[Summary] wu-ftpd on DU 3.2C with C2 security

From: Utility Muffin Research Kitchen <ddiehl_at_carleton.edu>
Date: Thu, 13 Jun 1996 14:18:26 -0500 (CDT)

My original request was for help patching wu-ftpd-2.4-academ to work with
C2 security in ENHANCED mode under DU 3.2C. A number of people were kind
enough to send me patches or advice. Thanks go to:

Kent Frazier <frazier_at_tti.com>
Kevin Lentin <kevinl_at_cs.monash.edu.au>
Christophe Wolfhugel <wolf_at_pasteur.fr>
Richard Rogers <ittrmr_at_staffs.ac.uk>
Peter deFriesse <peter_at_oitunix.oit.umass.edu>
Patrick O'Brien <pobrien_at_cfa.harvard.edu>

Unfortunately, all of these patches were fatally flawed. All of them
worked, fundamentally, by bypassing the C2 security system and directly
accessing the shadow password data. Some of them also failed to cope
with passwords longer than 8 characters (which is the minimum length on
our system).

The problem here is that one of the main features of C2 is that it locks
accounts after a certain number of bad login attempts. If your ftpd
bypasses this system and accesses the password file directly, without
informing the C2 system of failed attempts, it becomes possible for
hackers to use your ftpd to test an arbitrary number of passwords. I know
that at least one site has been broken into because of a setup like this.

As I was about to sit down and write patches to use the SIA library
myself, a message came across the Bugtraq security mailing list
describing a bug in the SIA library prior to 4.0 (fixable with
ssrt0376_osf1032d), which included example code for using the SIA library
by way of a patch to wuftpd. What luck. Included is the sample code,
which I received from Paul Leyland <pcl_at_foo.oucs.ox.ac.uk>, for which he
credits his colleague Malcolm Beattie.

*Let me reiterate for emphasis: If you have patched wu-ftpd for C2 using
*any patch which works by defining SecureWare and/or using getprpw* calls,
*you have effectively disabled the failed login lockout feature of your C2
*security. Also, this feature may be broken if you have not installed
*ssrt0376_osf1032d.

                                -Dave Diehl
                                 Systems/Network Manager
                                 Carleton College

.................................cut here....................................

*** Makefile~ Fri Apr 01 20:03:27 1994
--- Makefile Fri Aug 26 16:56:13 1994
***************
*** 1,8 ****
  CC = cc
  IFLAGS = -I.. -I../support
  LFLAGS = -L../support -s -x
! CFLAGS = -O -DDEBUG ${IFLAGS} ${LFLAGS}
! LIBES = -lsupport
  LIBC = /lib/libc.a
  LINTFLAGS=
  LKERB = -lauth -lckrb -lkrb -ldes
--- 1,8 ----
  CC = cc
  IFLAGS = -I.. -I../support
  LFLAGS = -L../support -s -x
! CFLAGS = -O -DDEBUG -DOSF_AUTH ${IFLAGS} ${LFLAGS}
! LIBES = -lsecurity -lsupport
  LIBC = /lib/libc.a
  LINTFLAGS=
  LKERB = -lauth -lckrb -lkrb -ldes

*** ftpd.c.orig Fri Aug 26 14:21:04 1994
--- ftpd.c Fri Aug 26 16:44:12 1994
***************
*** 110,115 ****
--- 110,120 ----
  #include <sys/svcinfo.h>
  #endif

+ #ifdef OSF_AUTH
+ #include <sia.h>
+ #include <siad.h>
+ #endif
+
  #ifdef HAVE_DIRENT
  #include <dirent.h>
  #else
***************
*** 247,252 ****
--- 252,261 ----
  int ultrix_check_pass(char *passwd, char *xpasswd);
  #endif

+ #ifdef OSF_AUTH
+ int OSF_check_pass(char *passwd);
+ #endif
+
  /* ls program commands and options for lreplies on and off */
  char ls_long[50];
  char ls_short[50];
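
Review bot: The prototype added in this hunk declares OSF_check_pass, but the call site and the definition in the later hunks are spelled osf_check_pass, and the definition is static int. The call is therefore compiled with no matching prototype in scope, and the later static definition disagrees with the implicit declaration made at the call. Suggest declaring it here as static int osf_check_pass(char *passwd); so that the name and linkage match the definition.
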
***************
*** 1012,1017 ****
--- 1021,1028 ----

  #ifdef ULTRIX_AUTH
          if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
+ #elif defined(OSF_AUTH)
+ if (osf_check_pass(passwd) < 0) {
  #else
          /* The strcmp does not catch null passwords! */
          if (pw == NULL || *pw->pw_passwd == '\0' ||
***************
*** 2816,2818 ****
--- 2827,2885 ----
      return -1;
  }
  #endif /* ULTRIX_AUTH */
+
+ #ifdef OSF_AUTH
+ int sia_collect_null(int timeout, int rendition, unsigned char *title,
+ int num_prompts, prompt_t *prompt)
+ {
+ return SIACOLSUCCESS;
+ }
+
+ static int
+ osf_check_pass(char *passwd)
+ {
+
+ SIAENTITY *entity = NULL;
+ char uname[32];
+ int auth_status;
+ int argc = 1;
+ char *argv[2];
+
+ argv[0] = "ftpd";
+ argv[1] = (char *) 0;
+ set_auth_parameters(argc, argv);
+
+ (void) strcpy(uname, pw->pw_name);
+
+ auth_status = sia_ses_init(&entity, argc, argv, NULL, uname, NULL, FALSE, NULL);
+ if (auth_status != SIASUCCESS)
+ {
+ syslog(LOG_ERR, "sia_ses_init() failed in osf_check_pass");
+ return -1;
+ }
+
+ if (pw == (struct passwd *) NULL) {
+ return -1;
+ }
+
+ auth_status = sia_ses_authent(sia_collect_null, passwd, entity);
+ if (auth_status != SIASUCCESS)
+ return -1;
+
+ auth_status = sia_ses_estab(sia_collect_null, entity);
+ if (auth_status != SIASUCCESS)
+ {
+ syslog(LOG_WARNING, "sia_ses_estab() failed in osf_check_pass");
+ return -1;
+ }
+
+ auth_status = sia_ses_release(&entity);
+ if (auth_status != SIASUCCESS)
+ {
+ syslog(LOG_ERR, "sia_ses_release() failed in osf_check_pass");
+ return -1;
+ }
+
+ return 0;
+ }
+ #endif /* OSF_AUTH */
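
Review bot: In osf_check_pass, strcpy(uname, pw->pw_name) dereferences pw before the pw == NULL test, which only comes after sia_ses_init, so a login for an unknown user reaches a NULL dereference instead of the intended return -1. Move the NULL check to the top of the function, ahead of the strcpy; that also avoids returning with an initialised entity that is never passed to sia_ses_release. The copy into uname[32] is unbounded as well; a length-limited copy with explicit termination would be safer. A failed sia_ses_authent is the one failure path here that is not logged with syslog, which is worth adding given that failed attempts are the point of the change.
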
Received on Thu Jun 13 1996 - 21:46:24 NZST
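
The lockout bypass described in the message, as an added example that is not part of the original post or of the patch: a toy C model in which the same run of wrong guesses is sent through a check that reads the stored password entry directly and through one that keeps the failed-attempt count. The account, the threshold of 5 and all function names are constructed for illustration and are not the SIA or getprpw* API.

```c
/* Toy model (constructed): not the SIA or getprpw* API. */
#include <stdio.h>
#include <string.h>

#define MAX_FAILS 5   /* assumed lockout threshold */

struct account {
    const char *name;
    const char *secret;   /* stands in for the protected password entry */
    int failed;           /* consecutive failed attempts */
    int locked;
};

/* Bypass path: compares against the stored entry, never touches the counter. */
static int direct_check(struct account *a, const char *guess)
{
    return strcmp(a->secret, guess) == 0;
}

/* Mediated path: every attempt goes through the lockout bookkeeping. */
static int mediated_check(struct account *a, const char *guess)
{
    if (a->locked)
        return 0;                 /* locked accounts reject everything */
    if (strcmp(a->secret, guess) == 0) {
        a->failed = 0;
        return 1;
    }
    if (++a->failed >= MAX_FAILS)
        a->locked = 1;
    return 0;
}

typedef int (*check_fn)(struct account *, const char *);

/* Submit n_wrong bad guesses, then the right password; 1 if it is accepted. */
static int right_password_accepted_after(check_fn check, int n_wrong)
{
    struct account a = { "demo", "correct-horse-9", 0, 0 };
    for (int i = 0; i < n_wrong; i++)
        check(&a, "wrong-guess");
    return check(&a, "correct-horse-9");
}

int main(void)
{
    printf("direct: %d  mediated: %d\n", right_password_accepted_after(direct_check, 1000), right_password_accepted_after(mediated_check, 1000));
    return 0;
}
```

With the direct check the account is still open after 1000 failures, so guessing is limited only by time; with the mediated check the account locks at the fifth failure and even the correct password is refused afterwards.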
