Vulnerability Development mailing list archives

Re: FreeBSD listen()


From: vlad () SANDY RU (Vladimir Dubrovin)
Date: Fri, 5 Nov 1999 15:25:00 +0300


Hello CyberPsychotic,

31.10.99 0:53, you wrote: FreeBSD listen();

~:>> mode), which should take care of accepting only single connection and only
~:>> from proper source (which is surprisingly being ignored by some daemons,
~:>> such as ncftpd f.e.).
C> ~ :Some programs, such as fxp rely on this kind of behaviour, while i agree
C> ~ :that there should be checking, we dont want to break good programs ...
C> ~ :

C> heh.. :-) the major problem, which we have here, is that when ftp daemon
C> doesn't verify source IP address of the party, which establishes data
C> connection, and the port number, which gets bound by bind() with portnum
C> = 0, is predictable, we get a security problem.

According to RFC 959 (FILE TRANSFER PROTOCOL - STATUS:STANDARD) IP
address shouldn't be checked:

-=-=-=-=-=-=-=-
      In another situation a user might wish to transfer files between
      two Hosts, neither of which is his local Host. He sets up TELNET
      connections to the two servers and then arranges for a data
      connection between them.  In this manner control information is
      passed to the user-PI but data is transferred between the server
      data transfer processes.
-=-=-=-=-=-=-=-

So, if your server does check the IP and doesn't allow connection from
another IP, your server doesn't comply with RFC 959.

RFC 2228, which specifies the security mechanism in FTP, doesn't obsolete
this.

C>  OpenBSD has fixed their bind() quite long ago (2.4 at least was already
C> fixed, current is 2.6), FreeBSD was said to have just plain increment per
C> call. So has Linux. Solaris uses timer to generate port number (which is
C> `sorta' random, but could be predicted as well). Now when I tried to
C> convince people who deal with linux-kernel development to deploy the
C> similar thing in kernel, (sample patch for 2.2.13 is at
C> http://www.kalug.lug.net/coding/kernel, might be buggy though, but works
C> for me just fine), I just got points that ftp daemon should do appropriate
C> things instead. :)) Quite humorous but looks like ftp developers would
C> claim that not their code, but kernel should take care of the solution to
C> the problem.. oh well, that is life :)

C> -Fyodor

  +=-=-=-=-=-=-=-=-=+
  |Vladimir Dubrovin|
  | Sandy Info, ISP |
  +=-=-=-=-=-=-=-=-=+
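The two things argued over above, the kernel's choice of ephemeral port for a bind() to port 0 and the daemon-side check that the data connection comes from the same host as the control connection, as an added example. This is not code from the thread or from any ftpd; the function names are hypothetical, the loopback addresses are constructed, and 127.0.0.2 stands in for a control peer that differs from the data peer.

```python
import socket
import threading

def sample_ephemeral_ports(n=5):
    """Bind n TCP sockets to port 0 and return the ports the kernel chose.
    A plain per-call increment shows up as consecutive numbers; a
    randomising kernel shows no pattern. Only a quick local check."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(n)]
    try:
        for s in socks:
            s.bind(("127.0.0.1", 0))
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()

def accept_data_connection(listener, control_peer_ip, allow_third_party=False):
    """Accept exactly one data connection on a PASV listener, then close the
    listener. Unless third-party (RFC 959 proxy) transfers are enabled, the
    data peer must be the host that holds the control connection."""
    try:
        conn, (peer_ip, _) = listener.accept()
    finally:
        listener.close()  # single-use: never take a second data connection
    if peer_ip != control_peer_ip and not allow_third_party:
        conn.close()
        return None, peer_ip
    return conn, peer_ip

def run_demo(control_peer_ip, allow_third_party=False):
    """Open a PASV listener on an ephemeral loopback port, connect to it
    from 127.0.0.1 in a thread, and report whether the peer was accepted."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: kernel picks the port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def client():  # constructed data-connection client (hypothetical)
        socket.create_connection(("127.0.0.1", port)).close()

    t = threading.Thread(target=client)
    t.start()
    conn, peer_ip = accept_data_connection(listener, control_peer_ip, allow_third_party)
    t.join()
    if conn is not None:
        conn.close()
    return conn is not None, peer_ip
```

run_demo("127.0.0.2") is rejected because the data peer (127.0.0.1) is not the control peer, while the same call with allow_third_party=True is accepted, which is the RFC 959 behaviour the reply points to.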

