
S-97-06.asc

Posted Jan 10, 2000

Subject ftpd race condition Date 29-Jan-97

SHA-256 | 55787802f3ae704930048903e036ad08f65810c72f1b893d9981372290b7a71d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen Index : S-97-06
Distribution : World Page : 1
Classification: External Version: 1
Subject : ftpd race condition Date : 29-Jan-97
===============================================================================

By courtesy of AUSCERT we received information on a vulnerability in
various implementations of the ftp daemon.

CERT-NL recommends checking the relevance of this advisory to your ftp
service software.

==============================================================================
AA-97.03 AUSCERT Advisory
ftpd Signal Handling Vulnerability
29 January 1997

Last Revised: --

---------------------------------------------------------------------------

AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.

This vulnerability may allow regular and anonymous ftp users to read or
write to arbitrary files with root privileges.

The vulnerabilities in ftpd affect various third party and vendor versions
of ftpd. AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

This advisory will be updated as more information becomes available.

---------------------------------------------------------------------------

1. Description

AUSCERT has received information concerning a vulnerability in some
vendor and third party versions of the Internet File Transfer Protocol
server, ftpd(8).

This vulnerability is caused by a signal handling routine increasing
process privileges to root, while still continuing to catch other
signals. This introduces a race condition which may allow regular,
as well as anonymous ftp, users to access files with root privileges.
Depending on the configuration of the ftpd server, this may allow
intruders to read or write to arbitrary files on the server.
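
The race described above can be reproduced safely in a small C program. This is an added example, not code from the advisory or from any vendor's ftpd: SIGUSR1, SIGUSR2 and the `elevated` flag (which stands in for a real switch to root) are constructed stand-ins, and blocking the other signal via `sa_mask` is shown as one general way to close the window, not as the fix any listed vendor applied.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <string.h>

/* Constructed stand-ins: SIGUSR1 is the handler that raises privileges,
 * SIGUSR2 is any other signal the daemon still catches. The flag replaces
 * a real seteuid(0) so the demo runs without root. */
static volatile sig_atomic_t elevated;      /* 1 while "running as root" */
static volatile sig_atomic_t ran_elevated;  /* other handler ran in window */

static void other_handler(int sig)
{
    (void)sig;
    if (elevated)
        ran_elevated = 1;  /* this path would execute with root privileges */
}

static void privileged_handler(int sig)
{
    (void)sig;
    elevated = 1;          /* stands in for raising privileges to root */
    raise(SIGUSR2);        /* a second signal arrives inside the window */
    elevated = 0;          /* stands in for dropping privileges again */
}

/* Returns 1 if the second handler ran inside the privileged window,
 * 0 if it did not, -1 on setup failure. */
int second_handler_ran_elevated(int block_others)
{
    struct sigaction priv, other;

    memset(&other, 0, sizeof other);
    other.sa_handler = other_handler;
    sigemptyset(&other.sa_mask);

    memset(&priv, 0, sizeof priv);
    priv.sa_handler = privileged_handler;
    sigemptyset(&priv.sa_mask);
    if (block_others)
        sigaddset(&priv.sa_mask, SIGUSR2);  /* defer it until we return */

    if (sigaction(SIGUSR2, &other, NULL) != 0 ||
        sigaction(SIGUSR1, &priv, NULL) != 0)
        return -1;
    elevated = 0;
    ran_elevated = 0;
    raise(SIGUSR1);
    return ran_elevated;
}
```

With `block_others` set, the second signal stays pending until the privileged handler has returned, so its handler only ever runs after privileges have been dropped.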

This attack requires an intruder to be able to make a network
connection to a vulnerable ftpd server.

Sites should be aware that the ftp services are often installed by
default. Sites can check whether they are allowing ftp services by
checking, for example, /etc/inetd.conf:

# grep -i '^ftp' /etc/inetd.conf

Note that on some systems the inetd configuration file may have a
different name or be in a different location. Please consult your
documentation if the configuration file is not found in
/etc/inetd.conf.

If your site is offering ftp services, you may be able to determine
the version of ftpd by checking the notice when first connecting.

The vulnerability status of specific vendor and third party ftpd
servers can be found in Section 3.

Information involving this vulnerability has been made publicly
available.

2. Impact

Regular and anonymous users may be able to access arbitrary files with
root privileges. Depending on the configuration, this may allow
anonymous, as well as regular, users to read or write to arbitrary
files on the server with root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately applying vendor patches if they are
available. Specific vendor information regarding this vulnerability
is given in Section 3.1.

If the ftpd supplied by your vendor is vulnerable and no patches are
available, sites may wish to install a third party ftpd which does
not contain the vulnerability described in this advisory (Section 3.2).

3.1 Vendor patches

The following vendors have provided information concerning the
vulnerability status of their ftpd distribution. Detailed information
has been appended in Appendix A. If your vendor is not listed below,
you should contact your vendor directly.

Berkeley Software Design, Inc.
Digital Equipment Corporation
The FreeBSD Project
Hewlett-Packard Corporation
IBM Corporation
The NetBSD Project
The OpenBSD Project
Red Hat Software

Washington University ftpd (Academ beta version)
Wietse Venema's logdaemon ftpd

3.2 Third party ftpd distributions

AUSCERT has received information that the following third party ftpd
distributions do not contain the signal handling vulnerability
described in this advisory:

wu-ftpd 2.4.2-beta-12
logdaemon 5.6 ftpd

Sites should ensure they are using the current version of this
software. Information on these distributions is contained in Appendix A.

Sites should note that these third party ftpd distributions may offer
some different functionality to vendor versions of ftpd. AUSCERT
advises sites to read the documentation provided with the above third
party ftpd distributions before installing.

...........................................................................

Appendix A

Berkeley Software Design, Inc. (BSDI)
=====================================

BSD/OS 2.1 is vulnerable to the ftpd problem described in this
advisory. Patches have been issued and may be retrieved via the
<patches@BSDI.COM> email server or from:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033


Digital Equipment Corporation
=============================

At the time of writing this document, patches (binary kits) are in
progress and final testing is expected to begin soon. Digital will
provide notice of the completion/availability of the kits through AES
services (DIA, DSNlink FLASH) and be available from your normal Digital
Support channel.


The FreeBSD Project
===================

The FreeBSD Project has informed AUSCERT that the vulnerability
described in this advisory has been fixed in FreeBSD-current (from
January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
release. All previous versions of FreeBSD are vulnerable.


Hewlett-Packard Corporation
===========================

Hewlett-Packard has informed AUSCERT that the ftpd distributed with
HP-UX 9.x and 10.x is vulnerable to this problem. Patches are
currently in process.


IBM Corporation
===============

The version of ftpd shipped with AIX is vulnerable to the conditions
described in the advisory. The following APARs will be available
shortly:

AIX 3.2: APAR IX65536
AIX 4.1: APAR IX65537
AIX 4.2: APAR IX65538

To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


The NetBSD Project
===================

NetBSD (all versions) have the ftpd vulnerability described in this
advisory. It has since been fixed in NetBSD-current. NetBSD have
also made patches available and they can be retrieved from:

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd


The OpenBSD Project
===================

OpenBSD 2.0 did have the vulnerability described in this advisory,
but has since been fixed in OpenBSD 2.0-current (from January 5, 1997).


Red Hat Software
================

The signal handling code in wu-ftpd has some security problems which
allow users to read all files on your system. A new version of wu-ftpd
is now available for Red Hat 4.0 which Red Hat suggests installing on
all of your systems. This new version uses the same fix posted to
redhat-list@redhat.com by Savochkin Andrey Vladimirovich. Users of
Red Hat Linux versions earlier than 4.0 should upgrade to 4.0 and then
apply all available security packages.

Users whose computers have direct internet connections may apply
this update by using one of the following commands:

Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm

SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm

All of these packages have been signed with Red Hat's PGP key.


wu-ftpd Academ beta version
===========================

The current version of wu-ftpd (Academ beta version), wu-ftpd
2.4.2-beta-12, does not contain the vulnerability described in this
advisory. Sites using earlier versions should upgrade to the current
version immediately. At the time of writing, the current version can
be retrieved from:

ftp://ftp.academ.com/pub/wu-ftpd/private/


logdaemon Distribution
======================

The current version of Wietse Venema's logdaemon (5.6) package contains
an ftpd utility which addresses the vulnerability described in this
advisory. Sites using earlier versions of this package should
upgrade immediately. The current version of the logdaemon package
can be retrieved from:

ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/

The MD5 checksum for Version 5.6 of the logdaemon package is:

MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368

---------------------------------------------------------------------------
AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson
Research) and Stan Barber (Academ Consulting Services) for their
contributions in finding solutions to this vulnerability. Thanks also to
Dr Leigh Hume (Macquarie University), CERT/CC, and DFNCERT for their
assistance in this matter. AUSCERT also thanks those vendors that provided
feedback and patch information contained in this advisory.
---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6ISDSYjBqwfc9jEQKeEgCfREo50ucl1B/HH5JMbaYlB3ILmEYAoIGM
mo6TQSzmw0MJ7TXwHKZRWk2p
=SOJP
-----END PGP SIGNATURE-----