Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Wed, 15 Apr 2009 08:07:42 -0400 (EDT)
From: wietse@...cupine.org (Wietse Venema)
To: Tomas Hoger <thoger@...hat.com>
CC: OSS Security <oss-security@...ts.openwall.com>, wietse@...cupine.org
Subject: Re: Some fun with tcp_wrappers

Tomas Hoger:
> Hi!
> 
> During the QA of our net-snmp updates for CVE-2008-6123, some more
> problems were spotted related to the use of tcp_wrappers by net-snmp.
> More specifically, any hostname based rules in hosts.{allow,deny} were
> not honored when defined for snmpd.  Further investigation showed that
> similar problem affects other applications calling hosts_ctl
> tcp_wrappers interface without providing a valid hostname.  Bug report
> for this issue is:
>   https://bugzilla.redhat.com/show_bug.cgi?id=491095

If some applications mis-use the library API then that is really
unfortunate.

Changing the library to work around application bugs is a BAD idea.
It helps only one platform and complicates cross-platform software
that does play by the rules.

I would recommend fixing applications that mis-use the library API.
To encourage application developers, the library could log a warning
and return a DENY result for improper calls such as a zero-length
hostname or address argument.

	Wietse

> Even though such behavior of tcp_wrappers seems to be the intended one
> (also CCing Wietse if he wants to comment on this, but I believe
> tcp_wrappers are no longer maintained upstream), but it does not seem
> to be what applications using tcp_wrappers, or users of such
> applications are expecting.  Additionally, tcp_wrappers as shipped in
> Red Hat Enterprise Linux 5 and all current Fedora versions include
> following patch for a while:
> 
> http://cvs.fedoraproject.org/viewvc/rpms/tcp_wrappers/devel/tcp_wrappers-7.6-220015.patch
> 
> It changes hosts_ctl to set up conversion functions to allow
> tcp_wrappers to do IP -> hostname resolution when needed.
> 
> Therefore, even though this may not really be a tcp_wrappers flaw, we
> are planning to release updates for older RHEL versions including the
> change.  This would address the problem for all affected applications,
> and doing DNS resolution on the tcp_wrappers side actually seems to be
> a better way to go (tcp_wrappers only resolve when needed based on the
> hosts access rules configured on the system, while resolution on the
> application side would have to be done for all hosts_ctl calls).
> 
> Additionally, this fostered further research into nfs-utils'
> CVE-2008-4552.  The way nfs-utils use tcp_wrappers is quite broken,
> resulting in various cases when hosts access rules are not honored
> according to the expectations of the system administrator, possibly
> allowing access when it should be denied.  The problem should mostly
> affect (but is not limited to) setups with hostname based rules used
> (which are problematic anyway, as those are ignored during DNS
> outages).  Details with rewrite of good_client can be found in:
>   https://bugzilla.redhat.com/show_bug.cgi?id=458676
> 
> The good_client function used by nfs-utils is copied from the portmap
> sources, so portmap is affected by the same problem too.  Additionally,
> other affected good_client copies / derived implementations can also be
> found in quota (with most problems no longer affecting current upstream
> version) and am-utils.  Upstreams were notified, but have not replied
> yet.
> 
> -- 
> Tomas Hoger / Red Hat Security Response Team
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux