The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Info Request: Vulnerability of TFTP

To: marc@redhat.com, adam@yggdrasil.com, ron@caldera.com, security@debian.org, volkerdi@wcarchive.cdrom.com
Subject: Info Request: Vulnerability of TFTP
From: "Alexander O. Yuriev" <alex@yuriev.com>
Date: Sun, 23 Mar 97 14:02:48 -0500
Cc: cert@cert.org, auscert@auscert.org.au
Delivered-to: bruce-lists--debian-private@lists.debian.org
Delivered-to: security@debian.org
Resent-cc: recipient list not shown: ;
Resent-date: 23 Mar 1997 19:04:16 -0000
Resent-from: debian-private@lists.debian.org
Resent-message-id: <"0Dokz1.0.b64.mwNDp"@debian>
Resent-sender: debian-private-request@lists.debian.org

This is the information request for the official patches for the tftp of the
NetKit 0.9. This information will be used in the upcoming LSF update. Please
provide the MD5 fingerprints for the fixed packages and sign the message
with PGP.

	Best wishes,
	Alex

Return-Path: linux-security-request@redhat.com
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247])
	by ding.mailhub.com (8.8.5/8.8.5) with SMTP id MAA13416
	for <alex@yuriev.com>; Sun, 23 Mar 1997 12:08:10 -0500 (EST)
Received: (qmail 8466 invoked by uid 501); 23 Mar 1997 17:07:57 -0000
Received: (qmail 8453 invoked from network); 23 Mar 1997 17:07:54 -0000
Received: from phobos.illtel.denver.co.us (abelits@207.33.75.1)
  by mail2.redhat.com with SMTP; 23 Mar 1997 17:07:52 -0000
Received: from localhost (abelits@localhost) by phobos.illtel.denver.co.us (8.8.5/8.6.9) with SMTP id JAA11028 for <linux-security@redhat.com>; Sun, 23 Mar 1997 09:11:35 -0800
Date: Sun, 23 Mar 1997 09:11:34 -0800 (PST)
From: Alex Belits <abelits@phobos.illtel.denver.co.us>
Reply-To: Alex Belits <abelits@phobos.illtel.denver.co.us>
To: linux-security@redhat.com
Cc: linux-alert@redhat.com
Subject: Re: [linux-security] tftpd bug (was: "Secure" tftpd source for Linux?)
In-Reply-To: <199703230052.RAA17444@rintintin.Colorado.EDU>
Message-ID: <Pine.LNX.3.95.970323062449.9204A-100000@phobos.illtel.denver.co.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

[Mod: David Holland's message added to the back, linux-alert added to the
list of addresses -- alex]

On Sat, 22 Mar 1997, Ben Cantrick wrote:

>   It's a cute little hack, and it seems to work. But I am convinced that
> someone must have seen the need and done this before. My extended forays
> into the web via several search engines have failed to turn up anything
> relevant. So I'm curious if anyone on the list knows of (or better, has)
> freely distributable source for a "secure" tftpd.

  tftpd in FreeBSD distribution uses chroot() and sets its uid to nobody.
I don't think, it does anything reasonable with groups.

But... I've looked at both Linux (NetKit 0.09) and FreeBSD (2.2-ALPHA)
tftpd and found rather strange code in Linux tftpd's validate_access()
function:

---8<---
        syslog(LOG_ERR, "tftpd: trying to get file: %s\n", filename);

        if (*filename != '/') {
                syslog(LOG_ERR, "tftpd: serving file from %s\n", dirs[0]);
                chdir(dirs[0]);
        } else {
                for (dirp = dirs; *dirp; dirp++)
                        if (strncmp(filename, *dirp, strlen(*dirp)) == 0)
                                break;
                if (*dirp==0 && dirp!=dirs)
                        return (EACCESS);
        }
        /*
         * prevent tricksters from getting around the directory restrictions
         */
        for (cp = filename + 1; *cp; cp++)
                if(*cp == '.' && strncmp(cp-1, "/../", 4) == 0)
                        return(EACCESS);

--->8---

...it checks _only_ for "/../" and start _always_ from the second
character in the filename (in other words, if filename is empty, it will
"analyze" the memory after it where other piece of code places mode, so at
least it won't do anything destructive). But it also assumes all not
starting from '/' filenames to be relative to some directory, and never
checks them for "../" that FreeBSD one does. So (see code above for
locations of calls to syslog()):

---8<---
Mar 23 06:55:08 phobos in.tftpd[9799]: connect from phobos.illtel.denver.co.us
Mar 23 06:55:08 phobos tftpd[9800]: tftpd: trying to get file: ../etc/passwd 
Mar 23 06:55:08 phobos tftpd[9800]: tftpd: serving file from /tftpboot 
--->8---

...and obviously it was /tftpboot/../etc/passwd aka /etc/passwd

  Not that it does any damage by itself, but it definitely wasn't supposed
to do that. FreeBSD tftpd disallows such things.

   According to copyright notices, both tftpd are derived from some old
(1983) Berkeley code, and Linux one has some general clumsiness all over
its code (and default /tftpboot directory didn't exist until 0.09, 0.08
seems to require the list of directories, or it will just SIGSEGV
on NULL pointer).

FreeBSD tftpd compiles with command line:

gcc -O -DLOG_FTP=LOG_DAEMON -o tftpd  tftpd.c tftpsubs.c 

and works fine if -ls /tftpboot is added as options to its command line.
Otherwise it only checks file permissions without even trying to become
"nobody" and thus opens hole for non-executable directories (even if
directory is non-executable for anyone but root, files in it will be
accessible). Also it's necessary to hardlink /dev/log under chroot
directory to keep logging functional.

--
Alex

P.S. how such umm... not obviously secure code got into tftpd in the first
place after that many revisions that definitely were done to increase
security? After all, changes between NetKit revisions _do_ make sense.

Return-Path: dholland@hcs.harvard.edu

 > [tftpd source mapped to /dev/null]
 >
 > Finally, it prevents ".." and "." in filename to be used to go up:

He's right; it doesn't block leading ".." in the case where the
filename doesn't begin with "/". 

Someone already caught this and the fix is going to be in the next
release; in the meantime here's a patch.

 > > P.S. how such umm... not obviously secure code got into tftpd in the first
 > > place after that many revisions that definitely were done to increase
 > > security? After all, changes between NetKit revisions _do_ make sense.

It needs an intensive rewrite. Don't hold your breath... :(

*** tftpd.c	1996/12/29 18:42:40	1.8
--- tftpd.c	1997/03/08 11:31:00
***************
*** 40,44 ****
   */
  char rcsid[] = 
!   "$Id: tftpd.c,v 1.8 1996/12/29 18:42:40 dholland Exp $";

  /*
--- 40,44 ----
   */
  char rcsid[] = 
!   "$Id: tftpd.c,v 1.9 1997/03/08 11:30:30 dholland Exp $";

  /*
***************
*** 298,301 ****
--- 298,303 ----
  	 * prevent tricksters from getting around the directory restrictions
  	 */
+ 	if (!strncmp(filename, "../", 3)) 
+ 		return EACCESS;
  	for (cp = filename + 1; *cp; cp++)
  		if(*cp == '.' && strncmp(cp-1, "/../", 4) == 0)

-- 
   - David A. Holland          | Number of words in the English language that
     dholland@eecs.harvard.edu | exist because of typos or misreadings: 381

Follow-Ups:
- Re: Info Request: Vulnerability of TFTP
  - From: Peter Tobias <tobias@et-inf.fho-emden.de>

Prev by Date: Re: new maintainers
Next by Date: institutionalizing neither democracy nor dictatorship
Previous by thread: Re: Call for vote: Impeachment of the president
Next by thread: Re: Info Request: Vulnerability of TFTP
Index(es):
- Date
- Thread