DX Spider and Kernel > 2.6.1

DX Spider and Kernel > 2.6.1

[Ruben Navarro Huedo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello friends:
We are running Dx-Spider:
DX Spider Cluster version 1.51 (build 57.263) on Linux
Under Debian Woody with:
ii  ax25-apps      0.0.6-1        Applications for AX25
ii  ax25-tools     0.0.8-2        AX-25 Tools
ii  libax25        0.0.10-1       ax25 libraries for hamradio applications
ii  libax25-dev    0.0.10-1       ax25 library development files

Spider is running OK with 2.6.1 but with 2.6.2 or 2.6.3 it doesn't accept ax25
connections.
With 2.6.2,3 ax25d runs Ok becouse we can connect to node.
Trying to connect to Spider we can see the conection but inmediatly it
disconects us:

EB5ESX de EA5ELX-5 26-Feb-2004 2258Z >
EA5RM connect <-This
EA5RM disconect  <-And this

We can only see this in the logs:
1077836333^DXCommand^EA5RM connected from 127.0.0.1
1077836334^DXCommand^EA5RM disconnected

What could be happening?
is anybody having this problem?

Thank's.

- -- 
Ruben Navarro Huedo
eb5esx (arroba) eb5esx.ampr.org
http://www.cabodesantapola.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAPn/W0S5G8AO3zN8RAm2DAJ4jkinoToAyr3CV2ll66FWhr6Q0QwCeMQ/Y
PqZ3k+auLQrooqwKQuMFwi0=
=hf07
-----END PGP SIGNATURE-----

Re: DX Spider and Kernel > 2.6.1

[Jeroen Vreeken]

On 2004.02.27 00:23:02 +0100 Ruben Navarro Huedo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello friends:
> We are running Dx-Spider:
> DX Spider Cluster version 1.51 (build 57.263) on Linux
> Under Debian Woody with:
> ii  ax25-apps      0.0.6-1        Applications for AX25
> ii  ax25-tools     0.0.8-2        AX-25 Tools
> ii  libax25        0.0.10-1       ax25 libraries for hamradio
> applications
> ii  libax25-dev    0.0.10-1       ax25 library development files
> 
> Spider is running OK with 2.6.1 but with 2.6.2 or 2.6.3 it doesn't accept
> ax25
> connections.
> With 2.6.2,3 ax25d runs Ok becouse we can connect to node.
> Trying to connect to Spider we can see the conection but inmediatly it
> disconects us:
> 
> EB5ESX de EA5ELX-5 26-Feb-2004 2258Z >
> EA5RM connect <-This
> EA5RM disconect  <-And this
> 
> We can only see this in the logs:
> 1077836333^DXCommand^EA5RM connected from 127.0.0.1
> 1077836334^DXCommand^EA5RM disconnected
> 
> What could be happening?
> is anybody having this problem?

Does anybody know of a dxspider host that I can connect over the internet?
It looks like a problem in the client... I can run that without much
problems here, but I don't have anything to connect to....

Jeroen

Would you run Linuxnode into an _OLD_ server?

[IZ4EFN Alessio]

Good morning guys,

just subscribed and jus starting bothering you with stupid question :)

My name is Alex, IZ4EFN and I'm setting up some Linux-ax25 servicies for my
local club.

One of these is a Linuxnode, connected via KISS to a node and via LAN to our
router server.

This is the question:

would you run JUST Linuxnode 0.3.2 on a Pentium 133, 32MB RAM?

Please note I don't need firewall or any kind of protection, nothing more
(my router server already provide this).
This would reduce the work of this poor hardware!

I'm asking this because, reading some bug reports and security exploit on
the web, it seems like Linuxnode uses a big amount of memory and resources
to administrate multiple telnet connection.

Any suggestion/comment appreciated (and QSLed by the buro, would say not so
far away from here).

Alessio, IZ4EFN

Re: Would you run Linuxnode into an _OLD_ server?

[Tomi Manninen]

On Sat, 2004-02-28 at 02:04, IZ4EFN Alessio wrote:

> I'm asking this because, reading some bug reports and security exploit on
> the web, it seems like Linuxnode uses a big amount of memory and resources
> to administrate multiple telnet connection.

As the author of LinuxNode I would be interested in what these bugs and 
exploits are... Please, anyone?

-- 
Tomi Manninen / OH2BNS / KP20ME04

Re: Would you run Linuxnode into an _OLD_ server?

[Aleksandar Ilic]

On Saturday 28 February 2004 01:04, IZ4EFN Alessio wrote:
> would you run JUST Linuxnode 0.3.2 on a Pentium 133, 32MB RAM?

Ciao Alessio,
4N1ZNX (NISNODE) works flawlessly on exactly the same hardware. Running 
linuxnode *and* XNet together. Come and check !

arrivederci,
Alek
-- 
  73 de YU1IS  -=-  ICQ# 62419462

Linuxnode vulnerability

[IZ4EFN Alessio]

> As the author of LinuxNode I would be interested in what these bugs and
> exploits are... Please, anyone?
>
> --
> Tomi Manninen / OH2BNS / KP20ME04


Maybe I was too tired two nigth ago...looking for information about
Linuxnode on Google (just typed "Linuxnode").

Anyway I found these:

****

http://lists.alphanet.ch/pipermail/gull-annonces/2003-September/000075.html

LinuxNode Remote Buffer Overflow Vulnerability
BugTraq ID: 8512
Remote: Yes
Date Published: Aug 29 2003
Relevant URL: http://www.securityfocus.com/bid/8512
Summary:
LinuxNode is an amateur packet radio node program.
It has been reported that LinuxNode is prone to a remote buffer overflow
condition.  The issue presents itself due to insufficient bounds checking.
A remote attacker may ultimately exploit this issue remotely and execute
arbitrary code in the context of the user who is running the vulnerable
software.  Successful exploitation may allow a attacker to gain
unauthorized access to the vulnerable host.
Explicit technical details regarding this vulnerability are not currently
available. This BID will be updated, as further details regarding this
issue are made public.
Although LinuxNode 0.3.0 has been reported to be vulnerable to this
problem, other versions may be affected as well.

****

http://secunia.com/advisories/9632/

Here Morgan SM6TKY says to upgrade to 0.3.2:

Some vulnerabilities have been identified in LinuxNode, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to a boundary error in the
"expand_string()" function as well as some format string errors. These can
be exploted to execute arbitrary code on an affected system.

Solution:
Update to version 0.3.2:
http://hes.iki.fi/pub/ham/unix/linux/ax25/

****

This is quite interesting, it regards the possibility to gain access on the
running machine:

http://xforce.iss.net/xforce/xfdb/13077

LinuxNode is a freely available amateur packet radio node program for
Linux-based operating systems. LinuxNode versions 0.3.2 and earlier are
vulnerable to a format string attack. A remote attacker can exploit this
vulnerability to cause a denial of service or execute arbitrary code on the
system.

Platforms Affected:
Debian Project Debian Linux 3.0
Tomi Manninen LinuxNode 0.3.2 and earlier

Remedy:

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest node package (0.3.0a-2woody1 or later), as listed in
Debian Security Advisory DSA 375-1. See References.

Consequences:

Gain Access

****

http://securitylab.ru/40026.html

This is another SM6TKY advice, with a woody patch for Debian.

****

Don't know if this can be useful Tomi, if I these information are incorrect
or doesn't regard this system please exuse me.

Let me know,

Alessio Sacchi IZ4EFN.

Re: Linuxnode vulnerability

[Tomi Manninen]

Hi,

All of these refer to the same bug(s). And they are all fixed already.

> http://xforce.iss.net/xforce/xfdb/13077
> 
> LinuxNode is a freely available amateur packet radio node program for
> Linux-based operating systems. LinuxNode versions 0.3.2 and earlier are
> vulnerable to a format string attack. A remote attacker can exploit this
> vulnerability to cause a denial of service or execute arbitrary code on the
> system.

This has incorrect wording as a result of a mix-up by the Debian 
security team. It should read "0.3.1 and earlier" or "before 0.3.2". 
If you follow the above link and then follow the link to the 
CAN-2003-0708 page you notice that they have corrected the wording 
now...

-- 
Tomi Manninen / OH2BNS / KP20ME04

Re: Would you run Linuxnode into an _OLD_ server?

[Rodolfo Brasnarof]

---
On 28 Feb 2004 at 1:04, IZ4EFN Alessio wrote:

> Good morning guys,
> 
> just subscribed and jus starting bothering you with stupid question :)
> 
> My name is Alex, IZ4EFN and I'm setting up some Linux-ax25 servicies for my
> local club.
> 
> One of these is a Linuxnode, connected via KISS to a node and via LAN to our
> router server.
> 
> This is the question:
> 
> would you run JUST Linuxnode 0.3.2 on a Pentium 133, 32MB RAM?

I'm doing something like this on a 100 MHZ 486 16M ram, and 
at work I have a router vpn server and stuff running on a 
486 dx 33 with 12MB of ram, and 600MB HD. I'm using 
Slackware 9.1 as base system, and custom 2.4.25 kernel. With 
a custom kernel you can save maybe 500k-1MB of ram by 
removing unnecesary things.

So, don't worry. This is such a poor hardware. It's a 
powerfull system.

Re: Would you run Linuxnode

[Bob Morgan]

Tomi Manninen writes:
 > On Sat, 2004-02-28 at 02:04, IZ4EFN Alessio wrote:
 > 
 > > I'm asking this because, reading some bug reports and security exploit on
 > > the web, it seems like Linuxnode uses a big amount of memory and resources
 > > to administrate multiple telnet connection.
 > 
 > As the author of LinuxNode I would be interested in what these bugs and 
 > exploits are... Please, anyone?
 > 
 > -- 
 > Tomi Manninen / OH2BNS / KP20ME04

Tomi,

I have been running node for several years with good results, and have
had few problems.  This is on servers that don't get much if any
physical access and have to run for months/years at a time, and they
just keep going.

Over the last year or so, I have been developing a daemon that will
be a gnu-license workalike replacement for the old dos aresdata
database system.  It involves multiple ax25 connects inbound to it,
and presently it does use node as a frontend, meaning that if I get
10 or 20 simultaneous connects, that many copies of node are launched.
On servers that have 32+ mb of ram, that doesn't seem to be a particular
challenge in itself, but it did cause me to write the database frontend
daemon to only run one copy of itself, and accept(poll) as many telnet
connects from node as it had users, since it became apparent quite early on
that I couldn't expect to launch 20+ copies each of node, frontend, and postgresql
dbase backend itself, and still have a server with a tolerable memory size.
So, I use the outbound telnet connect facility of node to facilitate
things and serve as the ax25 frontend itself, and this appears to work fine.
Additionally, node can provide the client with quite a few other services,
so the client doesn't have to disconnect from something else to use the db.
I probably ought to add that I am operating a mix of direct ax25 connects
and also some that arrive via the netrom layer, but no rose is implemented,
so I can't comment on rose.

In the process of debugging the daemon I was writing, it became apparent
that I had a memory leak someplace, and after some afternoons of
experimentation it became apparent that for each instance of a telnet
connection from node (launched by an incoming ax25 client), 8K of memory
would disappear from the freelist, for each instance of the continuously
connected ax25 user initting a telnet call to any tcp socket on the box
or elsewhere, and that all of the memory was recovered upon disconection
of the ax25 client.  In other words, a packet station connects to node,
and initiates 3 successive connects and disconnects through the telnet
facility of node, so 24K of memory are consumed, 8K at a time, but are recovered
upon the disconnect of the ax25 client from node.  I was seeing
this with both 2.2 and 2.4 kernels.  To my knowledge I haven't
seen any of the sporadic ax25 instabilities under 2.4 kernels that
have been reported on this list in the last month or so.  Unless
we have a hardware glitch or a power failure the servers keep running.
I recently had to physically relocate a 2.2 kernel packet server
with just over two years continuous runtime since previous boot,
when the EOC itself relocated across town (Austin TX), and it
was still serving packets and connects to node when I powered it down.
(The 2.4 kernel units have physically not existed that long here).

To my knowledge, there was no memory leak if the telnet facility of
node was not involved.

I am not certain without going back and looking at some of these
servers exactly what version of node this is, but it is a binary/src copy
that SuSe has furnished for several years, and I want to say 0.3.0
or something like that.  I tried running a binary of it just now at the office,
(directly from the command line, not via inbound ax25)
and I guess it doesn't have a -v option to tell me a version number. (hint).
Anyhow, maybe this will give a clue to a possible dormant problem.
I didn't consider the leak a critical problem here due to the fact
that the memory would eventually be recovered by the kernel, so for
me it just fit into the curiousity category to be eventually dealt
with.  If there is a buffer overflow problem lurking about, possibly
the two might even be related, and looking for this problem might
help find the other one.  As far as I am concerned, node is a useful
and fairly solid program, and I plan on continuing to use it.

I have come up with a few locally used hacks to node, one of which is
to facilitate the ***Linked to bbs and network callsign handoff,
and a few other tricks, but probably of limited general interest.
If I knew for sure which was the current revision I could eventually forward
a patch for these things.  I do use the program quite a bit
in our local area, and plan to do so for quite some time.

When I get past the point where the aresdata replacement advances
from a locally used alpha release to a beta, I plan on announcing it here.
For the time being, if anyone is interested, there is some local
documentation concerning its local use and testing on the local
ares website, www.tcares.org, and I think that the name of the
program I have chosen, gnuares, has since found its way onto google.
Again, when it gets a little farther along, I will make it known here.

73 de Bob WB5AOH