Vulnerability Development mailing list archives
Re: FreeBSD listen()
From: fygrave () SCORPIONS NET (CyberPsychotic)
Date: Sun, 31 Oct 1999 02:53:50 +0500
~:> mode), which should take care of accepting only single connection and only
~:> from proper source (which is surprisingly being ignored by some daemons,
~:> such as ncftpd f.e.).
~:Some programs, such as fxp rely on this kind of behaviour, while I agree
~:that there should be checking, we don't want to break good programs ...
~:

heh..:-) the major problem, which we have here, is that when ftp daemon doesn't verify source IP address of the party, which establishes data connection, and the port number, which gets bound by bind() with portnum = 0, is predictable, we get a security problem.

OpenBSD has fixed their bind() quite long ago (2.4 at least was already fixed, current is 2.6), FreeBSD was said to have just plain increment per call. So has Linux. Solaris uses timer to generate port number (which is `sorta' random, but could be predicted as well).

Now when I tried to convince people who deal with linux-kernel development to deploy the similar thing in kernel, (sample patch for 2.2.13 is at http://www.kalug.lug.net/coding/kernel, might be buggy though, but works for me just fine), I just got points that ftp daemon should do appropriate things instead. :)) Quite humorous but looks like ftp developers would claim that not their code, but kernel should take care of the solution to the problem.. oh well, that is life :)

-Fyodor
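The daemon-side check discussed in this message, as an added example that is not part of the original post or of any daemon named in it: a passive-mode listener that binds with port 0 and keeps a data connection only when its source IP matches the control connection's peer. Function names are hypothetical and the code is IPv4 only; a strict check like this also refuses the third-party transfers that fxp-style clients rely on.

```c
/* Added example; function names are hypothetical, IPv4 only. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The check itself: the data connection must come from the control peer's IP. */
int data_peer_ok(const struct sockaddr_in *ctrl, const struct sockaddr_in *data) {
    return data->sin_family == AF_INET && ctrl->sin_family == AF_INET &&
           data->sin_addr.s_addr == ctrl->sin_addr.s_addr;
}

/* Open the passive-mode listener: bind() with port 0 lets the kernel choose
 * the port, which *bound then reports. Returns the listening fd or -1. */
int pasv_listen(const char *ip, struct sockaddr_in *bound) {
    socklen_t len = sizeof *bound;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(bound, 0, sizeof *bound);
    bound->sin_family = AF_INET;
    bound->sin_port = 0;                      /* kernel picks the port */
    if (inet_pton(AF_INET, ip, &bound->sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)bound, sizeof *bound) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Accept one pending connection on lfd. Returns the data fd when the source
 * matches the control peer, -2 when a connection from another source was
 * dropped (listener stays open, so the real client can still connect), and
 * -1 on accept() failure. On success the listener is closed, so the port
 * serves exactly one data connection. */
int pasv_accept_once(int lfd, const struct sockaddr_in *ctrl) {
    struct sockaddr_in src;
    socklen_t len = sizeof src;
    int dfd = accept(lfd, (struct sockaddr *)&src, &len);
    if (dfd < 0) return -1;
    if (!data_peer_ok(ctrl, &src)) {
        close(dfd);
        return -2;
    }
    close(lfd);
    return dfd;
}
```

A daemon would call pasv_accept_once() in a loop with a timeout, so that connections dropped with -2 cannot hold the port open indefinitely.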