[977] in linux-security and linux-alert archive
[linux-security] FTPd vulnerability and fix.
daemon@ATHENA.MIT.EDU (Christopher Creutzig)
Sun Jul 28 08:34:15 1996
Date: 27 Jul 1996 10:36:00 +0200
From: christopher@nescio.zerberus.de (Christopher Creutzig)
To: linux-security@tarsier.cv.nrao.edu
On Thu, 25 Jul 1996, Rogier Wolff wrote:
:> Good work. Do you have a little more time on your hands? May I ask
:> you to look into one more "problem" that exists. You've almost
:> seen the problem yourself already.
I've already thought about the problem you address, but the problem
is that I'm not very good at TCP/IP programming, so I don't know how
to look up whether a different IP address is a "good" one, i.e. one
for the same host. Anyway, I made up a quick patch to allow the thing
you addressed, so here is a message you might send to the list:
--
Dear Netizens,
I sent a patch to the list concerning ftp attacks we have been
watching. People used our ftp server to send data to nameserver ports
on other machines and to probe other hosts for daemons connected to
ports <1024. While I was at it, I also taught it to accept
/etc/ftponly as a non-/etc/shells-but-valid-login shell as proposed on
this list already. Rogier Wolff asked whether I could also implement
something to stop people from sending data to arbitrary hosts, so that
wu-ftpd could be used on a firewall. The solution I implemented is not
very neat, but anyway, these are the patches, starting from
sunsite.unc.edu:/.../system/Network/file-transfer/wu-ftpd-2.4-fixed-tar.gz:
--8<--
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx wu-ftpd-2.4-fixed-sec/src/config/config.lnx
--- wu-ftpd-2.4-fixed/src/config/config.lnx Sat Jun 3 17:30:59 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx Fri Jul 26 18:04:51 1996
@@ -13,10 +13,12 @@
#define OVERWRITE
#undef REGEX
#define SETPROCTITLE
#define UPLOAD
#undef USG
#define SVR4
+#define PARANOIA
+#undef EXTRA_PARANOIA
#include <varargs.h>
#include <bsd.h>
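Review bot: the two new macros are added without any comment saying what they control; since `#define PARANOIA` is on by default and `#undef EXTRA_PARANOIA` is off, a reader of config.lnx cannot tell that PARANOIA refuses PORT to destination ports below 1025 and that EXTRA_PARANOIA additionally refuses PORT to any address other than the connecting host's (both from the ftpcmd.y hunk further down). A one-line comment above each `#define` would fix that; the same pair is repeated verbatim in config.lnx.no-shadow and config.lnx.shadow, so keep the wording identical in all three.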
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx.no-shadow wu-ftpd-2.4-fixed-sec/src/config/config.lnx.no-shadow
--- wu-ftpd-2.4-fixed/src/config/config.lnx.no-shadow Sat Jun 3 19:56:42 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx.no-shadow Fri Jul 26 18:04:51 1996
@@ -17,6 +17,8 @@
#define UPLOAD
#undef USG
#define SVR4
+#define PARANOIA
+#undef EXTRA_PARANOIA
#include <varargs.h>
#include <bsd.h>
diff -r -u wu-ftpd-2.4-fixed/src/config/config.lnx.shadow wu-ftpd-2.4-fixed-sec/src/config/config.lnx.shadow
--- wu-ftpd-2.4-fixed/src/config/config.lnx.shadow Sat Jun 3 19:56:51 1995
+++ wu-ftpd-2.4-fixed-sec/src/config/config.lnx.shadow Fri Jul 26 18:04:52 1996
@@ -17,6 +17,8 @@
#define UPLOAD
#undef USG
#define SVR4
+#define PARANOIA
+#undef EXTRA_PARANOIA
#include <varargs.h>
#include <bsd.h>
diff -r -u wu-ftpd-2.4-fixed/src/ftpcmd.y wu-ftpd-2.4-fixed-sec/src/ftpcmd.y
--- wu-ftpd-2.4-fixed/src/ftpcmd.y Sat Jun 3 16:36:21 1995
+++ wu-ftpd-2.4-fixed-sec/src/ftpcmd.y Fri Jul 26 18:06:45 1996
@@ -95,6 +95,11 @@
char **ftpglob();
off_t restart_point;
+#ifdef PARANOIA
+extern struct sockaddr_in his_addr;
+extern char remotehost[], remoteaddr[];
+#endif /* PARANOIA */
+
extern char *strunames[];
extern char *typenames[];
extern char *modenames[];
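Review bot: `extern struct sockaddr_in his_addr;` and `extern char remotehost[], remoteaddr[];` repeat definitions that live in ftpd.c with nothing tying the two together, so if the type or array size ever changes in ftpd.c the compiler will not notice here. Declaring them once in a header both ftpd.c and ftpcmd.y include would be safer than a second `#ifdef PARANOIA` block of externs.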
@@ -712,6 +717,32 @@
a[0] = $1; a[1] = $3; a[2] = $5; a[3] = $7;
p = (char *)&data_dest.sin_port;
p[0] = $9; p[1] = $11;
+ /* just a little hacking defense: --ccr */
+ /* perhaps we should also limit PORT commands to the connecting
+ site? --ccr */
+#ifdef PARANOIA
+ if(ntohs(data_dest.sin_port)<1025)
+ {
+ reply(421, "PORT command refused. This looks like hacking. Goodbye.");
+ /* We don't have remoteaddr etc. here. Therefore, we must log
+ without them. It shouldn't happen anyway. */
+ syslog(LOG_NOTICE,
+ "PORT COMMAND REFUSED (low dest port %d) from %s [%s]",
+ ntohs(data_dest.sin_port), remotehost, remoteaddr);
+ dologout(0);
+ }
+#ifdef EXTRA_PARANOIA
+ p = (char *)&his_addr.sin_addr;
+ if(a[0] != p[0] || a[1] != p[1] || a[2] != p[2] || a[3] != p[3])
+ {
+ reply(421, "PORT command refused. Please use the address you are connecting from.");
+ syslog(LOG_NOTICE,
+ "PORT COMMAND REFUSED (bad address %d) from %s [%s]",
+ inet_ntoa(data_dest.sin_addr), remotehost, remoteaddr);
+ dologout(0);
+ }
+#endif /* EXTRA_PARANOIA */
+#endif /* PARANOIA */
data_dest.sin_family = AF_INET;
}
;
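Review bot: the EXTRA_PARANOIA syslog call uses `%d` for a `char *`: `"PORT COMMAND REFUSED (bad address %d) from %s [%s]"` is handed `inet_ntoa(data_dest.sin_addr)`, which returns a string, so the log line prints a pointer value instead of the address; change it to `%s`. Two smaller points in the same hunk: the comment `We don't have remoteaddr etc. here. Therefore, we must log without them.` is stale, because the previous hunk adds exactly those externs and the syslog call directly below the comment does log `remotehost` and `remoteaddr`; and `if(ntohs(data_dest.sin_port)<1025)` refuses port 1024 as well, while the cover note describes the attack as aimed at ports `<1024`, so the threshold and its description should agree (comparing against `IPPORT_RESERVED` would also make the intent explicit).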
diff -r -u wu-ftpd-2.4-fixed/src/ftpd.c wu-ftpd-2.4-fixed-sec/src/ftpd.c
--- wu-ftpd-2.4-fixed/src/ftpd.c Sat Jun 3 16:36:22 1995
+++ wu-ftpd-2.4-fixed-sec/src/ftpd.c Sat Jul 13 15:48:25 1996
@@ -697,6 +697,7 @@
* does not have a standard shell as returned by getusershell(). Disallow
* anyone mentioned in the file _PATH_FTPUSERS to allow people such as root
* and uucp to be avoided. */
+/* Apart from standard shells, allow /etc/ftponly as well. --ccr */
user(char *name)
{
register char *cp;
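Review bot: the added comment `Apart from standard shells, allow /etc/ftponly as well. --ccr` does not say what /etc/ftponly is, which matters because the getusershell() test described in the comment above it exists precisely to keep accounts without a real shell off ftp. State that /etc/ftponly is a placeholder shell for ftp-only accounts that is deliberately not listed in /etc/shells, so the reader knows why it is exempted from that test.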
@@ -721,7 +722,7 @@
if (logged_in) {
if (anonymous || guest) {
- reply(530, "Can't change user from guest login.");
+ reply(530, "Can't change user from guest or limited login.");
return;
}
end_login();
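Review bot: the reply now says `Can't change user from guest or limited login.` but the condition `if (anonymous || guest)` is unchanged, and nothing in this patch sets `guest` for users whose shell is /etc/ftponly; unless that happens elsewhere, an ftponly user can still switch accounts with a second USER command and the new wording promises a restriction the code does not enforce. Either mark ftponly logins as guest (or add a flag) in the user() change below, or keep the old message.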
@@ -868,7 +869,8 @@
if (strcmp(cp, shell) == 0)
break;
endusershell();
- if (cp == NULL || checkuser(name)) {
+ if ((cp == NULL && strcmp("/etc/ftponly", shell) != 0)
+ || checkuser(name)) {
reply(530, "User %s access denied...", name);
if (logging)
syslog(LOG_NOTICE,
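Review bot: `strcmp("/etc/ftponly", shell)` hard-codes the path in the middle of user(), whereas the ftpusers file is referred to through `_PATH_FTPUSERS` (see the comment at the top of user() in the earlier ftpd.c hunk); a `_PATH_FTPONLY` define next to it would keep the convention and make the path configurable. Also note that this branch is not under `#ifdef PARANOIA`, so unlike the PORT checks it cannot be switched off from config.lnx, and the comparison is exact, so the passwd shell field has to read precisely `/etc/ftponly` and no other spelling.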
[REW: Some mime-related mailing stuff messed up the message, including
the patch. I tried reversing that, but probably messed up. If this
is the case, Christopher, could you submit this directly to the list?]
--
Christopher Creutzig # Im Samtfelde 19 # D-33098 Paderborn # V+49-5251-71873
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
that you technicians always have to have the last word, probably you
really are just women after all.. (author known)
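The two PORT checks the patch adds to ftpcmd.y (refuse privileged destination ports; under EXTRA_PARANOIA, refuse destinations other than the connecting host) pulled out of the yacc action into a stand-alone validator that can be compiled and tested on its own. This is an added example, not Christopher's patch or any wu-ftpd code: the enum, the function names, `peer_addr` standing in for the patch's `his_addr`, and the sample PORT arguments in main() are all mine; the two 421 texts are quoted from the patch, the other reply strings are placeholders.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Outcome of validating a PORT argument (names are assumptions, not wu-ftpd's). */
enum port_verdict {
    PORT_OK = 0,
    PORT_SYNTAX,        /* argument is not h1,h2,h3,h4,p1,p2 with each field 0..255 */
    PORT_PRIVILEGED,    /* destination port below 1025 (the PARANOIA check) */
    PORT_ADDR_MISMATCH  /* destination differs from the connecting host (EXTRA_PARANOIA) */
};

/* Parse "h1,h2,h3,h4,p1,p2" into a dotted-quad string and a host-order port.
 * Returns 0 on success, -1 if the argument is malformed. */
static int parse_port_arg(const char *arg, char addr[INET_ADDRSTRLEN], uint16_t *port)
{
    unsigned int v[6];
    char tail;
    int n = sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail);
    (void)tail;
    if (n != 6)              /* too few fields, or trailing junk matched by %c */
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    snprintf(addr, INET_ADDRSTRLEN, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Apply the patch's two checks. peer_addr is the control connection's peer
 * (his_addr in the patch) as a dotted quad; extra_paranoia mirrors EXTRA_PARANOIA. */
enum port_verdict check_port_cmd(const char *arg, const char *peer_addr, int extra_paranoia)
{
    char addr[INET_ADDRSTRLEN];
    uint16_t port;
    struct in_addr dest, peer;

    if (parse_port_arg(arg, addr, &port) != 0 || inet_pton(AF_INET, addr, &dest) != 1)
        return PORT_SYNTAX;
    if (port < 1025)         /* same boundary as the patch's ntohs(...) < 1025 */
        return PORT_PRIVILEGED;
    if (extra_paranoia &&
        (inet_pton(AF_INET, peer_addr, &peer) != 1 || dest.s_addr != peer.s_addr))
        return PORT_ADDR_MISMATCH;
    return PORT_OK;
}

/* Reply a server applying these rules would send. The two 421 texts are the
 * patch's own; 200 and 501 are placeholders chosen here. */
const char *port_reply(enum port_verdict v)
{
    switch (v) {
    case PORT_OK:            return "200 PORT command successful.";
    case PORT_SYNTAX:        return "501 Syntax error in PORT argument.";
    case PORT_PRIVILEGED:    return "421 PORT command refused. This looks like hacking. Goodbye.";
    case PORT_ADDR_MISMATCH: return "421 PORT command refused. Please use the address you are connecting from.";
    }
    return "421 Service not available.";
}

int main(void)
{
    /* Constructed sample PORT arguments; 192.0.2.10 plays the connecting client. */
    const char *peer = "192.0.2.10";
    const char *samples[] = {
        "192,0,2,10,4,1",      /* own address, port 1025: accepted */
        "192,0,2,10,0,53",     /* own address, port 53: privileged, refused */
        "198,51,100,7,4,1",    /* third-party host, port 1025: refused only with EXTRA_PARANOIA */
        "192,0,2,10,4",        /* malformed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("PORT %-20s -> %s\n", samples[i], port_reply(check_port_cmd(samples[i], peer, 1)));
    return 0;
}
```

Parsing is kept separate from policy so that a malformed argument is rejected before the address and port are even looked at, and so that the same `check_port_cmd()` can be run with `extra_paranoia` set to 0 or 1 to see which destinations each configuration lets through.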