Linux NetKit

[ history security download ]

In the summer of 1996 I took over responsibility for the Linux NetKit package. This is the package that consists of such little-used and insignificant programs as telnet and finger.

Installing these things had always been a chancy business, all the way back to the days when there was NET1 and NET2 and you were lucky to get binaries that ran, much less source that would compile. Florian LaRoche's NetKit packages did a good job of reigning in that chaos. Finally there was one single authoritative source for most of the programs and there was a known place one could go and pick them up.

Unfortunately getting NetKits to compile was a bit of a chore, and Florian himself disappeared off the net for a while, so by June of 1996 there hadn't been any updates in a good while and various changes to the kernel and libc made the existing NetKit versions excessively hard to work with. More importantly, there was at least one outstanding security problem.

There had been a bunch of NetKits, but only NetKit-A and NetKit-B had wide distribution. NetKit-A was almost entirely just repackaging of things maintained by other people, while NetKit-B contained a pile of modified BSD code that had been maintained by Florian. Since most of the contents of NetKit-A had been updated separately since NetKit-A was last released, I simply killed off NetKit-A, and continued with just NetKit-B.

I released NetKit-B-0.07 in July of 1996, which fixed five security holes in different programs. One of these (in rlogin) had been known previously and was part of the motivation for finding the package a new maintainer. The other four I found myself in the course of preparing the release. More importantly (at least to some people) the July NetKit release compiled cleanly out of the box, even with a pile of gcc warning options enabled.

NetKit-B-0.08 was released in August, fixing more security problems and catching up on a backlog of changes and patches floating around the net. In September, for the next release, I decided to drop the now meaningless "B", and so the next version was simply NetKit-0.09, although it didn't actually appear until December.

NetKit 0.10 appeared in early 1997, but it doesn't quite exist in that form. After substantial debate I decided to split the NetKit package into about a dozen and a half components. These can now all be downloaded separately. The reasoning is that NetKit was never exactly *complete* - you needed a bunch of other stuff along with it to get a full system with network support - and for various reasons it wasn't ever going to be. So having everything bundled together wasn't especially meaningful, and if each distinct piece is packaged separately it's a lot easier to find the one particular thing you're looking for on an ftp archive. More importantly, the pieces can now be released and updated separately: there's no need for telnet to hold up fixes to inetd (like happened with the 0.09 release) so the turnaround time on security problems should be much lower now.

In the fall of 1997 I realized I was not doing a good enough job keeping things up to date. It was time to pass the torch on. I am no longer the NetKit maintainer. Please send NetKit-related correspondence to netbug@ftp.uk.linux.org.

Security

Naturally, since most of the NetKit programs are right at the point where untrusted offsite people interact with the system, security is a major consideration. Unfortunately, the BSD source the NetKit code derives from hasn't proven to be as solid as we might like.

Versions of NetKit prior to 0.09 should not be used under any circumstances. In general, it is unwise to use anything other than the latest version, which should now be higher than the last (0.10) release I made.

The following security issues appeared while I was maintainer:

Vulnerability to DNS spoofing buffer overflow attacks. There are at least two variations on this:
- Returning really long h_name results that end up used in string operations without bounds checking. (*)
- Returning really long h_addr results, with h_length set correspondingly.
Other buffer overrun problems (arguments, environment data, data received from the network, you name it...)
Symbolic link problems (and hard link problems).
Careless use of world-writeable areas such as /tmp.
Careless use of nonreentrant libc functions.
Missing checks for proper privilege before taking action.
Failure to drop privilege when appropriate (if not necessary).
Invoking the shell while setuid.
Incautious transmission of untrusted data to programs not expecting hostile input.
Denial of service from SYN/RST games with TCP.

The details can be found elsewhere.

(*) One of these, in ntalkd, became the subject of a CERT advisory (CA-97.04) in January 1997. You'll note I'm mentioned by name in the Linux vendor information, which is intentionally inaccurate -- the bug in question was fixed in NetKit-B-0.07, not 0.08, but 0.08 fixes other important bugs and we hoped to get more people to upgrade this way.

The sad part is that the information was public for six months before the CERT advisory appeared and most of the commercial vendors were still caught napping; it only became an issue because somebody posted an exploit script to alt.security. The frightening part is that a similar degree of inattention has been paid to an almost identical bug in telnetd I found and fixed at the same time... and there must be an exploit loose, it's only a minor change to the one for talkd. Be very afraid.

Download the NetKit

The official site is at ftp.uk.linux.org. Note that things are found in several subdirectories.
You can also get it from sunsite.unc.edu.

Linux NetKit

Security

Download the NetKit

15 juillet 1998