[977] in linux-security and linux-alert archive


[linux-security] FTPd vulnerability and fix.

daemon@ATHENA.MIT.EDU (Christopher Creutzig)
Sun Jul 28 08:34:15 1996

Date: 27 Jul 1996 10:36:00 +0200
From: christopher@nescio.zerberus.de (Christopher Creutzig)
To: linux-security@tarsier.cv.nrao.edu



On Thu, 25 Jul 1996, Rogier Wolff wrote:

:> Good work. Do you have a little more time on your hands? May I ask
:> you to look into one more "problem" that exists. You've almost 
:> seen the problem yourself already.

 I've already thought about the problem you address, but the problem
is that I'm not very good at TCP/IP programming, so I don't know how
to look up whether a different IP address is a "good" one, i.e. one
for the same host.  Anyway, I made up a quick patch to allow the thing
you addressed, so here is a message you might send to the list:

--
Dear Netizens,

 I sent a patch to the list concerning ftp attacks we have been
watching.  People used our ftp server to send data to nameserver ports
on other machines and to probe other hosts for daemons connected to
ports <1024.  While I was at it, I also taught it to accept
/etc/ftponly as a non-/etc/shells-but-valid-login shell as proposed on
this list already.  Rogier Wolff asked whether I could also implement
something to stop people from sending data to arbitrary hosts, so that
wu-ftpd could be used on a firewall. The solution I implemented is not
very neat, but anyway, these are the patches, starting from

sunsite.unc.edu:/.../system/Network/file-transfer/wu-ftpd-2.4-fixed-tar.gz:

--8<--
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx wu-ftpd-2.4-fixed-sec/src/config/config.lnx
--- wu-ftpd-2.4-fixed/src/config/config.lnx	Sat Jun  3 17:30:59 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx	Fri Jul 26 18:04:51 1996
@@ -13,10 +13,12 @@
 #define OVERWRITE
 #undef  REGEX
 #define SETPROCTITLE
 #define UPLOAD
 #undef  USG
 #define SVR4
+#define PARANOIA
+#undef  EXTRA_PARANOIA
 
 #include <varargs.h>
 #include <bsd.h>
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx.no-shadow wu-ftpd-2.4-fixed-sec/src/config/config.lnx.no-shadow
--- wu-ftpd-2.4-fixed/src/config/config.lnx.no-shadow	Sat Jun  3 19:56:42 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx.no-shadow	Fri Jul 26 18:04:51 1996
@@ -17,6 +17,8 @@
 #define UPLOAD
 #undef  USG
 #define SVR4
+#define PARANOIA
+#undef  EXTRA_PARANOIA
 
 #include <varargs.h>
 #include <bsd.h>
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx.shadow wu-ftpd-2.4-fixed-sec/src/config/config.lnx.shadow
--- wu-ftpd-2.4-fixed/src/config/config.lnx.shadow	Sat Jun  3 19:56:51 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx.shadow	Fri Jul 26 18:04:52 1996
@@ -17,6 +17,8 @@
 #define UPLOAD
 #undef  USG
 #define SVR4
+#define PARANOIA
+#undef  EXTRA_PARANOIA
 
 #include <varargs.h>
 #include <bsd.h>
diff -r -u wu-ftpd-2.4-fixed/src/ftpcmd.y wu-ftpd-2.4-fixed-sec/src/ftpcmd.y
--- wu-ftpd-2.4-fixed/src/ftpcmd.y	Sat Jun  3 16:36:21 1995
+++ wu-ftpd-2.4-fixed-sec/src/ftpcmd.y	Fri Jul 26 18:06:45 1996
@@ -95,6 +95,11 @@
 char    **ftpglob();
 off_t   restart_point;
 
+#ifdef PARANOIA
+extern struct sockaddr_in his_addr;
+extern char remotehost[], remoteaddr[];
+#endif /* PARANOIA */
+
 extern  char    *strunames[];
 extern  char    *typenames[];
 extern  char    *modenames[];
@@ -712,6 +717,32 @@
             a[0] = $1; a[1] = $3; a[2] = $5; a[3] = $7;
             p = (char *)&data_dest.sin_port;
             p[0] = $9; p[1] = $11;
+          /* just a little hacking defense: --ccr */
+          /* perhaps we should also limit PORT commands to the connecting
+             site? --ccr */
+#ifdef PARANOIA
+            if(ntohs(data_dest.sin_port)<1025)
+            {
+                 reply(421, "PORT command refused. This looks like hacking. Goodbye.");
+          /* We don't have remoteaddr etc. here. Therefore, we must log
+             without them. It shouldn't happen anyway. */
+                 syslog(LOG_NOTICE, 
+                   "PORT COMMAND REFUSED (low dest port %d) from %s [%s]",
+                   ntohs(data_dest.sin_port), remotehost, remoteaddr);
+                 dologout(0);
+            }
+#ifdef EXTRA_PARANOIA
+	    p = (char *)&his_addr.sin_addr;
+	    if(a[0] != p[0] || a[1] != p[1] || a[2] != p[2] || a[3] != p[3])
+	    {
+		reply(421, "PORT command refused. Please use the address you are connecting from.");
+		syslog(LOG_NOTICE,
+		  "PORT COMMAND REFUSED (bad address %d) from %s [%s]",
+		  inet_ntoa(data_dest.sin_addr), remotehost, remoteaddr);
+		dologout(0);
+	    }
+#endif /* EXTRA_PARANOIA */
+#endif /* PARANOIA */
             data_dest.sin_family = AF_INET;
         }
     ;
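Review bot: The EXTRA_PARANOIA syslog call passes the `char *` returned by `inet_ntoa(data_dest.sin_addr)` to a `%d` conversion, which is undefined behaviour and logs garbage (or crashes) instead of the refused address; the format should read `"PORT COMMAND REFUSED (bad address %s) from %s [%s]"`. The comment above the first syslog call, `/* We don't have remoteaddr etc. here ... */`, is stale: the same hunk logs `remotehost` and `remoteaddr`, which the earlier hunk makes visible through `extern`, so the comment should be dropped or rewritten to say the names come from ftpd.c. The test `< 1025` also refuses port 1024, one more than the "ports <1024" the cover note describes; `< 1024` (or `IPPORT_RESERVED`) matches the stated intent. The enclosing yacc action for PORT begins before this hunk.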
diff -r -u wu-ftpd-2.4-fixed/src/ftpd.c wu-ftpd-2.4-fixed-sec/src/ftpd.c
--- wu-ftpd-2.4-fixed/src/ftpd.c	Sat Jun  3 16:36:22 1995
+++ wu-ftpd-2.4-fixed-sec/src/ftpd.c	Sat Jul 13 15:48:25 1996
@@ -697,6 +697,7 @@
  * does not have a standard shell as returned by getusershell().  Disallow
  * anyone mentioned in the file _PATH_FTPUSERS to allow people such as root
  * and uucp to be avoided. */
+/* Apart from standard shells, allow /etc/ftponly as well. --ccr */
 user(char *name)
 {
     register char *cp;
@@ -721,7 +722,7 @@
 
     if (logged_in) {
         if (anonymous || guest) {
-            reply(530, "Can't change user from guest login.");
+            reply(530, "Can't change user from guest or limited login.");
             return;
         }
         end_login();
@@ -868,7 +869,8 @@
             if (strcmp(cp, shell) == 0)
                 break;
         endusershell();
-        if (cp == NULL || checkuser(name)) {
+        if ((cp == NULL && strcmp("/etc/ftponly", shell) != 0)
+        	|| checkuser(name)) {
             reply(530, "User %s access denied...", name);
             if (logging)
                 syslog(LOG_NOTICE,
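Review bot: The shell path `"/etc/ftponly"` is hard-coded in the condition, while the surrounding code refers to configurable paths through `_PATH_*` macros (`_PATH_FTPUSERS` in the comment above `user()`); a `#define _PATH_FTPONLY "/etc/ftponly"` next to the other pathnames would keep this consistent and let a site change it in one place. The continuation line `|| checkuser(name)` is indented with a tab where the surrounding lines use spaces. Whether `shell` can be empty here (a user with no login shell in the password file) is decided before this hunk, so that case should be confirmed when applying the change; `user()` begins and ends outside the hunk.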


[REW: Some mime-related mailing stuff messed up the message, including
the patch. I tried reversing that, but probably messed up. If this
is the case, Christopher, could you submit this directly to the list?]

-- 
Christopher Creutzig # Im Samtfelde 19 # D-33098 Paderborn # V+49-5251-71873
  # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
   das ihr techniker immer das letzte wort haben müßt, wahrscheinlich seid
               ihr doch einfach nur frauen.. (Autorin bekannt)


