
assist.1999-0003.remote_ftp

Posted Sep 23, 1999


MD5 | 40a4be486e83fe906dac369d4cda8400


From owner-csa@sprocket.nosc.MIL Sat Feb 27 14:43:18 1999
From: owner-csa@sprocket.nosc.MIL
To: CSA-List@sprocket.nosc.MIL
Date: Tue, 16 Feb 1999 07:07:21 -0500
Subject: IAVA 1999-0003 Remote FTP Vulnerability

Automated Systems Security Incident Support Team (ASSIST)

Advisory 1999-0003

Release date: 11 Feb 1999

TOPIC: Remote FTP Vulnerability

DESCRIPTION: ASSIST has been informed that a number of add-on
FTP servers have a vulnerability that is remotely exploitable.
This vulnerability is due to a programming flaw that allows an
intruder to execute arbitrary code on the victim system.

PLATFORM: Any system with an installation of a vulnerable FTP server
(see attached bulletin).

IMPACT: An intruder could gain unrestricted access to a system as
a result of this vulnerability.

SOLUTION: If your site is running one of the mentioned FTP servers,
upgrade immediately to a patched version. Refer to the attached
bulletin for vendor information.

A site can test for this vulnerability by checking the header of all
systems running an FTP server. The server type and version number should
be listed.

--------------- Attached Bulletin ------------------------

Netect, Inc.
General Public Security Advisory

% Advisory: palmetto.ftpd
% Issue date: February 9, 1999
% Revision: February 8, 1999
% Contact: Jordan Ritter <jpr5@netect.com>


[Topic]

Remote buffer overflows in various FTP servers lead to potential root
compromise.


[Affected Systems]

Any server running the latest version of ProFTPD (1.2.0pre1) or the
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]). wu-ftpd is
installed and enabled by default on most Linux variants such as RedHat
and Slackware Linux. ProFTPD is new software recently adopted by many
major internet companies for its improved performance and reliability.

Investigation of this vulnerability is ongoing; the following lists
software and operating systems for which Netect has definitive
information.


[Overview]

Software that implements FTP is called an "ftp server", "ftp daemon",
or "ftpd". On most vulnerable systems, the ftpd software is enabled
and installed by default.

There is a general class of vulnerability that exists in several
popular ftp servers. Due to insufficient bounds checking, it is
possible to subvert an ftp server by corrupting its internal stack
space. By supplying carefully designed commands to the ftp server,
intruders can force the server to execute arbitrary commands with
root privilege.

On most vulnerable systems, the ftpd software is installed and enabled
by default.


[Impact]

Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote ftp server with root privilege.


[Solution]

Currently there are several ways to exploit the ftp servers in
question. One temporary workaround against an anonymous attack is to
disable any world writable directories the user may have access to by
making them read only. This will prevent an attacker from building an
unusually large path, which is required in order to execute these
particular attacks.
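An audit of the workaround above, added here as an example and not part of the ASSIST or Netect text: it lists world-writable directories under an anonymous FTP root and, on request, clears their write bits. The root path and the reading of "read only" as clearing owner, group and other write bits are assumptions.

```python
import os
import stat

# Assumption: "read only" means no write bit for owner, group or other.
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def world_writable_dirs(ftp_root):
    """Return sorted (path, mode) pairs for directories with the other-write bit set."""
    found = []
    # os.walk does not descend into symlinked directories by default.
    for dirpath, _dirs, _files in os.walk(ftp_root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            found.append((dirpath, stat.S_IMODE(mode)))
    return sorted(found)


def make_read_only(ftp_root, apply=False):
    """Plan the mode change for each world-writable directory; chmod only if apply."""
    plan = []
    for path, mode in world_writable_dirs(ftp_root):
        new_mode = mode & ~WRITE_BITS  # sticky/setgid bits are preserved
        plan.append((path, oct(mode), oct(new_mode)))
        if apply:
            os.chmod(path, new_mode)
    return plan


if __name__ == "__main__":
    # "/home/ftp" is a placeholder for the site's anonymous FTP root.
    for path, old, new in make_read_only("/home/ftp"):
        print(f"{path}: {old} -> {new}")
```

With `apply=False` (the default) nothing is changed, so the plan can be reviewed before upload areas are locked.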

The permanent solution is to install a patch from your Vendor, or
locate one provided by the Software's author or maintainer. See
Appendices A and B for more specific information.

Netect strongly encourages immediate upgrade and/or patching where
available.

Netect provides a strong software solution for the automatic detection
and removal of security vulnerabilities. Current HackerShield
customers can protect themselves from this vulnerability by either
visiting the Netect website and downloading the latest RapidFire(tm)
update, or by enabling automatic RapidFire(tm) updates (no user
intervention required).

Interested in protecting your network today? Visit the Netect website
at http://www.netect.com/ and download a FREE 30 day copy of
HackerShield, complete with all the latest RapidFire(tm) updates to
safeguard your network from hackers.


[Appendix A, Software Information]

% ProFTPD

Current version: 1.2.0pre1, released October 19, 1998.
All versions prior to 1.2.0pre1: vulnerable.
Fix: will be incorporated into 1.2.0pre2.

Currently recommended action: upgrade to the new version when it
becomes available, or apply the version 1.2.0pre1 patch found at:

ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit.patch

% wu-ftpd

Current version: 2.4.2 (beta 18), unknown release date.
All versions through 2.4.2 (beta 18): vulnerability dependent upon
target platform, probably vulnerable either due to OS-provided
runtime vulnerability or through use of replacement code supplied
with the source kit. No patches have been made available.
Fix: unknown.

Currently recommended action: Upgrade to wu-ftpd VR series.

% wu-ftpd VR series

Current version: 2.4.2 (beta 18) VR12, released January 1, 1999.
All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
Fix: incorporated into VR10, released November 1, 1998.

Available from:
ftp://ftp.vr.net/pub/wu-ftpd/
Filenames:
wu-ftpd-2.4.2-beta-18-vr12.tar.Z
wu-ftpd-2.4.2-beta-18-vr12.tar.gz

% BeroFTPD [NOT vulnerable]

Current version: 1.3.1, released December 20, 1998.
All versions prior to 1.2.0: vulnerable.
Fix: incorporated into 1.2.0, released October 26, 1998.

Available from:
ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/
ftp://ftp.croftj.net/usr/bero/BeroFTPD/
ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/
ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/
Filename:
BeroFTPD-1.3.1.tar.gz

% NcFTPd [NOT vulnerable]

Current version: 2.3.5, released January 6, 1999.
All versions prior to 2.3.4: unknown.

Available from:
http://www.ncftp.com/download/

Notes:

% NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug
that results in the loss of the server's ability to log
activity.

% This bug cannot be exploited to gain unintended or privileged
access to a system running the NcFTPd 2.3.4 (libc5) ftp
server, as tested.

% The bug was reproducible only on a libc5 Linux system. The
Linux glibc version of NcFTPd 2.3.4 ftp server is NOT
vulnerable.

% The bug does not appear to be present in the latest version,
NcFTPd 2.3.5. Affected users may upgrade free of charge
to the latest version.


Thanks go to Gregory Lundberg for providing the information regarding
wu-ftpd and BeroFTPD.
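The header check suggested in the ASSIST cover note, applied with the version thresholds from Appendix A, as an added example that is not code from ASSIST, Netect or any of the listed projects. The banner layouts and host names are constructed samples; real greeting formats vary by build and can be changed by the administrator, so a match is a triage hint, not proof.

```python
import re

INF = float("inf")


def _nums(*parts):
    return tuple(int(p) for p in parts)


def classify_banner(banner):
    """Map one FTP 220 greeting to (product, status) using Appendix A."""
    m = re.search(r"ProFTPD (\d+)\.(\d+)\.(\d+)(?:pre(\d+))?", banner)
    if m:
        # A final release sorts after any preN of the same version.
        pre = int(m.group(4)) if m.group(4) else INF
        key = _nums(*m.group(1, 2, 3)) + (pre,)
        # Fix lands in 1.2.0pre2; a patched 1.2.0pre1 looks the same
        # as an unpatched one in the banner, so it is reported vulnerable.
        return "ProFTPD", "fixed" if key >= (1, 2, 0, 2) else "vulnerable"
    m = re.search(r"BeroFTPD (\d+)\.(\d+)\.(\d+)", banner)
    if m:
        return "BeroFTPD", "fixed" if _nums(*m.groups()) >= (1, 2, 0) else "vulnerable"
    m = re.search(r"wu-(\d+)\.(\d+)\.(\d+)-VR(\d+)", banner)
    if m:
        return "wu-ftpd VR", "fixed" if int(m.group(4)) >= 10 else "vulnerable"
    m = re.search(r"wu-(\d+)\.(\d+)\.(\d+)", banner)
    if m:
        # The advisory covers versions through 2.4.2 (beta 18) only.
        old = _nums(*m.groups()) <= (2, 4, 2)
        return "wu-ftpd", "probably vulnerable" if old else "unknown"
    if "NcFTPd" in banner:
        # Version not parsed here; the advisory lists pre-2.3.4 as unknown.
        return "NcFTPd", "check version"
    return "unknown", "unknown"


def needs_upgrade(inventory):
    """Return hosts whose banner maps to a vulnerable status, sorted."""
    bad = ("vulnerable", "probably vulnerable")
    return sorted(h for h, b in inventory.items() if classify_banner(b)[1] in bad)


# Constructed sample inventory (host -> greeting line), not real systems.
SAMPLE_BANNERS = {
    "ftp-a.example": "220 ftp-a FTP server (Version wu-2.4.2-academ[BETA-18](1)) ready.",
    "ftp-b.example": "220 ftp-b FTP server (Version wu-2.4.2-VR12(1)) ready.",
    "ftp-c.example": "220 ProFTPD 1.2.0pre1 Server (ProFTPD) [ftp-c.example]",
    "ftp-d.example": "220 ftp-d FTP server (BeroFTPD 1.3.1(1)) ready.",
    "ftp-e.example": "220 ftp-e FTP server (Version wu-2.4.2-VR9(1)) ready.",
}
```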


[Appendix B, Vendors]

% RedHat Software, Inc.

% RedHat Version 5.2 and previous versions ARE vulnerable.

Updates will be available from:
ftp://updates.redhat.com/5.2/<arch>/
Filename:
wu-ftpd-2.4.2b18-2.1.<arch>.rpm

% Walnut Creek CDROM and Patrick Volkerding

% Slackware All versions ARE vulnerable.

Updates will be available from:
ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/
ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/
Filenames
tcpip1.tgz (3.6) [971a5f57bec8894364c1e0d358ffbfd4]
tcpip1.tgz (current) [c7460a456fcbf19afb49af8c8422ecbc]

% Caldera Systems, Inc.

% OpenLinux Latest version IS vulnerable

Updates will be available from:
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/

% SCO

% UnixWare Version 7.0.1 and earlier (except 2.1.x) IS vulnerable.
% OpenServer Versions 5.0.5 and earlier IS vulnerable.
% CMW+ Version 3.0 is NOT vulnerable.
% Open Desktop/Server Version 3.0 is NOT vulnerable.

Binary versions of ftpd will be available shortly from the SCO ftp
site:
ftp://ftp.sco.com/SSE/sse021.ltr - cover letter
ftp://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries

Notes:

This fix is a binary for the following SCO operating systems:

% SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)
% SCO OpenServer 5.0.5 and earlier releases

For the latest security bulletins and patches for SCO products,
please refer to http://www.sco.com/security/.

% IBM Corporation

% AIX Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.

% Hewlett-Packard

% HPUX Versions 10.x and 11.x ARE NOT vulnerable.

HP is continuing their investigation.

% Sun Microsystems, Inc.

% SunOS All versions ARE NOT vulnerable.
% Solaris All versions ARE NOT vulnerable.

% Microsoft, Inc.

% IIS Versions 3.0 and 4.0 ARE NOT vulnerable.

% Compaq Computer Corporation

% Digital UNIX V40b - V40e ARE NOT vulnerable.
% TCP/IP(UCX) for OpenVMS V4.1, V4.2, V5.0 ARE NOT vulnerable.

% Silicon Graphics, Inc. (SGI)

% IRIX and Unicos

Currently, Silicon Graphics, Inc. is investigating and no further
information is available for public release at this time.

As further information becomes available, additional advisories
will be issued via the normal SGI security information distribution
method including the wiretap mailing list.

Silicon Graphics Security Headquarters
http://www.sgi.com/Support/security/

% NetBSD

% NetBSD All versions ARE NOT vulnerable.


[Appendix C, Netect Contact Information]

Copyright (c) 1999 by Netect, Inc.

The information contained herein is the property of Netect, Inc.

The contact for this advisory is Jordan Ritter <jpr5@netect.com>. PGP
signed/encrypted email is preferred.

Visit http://www.netect.com/ for more information.



___________________________
ASSIST CONTACT INFORMATION:

NIPRNET E-mail: assist@assist.mil
SIPRNET E-mail: assist@assist.disa.smil.mil
Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline
Fax: (703) 607-4735 (DSN 327-4735) Unclassified

ASSIST Bulletins, tools and other security related information are
available from:
http://www.assist.mil/
http://www.assist.disa.smil.mil
ftp://ftp.assist.mil/

____
OTHER DoD CERT CONTACT INFORMATION:
Air Force CERT Phone: (800) 854-0187
Air Force CERT Email: afcert@afcert.csap.af.mil

Navy CIRT Phone: (800) 628-8893
Navy CIRT Email: navcirt@fiwc.navy.mil

Army CERT Phone: (888) 203-6332
Army CERT Email: acert@vulcan.belvoir.army.mil


Back issues of ASSIST bulletins, and other security related
information, are available through anonymous FTP from ftp.assist.mil (IP
address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP
connections from NIPRNET addresses that are registered with the NIC
or DNS. If your system is not registered, you must provide your
NIPRNET IP address to ASSIST before access can be provided.

ASSIST uses Pretty Good Privacy (PGP) as the digital signature
mechanism for bulletins. PGP incorporates the RSAREF(tm)
Cryptographic Toolkit under license from RSA Data Security, Inc. A
copy of that license is available via anonymous FTP from
net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In
accordance with the terms of that license, PGP may be used for
non-commercial purposes only. Instructions for downloading the PGP
software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP and RSAREF may be subject to the export
control laws of the United States of America as implemented by the
United States Department of State Office of Defense Trade Controls.
The PGP signature information will be attached to the end of ASSIST
bulletins.

Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
constitute or imply its endorsement, recommendation, or favoring by
ASSIST. The views and opinions of authors expressed herein shall not
be used for advertising or product endorsement purposes.

