[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Active Internet tftp Attacks

Title: Active Internet tftp Attacks
Released by: CERT
Date: 27th September 1991
Printable version: Click here

Hash: SHA1



Last Revised:  September 18,1997

                Attached copyright statement

                                CERT Advisory

                              September 27, 1991

                         Active Internet tftp Attacks

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) would

like to alert you to automated tftp probes that have been occurring over

the last few days.  These probes have attacked Internet sites throughout 

the world and in most cases the file retrieved was /etc/passwd.  However, 

other files such as /etc/rc may have been retrieved. 

The CERT/CC is working with the site(s) that were used by intruders

to launch the attacks.  We are actively contacting those sites where we

believe the retrievals were successful.  We are urging all sites to 

carefully check their system configurations concerning tftp usage.

- ---------------------------------------------------------------------------

I.   Description

     Unrestricted tftp access allows remote sites to retrieve

     a copy of any world-readable file.

II.  Impact

     Anyone on the Internet can use tftp to retrieve copies of a

     site's sensitive files.  For example, the recent incident

     involved retrieving /etc/passwd.  The intruder can later

     crack the password file and use the information to login 

     to the accounts.  This method may provide access to the 

     root account.

III. Solution


     A.  Sites that do not need tftp should disable it immediately by

     editing the system configuration file to comment out, or remove,

     the line for tftpd.  This file may be /etc/inetd.conf, /etc/servers,

     or another file depending on your operating system.  To cause 

     the change to be effective, it will be necessary to restart

     inetd or force inetd to read the updated configuration file.

     B.  Sites that must use tftp (for example, for booting diskless

     clients) should configure it such that the home directory is changed.  

     Example lines from /etc/inetd.conf might look like:

     ULTRIX 4.0

     tftp   dgram  udp  nowait  /etc/tftpd  tftpd -r /tftpboot

     SunOS 4.1

     tftp   dgram  udp  wait  root  /usr/etc/in.tftpd in.tftpd -s /tftpboot

     As in item A. above, inetd must be restarted or forced to read 

     the updated configuration file to make the change effective.

     C.  If your system has had tftp configured as unrestricted, the CERT/CC

     urges you to consider taking one of the steps outlined above and

     change all the passwords on your system.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST/EDT,

           on call for emergencies during other hours.

Past advisories and other computer security related information are available

for anonymous ftp from the cert.org ( system.

- --------------------------------------------------------------------------

Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History

September 18,1997 Attached Copyright Statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.