Kazuki Omo | 4 Nov 03:03 2005

Re: Systems stops booting while displaying "Filesystem is clean."

Hi, Sonixxfx,

You can download my .config file and a tarball of my /etc/lids directory from

http://www.honto.info/config.kubuntu
http://www.honto.info/lids.kubuntu.tar.gz 

Also, when I tested Apache on LIDS with 2.4-kubuntu, I didn't use an
initrd disk image in /boot/grub/menu.lst.
When I used an initrd, LIDS didn't seem to work properly. Instead, I set up
the drivers and so on as "built-in kernel" and didn't use an initrd.

Regards,

On Thu, Oct 27, 2005 at 09:05:28PM +0200, Sonixxfx wrote:
> Hi again Kazuki,
>  I am very sorry for the late reply, but I was again very busy. I have also
> tried to set up LIDS all this time.
>  I have forgotten if I patched my kernel with the openwall-lids patch or the
> plain lids patch, but I am using kernel 2.4.31 on Debian now.
>  I still don't have full access to my system from a LIDS free session. Some
> programs need rules they would only need when they run outside a LIDS free
> session to run properly in a LFS. These programs for example are apache,
> mail and postfix. This LFS problem I have is likely caused by my
> knowledge of LIDS. I am wondering if there is a kernel setting that can
> cause this.
>  At this moment I have almost finished setting up LIDS on my system. I have
> set up rules for the programs that won't run properly from a LFS. I guess it
> won't hurt much.
>  I also had a problem with the ACL discovery function. I have done

Kazuki Omo | 4 Nov 03:11 2005

New Capabilities

Dear lists,

I can't say exactly which version, but since some version of the Linux kernel,
linux/include/linux/capability.h says

#define CAP_AUDIT_WRITE      29

#define CAP_AUDIT_CONTROL    30

I guess the current version of LIDS can't manage these capabilities.
Am I right?

Regards,
-- 
Kazuki Omo: omok <at> honto.info
LIDS Japanese Information:
Japanese: http://www.selinux.gr.jp/LIDS-JP/index.html
English:  http://www.selinux.gr.jp/LIDS-JP/LIDS_en/index.html

Alaois Luby | 10 Nov 23:02 2005

Christian Piva Franzen | 14 Nov 04:10 2005

Lids preventing buffer overflow

Hi everyone,

    First of all, sorry for my terrible English.

    I'm using LIDS 2.2.1, kernel 2.6.13.2 in my course conclusion work
and tested it with a date/time server containing a buffer overflow
vulnerability. It tries to guess the return address, sending different
offsets each time it runs. Most of it was obtained from
http://packetstormsecurity.org/advisories/b0f/sc.tgz

    I tested it using the same machine as the server (the one with the
vulnerability) and the client.

    Running just one instance of the exploit didn't work, but when I
used five instances I could obtain the shell, that is, the exploit
worked.

Output without LIDS:
      Stack pointer: 0xbfffecd8
             Offset: 3550
Return Address: 0xbffffab6 (guess ;)
*** servidor DATA/HORA versao 1.0 ***
prompt "username" received.
Sending buffer...200 bytes
Sending /usr/bin/id...

      Stack pointer: 0xbfffecd8
             Offset: 3600
Return Address: 0xbffffae8 (guess ;)
*** servidor DATA/HORA versao 1.0 ***
prompt "username" received.
Sending buffer...200 bytes
Sending /usr/bin/id...
uid=1000(sysadm) gid=1000(sysadm)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(sysadm)

Output with LIDS:

      Stack pointer: 0xbfd3b868
             Offset: 4050
Return Address: 0xbfd3c83a (guess ;)
*** servidor DATA/HORA versao 1.0 ***
prompt "username" received.
Sending buffer...200 bytes
Sending /usr/bin/id...
      Stack pointer: 0xbfbb0698
             Offset: 4100
Return Address: 0xbfbb169c (guess ;)
*** servidor DATA/HORA versao 1.0 ***
prompt "username" received.
Sending buffer...200 bytes
Sending /usr/bin/id...
uid=1000(sysadm) gid=1000(sysadm)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(sysadm)

     Does anyone know which feature in LIDS prevented the buffer
overflow with one process? And why couldn't it stop it when I had five
processes running together?

    The only difference I saw is that the stack pointer is always the
same without LIDS, but with LIDS it changes between most runs.

    I would appreciate any help.

[]'s
Christian Piva Franzen
Brazil.

Kazuki Omo | 15 Nov 02:25 2005

Re: Lids preventing buffer overflow

Hi, Christian,

Sorry for my bad English too :-)

AFAIK, LIDS only enhances access control. I guess LIDS won't protect
your server from a buffer overflow vulnerability. But, by the LIDS concept,
you can't kill a protected process or access hidden files
even if you could obtain a shell.

If you want to protect your machine from buffer overflows, exec-shield
might be a better solution.
I don't know whether we can use exec-shield and LIDS on the same system,
but we can try. (Or, lids-1.2.2-ow1 with OpenWall Linux can protect
too.)

SELinux also can't protect from buffer overflows, I guess.
But most buffer overflow attacks can't work on SELinux because of
SELinux's concept (least (actually, very, very granular) permission).
Even if the attack succeeds, the attacker can't obtain a shell or anything,
because of least permission.

Anyway, I want to test "sc.tgz" too.

Regards,

OMO

On Mon, Nov 14, 2005 at 12:10:47AM -0300, Christian Piva Franzen wrote:

-- 
Kazuki Omo: omok <at> honto.info
LIDS Japanese Information:
Japanese: http://www.selinux.gr.jp/LIDS-JP/index.html
English:  http://www.selinux.gr.jp/LIDS-JP/LIDS_en/index.html
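The two traces in Christian's post differ in one thing: without LIDS the reported stack pointer is identical across runs, while on the LIDS kernel it moves between runs, which is what stack address randomization looks like in a log (kernels from 2.6.12 on can enable it independently of LIDS, so it is worth ruling out as the real cause). The script below is an added example, not code from the thread; it parses the exploit's own "Stack pointer:" output format for that property and, on a Linux host, repeats the check live from /proc/self/maps. The transcript values are taken from the post; that each trace is two runs, and that randomization rather than LIDS explains the difference, are assumptions.

```python
"""Added example (not from the thread): does the stack pointer move between
runs?  (1) parse a transcript in the exploit's output format and count distinct
"Stack pointer" values; (2) on Linux, read /proc/self/maps from several child
processes and count distinct [stack] bases."""
import re
import subprocess
import sys

# Transcript lines constructed from the values quoted in Christian's post.
TRANSCRIPT_NO_LIDS = """\
      Stack pointer: 0xbfffecd8
             Offset: 3550
      Stack pointer: 0xbfffecd8
             Offset: 3600
"""
TRANSCRIPT_LIDS = """\
      Stack pointer: 0xbfd3b868
             Offset: 4050
      Stack pointer: 0xbfbb0698
             Offset: 4100
"""

SP_RE = re.compile(r"Stack pointer:\s*(0x[0-9a-fA-F]+)")

def stack_pointers(transcript: str) -> list:
    """Stack-pointer values (as ints) in order of appearance."""
    return [int(m.group(1), 16) for m in SP_RE.finditer(transcript)]

def stack_varies(transcript: str) -> bool:
    """True when at least two runs reported different stack pointers."""
    return len(set(stack_pointers(transcript))) > 1

def live_stack_bases(runs: int = 5) -> list:
    """Spawn `runs` children that print their own /proc/self/maps and collect
    the start address of each child's [stack] mapping (Linux only)."""
    bases = []
    for _ in range(runs):
        maps = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                              text=True, check=True).stdout
        for line in maps.splitlines():
            if line.endswith("[stack]"):
                bases.append(int(line.split("-")[0], 16))
    return bases

if __name__ == "__main__":
    print("no-LIDS transcript varies:", stack_varies(TRANSCRIPT_NO_LIDS))  # False
    print("LIDS transcript varies:   ", stack_varies(TRANSCRIPT_LIDS))     # True
    if sys.platform.startswith("linux"):
        bases = live_stack_bases()
        print("live [stack] bases: %d distinct of %d" % (len(set(bases)), len(bases)))
```

If the live check reports only one distinct base across runs, the host is running without stack randomization, which is the situation Christian's no-LIDS trace shows.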

Kazuki Omo | 15 Nov 02:42 2005

LIDS patched kernel(vanilla) for Debian

Dear all,

We released a LIDS-patched (vanilla) kernel for Debian (sarge).
You can download it from

http://www.selinux.gr.jp/LIDS-JP/download.html

You need to download it and install it with the "dpkg -i" command.

Note: The kernel is "vanilla", so you might have some trouble from the lack
of Debian's patches.

Regards,

OMO
-- 
Kazuki Omo: omok <at> honto.info
LIDS Japanese Information:
Japanese: http://www.selinux.gr.jp/LIDS-JP/index.html
English:  http://www.selinux.gr.jp/LIDS-JP/LIDS_en/index.html

ravecLubs | 15 Nov 06:49 2005

Re: Welcome to the "lids-user" mailing list (Digest mode)

In a message dated 11/14/2005 6:36:05 PM Pacific Standard Time, lids-user-request <at> lists.sourceforge.net writes:
lids-user <at> lists.sourceforge.net

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If I could get AOL to make a .wav that plays every time one of you receives an email from me...
It would say this:

"You've got retard mail"

Gotta love foot in mouth syndrome!
/).(\ HeH /).(\

matt | 22 Nov 08:37 2005

Can't delete ACL

Hi guys

I have installed lids-1.2.2-2.4.30 onto our Slackware 10.2 server and
I am struggling with this at the moment. I have created an ACL:

	lidsconf -A -o /etc/postfix -j DENY

and now I would like to delete it, and I have tried:

	lidsconf -D -o /etc/postfix -j DENY

but for some reason I get this error:

	Using ACL FILE: /etc/lids/lids.conf
	DELETE
          effective capability = 0x1ad8ca04

	lidsconf: the file does not exit in acl file

Any ideas on what I might be doing wrong?

-- 
matt erasmus <matt <at> dcdata.co.za>
DCData

-- 
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html
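Kazuki's "New Capabilities" question earlier in this digest (CAP_AUDIT_WRITE = 29, CAP_AUDIT_CONTROL = 30) and the "effective capability = 0x1ad8ca04" line in Matt's lidsconf output both come down to reading a capability bitmask against the kernel's bit numbering. The script below is an added example, not LIDS code; it assumes the lidsconf value is a plain bitmask in kernel bit order, and whether a set bit means a capability is enabled or disabled is lidsconf's convention, which the thread does not state.

```python
"""Added example (not LIDS code): decode a capability bitmask such as the
"effective capability = 0x1ad8ca04" value lidsconf printed, using the bit
numbers from linux/include/linux/capability.h, and report whether the two
audit bits Kazuki asked about are present.  Assumption: the value is a
plain bitmask in kernel bit order."""

# Bit numbers as defined in include/linux/capability.h (kernel 2.6.13 era).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
]
CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL = 29, 30   # the values quoted in the thread

def set_caps(mask: int) -> list:
    """Names of the capabilities whose bits are set in `mask`."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def clear_caps(mask: int) -> list:
    """Names of the capabilities whose bits are clear in `mask`."""
    return [name for bit, name in enumerate(CAP_NAMES) if not mask >> bit & 1]

def unknown_bits(mask: int) -> list:
    """Set bits beyond the highest capability this table knows about; a
    non-empty result means the tool and the kernel disagree on the numbering."""
    return [b for b in range(len(CAP_NAMES), mask.bit_length()) if mask >> b & 1]

def has_audit_caps(mask: int) -> bool:
    """True when CAP_AUDIT_WRITE or CAP_AUDIT_CONTROL is set in `mask`."""
    return bool(mask & (1 << CAP_AUDIT_WRITE | 1 << CAP_AUDIT_CONTROL))

if __name__ == "__main__":
    mask = 0x1ad8ca04          # value from the lidsconf output in Matt's post
    print("set:   ", ", ".join(set_caps(mask)))
    print("clear: ", ", ".join(clear_caps(mask)))
    print("audit bits present:", has_audit_caps(mask))
    print("bits outside the table:", unknown_bits(mask))
```

For the value in Matt's post neither audit bit is set, which is consistent with, though not proof of, Kazuki's guess that LIDS of that version does not handle them.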

Kazuki Omo | 24 Nov 03:32 2005

Re: Can't delete ACL

Dear Matt,

I got the same error in my environment.
I'm using lids-1.2.2-2.4.31-sk with Debian (sarge) 2.4.31.

It seems to be a bug or something.
Until the bug is fixed, you can modify /etc/lids/lids.conf to delete the ACL
directly.

Regards,

On Tue, Nov 22, 2005 at 09:37:46AM +0200, matt wrote:

-- 
Kazuki Omo: omok <at> honto.info
LIDS Japanese Information:
Japanese: http://www.selinux.gr.jp/LIDS-JP/index.html
English:  http://www.selinux.gr.jp/LIDS-JP/LIDS_en/index.html
