Re: Is debian OpenBSD ftpd secure?

To: Mike Moran <Mike.Moran@ee.ed.ac.uk>
Cc: bds@jhb.ucs.co.za, Debian Security List <debian-security@lists.debian.org>
Subject: Re: Is debian OpenBSD ftpd secure?
From: Berend De Schouwer <bds@jhb.ucs.co.za>
Date: Tue, 30 Jan 2001 16:59:00 +0200
Message-id: <[🔎] 20010130165900.C1540@bds.ucs.co.za>
Reply-to: bds@jhb.ucs.co.za
In-reply-to: <[🔎] 3A76D18F.DE7EEEA2@ee.ed.ac.uk>; from Mike.Moran@ee.ed.ac.uk on Tue, Jan 30, 2001 at 16:37:03 +0200
References: <[🔎] 3A76C58E.B16C2053@ee.ed.ac.uk> <[🔎] 20010130162534.A1540@bds.ucs.co.za> <[🔎] 3A76D18F.DE7EEEA2@ee.ed.ac.uk>

On Tue, 30 Jan 2001 16:37:03 Mike Moran wrote:
| Berend De Schouwer wrote:
| > 
| > On Tue, 30 Jan 2001 15:45:50 Mike Moran wrote:
| [ ... ]
| > 
| > | However, SAINT still seems to pick this up as a vulnerability. Is
| this
| > | just because the SAINT detection routines get fooled by the
| > | almost-successful login, or is there actually a real vulnerability?
| > 
| > It shouldn't.  Its "best practice" to ALWAYS ask for a password,
| > even if the account is disabled.  Does SAINT give any more info?
| 
| Not that I remember (I don't have SAINT available here right now). It
| just highlighted the OpenBSD server in its vulnerability list, and gave
| a link to a list of known problems with a whole load of ftp servers.

Nothing specific?  Then please try the SAINT people for info.

| OpenBSD was mentioned in the section about anonymous access
| vulnerability. However, from my reading, it is only vulnerable if the
| "anonymous" account is available for login. Still, I'd like to be sure
| that it isn't vulnerable; the previous (RH) machine I was on got hit by
| the Ramen Worm last week, so I'd like to be doubly sure I am safe from
| similar attacks on debian.

If the ftpd server is vulnerable if anonymous is allowed, it usually
means its vulnerable if "at least" anonymous is allowed.  Usually
its "even worse" if other logins are available.

The two bugs I do know about, which got fixed in OpenBSD over the
last year, are the setproctitle() bug, and the replydirname() bug.

Are there any others?

The version in potato (just apt-get source ftpd now), does not
contain the replydirname() function at all, and setproctitle() seems
fine.  Disclaimer applies.

Someone correct me if I am wrong...
 
| Are there any other SAINT-like vulnerability testers that I could double
| check it with?

Maybe nessus?

| -- 
| Mike.Moran@ee.ed.ac.uk 
|                    Web: http://houseofmoran.com/
|                AvantGo: http://houseofmoran.com/Lite/
| 
Kind regards,				  
Berend                                  

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

Reply to:

References:
- Is debian OpenBSD ftpd secure?
  - From: Mike Moran <Mike.Moran@ee.ed.ac.uk>
- Re: Is debian OpenBSD ftpd secure?
  - From: Berend De Schouwer <bds@jhb.ucs.co.za>
- Re: Is debian OpenBSD ftpd secure?
  - From: Mike Moran <Mike.Moran@ee.ed.ac.uk>

Prev by Date: Re: Is debian OpenBSD ftpd secure?
Next by Date: Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)
Previous by thread: Re: Is debian OpenBSD ftpd secure?
Next by thread: CA-2000-22 Feedback VU-23382365 (LPRng)
Index(es):
- Date
- Thread