Do not attempt to open reverse channel until authentication phase has

succeeded. Never allow the reverse channel to be to a privileged port. Cannidate for: 2.1 and 2.2 branches Reviewed by: pst (with local cleanups) Submitted by: Cy Shubert <cy@cwsys.cwent.com> Obtained from: Jaeger <jaeger@dhp.com> via BUGTRAQ
1996-11-19 18:03:16 +00:00 · 1996-11-19 18:03:16 +00:00 · 6c6cc60e38
commit 6c6cc60e38
parent 3d989d58d8
2 changed files with 30 additions and 17 deletions
--- a/libexec/rexecd/rexecd.8
+++ b/libexec/rexecd/rexecd.8
@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)rexecd.8	8.2 (Berkeley) 12/11/93
-.\"	$Id$
+.\"	$Id: rexecd.8,v 1.3 1996/09/22 21:54:42 wosch Exp $
 .\"
 .Dd September 23, 1994
 .Dt REXECD 8
@ -99,8 +99,11 @@ by
 .El
 .Sh CAVEATS
 .Nm Rexecd
-will no longer allow root logins, access for users listed in /etc/ftpusers,
-or access for users with no passwords, which were all serious security holes.
+will no longer allow root logins,
+access for users listed in /etc/ftpusers,
+access for users with no passwords,
+or reverse connections to privileged ports,
+which were all serious security holes.
 The entire concept of rexec/rexecd is a major security hole and an example
 of how not to do things.
 .Nm Rexecd
--- a/libexec/rexecd/rexecd.c
+++ b/libexec/rexecd/rexecd.c
@ -30,7 +30,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- *	$Id$
+ *	$Id: rexecd.c,v 1.8 1996/09/22 21:54:45 wosch Exp $
 */

 #ifndef lint
@ -153,18 +153,6 @@ doit(f, fromp)
 		port = port * 10 + c - '0';
 	}
 	(void) alarm(0);
-	if (port != 0) {
-		s = socket(AF_INET, SOCK_STREAM, 0);
-		if (s < 0)
-			exit(1);
-		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
-			exit(1);
-		(void) alarm(60);
-		fromp->sin_port = htons(port);
-		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
-			exit(1);
-		(void) alarm(0);
-	}
 	getstr(user, sizeof(user), "username");
 	getstr(pass, sizeof(pass), "password");
 	getstr(cmdbuf, sizeof(cmdbuf), "command");
@ -217,8 +205,30 @@ doit(f, fromp)
 		error("No remote directory.\n");
 		exit(1);
 	}
+
+	if (port != 0) {
+		if (port < IPPORT_RESERVED) {
+			syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d "
+					"client requested privileged port",
+					user, remote, port);
+			error("Privileged port requested for stderr info.\n");
+			exit(1);
+		}
+		s = socket(AF_INET, SOCK_STREAM, 0);
+		if (s < 0)
+			exit(1);
+		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
+			exit(1);
+		(void) alarm(60);
+		fromp->sin_port = htons(port);
+		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
+			exit(1);
+		(void) alarm(0);
+	}
+
 	(void) write(2, "\0", 1);
-	if (port) {
+
+	if (port != 0) {
 		(void) pipe(pv);
 		pid = fork();
 		if (pid == -1)  {