From owner-cvs-all Tue Jan 21 10:43:19 2003 Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2ABA737B401; Tue, 21 Jan 2003 10:43:18 -0800 (PST) Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F50B43ED8; Tue, 21 Jan 2003 10:43:17 -0800 (PST) (envelope-from crist.clark@attbi.com) Received: from blossom.cjclark.org (12-234-89-252.client.attbi.com[12.234.89.252]) by sccrmhc01.attbi.com (sccrmhc01) with ESMTP id <2003012118431600100hpgu3e>; Tue, 21 Jan 2003 18:43:16 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.6/8.12.3) with ESMTP id h0LIhFeq007189; Tue, 21 Jan 2003 10:43:15 -0800 (PST) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.6/8.12.6/Submit) id h0LIhExq007188; Tue, 21 Jan 2003 10:43:14 -0800 (PST) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Tue, 21 Jan 2003 10:43:14 -0800 From: "Crist J. Clark" To: Maxim Sobolev Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/libexec/ftpd ftpd.c Message-ID: <20030121184314.GB6871@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <200301210513.h0L5D2DB061636@repoman.freebsd.org> <3E2D7FE0.A89831BC@portaone.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3E2D7FE0.A89831BC@portaone.com> User-Agent: Mutt/1.4i X-URL: http://people.freebsd.org/~cjc/ Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, Jan 21, 2003 at 07:14:08PM +0200, Maxim Sobolev wrote: > "Crist J. Clark" wrote: > > > > cjc 2003/01/20 21:13:02 PST > > > > Modified files: > > libexec/ftpd ftpd.c > > Log: > > The FTP daemon was vulnerable to a DoS where an attacker could bind() > > up port 20 for an extended period of time and thus lock out all other > > users from establishing PORT data connections. Don't hold on to the > > bind() while we loop around waiting to see if we can make our > > connection. > > > > Being a DoS, it has security implications, giving it a short MFC > > time. > > Huh? What DoS and security implications you are talking about? Without > having root, an user will be unable to bind on port 20 anyway, and > this is default behaviour of FreeBSD. Therefore, I don't tnink that a > short MFC timeframe and subsequent merging into security branches are > really justified. ftpd(8) runs with root privileges for just this reason, to be able to bind to 20/tcp. As for what DoS I am talking about, see, http://docs.freebsd.org/cgi/getmsg.cgi?fetch=22424+0+current/freebsd-security And follow the steps. I can give more detailed instructions or an automated script to do the attack if required. Note that this is a cross platform issue. I originally ran into this problem (accidentally) on Solaris. Check your favorite ftpd today. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message