From owner-freebsd-security Sun Jun 8 19:05:23 1997 Return-Path: <owner-security> Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA27613 for security-outgoing; Sun, 8 Jun 1997 19:05:23 -0700 (PDT) Received: from mail.telcentral.com (mail.telcentral.com [207.211.70.7]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id TAA27608 for <security@FreeBSD.ORG>; Sun, 8 Jun 1997 19:05:20 -0700 (PDT) Received: from mail.telcentral.com by mail.telcentral.com (NTMail 3.02.10) with ESMTP id la009579 for <security@FreeBSD.ORG>; Sun, 8 Jun 1997 21:05:11 -0500 Message-Id: <3.0.32.19970608210325.009c66a0@mail.telcentral.net> X-Sender: darkstar@mail.telcentral.net X-Mailer: Windows Eudora Pro Version 3.0 (32) Date: Sun, 08 Jun 1997 21:03:28 -0400 To: dg@root.com, yossman <yossman@yoss.canweb.net> From: Mark Rollings <darkstar@telcentral.net> Subject: Re: ftpd security weakness on FreeBSD (fwd) Cc: security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Above any of the below mentioned deficiencies in the ftpd, CERT recently released an advisory on the ftpd for practically all OS's. The replacement mentioned below is not satisfactory in order to properly prevent attacks covered in the advisory. wu-ftp-2.4.2-beta-13 is the correct ftpd to compile for FreeBSD based machines. The advisory can be found in complete form at CERT. www.cert.org. Mark Rollings Systems Administrator TelCentral Internet www.telcentral.net darkstar@telcentral.net At 03:49 PM 6/8/97 -0700, David Greenman wrote: >>one of my users sent me this. just wondering if anyone has heard about >>this before. he claims freebsd.org is affected. >... >>---------- Forwarded message ---------- >>Date: Sun, 1 Jun 1997 22:14:03 +1000 >>To: yossman@canweb.net >>Subject: ftpd security weakness on FreeBSD >> >>Yoss, >> >>FreeBSD's ftpd has a bug (although I dont know if its a fetaure of FTP protocol >>or not (maybe newer RFC's discuss it)). >>Its possible to semi-hijack the ftpd into doing portscans to arbitrary >>hosts/ports. A good replacement would be wu-ftp 2.4.2 beta 11 or later. > > There are options for disallowing PORT commands to remote ports less than >1024 (priviledged ports) or addresses other than the originator's. Enabling >these options will violate the FTP RFC and might break support for ftp >proxies. The options were added to FreeBSD on Aug. 5, '96. > >-DG > >David Greenman >Core-team/Principal Architect, The FreeBSD Project >