Re: [Full-Disclosure] MacOSX -FreeBSD
From: Stephen Menard (smenard_at_nbnet.nb.ca)
To: Full Disclosure <firstname.lastname@example.org> Date: Sat, 04 Dec 2004 13:08:48 -0400
> There is a security update, I just noticed it.
> Security Update 2004-12-02 delivers a number of security enhancements
> and is recommended for all Macintosh users. This update includes the
> following components:
> For detailed information on this Update, please visit this website:
> On 2-Dec-04, at 3:32 PM, Randall Craig wrote:
> On Thu, 2 Dec 2004 10:58:02 -0600, Randall Craig
> <email@example.com> wrote:
> Ok I am super duper new to this list and also new to *nix... i will
> never go back to M$ ceptin for gaming purposes... I am running on OS
> X.3.3 and was wanting to know if the Security Alert pertaining to
> FreeBSD would also affect my system. I know that BSD is running
> underneath OS X... I am fairly sure that Apple is aware of it by
This _may_ affect OSX don't have cuurent Mac OSX Access today
BUT because OSX is partially FreeBSD based
[I assume that the BSD Mention was simply a slip of the free fingers]
there is a _large difference_ ;
and if you check previous Apple updates they refer to FreeBSD 4 errors fixed
It would be best to assume it is vulnerable
[there are probably quite a few undiscovered bugs in OSX Country]
BUT Check to see if procfs or linprocfs is anywhere on the system as
I think the relevant info is this:
FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in
its linprocfs(5) file system, and is therefore only affected if the
procfs(5) file system is mounted.
as you can see from these security updates which mention FreeBSD
*Mac **OS **X **Security* update is available for download. To do so
open up the Software update in the System Panel and perform the
*security* update or download for Apples web site
<http://docs.info.apple.com/article.html?artnum=120111>. This update
fixes/upgrades/installs the following: advisory which DOES AFfect MacOSX
and was fixed
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-02:13 Security Advisory
Topic: OpenSSH contains exploitable off-by-one bug
Category: core, ports
Module: openssh, ports_openssh, openssh-portable
Credits: Joost Pol <firstname.lastname@example.org>
Affects: FreeBSD 4.4-RELEASE, 4.5-RELEASE
FreeBSD 4.5-STABLE prior to the correction date
openssh port prior to openssh-3.0.2_1
openssh-portable port prior to openssh-portable-3.0.2p1_1
Corrected: 2002-03-06 13:57:54 UTC (RELENG_4)
2002-03-07 14:40:56 UTC (RELENG_4_5)
2002-03-07 14:40:07 UTC (RELENG_4_4)
2002-03-06 13:53:38 UTC (ports/security/openssh)
2002-03-06 13:53:39 UTC (ports/security/openssh-portable)
FreeBSD only: NO
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
OpenSSH multiplexes `channels' over a single TCP connection in order
to implement X11, TCP, and agent forwarding. An off-by-one error in
the code which manages channels can result in a reference to memory
beyond that allocated for channels. A malicious client or server may
be able to influence the contents of the memory so referenced.
An authorized remote user (i.e. a user that can successfully
authenticate on the target system) may be able to cause sshd to
execute arbitrary code with superuser privileges.
A malicious server may be able to cause a connecting ssh client to
execute arbitrary code with the privileges of the client user.
Do one of the following:
1) The FreeBSD malloc implementation can be configured to overwrite
or `junk' memory that is returned to the malloc arena. Due to the
details of exploiting this bug, configuring malloc to junk memory
will thwart the attack.
To configure a FreeBSD system to junk memory, execute the following
commands as root:
# ln -fs J /etc/malloc.conf
Note that this option will degrade system performance. See the
malloc(3) man page for full details on malloc options.
2) Disable the base system sshd by executing the following command as
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
Deinstall the openssh or openssh-portable ports if you have one of
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2,
or 4.5-STABLE after the correction date and rebuild.
2) FreeBSD 4.x systems prior to the correction date:
The following patch has been verified to apply to FreeBSD 4.4-RELEASE,
4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It
may or may not apply to older, unsupported versions of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Branch Version string
HEAD OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4 OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20020307
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20020307
To view the version string of the OpenSSH server, execute the
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
To view the version string of the OpenSSH client, execute the
% /usr/bin/ssh -V
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0083 to this issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
Apache Mod_SSL - updated to version 2.8.7-1.3.23 to address a buffer
overflow vulnerability <http://online.securityfocus.com/advisories/3937>
which could potentially be used to run arbitrary code in conjuction
Apache is updated to version 1.3.23.
groff updated version 1.17.2 to address the vulnerability CVE ID:
CAN-2002-0003 <http://online.securityfocus.com/advisories/3859>, where
an attacker could gain rights as the 'lp' user remotely.
mail_cmds is updated to fix a vulnerability where users could be added
to the mail group
OpenSSH - updated to version 3.1p1 to address the vulnerability reported
in *FreeBSD **Security* Advisory *FreeBSD*-SA-02:13
where an attacker could influence the contents of the memory.
PHP - updated to version 4.1.2 to address the vulnerability reported in
CERT CA-2002-05 <http://www.cert.org/advisories/CA-2002-05.html>, which
could allow an intruder to execute arbitrary code with the privileges of
the web server.
rsync - updated to version 2.5.2 addresses a vulnerability which could
lead to corruption of the stack and possibly to execution of arbitrary
code as the root user. *FreeBSD **Security* Advisory *FreeBSD*-SA-02:10
sudo - updated to version 1.6.5p2 to address the vulnerability reported
in *FreeBSD **Security* Advisory *FreeBSD*-SA-02:06
where a local user may obtain superuser privileges.
Full-Disclosure - We believe in it.