=============================================================================
SA-93.05 SERT Advisory
25-Jun-93
Protecting Yourself From tftp Attacks
-----------------------------------------------------------------------------
Recently a tftp attack was launched from an overseas site against several
AARNet (and overseas) machines. The person responsible has been caught and
dealt with. This person admitted using tftp to steal /etc/passwd files from
UNIX machines, and then running a password cracking program against these
files. Some of the passwords were successfully guessed. See SERT Advisory
SA-93.04 (available from ftp.sert.edu.au:/security/sert/sert-advisory) on
how to choose better passwords.
tftp is an unauthenticated file transfer service. It is used for booting
diskless workstations and downloading server code or fonts to X terminals.
The manual page for this service states that "due to the lack of authentication
information, tftpd will allow only publicly readable files to be accessed.
Files may be written only if they already exist and are publicly writable.
Note: this extends the concept of "public" to include all users on all
hosts that can be reached through the network; this may not be appropriate
on all systems, and its implications should be considered before enabling
this service."
From this it can be seen that tftp can be abused. An attacker can easily
steal critical information from your system if tftp is enabled and not
configured safely. Please carefully consider how you configure your UNIX
machine with respect to tftp.
If you do not require tftp on your machine, then it can be disabled by
prepending a crosshatch symbol (#) to the tftp record in /etc/inetd.conf.
For example, replace the following line:
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
with:
#tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -s /tftpboot
Do not forget to issue a HANGUP signal (as root) to the inetd daemon if it is
already running:
hostname# kill -HUP <inetd PID> {Forces inetd to reread inetd.conf}
Kill any remaining tftp daemon(s) (if any are still running):
hostname# kill -KILL <tftpd PID(s)>
If you do require tftp on your machine, then consider using the following
techniques:
(i) Using tcp_wrapper to monitor and evaluate attempted connections. See the
tcp_wrapper documentation for the required changes to /etc/inetd.conf,
and the correct format for the hosts.allow and hosts.deny files.
(ii) Run the tftp daemon in secure mode, by specifying the -s flag in
/etc/inetd.conf. (The flag letter may differ from vendor to vendor.
Under Ultrix, the flag is -r). This flag ensures tftp's root directory
is changed to the flag argument, and that the directory change must be
successful.
(iii) Use C2 and/or a shadow password mechanism so that passwords are not
stored in /etc/passwd.
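The two checks above (is the tftp record commented out, and if it is live, does it get the secure-mode flag with a directory argument) as an added audit script that is not part of this advisory. It assumes the BSD-style inetd.conf layout shown above, and that the secure flag is -s unless another is given as the second argument (e.g. -r for Ultrix).

```sh
#!/bin/sh
# Added example, not part of the SERT advisory: audit inetd.conf for tftp.
# tftp_status FILE [SECURE_FLAG] prints one of:
#   absent    no tftp record at all
#   disabled  every tftp record is commented out with '#'
#   secure    the live record passes SECURE_FLAG (default -s) plus a directory
#   insecure  a live record lacks the flag (this finding overrides the others)
tftp_status() {
    file="$1"
    flag="${2:--s}"            # vendor specific: Ultrix uses -r
    status="absent"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#tftp[[:space:]]*)
                # Commented-out record: inetd will not start the daemon.
                if [ "$status" = "absent" ]; then status="disabled"; fi
                ;;
            tftp[[:space:]]*)
                # Live record. Fields: service socktype proto wait user server args...
                set -f; set -- $line; set +f
                if [ $# -lt 7 ]; then status="insecure"; break; fi
                shift 6                # keep only the server-program arguments
                secure=0
                while [ $# -gt 1 ]; do
                    # Secure mode needs the flag followed by the new root directory.
                    if [ "$1" = "$flag" ] && [ -n "$2" ]; then secure=1; break; fi
                    shift
                done
                if [ "$secure" -eq 1 ]; then
                    status="secure"
                else
                    status="insecure"
                    break
                fi
                ;;
        esac
    done < "$file"
    printf '%s\n' "$status"
}

# Run directly: audit the named files, or /etc/inetd.conf by default.
[ $# -gt 0 ] || set -- /etc/inetd.conf
for conf; do
    [ -r "$conf" ] || continue
    printf '%s: tftp %s\n' "$conf" "$(tftp_status "$conf")"
done
```

A result of "insecure" means inetd will start in.tftpd without a changed root directory, which is exactly the configuration the advisory warns about; "disabled" still calls for the HUP to inetd described above before it takes effect.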
----------------------------------------------------------------------------
If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: sert@sert.edu.au
Facsimile: (07) 365 4477
Telephone: (07) 365 4417
SERT personnel answer during business hours (AEST - GMT+10:00).
Security Emergency Response Team
Prentice Centre
The University of Queensland
Qld. 4072.
AUSTRALIA.