Do not attempt to open reverse channel until authentication phase has

succeeded.

Never allow the reverse channel to be to a privileged port.

Cannidate for:	2.1 and 2.2 branches

Reviewed by:	pst (with local cleanups)
Submitted by:	Cy Shubert <cy@cwsys.cwent.com>
Obtained from:	Jaeger <jaeger@dhp.com> via BUGTRAQ

2 files changed, 30 insertions, 17 deletions

diff --git a/libexec/rexecd/rexecd.8 b/libexec/rexecd/rexecd.8
index df89504..5103465 100644
--- a/libexec/rexecd/rexecd.8
+++ b/libexec/rexecd/rexecd.8
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)rexecd.8	8.2 (Berkeley) 12/11/93
-.\"	$Id$
+.\"	$Id: rexecd.8,v 1.3 1996/09/22 21:54:42 wosch Exp $
 .\"
 .Dd September 23, 1994
 .Dt REXECD 8
@@ -99,8 +99,11 @@ by
 .El
 .Sh CAVEATS
 .Nm Rexecd
-will no longer allow root logins, access for users listed in /etc/ftpusers,
-or access for users with no passwords, which were all serious security holes.
+will no longer allow root logins,
+access for users listed in /etc/ftpusers,
+access for users with no passwords,
+or reverse connections to privileged ports,
+which were all serious security holes.
 The entire concept of rexec/rexecd is a major security hole and an example
 of how not to do things.
 .Nm Rexecd
diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c
index 61f020a..2905129 100644
--- a/libexec/rexecd/rexecd.c
+++ b/libexec/rexecd/rexecd.c
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id$
+ *	$Id: rexecd.c,v 1.8 1996/09/22 21:54:45 wosch Exp $
  */
 
 #ifndef lint
@@ -153,18 +153,6 @@ doit(f, fromp)
 		port = port * 10 + c - '0';
 	}
 	(void) alarm(0);
-	if (port != 0) {
-		s = socket(AF_INET, SOCK_STREAM, 0);
-		if (s < 0)
-			exit(1);
-		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
-			exit(1);
-		(void) alarm(60);
-		fromp->sin_port = htons(port);
-		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
-			exit(1);
-		(void) alarm(0);
-	}
 	getstr(user, sizeof(user), "username");
 	getstr(pass, sizeof(pass), "password");
 	getstr(cmdbuf, sizeof(cmdbuf), "command");
@@ -217,8 +205,30 @@ doit(f, fromp)
 		error("No remote directory.\n");
 		exit(1);
 	}
+
+	if (port != 0) {
+		if (port < IPPORT_RESERVED) {
+			syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d "
+					"client requested privileged port",
+					user, remote, port);
+			error("Privileged port requested for stderr info.\n");
+			exit(1);
+		}
+		s = socket(AF_INET, SOCK_STREAM, 0);
+		if (s < 0)
+			exit(1);
+		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
+			exit(1);
+		(void) alarm(60);
+		fromp->sin_port = htons(port);
+		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
+			exit(1);
+		(void) alarm(0);
+	}
+
 	(void) write(2, "\0", 1);
-	if (port) {
+
+	if (port != 0) {
 		(void) pipe(pv);
 		pid = fork();
 		if (pid == -1)  {