gnu@hoptoad.UUCP (04/20/86)
Index:        network
Category:     security
Severity:     critical
Status:       open
Release:      Sun Unix 3.0 FCS
Customer:     John Gilmore
              Nebula Consultants
              1805 Golden Gate Ave.
              San Francisco, CA 94115
              +1 415 931 4667 voice
              sun!hoptoad!gnu data

Description:
        The tftp daemon allows anyone on the internetwork to read any
        publicly readable file (e.g. /etc/passwd) on the system. This has
        been true since 4.2BSD on Vaxen. In earlier systems it was possible
        to turn off this daemon and avoid the bug. In 3.0, the bug has not
        been fixed, and tftp has been made required for servers, since it
        is used to boot clients.

Repeat-By:
        % tftp host
        > get /etc/passwd /tmp/pw
        > get /etc/hosts.equiv /tmp/he
        > get /.rhosts /tmp/rh
        > q
        % examine them, run password breaking programs, break in.

Fix:
        Fix the tftp daemon to provide the same level of security as the
        ftp daemon (e.g. do a "chroot" to a private directory).

--
John Gilmore  {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu  jgilmore@lll-crg.arpa
Post no bills.
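
The chroot fix proposed in the report, sketched in C as an added example (not part of the original post, and not Sun's or Berkeley's tftpd source): the daemon locks itself into a private directory and gives up root before it opens any requested file. The function names, the /tftpboot directory and the uid/gid 65534 are assumptions.

```c
/* Added example: confine a tftpd-style file server before it serves a request.
 * enter_jail() and open_request() are hypothetical names, not real tftpd code. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the process is locked into `dir` running as uid/gid, else -1.
 * Order matters: chroot() needs root, so privileges are dropped last. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* root can leave a chroot */
    if (chdir(dir) != 0)  return -1;          /* be inside the jail before chroot */
    if (chroot(".") != 0) return -1;          /* "/" is now the private directory */
    if (chdir("/") != 0)  return -1;
    if (setgroups(0, NULL) != 0) return -1;   /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* the drop must be irreversible */
    return 0;
}

/* Open a requested file read-only. After enter_jail(), an absolute name such
 * as "/etc/passwd" resolves under the private directory, not the real root. */
int open_request(const char *name)
{
    return open(name, O_RDONLY | O_NOFOLLOW);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tftpboot"; /* assumed boot-file directory */
    if (enter_jail(dir, 65534, 65534) != 0) {           /* assumed unprivileged ids */
        perror("enter_jail");
        return 1;
    }
    int fd = open_request("/etc/passwd");
    printf("/etc/passwd after confinement: %s\n", fd < 0 ? "not reachable" : "opened");
    return 0;
}
```

The daemon must refuse to serve anything if enter_jail() fails; continuing unconfined reproduces the behaviour the report describes.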