115 lines
4.5 KiB
Plaintext
115 lines
4.5 KiB
Plaintext
|
|
||
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
||
|
|
|
||
|
|
|
||
|
|
CA-88:01
|
||
|
|
CERT Advisory
|
||
|
|
December 1988
|
||
|
|
ftpd vulnerability
|
||
|
|
- -----------------------------------------------------------------------------
|
||
|
|
|
||
|
|
** The sendmail portion of this advisory is superseded by CA-95:05. **
|
||
|
|
|
||
|
|
There have been several problems or attacks which have occurred in the
|
||
|
|
past few weeks. In order to help secure your systems we have gathered
|
||
|
|
the following suggestions:
|
||
|
|
|
||
|
|
1) Check that you are using version 5.59 of sendmail with the
|
||
|
|
debug option DISABLED. To verify the version try the following
|
||
|
|
commands. Use the telnet program to connect to your mail server.
|
||
|
|
Telnet to your hostname or localhost with 25 following the host.
|
||
|
|
The sendmail program will print a banner which will have the
|
||
|
|
version number in it. You need to be running version 5.59.
|
||
|
|
Version 5.61 will be released on Monday 12/12/1988. Any
|
||
|
|
version less than 5.59 is a security problem.
|
||
|
|
|
||
|
|
The following is a sample of the telnet command.
|
||
|
|
|
||
|
|
% telnet localhost 25
|
||
|
|
Trying...
|
||
|
|
Connected to localhost.SEI.CMU.EDU.
|
||
|
|
220 ed.sei.cmu.edu Sendmail 5.59 ready at Wed, 7 Dec 88 15:45:55 EST
|
||
|
|
Quit
|
||
|
|
221 ed.sei.cmu.edu closing connection
|
||
|
|
Connection closed by foreign host.
|
||
|
|
%
|
||
|
|
|
||
|
|
2) Verify with your systems support staff that the ftpd program
|
||
|
|
patches have been installed. Removing anonymous ftp is now
|
||
|
|
known to NOT plug all security holes. If you are not sure,
|
||
|
|
ftp to ucbarpa.berkeley.edu, login as anonymous password ftp
|
||
|
|
and get ftpd.shar. This file contains the sources to the
|
||
|
|
latest BSD release of the ftpd program.
|
||
|
|
|
||
|
|
3) Check your /etc/passwd file for bogus entries. Look for
|
||
|
|
unauthorized accounts with the uid field set to zero (only
|
||
|
|
the root account should have uid=0). Remove any unauthorized
|
||
|
|
entries. The following is an example of what you might find.
|
||
|
|
|
||
|
|
install::0:1::/:
|
||
|
|
|
||
|
|
To check your /etc/passwd files for spurious accounts with uid 0,
|
||
|
|
you can use the following awk program:
|
||
|
|
|
||
|
|
% awk -F: '$3 == 0 {print $0}' /etc/passwd
|
||
|
|
|
||
|
|
If you are running YP on your machine, do:
|
||
|
|
|
||
|
|
% ypcat passwd | awk [...as above]
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
4) Look for modified /bin/login and /usr/ucb/telnet files.
|
||
|
|
Several sites have found these programs with new "backdoors"
|
||
|
|
added. Use the strings program to search /bin/login for the
|
||
|
|
strings OURPW, knaobj, and knaboj. If in doubt, reload the
|
||
|
|
/bin/login and /usr/ucb/telnet executables from your
|
||
|
|
distribution tape.
|
||
|
|
|
||
|
|
% strings /bin/login | egrep '(OURPW|knaboj|knaobj)'
|
||
|
|
|
||
|
|
|
||
|
|
5) Educate your users to create hard to guess passwords. Account
|
||
|
|
codes, first or last names, and common words are not very
|
||
|
|
secure passwords. A few examples of common words are words
|
||
|
|
that refer to your town, location, or company and words that
|
||
|
|
are found in /usr/dict/words. Be especially careful of accounts
|
||
|
|
where the password is the account name (easy to check, easy to
|
||
|
|
guess.
|
||
|
|
|
||
|
|
6) In general, before you allow a user access to the Internet,
|
||
|
|
you must be sure you know who they are. In other words, all
|
||
|
|
users should be forced through a login/password sequence
|
||
|
|
(no unpassworded accounts and preferably someplace which logs
|
||
|
|
connections) before you let them get outside your local network.
|
||
|
|
Be especially careful with TCP/IP terminal servers.
|
||
|
|
|
||
|
|
7) check the last logs for normal logins as accounts which normally
|
||
|
|
run utility programs (sync, who, etc), watch for unreasonable
|
||
|
|
times.. watch for ftp's with funny logins (who, etc).
|
||
|
|
- ---------------------------------------------------------------------------
|
||
|
|
|
||
|
|
Computer Emergency Response Team (CERT)
|
||
|
|
Software Engineering Institute
|
||
|
|
Carnegie Mellon University
|
||
|
|
Pittsburgh, PA 15213-3890
|
||
|
|
|
||
|
|
Internet: cert@cert.org
|
||
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
||
|
|
7:30a.m.-6:00p.m. EST, on call for
|
||
|
|
emergencies other hours.
|
||
|
|
|
||
|
|
Past advisories and other information are available for anonymous ftp
|
||
|
|
from cert.org (192.88.209.5).
|
||
|
|
|
||
|
|
-----BEGIN PGP SIGNATURE-----
|
||
|
|
Version: 2.6.2
|
||
|
|
|
||
|
|
iQCVAwUBMiXuH3VP+x0t4w7BAQGD4AP/a2niPn1hVQ7yFojZZb5hsz7irvwEZEkF
|
||
|
|
8EMjmbCJm+emqluYBTKgT8ebqBCfn99aD8ccNdmOx3GU4G4k8xJDqbdAM76K2G7G
|
||
|
|
uEPbDPYF6AxEdQsGfYqYJ+rjc+5V7yLuo2pkGwtUvI9dKAplkp807EzLGVnRQRjp
|
||
|
|
dpTZeFpP+Wk=
|
||
|
|
=5q5N
|
||
|
|
-----END PGP SIGNATURE-----
|
||
|
|
|