FOR OFFICIAL DEPARTMENT OF ENERGY USE ONLY
_____________________________________________________

The Computer Incident Advisory Capability (CIAC)
_____________________________________________________

Advisory Notice

Automated tftp Probe Attacks on UNIX Systems Connected to the Internet

September 27, 1991, 1700 PDT
Number B-44
________________________________________________________________________

PROBLEM:   Many systems connected to the Internet have been probed via
           tftp, allowing intruders to copy the /etc/passwd and /etc/rc
           files.

PLATFORM:  UNIX systems supporting tftp.

DAMAGE:    Potential disclosure of easily-guessed passwords, leading to
           unauthorized access to user accounts.

SOLUTIONS: Disable tftp if possible, or limit the access of tftp if this
           utility is required. Assure that there are no easily guessed
           passwords on your systems.
________________________________________________________________________

Critical Facts about the Automated tftp Probes

CIAC has learned of a series of Internet-based probes involving the tftp (trivial file transfer protocol) facility available on many UNIX platforms. tftp performs no authentication of the requesting host or user, so an unpatched or unrestricted tftp daemon will hand out any world-readable file on the system. This weakness can be used to obtain a copy of the /etc/passwd and /etc/rc files of remote systems (see the CIAC bulletin of June 22, 1989). If successful, these probes fetch the /etc/passwd file (and potentially the /etc/rc file) from victim systems; the intruders then run password-guessing tools against the hashed passwords in /etc/passwd, and any password that is cracked gives them unauthorized access to the system.

A large number of these attacks have been reported to CIAC. Because an automated probe program is generating them, many systems at a single site can be probed in a short time.

If your system is connected to the Internet, you should assure that the tftp service is disabled on systems that do not require this functionality. (Typically, tftp is useful mainly on boot servers that supply boot images to diskless machines at boot-up.)
To disable the tftp service, comment out the tftp entry in the /etc/inetd.conf file (or the similar configuration file used by your UNIX operating system) by prepending a pound sign "#" to the line beginning "tftp...", then send inetd a hangup signal (kill -HUP the inetd process) so that it rereads its configuration; a running inetd does not pick up the change on its own. Consult your operating system documentation concerning tftpd for additional details on disabling this service.

If it is necessary for your system to support tftp, you should restrict tftp to a secure home directory. On many systems this is done automatically when the tftp daemon is invoked with the appropriate option. For example, under SunOS 4.X the tftpd -s option makes the daemon change to the given home directory (and refuse to start if that change fails) and also changes its root directory to that home directory (chroot), so that files elsewhere in the file system, including /etc/passwd, cannot be fetched.

In order to detect this form of attack, we recommend that you use a monitoring package that will log tftp and other service requests. The type of package appropriate to your site will depend on your specific network architecture.

If you suspect your system has been probed (with unrestricted tftp), you should check your password file with a password guessing utility such as the Security Profile Inspector (SPI, available only to DOE sites), CRACK, or the COPS package. We also recommend that you require a change of passwords on the root and user accounts.

If you are an employee or contractor at a DOE site, you may have been contacted about these probes by other agencies' response teams. We request that any replies to these contacts be made directly to CIAC instead of other agencies' teams, so that we can coordinate the response both within the DOE community and with other agencies' response teams.

For additional information or assistance (including assistance on installing a monitoring package), please contact CIAC:

    David S. Brown                          Tom Longstaff
    (510) 423-9878**/(FTS) 543-9878    or   (510) 423-4416**/(FTS) 543-4416
    dsbrown@llnl.gov                        longstaf@llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS) 532-8193.
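The following script is an added example and is not part of the CIAC bulletin. It shows the check-and-harden steps above as shell functions: classify the tftp entry of an inetd.conf as absent, disabled, unrestricted, or restricted (restricted meaning the daemon is started with "-s <dir>", the SunOS 4.X chroot option), write a copy with the tftp line commented out, and write a copy where an unrestricted in.tftpd is given "-s /tftpboot". The inetd.conf fragment is constructed for the example; the paths (/usr/etc/in.tftpd, /tftpboot) and the assumption that your tftpd accepts -s are illustrative, so check your own tftpd(8) before applying the restricted form, and remember to HUP inetd after installing either result.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): inspect and harden the tftp
# entry of a classic inetd.conf ("service socktype proto wait user server args").

# Print one of: absent, disabled, unrestricted, restricted.
tftp_inetd_status() {
    conf="$1"
    # Active entries: uncommented lines whose first field is the service name.
    active=$(awk '$1 == "tftp"' "$conf")
    if [ -n "$active" ]; then
        # "-s <dir>" on the server's arguments means chroot to that directory
        # (SunOS 4.X in.tftpd behaviour); anything else is unrestricted.
        if printf '%s\n' "$active" | grep -q -- '-s[[:space:]]*/'; then
            echo restricted
        else
            echo unrestricted
        fi
        return 0
    fi
    if grep -q '^[[:space:]]*#[[:space:]]*tftp[[:space:]]' "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# Copy $1 to $2 with every active tftp line commented out (the bulletin's fix).
disable_tftp() {
    sed 's/^\([[:space:]]*tftp[[:space:]]\)/#\1/' "$1" > "$2"
}

# Copy $1 to $2, appending "-s $3" to an active tftp line that lacks it.
# Assumes the server supports -s as SunOS 4.X in.tftpd does.
restrict_tftp() {
    awk -v d="$3" '
        $1 == "tftp" && $0 !~ /-s[ \t]*\// { $0 = $0 " -s " d }
        { print }
    ' "$1" > "$2"
}

# Constructed sample inetd.conf fragment (not taken from any real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# inetd.conf - constructed sample
ftp     stream  tcp  nowait  root  /usr/etc/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/etc/in.telnetd  in.telnetd
tftp    dgram   udp  wait    root  /usr/etc/in.tftpd    in.tftpd
EOF

# Stand-alone demonstration: report the weak setting and both hardened forms.
echo "original:   $(tftp_inetd_status "$SAMPLE_CONF")"
DISABLED=$(mktemp); disable_tftp "$SAMPLE_CONF" "$DISABLED"
echo "disabled:   $(tftp_inetd_status "$DISABLED")"
RESTRICTED=$(mktemp); restrict_tftp "$SAMPLE_CONF" "$RESTRICTED" /tftpboot
echo "restricted: $(tftp_inetd_status "$RESTRICTED")"
grep '^tftp' "$RESTRICTED"
```

The status check is the useful part on a site with many hosts: run it over each machine's inetd.conf (or its equivalent) before the probe program reaches them, and treat "unrestricted" as the finding that needs action.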
FAX messages to: (510) 423-8002**/(FTS) 543-8002.

**Note: area code has changed from 415.

CIAC would like to thank Doug Mildran and Craig Leres for their assistance. DARPA's Computer Emergency Response Team Coordination Center also provided some of the information used in this bulletin.

Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.