92 lines
3.6 KiB
Plaintext
92 lines
3.6 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-91:18 CERT Advisory
|
|
September 27, 1991
|
|
Active Internet tftp Attacks
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
The Computer Emergency Response Team/Coordination Center (CERT/CC) would
|
|
like to alert you to automated tftp probes that have been occurring over
|
|
the last few days. These probes have attacked Internet sites throughout
|
|
the world and in most cases the file retrieved was /etc/passwd. However,
|
|
other files such as /etc/rc may have been retrieved.
|
|
|
|
The CERT/CC is working with the site(s) that were used by intruders
|
|
to launch the attacks. We are actively contacting those sites where we
|
|
believe the retrievals were successful. We are urging all sites to
|
|
carefully check their system configurations concerning tftp usage.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
Unrestricted tftp access allows remote sites to retrieve
|
|
a copy of any world-readable file.
|
|
|
|
II. Impact
|
|
|
|
Anyone on the Internet can use tftp to retrieve copies of a
|
|
site's sensitive files. For example, the recent incident
|
|
involved retrieving /etc/passwd. The intruder can later
|
|
crack the password file and use the information to login
|
|
to the accounts. This method may provide access to the
|
|
root account.
|
|
|
|
III. Solution
|
|
|
|
A. Sites that do not need tftp should disable it immediately by
|
|
editing the system configuration file to comment out, or remove,
|
|
the line for tftpd. This file may be /etc/inetd.conf, /etc/servers,
|
|
or another file depending on your operating system. To cause
|
|
the change to be effective, it will be necessary to restart
|
|
inetd or force inetd to read the updated configuration file.
|
|
|
|
B. Sites that must use tftp (for example, for booting diskless
|
|
clients) should configure it such that the home directory is changed.
|
|
Example lines from /etc/inetd.conf might look like:
|
|
|
|
ULTRIX 4.0
|
|
tftp dgram udp nowait /etc/tftpd tftpd -r /tftpboot
|
|
|
|
SunOS 4.1
|
|
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
|
|
|
|
As in item A. above, inetd must be restarted or forced to read
|
|
the updated configuration file to make the change effective.
|
|
|
|
C. If your system has had tftp configured as unrestricted, the CERT/CC
|
|
urges you to consider taking one of the steps outlined above and
|
|
change all the passwords on your system.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact CERT/CC via
|
|
telephone or e-mail.
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline:
|
|
CERT/CC personnel answer 7:30a.m.-6:00p.m. EST/EDT,
|
|
on call for emergencies during other hours.
|
|
|
|
Past advisories and other computer security related information are available
|
|
for anonymous ftp from the cert.org (192.88.209.5) system.
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwy3VP+x0t4w7BAQGgJAP9G53x4VXWRO0zObq+SLZo1ffczaXylzs7
|
|
d+1QnDBUZL/f/d+zW2oxz9BwgVJBxqiLRR4YLRu0BjuwzPz6RoBzoBIVOdRHBBZ0
|
|
KEwiCa+NB7hl5KLy7Ye3iSmn9Dq4p68n1mlmkZ5BjxKNy4R/7/X8P4jhoEeOjgrT
|
|
K5gg+S28FPo=
|
|
=0EAB
|
|
-----END PGP SIGNATURE-----
|
|
|