
TCP wrapper not working?

Reported by Maxime Ritter on 2007-08-28
Affects / Status / Importance / Assigned to
tcp-wrappers (Debian): Fix Released / Unknown
tcp-wrappers (Ubuntu): Undecided / Unassigned
  Dapper: Declined by Kees Cook
  Feisty: High / Kees Cook
  Gutsy: Undecided / Unassigned

Bug Description

I couldn't block access to portmap on Ubuntu 7.04. In fact, it's the whole TCP wrappers that seems to have a problem...

Simple config for /etc/hosts.deny:
  ALL: ALL
And /etc/hosts.allow:
  ALL: 192.168.1.
Doesn't work (I can still access portmap from an external host using rpcinfo -p).

So I tried a more advanced config for /etc/hosts.deny:
   ALL: .dedibox.fr
   ALL: PARANOID EXCEPT 127.0.0.1.
   ALL: ALL

Same result... Tried many other things like
   portmap: ALL
OR
   portmap: 88.191.36.232

No result; whatever I do, I can't block access to portmap from outside with TCP wrappers via /etc/hosts.deny.

tcpdchk -v results:
Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 16:
daemons: ALL
clients: 192.168.1.
access: granted

>>> Rule /etc/hosts.deny line 21:
daemons: ALL
clients: .dedibox.fr
access: denied

>>> Rule /etc/hosts.deny line 22:
daemons: ALL
clients: PARANOID EXCEPT 127.0.0.1.
access: denied

>>> Rule /etc/hosts.deny line 23:
daemons: ALL
clients: ALL
access: denied

OK, so I think no syntax error is hidden; no problem detected...

root@php7-new ~> tcpdmatch portmap sd-6064.dedibox.fr
warning: portmap: service possibly not wrapped
client: hostname sd-6064.dedibox.fr
client: address 88.191.36.232
server: process portmap
access: granted

Why is it granted whatever I do?? Why doesn't tcpdmatch tell me that it "matched line 21 hosts.deny"? I can't understand...

About the tcpdmatch warning, the man page says portmap uses TCP wrappers, and ldd confirms it's linked to it:
parisex@php7-new:~$ ldd /sbin/portmap
        libwrap.so.0 => /lib/libwrap.so.0 (0x00002ad6b22e9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00002ad6b24f2000)
        libc.so.6 => /lib/libc.so.6 (0x00002ad6b270a000)
        /lib64/ld-linux-x86-64.so.2 (0x00002ad6b20cc000)

But I don't think it's related to portmap, since tcpdmatch tells me 'access granted'.

Not sure it's a security vulnerability (I might also have done something wrong), but just in case, I checked the box...

Maxime Ritter (airmax) wrote:

I copied these /etc/hosts.allow & /etc/hosts.deny to ~/bug, and then I ran tcpdmatch -d portmap 194.2.0.20

With my Ubuntu 7.04 server:
root@php7-new ~/bug> tcpdmatch -d portmap 194.2.0.20
warning: portmap: service possibly not wrapped
client: address 194.2.0.20
server: process portmap
access: granted

Same thing, but on a Debian machine:
delldeb2:~/bug# tcpdmatch -d portmap 194.2.0.20
warning: portmap: service possibly not wrapped
client: address 194.2.0.20
server: process portmap
matched: hosts.deny line 23
access: denied

There is definitely something wrong with TCP wrappers on Ubuntu.

(broken) Ubuntu package version:
libwrap0 7.6.dbs-11build1
tcpd 7.6.dbs-11build1

(working) Debian package version:
libwrap0 7.6.dbs-8
tcpd 7.6.dbs-8
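To make the expected behaviour of the two tcpdmatch runs above concrete, here is an added example (not code from this report or from the tcp-wrappers package) that evaluates hosts.allow / hosts.deny the way hosts_access(5) describes: allow table first, first hit grants; then deny table, first hit denies; otherwise access is granted. The rule tables are constructed from only the lines quoted in the report, so the catch-all "ALL: ALL" is line 3 here rather than line 23; PARANOID is assumed not to match because no DNS lookups are done.

```python
# Constructed copies of the rules quoted in the report (only the lines shown there).
HOSTS_ALLOW = "ALL: 192.168.1.\n"
HOSTS_DENY = "ALL: .dedibox.fr\nALL: PARANOID EXCEPT 127.0.0.1.\nALL: ALL\n"

def _client_matches(pattern, host, addr):
    """One client pattern, following the hosts_access(5) string-matching rules."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return False  # needs forward/reverse DNS; assumed not to match offline
    if pattern.endswith("."):      # network-number prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if pattern.startswith("."):    # domain suffix, e.g. .dedibox.fr
        return host.endswith(pattern)
    return pattern in (host, addr)  # literal hostname or address

def _list_matches(spec, host, addr):
    """'list_1 EXCEPT list_2' matches when list_1 does and list_2 does not."""
    head, _, tail = " ".join(spec.split()).partition(" EXCEPT ")
    hit = any(_client_matches(p, host, addr) for p in head.replace(",", " ").split())
    return hit and not (tail and _list_matches(tail, host, addr))

def _first_match(table, daemon, host, addr):
    """Line number of the first rule in `table` matching daemon and client, else None."""
    for lineno, raw in enumerate(table.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Fields are daemon_list : client_list [: shell_command]; the command is ignored.
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1] if len(fields) > 1 else ""
        if any(d in ("ALL", daemon) for d in daemons) and _list_matches(clients, host, addr):
            return lineno
    return None

def check_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Mimic tcpdmatch's verdict: returns (access, matched) for one client."""
    n = _first_match(allow, daemon, host, addr)
    if n is not None:
        return "granted", "hosts.allow line %d" % n
    n = _first_match(deny, daemon, host, addr)
    if n is not None:
        return "denied", "hosts.deny line %d" % n
    return "granted", "no rule matched"

if __name__ == "__main__":
    # The lookup the reporter ran on both machines; a correct tcpd denies it.
    print(check_access("portmap", "", "194.2.0.20"))  # ('denied', 'hosts.deny line 3')
```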

Maxime Ritter (airmax) wrote:

OK, I got it, same bug in Debian upstream:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405342

Fixed in 7.6.dbs-12

Kees Cook (kees) wrote:

Thanks for this report. I can confirm what you see for Feisty. (It seems that Dapper and Edgy behave correctly.) I will backport the Debian fixes for Feisty shortly. (Since Debian's bug report is public, I will make this report public as well.)

Changed in tcp-wrappers:
status: New → Fix Released
assignee: nobody → keescook
status: New → In Progress
Kees Cook (kees) on 2007-08-29
Changed in tcp-wrappers:
status: In Progress → Fix Committed
Kees Cook (kees) wrote:

This has been published: http://www.ubuntu.com/usn/usn-507-1

Changed in tcp-wrappers:
importance: Undecided → High
status: Fix Committed → Fix Released
Changed in tcp-wrappers:
status: Unknown → Fix Released