1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
<HTML>
<HEAD>
<TITLE>Tutorial - TFTP file access</TITLE>
<LINK REV="made" HREF="mailto:satan@fish.com">
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<H1><IMG SRC="../../images/satan.gif">TFTP file access</H1>
<HR>
<H3>Summary</H3>
File access via the TFTP service.
<H3>Impact</H3>
Unauthorized remote access to system or user files.
<H3>Background</H3>
The TFTP (trivial file transfer protocol) service provides remote
access to files, without asking for a password. It is typically used
for the initialization of diskless computers, of X terminals, or of
other dedicated hardware.
<H3>The problem</H3>
When the TFTP daemon does not limit access to specific files or hosts,
a remote intruder can use the service to obtain copies of the password
file or of other system or user files, or to remotely overwrite files.
<H3>Fix</H3>
<ul>
<li>Restrict TFTP access to only limited subtree of the file system.
Consult your tftpd manual pages for details.
<li>When no access restriction is possible, restrict TFTP access by
using a tcp wrapper.
</ul>
<H3>Other tips</H3>
<ul>
<li>See the
<a href="../../docs/admin_guide_to_cracking.html#tftp">Admin
Guide to Cracking</a> for an example of why this is a problem.
</ul>
</BODY>
</HTML>
|
