From ipfw@ya3.so-net.ne.jp  Mon Aug  6 06:45:43 2001
Return-Path: <ipfw@ya3.so-net.ne.jp>
Received: from mgate11.so-net.ne.jp (mgate11.so-net.ne.jp [210.139.254.158])
	by hub.freebsd.org (Postfix) with ESMTP id 4046F37B405
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  6 Aug 2001 06:45:43 -0700 (PDT)
	(envelope-from ipfw@ya3.so-net.ne.jp)
Received: from mail.ya3.so-net.ne.jp (mspool11.so-net.ne.jp [210.139.248.11])
	by mgate11.so-net.ne.jp (8.9.3/3.7W01060506) with ESMTP id WAA22662
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 6 Aug 2001 22:45:42 +0900 (JST)
Received: from localhost (pdf4a47.kngwnt01.ap.so-net.ne.jp [202.223.74.71])
	by mail.ya3.so-net.ne.jp  with ESMTP id f76DjeX26619
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 6 Aug 2001 22:45:41 +0900 (JST)
Message-Id: <20010806224917T.koya@pluto.math.yokohama-cu.ac.jp>
Date: Mon, 06 Aug 2001 22:49:17 +0900
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Sender: Yoshihiro Koya <koya@math.yokohama-cu.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ftpd leaks password typed as username by mistake
X-Send-Pr-Version: 3.113

>Number:         29487
>Category:       bin
>Synopsis:       ftpd leaks password typed as username by mistake
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    yar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 06 06:50:01 PDT 2001
>Closed-Date:    Fri Feb 14 04:46:11 PST 2003
>Last-Modified:  Fri Feb 14 04:46:11 PST 2003
>Originator:     Yoshihiro Koya
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
Yokohama City Univ., Dept. of Math. Sci.
>Environment:
System: FreeBSD presario.my.domain 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Mon Aug 6 18:00:24 JST 2001 root@presario.my.domain:/usr/obj/usr/src/sys/presario i386

ftpd.c:
     $FreeBSD: src/libexec/ftpd/ftpd.c,v 1.62.2.10 2001/07/19 05:44:08 dd Exp $
>Description:
It might quite often happen that one types the password instead of the username 
into an ftp client by mistake.
In that case, ftpd(8) on FreeBSD logs the usernames into
/var/log/messages as follows

	Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass 

On the other hand, every user on the system can access /var/log/messages.
It might cause security related problems. 
>How-To-Repeat:
	Type your password as a username to ftp.
	And check your /var/log/messages.
>Fix:

Index: ftpd.c
===================================================================
RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.62.2.10
diff -u -r1.62.2.10 ftpd.c
--- ftpd.c	2001/07/19 05:44:08	1.62.2.10
+++ ftpd.c	2001/08/06 13:34:11
@@ -1228,9 +1228,15 @@
 		if (rval) {
 			reply(530, "Login incorrect.");
 			if (logging)
-				syslog(LOG_NOTICE,
-				    "FTP LOGIN FAILED FROM %s, %s",
-				    remotehost, curname);
+				if (getpwnam(curname)){
+					syslog(LOG_NOTICE,
+					    "FTP LOGIN FAILED FROM %s, %s",
+					    remotehost, curname);
+				} else {
+					syslog(LOG_NOTICE,
+					    "FTP LOGIN FAILED FROM %s, (unknown user)",
+					    remotehost);
+				}
 			pw = NULL;
 			if (login_attempts++ >= 5) {
 				syslog(LOG_NOTICE,
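Review bot: the getpwnam(curname) test in the added block drops the typed name for every unknown account, so a host cycling through many non-existent usernames now produces identical "(unknown user)" lines and can no longer be told apart from a single mistyped login. Consider keeping the name but sending it through a separate syslog() call at a facility that is not written to a world-readable file, and leaving only the name-free message at LOG_NOTICE. Also, the unbraced "if (logging)" now governs a multi-line if/else; wrap its body in braces so the else cannot be misread or rebound by a later edit.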
>Release-Note:
>Audit-Trail:

From: Mike Heffner <mheffner@novacoxmail.com>
To: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Mon, 06 Aug 2001 21:38:28 -0400 (EDT)

 
 On 06-Aug-2001 Yoshihiro Koya wrote:
 | 
 | It might quite often happen that one types the password instead of the username 
 | into an ftp client by mistake.
 | In that case, ftpd(8) on FreeBSD logs the usernames into
 | /var/log/messages as follows
 
 But this information is sometimes relevant if you would like to be able to tell
 the difference between an attacker probing several different accounts and a
 normal user mistyping their username.
 
 | 
 |       Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass 
 | 
 | On the other hand, every user on the system can access /var/log/messages.
 | It might cause security related problems. 
 
 A better way might be to log the username info to a different facility, auth,
 authpriv or something that's not logged to a world readable file.
 
 Mike
 
 -- 
   Mike Heffner         <mheffner@[acm.]vt.edu>
   Fredericksburg, VA       <mikeh@FreeBSD.org>
 
 

From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: mheffner@vt.edu, mheffner@novacoxmail.com
Cc: Yoshihiro.Koya@math.yokohama-cu.ac.jp,
	FreeBSD-gnats-submit@freebsd.org
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Wed, 08 Aug 2001 14:40:45 +0900

 Hello,
 
 From: Mike Heffner <mheffner@novacoxmail.com>
 Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
 Date: Mon, 06 Aug 2001 21:38:28 -0400 (EDT)
 Message-ID: <XFMail.20010806213828.mheffner@novacoxmail.com>
 
 > On 06-Aug-2001 Yoshihiro Koya wrote:
 > | 
 > | It might quite often happen that one types the password instead of the username 
 > | into an ftp client by mistake.
 > | In that case, ftpd(8) on FreeBSD logs the usernames into
 > | /var/log/messages as follows
 > 
 > But this information is sometimes relevant if you would like to be able to tell
 > the difference between an attacker probing several different accounts and a
 > normal user mistyping their username.
 
 Yes. I agree with you. But, I thought at that time that the defect 
 that ftpd may leak the password is more harmful than the defect that
 I'm not able to distinguish the difference between a mistype and attacks.
 
 > | 
 > |       Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass 
 > | 
 > | On the other hand, every user on the system can access /var/log/messages.
 > | It might cause security related problems. 
 > 
 > A better way might be to log the username info to a different facility, auth,
 > authpriv or something that's not logged to a world readable file.
 
 I agree with you again. I think that your suggestion might be a 
 better one. 
 
 koya
State-Changed-From-To: open->analyzed 
State-Changed-By: ashp 
State-Changed-When: Thu Jan 17 18:57:16 PST 2002 
State-Changed-Why:  
While nobody has decided to commit this patch, the issue is potentially 
of issue to a junior hacker.  Therefore this patch gets moved to analyzed, 
rather than suspended. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29487 
State-Changed-From-To: analyzed->suspended 
State-Changed-By: ashp 
State-Changed-When: Mon Jan 21 07:13:32 PST 2002 
State-Changed-Why:  
Sheldon feels this is better filed as suspended. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29487 
State-Changed-From-To: suspended->patched 
State-Changed-By: yar 
State-Changed-When: Tue Feb 11 04:38:40 PST 2003 
State-Changed-Why:  
Since no junior hacker had arisen to deal with this problem, 
a somewhat older one decided to peek at it. 

Fixed in CURRENT in the way login(1) had been using since the beginning. 
Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29487 
Responsible-Changed-From-To: freebsd-bugs->yar 
Responsible-Changed-By: yar 
Responsible-Changed-When: Tue Feb 11 04:43:19 PST 2003 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29487 
State-Changed-From-To: patched->closed 
State-Changed-By: yar 
State-Changed-When: Fri Feb 14 04:43:12 PST 2003 
State-Changed-Why:  
STABLE ftpd(8) now logs bad usernames to LOG_AUTHPRIV, as does CURRENT one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29487 
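
The approach this report ends on (a name-free line in the general log, the typed name only at LOG_AUTHPRIV), shown in C as an added example; it is not the committed FreeBSD change. The log_record struct, the function names, the "ftpd-example" identity, the LOG_FTP default facility and the 32-byte name bound are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

struct log_record {
	int  priority;	/* facility | level, as passed to syslog(3) */
	char text[256];
};

/* General log entry: never contains what the client typed. */
static struct log_record public_record(const char *remotehost)
{
	struct log_record r = { LOG_NOTICE, "" };	/* facility comes from openlog() */
	snprintf(r.text, sizeof(r.text), "FTP LOGIN FAILED FROM %s", remotehost);
	return (r);
}

/* Restricted log entry: keeps the typed name so probing stays visible. */
static struct log_record private_record(const char *remotehost, const char *name)
{
	struct log_record r = { LOG_AUTHPRIV | LOG_NOTICE, "" };
	char safe[33];	/* assumed bound on the logged name */
	size_t i;

	/* Bound the client-supplied string and replace non-printable bytes. */
	for (i = 0; i < sizeof(safe) - 1 && name[i] != '\0'; i++)
		safe[i] = isprint((unsigned char)name[i]) ? name[i] : '?';
	safe[i] = '\0';
	snprintf(r.text, sizeof(r.text), "FTP LOGIN FAILED FROM %s, %s", remotehost, safe);
	return (r);
}

/* Emit both entries; syslogd routes them by facility. */
static void log_failed_login(const char *remotehost, const char *name)
{
	struct log_record pub = public_record(remotehost);
	struct log_record priv = private_record(remotehost, name);
	syslog(pub.priority, "%s", pub.text);
	syslog(priv.priority, "%s", priv.text);
}

int main(void)
{
	openlog("ftpd-example", LOG_PID, LOG_FTP);	/* constructed identity */
	log_failed_login("localhost", "mypass");	/* sample values from the report */
	closelog();
	return (0);
}
```

The separation only helps if syslogd routes the authpriv facility to a file that ordinary users cannot read.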
>Unformatted:
