TCP wrapper not working?

Reported by Maxime Ritter on 2007-08-28
Affects                  Status                              Importance   Assigned to   Milestone
tcp-wrappers (Debian)    Fix Released
tcp-wrappers (Ubuntu)    Declined for Dapper by Kees Cook                 Kees Cook

Bug Description

I couldn't block access to portmap on Ubuntu 7.04. In fact the whole of TCP wrappers seems to have a problem...

Simple config for /etc/hosts.deny:
And /etc/hosts.allow:
   ALL: 192.168.1.
Doesn't work (I can still access portmap from an external host using rpcinfo -p).

So I tried a more advanced config for /etc/hosts.deny:
   ALL: .dedibox.fr

Same result... Tried many other things like
   portmap: ALL

No result; whatever I do, I can't block access to portmap from outside with TCP wrappers and /etc/hosts.deny.

tcpdchk -v results:
Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 16:
daemons: ALL
clients: 192.168.1.
access: granted

>>> Rule /etc/hosts.deny line 21:
daemons: ALL
clients: .dedibox.fr
access: denied

>>> Rule /etc/hosts.deny line 22:
daemons: ALL
access: denied

>>> Rule /etc/hosts.deny line 23:
daemons: ALL
clients: ALL
access: denied

Ok, so no syntax error is hidden I think, no problem detected...

root@php7-new ~> tcpdmatch portmap sd-6064.dedibox.fr
warning: portmap: service possibly not wrapped
client: hostname sd-6064.dedibox.fr
client: address
server: process portmap
access: granted

Why is it granted whatever I do?? Why doesn't tcpdmatch tell me that it "matched line 21 hosts.deny"? I can't understand...

About the tcpdmatch warning, the manpage says portmap uses TCP wrappers, and ldd confirms it's linked to it:
parisex@php7-new:~$ ldd /sbin/portmap
        libwrap.so.0 => /lib/libwrap.so.0 (0x00002ad6b22e9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00002ad6b24f2000)
        libc.so.6 => /lib/libc.so.6 (0x00002ad6b270a000)
        /lib64/ld-linux-x86-64.so.2 (0x00002ad6b20cc000)

But I don't think it's related to portmap, since tcpdmatch tells me 'access granted'.

Not sure it's a security vulnerability (I might also have done something wrong), but just in case, I checked the box...

Maxime Ritter (airmax) wrote :

I copied these /etc/hosts.allow & /etc/hosts.deny to ~/bug, and then I ran tcpdmatch -d portmap

With my Ubuntu 7.04 server:
root@php7-new ~/bug> tcpdmatch -d portmap
warning: portmap: service possibly not wrapped
client: address
server: process portmap
access: granted

Same thing, but on a Debian machine:
delldeb2:~/bug# tcpdmatch -d portmap
warning: portmap: service possibly not wrapped
client: address
server: process portmap
matched: hosts.deny line 23
access: denied

There is definitely something wrong with TCP wrappers on Ubuntu.

(broken) Ubuntu package version:
libwrap0 7.6.dbs-11build1
tcpd 7.6.dbs-11build1

(working) Debian package version:
libwrap0 7.6.dbs-8
tcpd 7.6.dbs-8
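The rules from the bug description and the two tcpdmatch runs above can be checked against a model of the hosts_access(5) decision: the first matching entry in hosts.allow grants, otherwise the first matching entry in hosts.deny denies, otherwise access is granted. The Python below is an added illustration, not libwrap's code and not something posted in this report; it supports ALL, LOCAL, ".domain" suffixes, "net." prefixes, net/mask and EXCEPT, and the tables, the address 203.0.113.7 and the line numbers are constructed for the example (the reporter's real files had the rules at lines 16 and 21-23).

```python
"""Simplified model of the hosts_access(5) decision made by TCP wrappers.
Added illustration for the bug report, not libwrap's own implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    source: str        # table the rule came from: "hosts.allow" or "hosts.deny"
    lineno: int        # line in that table, as tcpdchk/tcpdmatch report it
    daemons: List[str]
    clients: List[str]


def parse_table(text: str, source: str) -> List[Rule]:
    """Parse one access table: '#' comments, blank lines, backslash continuation."""
    rules, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = lineno
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):                 # continued on the next line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"{source} line {start}: missing client list")
        rules.append(Rule(source, start, fields[0].split(), fields[1].split()))
    return rules


def _list_matches(tokens: List[str], pred: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when the left list matches and the right does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], pred) and not _list_matches(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)


def _client_token_matches(pattern: str, hostname: str, address: str) -> bool:
    host = hostname.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # host name without a dot
        return "." not in host
    if pattern.startswith("."):                 # ".dedibox.fr" matches sd-6064.dedibox.fr
        return host.endswith(pattern.lower())
    if pattern.endswith("."):                   # "192.168.1." matches 192.168.1.20
        return address.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == host or pattern == address


def _rule_matches(rule: Rule, daemon: str, hostname: str, address: str) -> bool:
    daemon_ok = _list_matches(rule.daemons, lambda p: p == "ALL" or p == daemon)
    client_ok = _list_matches(rule.clients, lambda p: _client_token_matches(p, hostname, address))
    return daemon_ok and client_ok


def hosts_access(daemon, hostname, address, allow, deny) -> Tuple[str, Optional[Rule]]:
    """hosts_access(5): first matching hosts.allow entry grants, otherwise the first
    matching hosts.deny entry denies, otherwise access is granted."""
    for rule in allow:
        if _rule_matches(rule, daemon, hostname, address):
            return "granted", rule
    for rule in deny:
        if _rule_matches(rule, daemon, hostname, address):
            return "denied", rule
    return "granted", None


def tcpdmatch_report(daemon, hostname, address, allow, deny) -> str:
    """Render the decision in the style of tcpdmatch's last output lines."""
    verdict, rule = hosts_access(daemon, hostname, address, allow, deny)
    lines = [f"matched: {rule.source} line {rule.lineno}"] if rule else []
    lines.append(f"access: {verdict}")
    return "\n".join(lines)


# Constructed tables mirroring the rules in the report (line numbers differ
# from the reporter's real files).
HOSTS_ALLOW = parse_table("ALL: 192.168.1.\n", "hosts.allow")
HOSTS_DENY = parse_table("ALL: .dedibox.fr\nportmap: ALL\nALL: ALL\n", "hosts.deny")

if __name__ == "__main__":
    # 203.0.113.7 is a constructed documentation-range address for the example.
    print(tcpdmatch_report("portmap", "sd-6064.dedibox.fr", "203.0.113.7", HOSTS_ALLOW, HOSTS_DENY))
    print(tcpdmatch_report("portmap", "pc20.lan", "192.168.1.20", HOSTS_ALLOW, HOSTS_DENY))
```

With these tables the model answers "matched: hosts.deny line 1 / access: denied" for the dedibox host, which is the shape of the Debian output in the comment above; the Ubuntu 7.6.dbs-11build1 build answered "access: granted" without a matched line, which is why the rpcinfo probe from outside kept succeeding.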

Maxime Ritter (airmax) wrote :

Ok, I got it, same bug in Debian upstream:

Fixed in 7.6.dbs-12

Kees Cook (kees) wrote :

Thanks for this report. I can confirm what you see for Feisty. (It seems that Dapper and Edgy behave correctly.) I will backport the Debian fixes for Feisty shortly. (Since Debian's bug report is public, I will mark this report public as well.)

Changed in tcp-wrappers:
status: New → Fix Released
assignee: nobody → keescook
status: New → In Progress
Kees Cook (kees) on 2007-08-29
Changed in tcp-wrappers:
status: In Progress → Fix Committed
Kees Cook (kees) wrote :

This has been published: http://www.ubuntu.com/usn/usn-507-1

Changed in tcp-wrappers:
importance: Undecided → High
status: Fix Committed → Fix Released
Changed in tcp-wrappers:
status: Unknown → Fix Released