Chronophage.net Blog

Security

Sud’oh!

by Nick on Apr.16, 2010, under Administration, News, Security

“Sudo’s command matching routine expects actual commands to include one or more slash (‘/’) characters. The flaw is that sudo’s path resolution code did not add a “./” prefix to commands found in the current working directory. This creates an ambiguity between a “sudoedit” command found in the cwd and the “sudoedit” pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named “sudoedit” in the current working directory. For the attack to be successful, the PATH environment variable must include “.” and may not include any other directory that contains a “sudoedit” command.”
(From http://portaudit.FreeBSD.org/1a9f678d-48ca-11df-85f8-000c29a67389.html)

I actually read about this on Full Disclosure. This is very similar to an earlier exploit. Sudo is a great tool, but you always have to be *very* careful who you give sudo access to.
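The ambiguity the advisory describes, modelled in Python as an added example (this is not sudo's own code): the PATH walk, the fake filesystem and the sudoers matching rule are constructed here, and the `add_dot_prefix` switch stands in for the change to sudo's path resolution that adds the "./" prefix to a command found in the current directory.

```python
"""Model of the sudo command-matching ambiguity described in the advisory above.

Added example, not sudo's code: it reproduces the rule the advisory states (a
command containing '/' is a real path, a bare name is compared with
pseudo-commands such as "sudoedit") against a constructed fake filesystem.
"""

SUDOEDIT = "sudoedit"   # the pseudo-command a sudoers entry can grant


def find_command(name, path, cwd, exists, add_dot_prefix):
    """Walk PATH the way a path-resolution routine would and return the command string.

    exists(abs_path) is injected so the example runs offline.
    add_dot_prefix=False models the flawed behaviour, True models the fix.
    """
    if "/" in name:
        return name                               # explicit path: no search at all
    for d in path.split(":"):
        if d in ("", "."):                        # cwd entry (an empty element means cwd, as in a shell)
            if exists(cwd.rstrip("/") + "/" + name):
                # Flawed: hand back the bare name, indistinguishable from the pseudo-command.
                # Fixed: hand back "./name", which is unmistakably a file path.
                return "./" + name if add_dot_prefix else name
        elif exists(d.rstrip("/") + "/" + name):
            return d.rstrip("/") + "/" + name     # a real directory hit is always a full path
    return None


def treated_as_sudoedit(resolved):
    """A slash-free command named sudoedit is matched as the pseudo-command."""
    return resolved is not None and "/" not in resolved and resolved == SUDOEDIT


# Constructed filesystem: an attacker-controlled file in the cwd and no real sudoedit on PATH.
FAKE_FS = {"/home/user/sudoedit", "/usr/bin/ls"}
exists = lambda p: p in FAKE_FS


def outcome(add_dot_prefix, path="/usr/bin:.", cwd="/home/user"):
    """(resolved command, would sudo match it as the sudoedit pseudo-command?)"""
    resolved = find_command(SUDOEDIT, path, cwd, exists, add_dot_prefix)
    return resolved, treated_as_sudoedit(resolved)


if __name__ == "__main__":
    print("flawed:", outcome(False))                    # ('sudoedit', True)
    print("fixed: ", outcome(True))                     # ('./sudoedit', False)
    print("no dot:", outcome(False, path="/usr/bin"))   # (None, False)
```

The third case is the advisory's precondition in reverse: with no "." (or empty element) in PATH the local file is never found, so there is nothing to confuse with the pseudo-command.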


Greylisting…Again

by Nick on Dec.02, 2009, under E-Mail, News, Security, Software

Certain parties have intoned that I am goofy for implementing a weird “mail bouncy thing” that is sometimes frustrating and is a silly anti-spam technique. Well, that would be greylisting, and while it is weird, it also stops a lot of spam from getting through.

Greylisting is a very simple technique. It is basically a daemon attached to a database that keeps track of which external sender (client IP address and sender domain) has sent mail to which internal recipient. When a new domain/IP-address combination shows up, the daemon rejects that transaction with a temporary failure (SMTP 450). That is per RFC 5321: a properly implemented SMTP server treats a 4xx reply as “try again later”, re-queues the message, and sends it again. If the sender retries before a specified “too early” window has elapsed (in my case 2 minutes, which is fairly aggressive), it is rejected again. If it comes back after the “too early” window but within 24 hours, it is passed, and an entry is made in the database allowing that sender to deliver unhindered for a few days. Once enough messages from the same IP address and the same domain have passed greylisting, that whole domain is whitelisted.

Greylisting is effective because it keeps non-compliant SMTP clients from delivering mail to your server. Most virus-infected machines that send or relay spam never re-queue a message after a temporary failure, or re-queue it for only the briefest time, so they never come back inside the window.

The problems with greylisting come from legitimate but misconfigured SMTP servers: either they don't re-queue the message because they treat 4xx temporary failures as 5xx permanent failures, or they do re-queue it but report a bounce to the original sender anyway.

Yahoo implements a more esoteric setup: they have four servers listed in their MX records, and at any time any one of them may temporarily reject messages. This is another way to test for non-RFC-compliant senders, since a sending server is supposed to try every MX host in turn, in order of preference value. Most virus-infected machines won't do that.

Because some of my users may have problems receiving mail, I have a web-based interface to the greylisting daemon's database that lets me opt addresses or domains out of greylisting.
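The decision logic described above (the new-sender deferral, the “too early” window, the 24-hour deadline, the per-sender and per-domain whitelists, and the opt-out list the web interface maintains), written out as an added example. This is not SQLGrey's code: the lookup key, the whitelist lifetimes, the domain auto-whitelist threshold and the reply strings (Postfix policy-server style) are assumptions; the 2-minute window and 24-hour deadline follow the post.

```python
"""Greylisting policy modelled on the post above.

Added example, not SQLGrey's code. The lookup key, the whitelist lifetimes,
the domain auto-whitelist threshold and the reply strings are assumptions;
the 2-minute "too early" window and the 24-hour retry deadline follow the post.
"""
from dataclasses import dataclass, field

DEFER = "DEFER_IF_PERMIT 450 4.2.0 Greylisted, please try again later"  # temporary failure
ACCEPT = "DUNNO"  # Postfix policy-server idiom: let later checks decide (assumed convention)


@dataclass
class Greylist:
    too_early: float = 120.0            # seconds: retries sooner than this are deferred again
    max_wait: float = 24 * 3600.0       # seconds: a retry later than this starts the clock over
    awl_ttl: float = 7 * 24 * 3600.0    # lifetime of a passed triplet (assumed: "a few days")
    domain_awl_threshold: int = 5       # passes from one IP+domain before the domain is whitelisted (assumed)
    exempt: set = field(default_factory=set)           # addresses or domains opted out via the web UI
    pending: dict = field(default_factory=dict)        # triplet -> time of first attempt
    awl: dict = field(default_factory=dict)            # triplet -> time of last successful pass
    domain_passes: dict = field(default_factory=dict)  # (ip, domain) -> number of passes
    domain_awl: set = field(default_factory=set)       # (ip, domain) pairs that are whitelisted

    def decide(self, client_ip, sender, recipient, now):
        """Return ACCEPT or DEFER for one delivery attempt at time `now` (seconds)."""
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        key = (client_ip, sender, recipient.lower())
        dkey = (client_ip, domain)

        # Opt-outs and auto-whitelists short-circuit the whole dance.
        if sender in self.exempt or domain in self.exempt or dkey in self.domain_awl:
            return ACCEPT
        last = self.awl.get(key)
        if last is not None and now - last <= self.awl_ttl:
            self.awl[key] = now           # keep a live sender whitelisted
            return ACCEPT

        first = self.pending.get(key)
        if first is None:                 # never seen (or whitelist expired): start the clock
            self.pending[key] = now
            return DEFER
        delta = now - first
        if delta < self.too_early:        # impatient retry: defer again, clock keeps running
            return DEFER
        if delta > self.max_wait:         # gave up for more than a day: treat as new
            self.pending[key] = now
            return DEFER

        # Retried inside the window: pass, remember it, and count towards the domain whitelist.
        del self.pending[key]
        self.awl[key] = now
        self.domain_passes[dkey] = self.domain_passes.get(dkey, 0) + 1
        if self.domain_passes[dkey] >= self.domain_awl_threshold:
            self.domain_awl.add(dkey)
        return ACCEPT


# Constructed delivery log: (client IP, envelope sender, recipient, seconds since start).
SAMPLE = [
    ("203.0.113.5", "alice@example.org", "nick@chronophage.net", 0),     # first contact
    ("203.0.113.5", "alice@example.org", "nick@chronophage.net", 300),   # compliant retry
    ("203.0.113.5", "alice@example.org", "nick@chronophage.net", 900),   # whitelisted now
    ("198.51.100.9", "bob@example.net", "nick@chronophage.net", 0),      # first contact
    ("198.51.100.9", "bob@example.net", "nick@chronophage.net", 30),     # too early
    ("198.51.100.9", "bob@example.net", "nick@chronophage.net", 600),    # inside the window
    ("192.0.2.77", "spam@example.com", "nick@chronophage.net", 0),       # bot never retries
]


def simulate(attempts, **policy):
    """Run a constructed attempt log through one policy; True means accepted."""
    gl = Greylist(**policy)
    return [gl.decide(ip, s, r, t) == ACCEPT for ip, s, r, t in attempts]


if __name__ == "__main__":
    for attempt, ok in zip(SAMPLE, simulate(SAMPLE)):
        print("accept" if ok else "defer ", *attempt)
```

The impatient retry at 30 seconds is deferred without resetting the clock, so the same sender still passes at 600 seconds; a sender whose mailer converts the 450 into a permanent bounce simply never reaches that second attempt, which is exactly the misconfiguration the opt-out list exists for.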

I’ve always run Greylisting, so I don’t have any comparison stats, but this guy does.

Software that I’m using for this:

  • SQLGrey
  • SQLGrey Web Interface (SGWI)

Calls from AT&T to Google Voice are not allowed.

by Nick on Aug.26, 2009, under News, Security

It seems that they are being blocked. I called technical support and requested that the “Case be escalated.” From my limited experience, this seems to be an AT&T issue, as I can reach my Google Voice number from a landline, and I’m not getting a fast busy, or other such errors. If this is not resolved in 24 hours, I will be filing a complaint with the FCC and MN’s Attorney General.


Curiosity

by Nick on Aug.21, 2009, under News, Security

People are so curious nowadays… Today I’ve received one NMAP ping from Colorado State (I’m guessing since I recently downloaded NMAP) and one “Version” query from ISC.org. Or at least, I think I have. Oh well, no harm done.


DNS and you!

by Nick on Jul.31, 2009, under News, Security

Say what you want about Kaminsky. I mean, the man is crazy. However, being on call when your employer, a regional ISP, reboots both the primary and secondary DNS servers, makes you appreciate how important DNS is in the grand scheme of internet things. Granted, his attack is fairly novel, but yeah… I’m glad ISC makes updating BIND nice and easy.


It’s the most wonderful time of the year…

by Nick on Jul.29, 2009, under News, Security

Where the hackers are crowing and exploits are flowing, seeding new ph34r.
It’s the most wonderful time of the year.
It’s the hap-happiest season of all,
when your software’s updating and admins are hating users not on the ball. It’s the hap-happiest season of all!

Seriously, can we spread out Black Hat, DEF CON et al.? I mean, not that I mind updating day after day…

