=============================================================================
SA-94.01 SERT Advisory
18-Apr-1994
ftpd configuration advice
-----------------------------------------------------------------------------
The Security Emergency Response Team has received information that
certain configurations for the Washington University ftpd may leave
the system open to compromise. This vulnerability may also exist for
other versions of ftp.
1. Description
. The vulnerability is not enabled by default.
. The default configuration must be changed to cause the vulnerability.
. You must explicitly enable the SITE EXEC facility with the modified
configuration to cause the vulnerability.
. The vulnerability may exist even if you do not offer anonymous ftp
services.
. The potential for the vulnerability is platform independent.
. Although this Advisory mentions the wu-ftpd specifically, the
vulnerability may also be present in similar form in other versions of
ftp.
If you enable the SITE EXEC commands and allow files from ~ftp/bin,
~ftp/usr/bin, ~ftp/sbin, or similar directory configurations to be
executed, then you may have the vulnerability. If the pathname for
SITE EXEC commands relative to ~ftp is a directory that contains system
commands or includes a shell (e.g., ~ftp/bin -> /bin), then it is
possible for local users to gain root access. The exact directory
configurations that cause the vulnerability are dependent on the
platform and local configuration.
The rest of this Advisory is specifically targeted at the Washington
University archive ftp daemon configuration (wu-ftpd), although the
vulnerability may exist in other versions of ftp which use similar
configurations for the SITE EXEC facility.
In the configuration file src/pathnames.h, if you have modified the
_PATH_EXECPATH definition from its default setting of "/bin/ftp-exec"
to point to "/bin" or any other system directory containing executable
images, then you may have the vulnerability. The documentation states
that this directory is relative to ~ftp. This is misleading. The
pathname is relative to ~ftp for anonymous users only, and is relative
to "/" for normal user sessions. Some ftp service administrators
change their configuration to "/bin" to allow commands such as
"/bin/ls" to be executed.
For this example we assume that _PATH_EXECPATH has been changed to
point to "/bin" on a SunOS 4.x system. To test your configuration to
see if you are vulnerable, you can execute the following commands:
srchost> ftp ftphost
Connected to ftphost
220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 GMT+1000 1994) ready.
Name (srchost:user):
331 Password required for user.
Password:
230 User user logged in.
ftp> quote site exec echo problem
200-echo problem
200-problem
200 (end of 'echo problem')
ftp> quit
221 Goodbye.
srchost>
If you receive the line "200-problem", then your site is vulnerable.
Note that this does not work for anonymous ftp access.
If you have the vulnerability and you are unsure how to rectify it
immediately, you should disable your ftp daemon until the configuration
can be corrected.
2. Impact
Anyone who has a local account on the system offering ftp services with
the vulnerable configuration may gain root access. Support for
anonymous ftp access is not required to exploit this vulnerability.
3. Solution
Ensure that you do not allow files stored in standard system
directories to be executed by the SITE EXEC command.
If you wish to enable the SITE EXEC facility, then you should create a
configuration similar to the following:
a) Ensure that the _PATH_EXECPATH definition in pathnames.h is
"/bin/ftp-exec" and not "/bin" or any other system directory
containing a shell
b) Create ~ftp/bin/ftp-exec
c) Copy the statically linked binaries that you want available for
execution by SITE EXEC into the ~ftp/bin/ftp-exec directory
d) If you want the DIR ftp command, you will need a hard link from
~ftp/bin/ls to ~ftp/bin/ftp-exec/ls or a copy of ls in ~ftp/bin
This much enables SITE EXEC commands for anonymous users only.
e) If you want SITE EXEC facilities to be available to normal ftp
users, create a symbolic link from /bin/ftp-exec to
~ftp/bin/ftp-exec
You should follow file ownership, group membership and permissions
strictly according to your documentation.
SERT recommends that you stay with the default configuration of wu-ftpd
for the SITE EXEC facility. The INSTALL documentation indicates (by
**) that the _PATH_EXECPATH is relative to ~ftp. This is misleading
and only correct for anonymous ftp access. The path is relative to "/"
for normal user access.
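An audit script matching the check in section 1 and the recommended layout in section 3, added here as an example and not part of the advisory or the wu-ftpd distribution: it reads _PATH_EXECPATH from a pathnames.h, flags a setting that names a system directory, and looks for a shell at both the normal-user resolution of that path (from "/") and the anonymous one (from ~ftp). The location of pathnames.h, the ~ftp root and the list of shell names checked are assumptions.

```shell
#!/bin/sh
# Added example (not the advisory's or wu-ftpd's own code): audit the
# _PATH_EXECPATH setting in a wu-ftpd src/pathnames.h and the directories
# it resolves to for normal users (from "/") and anonymous users (from ~ftp).

# Print the quoted value of _PATH_EXECPATH from a pathnames.h file; empty if absent.
get_execpath() {
    sed -n 's/^[[:space:]]*#define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify the setting: default (/bin/ftp-exec), system-dir (the setting the
# advisory warns about), unset, or other.
execpath_status() {
    p=$(get_execpath "$1")
    [ -n "$p" ] || { echo unset; return 0; }
    case "${p%/}" in
        /bin/ftp-exec) echo default ;;
        /bin|/usr/bin|/sbin|/usr/sbin|/usr/ucb|/etc) echo system-dir ;;
        *) echo other ;;
    esac
}

# Print the names of common shells present in a directory (assumed list; nothing if none).
shells_in() {
    for s in sh csh ksh bash tcsh zsh; do
        [ -f "$1/$s" ] && echo "$s"
    done
    return 0
}

# Audit one installation: $1 = pathnames.h, $2 = ~ftp (anonymous ftp root).
# Prints one line per finding and returns 1 if anything was flagged, else 0.
audit_site_exec() {
    rc=0
    p=$(get_execpath "$1"); p=${p%/}
    if [ -z "$p" ]; then echo "FLAG: no _PATH_EXECPATH in $1"; return 1; fi
    if [ "$(execpath_status "$1")" = system-dir ]; then
        echo "FLAG: _PATH_EXECPATH=$p is a system directory"; rc=1
    fi
    # Normal user sessions resolve the path from "/", anonymous sessions from ~ftp.
    for root in "" "$2"; do
        for s in $(shells_in "$root$p"); do
            echo "FLAG: shell '$s' present in SITE EXEC directory $root$p"; rc=1
        done
    done
    return $rc
}
```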
----------------------------------------------------------------------------
The SERT team wishes to thank Jeff Aitken of Virginia Tech and Rob McMillan
from Griffith University for their advice and cooperation in this matter.
----------------------------------------------------------------------------
If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: sert@sert.edu.au
Facsimile: (07) 365 4477
SERT Hotline: (07) 365 4417
SERT personnel answer during business hours (AEST - GMT+10:00).
(On call after hours for emergencies).
Security Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld. 4072.
Australia.