TCP wrapper not working?
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tcp-wrappers (Debian) | Fix Released | Unknown | | |
| tcp-wrappers (Ubuntu) | | Undecided | Unassigned | |
| Feisty | | High | Kees Cook | |
| Gutsy | | Undecided | Unassigned | |
Bug Description
I couldn't block access to portmap on Ubuntu 7.04. In fact it's the whole TCP wrappers that seems to have a problem...
Simple config for /etc/hosts.deny:
ALL: ALL
And /etc/hosts.allow:
ALL: 192.168.1.
Doesn't work (I can still access portmap from an external host using rpcinfo -p).
So I tried a more advanced config for /etc/hosts.deny:
ALL: .dedibox.fr
ALL: PARANOID EXCEPT 127.0.0.1.
ALL: ALL
Same result... Tried many other things like
portmap: ALL
OR
portmap: 88.191.36.232
No result, whatever I do, I can't block the access to portmap with TCP wrapper from outside with /etc/hosts.deny
tcpdchk -v results:
Using network configuration file: /etc/inetd.conf
>>> Rule /etc/hosts.allow line 16:
daemons: ALL
clients: 192.168.1.
access: granted
>>> Rule /etc/hosts.deny line 21:
daemons: ALL
clients: .dedibox.fr
access: denied
>>> Rule /etc/hosts.deny line 22:
daemons: ALL
clients: PARANOID EXCEPT 127.0.0.1.
access: denied
>>> Rule /etc/hosts.deny line 23:
daemons: ALL
clients: ALL
access: denied
Ok, so no syntax error is hidden I think, no problem detected...
root@php7-new ~> tcpdmatch portmap sd-6064.dedibox.fr
warning: portmap: service possibly not wrapped
client: hostname sd-6064.dedibox.fr
client: address 88.191.36.232
server: process portmap
access: granted
Why is it granted whatever I do? Why doesn't tcpdmatch tell me that it "matched line 21 hosts.deny"? I can't understand...
About the tcpdmatch warning, the manpage says portmap uses TCP wrapper, and ldd confirms it's linked to it:
parisex@php7-new:~$ ldd /sbin/portmap
libnsl.so.1 => /lib/libnsl.so.1 (0x00002ad6b24f
libc.so.6 => /lib/libc.so.6 (0x00002ad6b270
But I don't think it's related to portmap, since tcpdmatch tells me 'access granted'
Not sure it's a security vulnerability (I might also have done something wrong), but just in case, I checked the box...
Maxime Ritter (airmax) wrote: #1
Maxime Ritter (airmax) wrote: #2
Ok, I got it, same bug in Debian upstream:
http://
Fixed in 7.6.dbs-12
Kees Cook (kees) wrote: #3
Thanks for this report. I can confirm what you see for Feisty. (It seems that Dapper and Edgy behave correctly.) I will backport the Debian fixes for Feisty shortly. (Since Debian's bug report is public, I will mark this report public as well.)
Changed in tcp-wrappers:
status: New → Fix Released
assignee: nobody → keescook
status: New → In Progress
Changed in tcp-wrappers:
status: In Progress → Fix Committed
Kees Cook (kees) wrote: #4
This has been published: http://
Changed in tcp-wrappers:
importance: Undecided → High
status: Fix Committed → Fix Released
Changed in tcp-wrappers:
status: Unknown → Fix Released
I copied these /etc/hosts.allow & /etc/hosts.deny to ~/bug, and then I ran tcpdmatch -d portmap 194.2.0.20
With my Ubuntu 7.04 server:
root@php7-new ~/bug> tcpdmatch -d portmap 194.2.0.20
warning: portmap: service possibly not wrapped
client: address 194.2.0.20
server: process portmap
access: granted
Same thing, but on a Debian machine:
delldeb2:~/bug# tcpdmatch -d portmap 194.2.0.20
warning: portmap: service possibly not wrapped
client: address 194.2.0.20
server: process portmap
matched: hosts.deny line 23
access: denied
There is definitely something wrong with tcp wrapper on Ubuntu.
(broken) Ubuntu package version:
libwrap0 7.6.dbs-11build1
tcpd 7.6.dbs-11build1
(working) Debian package version:
libwrap0 7.6.dbs-8
tcpd 7.6.dbs-8
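For readers trying to work out which of the two verdicts above is the expected one, here is an added example (not part of the bug report and not the tcp-wrappers package's own code) that models the hosts_access(5) evaluation order in Python: hosts.allow is consulted first and the first matching rule grants, then hosts.deny and the first matching rule denies, and a client matching neither file is granted. The two files are constructed copies of the reporter's configuration, padded with comment lines so the rules fall on the same line numbers tcpdchk printed (hosts.allow line 16, hosts.deny lines 21 to 23). The Client record stands in for the lookup results tcpd would obtain; the example does no DNS, so PARANOID is a flag on the client rather than a forward/reverse lookup comparison. The option field, daemon@host forms, netmask and IPv6 patterns are assumptions left out of this model.

```python
"""Toy model of tcp_wrappers hosts_access(5) evaluation.

hosts.allow is checked first (first match grants), then hosts.deny (first match
denies); a client that matches neither file is granted. Added example, not the
package's own code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copies of the reporter's files. Comment lines pad them so the rules
# land on the line numbers tcpdchk printed (hosts.allow 16, hosts.deny 21-23).
HOSTS_ALLOW = "# padding\n" * 15 + "ALL: 192.168.1.\n"
HOSTS_DENY = ("# padding\n" * 20
              + "ALL: .dedibox.fr\n"
              + "ALL: PARANOID EXCEPT 127.0.0.1.\n"
              + "ALL: ALL\n")


@dataclass
class Client:
    address: str
    hostname: str = ""      # empty when reverse DNS returns nothing
    paranoid: bool = False  # forward and reverse DNS disagree (PARANOID wildcard)


def _token_matches(token: str, client: Client, daemon: str, is_daemon: bool) -> bool:
    """Match one pattern from a daemon list or a client list."""
    if token.upper() == "ALL":
        return True
    if is_daemon:
        return token == daemon
    if token.upper() == "PARANOID":
        return client.paranoid
    if token.endswith("."):            # "192.168.1." is an address prefix
        return client.address.startswith(token)
    if token.startswith("."):          # ".dedibox.fr" is a hostname suffix
        return client.hostname.lower().endswith(token.lower())
    return token == client.address or token.lower() == client.hostname.lower()


def _list_matches(tokens: List[str], client: Client, daemon: str, is_daemon: bool) -> bool:
    """'a b EXCEPT c d' matches when a or b matches and the part after EXCEPT does not."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return (_list_matches(tokens[:i], client, daemon, is_daemon)
                    and not _list_matches(tokens[i + 1:], client, daemon, is_daemon))
    return any(_token_matches(t, client, daemon, is_daemon) for t in tokens)


def _first_match(text: str, client: Client, daemon: str) -> Optional[int]:
    """Return the 1-based line number of the first rule matching daemon and client."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]   # daemon_list : client_list [: option]
        if len(fields) < 2:
            continue
        if (_list_matches(fields[0].split(), client, daemon, True)
                and _list_matches(fields[1].split(), client, daemon, False)):
            return lineno
    return None


def hosts_access(daemon: str, client: Client,
                 allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY
                 ) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Return the verdict and the (file, line) that decided it; None when no rule matched."""
    n = _first_match(allow, client, daemon)
    if n is not None:
        return "granted", ("hosts.allow", n)
    n = _first_match(deny, client, daemon)
    if n is not None:
        return "denied", ("hosts.deny", n)
    return "granted", None


if __name__ == "__main__":
    probes = [Client("88.191.36.232", "sd-6064.dedibox.fr"),   # the reporter's external host
              Client("194.2.0.20"),                            # the tcpdmatch -d probe
              Client("192.168.1.10")]                          # a LAN client
    for c in probes:
        verdict, where = hosts_access("portmap", c)
        print(f"{c.address:<16} {verdict:<8} matched: {where}")
```

Run as written, the model gives the same answers as the reporter's Debian machine: 194.2.0.20 is denied at hosts.deny line 23, the dedibox host at line 21, and a 192.168.1.x client is granted by hosts.allow line 16. When a live `tcpdmatch -d` run over the same two files disagrees with this model, the discrepancy is in the library build rather than in the rule syntax, which is what the package versions above point to.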