=============================================================================
SA-93.05                       SERT Advisory                        25-Jun-93

                    Protecting Yourself From tftp Attacks
-----------------------------------------------------------------------------

Recently a tftp attack was launched from an overseas site against several
AARNet (and overseas) machines.  The person responsible has been caught and
dealt with.  This person admitted using tftp to steal /etc/passwd files from
UNIX machines, and then running a password cracking program against these
files.  Some of the passwords were successfully guessed.  See SERT Advisory
SA-93.04 (available from ftp.sert.edu.au:/security/sert/sert-advisory) on
how to choose better passwords.

tftp is unauthenticated file transfer.  It is used for booting diskless
workstations and downloading server code or fonts to X terminals.  A man
entry for this service states that:

    "due to the lack of authentication information, tftpd will allow only
    publicly readable files to be accessed.  Files may be written only if
    they already exist and are publicly writable.  Note: this extends the
    concept of "public" to include all users on all hosts that can be
    reached through the network; this may not be appropriate on all
    systems, and its implications should be considered before enabling
    this service."

From this it can be seen that tftp can be abused.  An attacker can easily
steal critical information from your system if tftp is enabled and not
configured safely.  Please carefully consider how you configure your UNIX
machine with respect to tftp.

If you do not require tftp on your machine, then it can be disabled by
prepending a crosshatch symbol (#) to the tftp record in /etc/inetd.conf.
For example, replace the following line:

    tftp   dgram   udp   wait   root   /usr/etc/in.tftpd   in.tftpd -s /tftpboot

with:

    #tftp  dgram   udp   wait   root   /usr/etc/in.tftpd   in.tftpd -s /tftpboot

Do not forget to issue a HANGUP signal (as root) to the inetd daemon if it
is already running:

    hostname# kill -HUP <inetd-pid>     {Forces inetd to reread inetd.conf}

Kill any remaining tftp daemon(s) (if any are still running):

    hostname# kill -KILL <tftpd-pid>

If you do require tftp on your machine, then consider using the following
techniques:

  (i)   Use tcp_wrapper to monitor and evaluate attempted connections.  See
        the tcp_wrapper documentation for the required changes to
        /etc/inetd.conf, and the correct format for the hosts.allow and
        hosts.deny files.

  (ii)  Run the tftp daemon in secure mode, by specifying the -s flag in
        /etc/inetd.conf.  (The flag letter may differ from vendor to
        vendor.  Under Ultrix, the flag is -r.)  This flag ensures that
        tftp's root directory is changed to the directory given as the flag
        argument, and that the daemon will not serve requests unless that
        directory change succeeds.

  (iii) Use C2 and/or a shadow password mechanism so that passwords are not
        stored in /etc/passwd.

-----------------------------------------------------------------------------
If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email:  sert@sert.edu.au
Facsimile:       (07) 365 4477
Telephone:       (07) 365 4417
                 SERT personnel answer during business hours (AEST - GMT+10:00).

Security Emergency Response Team
Prentice Centre
The University of Queensland
Qld. 4072.
AUSTRALIA.
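As an added example (this is not part of the SERT advisory), the following POSIX shell script audits an inetd.conf for the tftp record the way the advisory describes: it reports whether the record is commented out and, if it is active, whether in.tftpd is started with the secure-mode flag. The sample configuration files it writes are constructed for the demonstration; on a real host you would run audit_tftp against /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the SERT advisory): audit an inetd.conf for
# the tftp record.  Reports whether the record is commented out and,
# if active, whether in.tftpd is started in secure mode (-s; -r on
# Ultrix, as the advisory notes).  The sample files are constructed;
# on a real host run:  audit_tftp /etc/inetd.conf

# Prints one of: absent, disabled, secure, INSECURE
audit_tftp() {
    conf="$1"
    # Active tftp records: drop comment lines, keep lines whose first
    # whitespace-separated field is exactly "tftp".
    active=$(grep -v '^[[:space:]]*#' "$conf" \
             | grep '^[[:space:]]*tftp[[:space:]]' || true)
    if [ -z "$active" ]; then
        if grep -q '^[[:space:]]*#[[:space:]]*tftp[[:space:]]' "$conf"
        then echo disabled; else echo absent; fi
        return 0
    fi
    # Fields 1-6 are service/socket/proto/wait/user/server path; the
    # server's own arguments begin at field 7.  Every active record
    # must carry -s or -r, otherwise the file is reported INSECURE.
    if printf '%s\n' "$active" | awk '
        { ok = 0; for (i = 7; i <= NF; i++) if ($i == "-s" || $i == "-r") ok = 1
          if (!ok) bad = 1 }
        END { exit(bad ? 1 : 0) }'
    then echo secure; else echo INSECURE; fi
}

# Constructed sample configurations, written to a scratch directory
TMP="${TMPDIR:-/tmp}/tftp-audit.$$"
mkdir -p "$TMP"
cat > "$TMP/insecure.conf" <<'EOF'
ftp   stream  tcp  nowait  root  /usr/etc/in.ftpd   in.ftpd
tftp  dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd
EOF
cat > "$TMP/secure.conf" <<'EOF'
tftp  dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd -s /tftpboot
EOF
cat > "$TMP/disabled.conf" <<'EOF'
#tftp dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd -s /tftpboot
EOF

for f in insecure secure disabled; do
    printf '%-10s %s\n' "$f:" "$(audit_tftp "$TMP/$f.conf")"
done
```

A record reported INSECURE is one the advisory says to either comment out or rerun with the secure-mode flag; the audit does not check tcp_wrapper or shadow passwords, which are separate controls.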