Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 08 Jun 1997 21:03:28 -0400
From:      Mark Rollings <darkstar@telcentral.net>
To:        dg@root.com, yossman <yossman@yoss.canweb.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: ftpd security weakness on FreeBSD (fwd) 
Message-ID:  <3.0.32.19970608210325.009c66a0@mail.telcentral.net>

next in thread | raw e-mail | index | archive | help
Above any of the below mentioned deficiencies in the ftpd, CERT recently
released an advisory on the ftpd for practically all OS's.  The replacement
mentioned below is not satisfactory in order to properly prevent attacks
covered in the advisory.  wu-ftp-2.4.2-beta-13 is the correct ftpd to
compile for FreeBSD based machines.  The advisory can be found in complete
form at CERT.   www.cert.org.


Mark Rollings
Systems Administrator
TelCentral Internet
www.telcentral.net
darkstar@telcentral.net

At 03:49 PM 6/8/97 -0700, David Greenman wrote:
>>one of my users sent me this.  just wondering if anyone has heard about
>>this before.  he claims freebsd.org is affected.
>...
>>---------- Forwarded message ----------
>>Date: Sun, 1 Jun 1997 22:14:03 +1000
>>To: yossman@canweb.net
>>Subject: ftpd security weakness on FreeBSD
>>
>>Yoss,
>>
>>FreeBSD's ftpd has a bug (although I dont know if its a fetaure of FTP
protocol
>>or not (maybe newer RFC's discuss it)).
>>Its possible to semi-hijack the ftpd into doing portscans to arbitrary
>>hosts/ports. A good replacement would be wu-ftp 2.4.2 beta 11 or later.
>
>   There are options for disallowing PORT commands to remote ports less than
>1024 (priviledged ports) or addresses other than the originator's. Enabling
>these options will violate the FTP RFC and might break support for ftp
>proxies. The options were added to FreeBSD on Aug. 5, '96.
>
>-DG
>
>David Greenman
>Core-team/Principal Architect, The FreeBSD Project
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.32.19970608210325.009c66a0>