerability was carefully timed to take place
>>>AFTER Microsoft had got it's ass covered, to make them look good,
>>>and everyone else look bad.  I continue therefore to assume that this
>>>is a political security hole, not an actual security hole.
>>>
>>> OpenBSD is well known for knee-jerk reactions to real and supposed
>>>security holes, so it's not surprising they released a patch
>>>      
>>>
>>right away
>>    
>>
>>>- of course, little good that did them since this advisory
>>>      
>>>
>>trashed them
>>    
>>
>>>anyway.  But knee jerk reactions don't always take all variables into
>>>account.
>>>
>>> I rewrite their patch because it was simple and easy to apply to the
>>>FreeBSD source - but I did not write the networking code in
>>>      
>>>
>>FreeBSD and
>>    
>>
>>>have no idea if it is correct, or if OpenBSD even wrote the
>>>      
>>>
>>fix properly,
>>    
>>
>>>or if in fact this is a real vulnerability that anyone needs to be
>>>concerned about.  In theory, any flat-key lock can be picked in less
>>>than a minute (I've seen it done that fast, and done it
>>>      
>>>
>>myself somewhat
>>    
>>
>>>more slowly) but that does not stop millions of them from being sold
>>>at Home Depot every year.  If people went to a different type of lock
>>>that was much harder to pick then the burglar might not break in
>>>by picking the lock - but instead by kicking in the door which has
>>>the side effect of destroying the door and frame, and there's a couple
>>>thousand bucks lost right there fixing that - and if all the burgler
>>>does is steal a $200 TV set, then your better off with the
>>>      
>>>
>>pickable lock.
>>    
>>
>>>The point is that any change in the networking code
>>>may have side effects that are worse than the problem.
>>>
>>> I posted the patch in order to head off a big long dumbass trashing
>>>discussion, because I suspected you were trolling - but I was willing
>>>to give you the benefit of the doubt.  If you were really
>>>concerned - such as if you worked for some company that had some
>>>stick-up-their-ass security officer that was bigger than his britches,
>>>and you had to have a fix RIGHT NOW - then this would have allowed you
>>>to apply the patch to shut up the bigger-than-britches
>>>      
>>>
>>security officer
>>    
>>
>>>so you could continue about your business.  In the meantime then the
>>>networking and security group could have had discussion about the
>>>PROPER way to handle this.  Probably that's this patch, but maybe not.
>>>
>>> Now I find what?  Well, it surely looks to me like I just spoiled
>>>your troll, so your going to pretend it was no big deal, make
>>>      
>>>
>>a lame-ass
>>    
>>
>>>excuse about how you really didn't need the patch anyway and can't
>>>apply it because your incompetent, and fade into the woodwork.  I told
>>>you to post the patch and info to the appropriate FreeBSD
>>>      
>>>
>>security lists,
>>    
>>
>>>and you aren't the least bit interested in doing what I told
>>>      
>>>
>>you.  Why -
>>    
>>
>>>because you were only interested in this silly hypothetical
>>>      
>>>
>>PAWS exploit
>>    
>>
>>>as long as nobody could say "FreeBSD has a fix, shut up and apply it",
>>>so you can go urinate on the parade here.  Now I just handed you a
>>>urinal, and your going to run away and pee on someone else.
>>>
>>> I don't want to see a fucking thing more from you unless it's:
>>>
>>>"Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD
>>>      
>>>
>>security and
>>    
>>
>>>networking
>>>mailing lists and posted what I was given and this is what they said"
>>>
>>> If you aren't willing to lift a finger to do that, your a fucking
>>>troll.  Don't waste anyone else's time here.  Next time you
>>>      
>>>
>>ask for code,
>>    
>>
>>>you better check out the going hourly rate for custom programming.
>>>
>>>Ted
>>>
>>> -----Original Message-----
>>>From: owner-freebsd-questions at freebsd.org
>>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>>>Sent: Thursday, May 19, 2005 1:27 PM
>>>To: Ted Mittelstaedt
>>>Cc: bsd
>>>Subject: Re: PAWS security vulnerability
>>>Importance: Low
>>>
>>>
>>>Ted,
>>>
>>>thanks for taking a look at this. I'm not sure I have the ability to
>>>test out your patch. Maybe someone else on this fine list can ?
>>>
>>>But this sounds like a pretty severe DOS issue that seems to be
>>>relatively simple to implement.
>>>
>>>Do you know if the 5.x branch is affected by this as well ?
>>>
>>>Tim.
>>>
>>>
>>>Ted Mittelstaedt wrote:
>>>
>>>   Hi Tim,
>>>
>>>Here is a slight mod of the OpenBSD patch for OpenBSD 3.6
>>>     that has been
>>>   rewritten for FreeBSD 4.11.  YMMV  If it works I would submit
>>>     it to the
>>>   FreeBSD
>>>security list.  The only change I made is OpenBSD defines "tiflags"
>>>FreeBSD defines
>>>"thflags" I assume they are the same thing.  The file is in
>>>/usr/src/sys/netinet
>>>
>>>Turning off the timestamps would be a good way to make your network go
>>>slow.
>>>
>>>*** tcp_input.c.original        Thu May 19 11:52:30 2005
>>>--- tcp_input.c Thu May 19 12:00:14 2005
>>>***************
>>>*** 976,984 ****
>>>--- 976,992 ----
>>>               * record the timestamp.
>>>               * NOTE that the test is modified according
>>>     to the latest
>>>                   * proposal of the tcplw at cray.com list (Braden
>>>1993/04/26).
>>>+                * NOTE2 additional check added as a result of PAWS
>>>vulnerability
>>>+                * documented in Cisco security notice
>>>cisco-sn-20050518-tcpts
>>>+                * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
>>>               */
>>>              if ((to.to_flags & TOF_TS) != 0 &&
>>>                  SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
>>>+                       if (SEQ_LEQ(tp->last_ack_sent,
>>>     th->th_seq + tlen
>>>   +
>>>+                               ((thflags & (TH_SYN|TH_FIN)) != 0)))
>>>+                                 tp->ts_recent = to.to_tsval;
>>>+                       else
>>>+                               tp->ts_recent = 0;
>>>                      tp->ts_recent_age = ticks;
>>>                      tp->ts_recent = to.to_tsval;
>>>              }
>>>
>>>Ted
>>>
>>>
>>>
>>>     -----Original Message-----
>>>From: owner-freebsd-questions at freebsd.org
>>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Tim Traver
>>>Sent: Thursday, May 19, 2005 10:09 AM
>>>To: bsd
>>>Subject: PAWS security vulnerability
>>>
>>>
>>>Hi all,
>>>
>>>ok, this article was just published about a PAWS TCP DOS
>>>vulnerability,
>>>and lists freeBSD 4.x as affected.
>>>
>>>http://www.securityfocus.com/bid/13676/info/
>>>
>>>Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>>>
>>>and is 5.4 affected too ?
>>>
>>>Tim.
>>>
>>>_______________________________________________
>>>freebsd-questions at freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to
>>>"freebsd-questions-unsubscribe at freebsd.org"
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>freebsd-questions at freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to
>>>"freebsd-questions-unsubscribe at freebsd.org"
>>>
>>>
>>>
>>>_______________________________________________
>>>freebsd-questions at freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>To unsubscribe, send any mail to
>>>      
>>>
>>"freebsd-questions-unsubscribe at freebsd.org"
>>    
>>
>>>      
>>>
>>_______________________________________________
>>freebsd-questions at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to
>>"freebsd-questions-unsubscribe at freebsd.org"
>>
>>    
>>
>
>  
>


More information about the freebsd-questions mailing list