
94-01

Posted Sep 23, 1999


SHA-256 | 95f7f0c09f606867f1aaf5200f6e1ec6b8b30b5cb579323f81937de7dbfddf44

=============================================================================
SA-94.01 SERT Advisory
18-Apr-1994
ftpd configuration advice
-----------------------------------------------------------------------------

The Security Emergency Response Team has received information that
certain configurations for the Washington University ftpd may leave
the system open to compromise. This vulnerability may also exist for
other versions of ftp.

1. Description

  . The vulnerability is not enabled by default.
  . The default configuration must be changed to cause the vulnerability.
  . You must explicitly enable the SITE EXEC facility with the modified
    configuration to cause the vulnerability.
  . The vulnerability may exist even if you do not offer anonymous ftp
    services.
  . The potential for the vulnerability is platform independent.
  . Although this Advisory mentions the wu-ftpd specifically, the
    vulnerability may also be present in similar form in other versions of
    ftp.

If you enable the SITE EXEC commands and allow files from ~ftp/bin,
~ftp/usr/bin, ~ftp/sbin, or similar directory configurations to be
executed, then you may have the vulnerability. If the pathname for
SITE EXEC commands relative to ~ftp is a directory that contains system
commands or includes a shell (e.g., ~ftp/bin -> /bin), then it is
possible for local users to gain root access. The exact directory
configurations that cause the vulnerability are dependent on the
platform and local configuration.

The rest of this Advisory is specifically targeted at the Washington
University archive ftp daemon configuration (wu-ftpd), although the
vulnerability may exist in other versions of ftp which use similar
configurations for the SITE EXEC facility.

In the configuration file src/pathnames.h, if you have modified the
_PATH_EXECPATH definition from its default setting of "/bin/ftp-exec"
to point to "/bin" or any other system directory containing executable
images, then you may have the vulnerability. The documentation states
that this directory is relative to ~ftp. This is misleading. The
pathname is relative to ~ftp for anonymous users only, and is relative
to "/" for normal user sessions. Some ftp service administrators
change their configuration to "/bin" to allow commands such as
"/bin/ls" to be executed.

For this example we assume that _PATH_EXECPATH has been changed to
point to "/bin" on a SunOS 4.x system. To test your configuration to
see if you are vulnerable, you can execute the following commands:

    srchost> ftp ftphost
    Connected to ftphost
    220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 GMT+1000 1994) ready.
    Name (srchost:user):
    331 Password required for user.
    Password:
    230 User user logged in.
    ftp> quote site exec echo problem
    200-echo problem
    200-problem
    200 (end of 'echo problem')
    ftp> quit
    221 Goodbye.
    srchost>

If you receive the line "200-problem", then your site is vulnerable.
Note that this does not work for anonymous ftp access.

If you have the vulnerability and you are unsure how to rectify it
immediately, you should disable your ftp daemon until the configuration
can be corrected.

2. Impact

Anyone who has a local account on the system offering ftp services with
the vulnerable configuration may gain root access. Support for
anonymous ftp access is not required to exploit this vulnerability.

3. Solution

Ensure that you do not allow files stored in standard system
directories to be executed by the SITE EXEC command.

If you wish to enable the SITE EXEC facility, then you should create a
configuration similar to the following:

  a) Ensure that the _PATH_EXECPATH definition in pathnames.h is
     "/bin/ftp-exec" and not "/bin" or any other system directory
     containing a shell
  b) Create ~ftp/bin/ftp-exec
  c) Copy the statically linked binaries that you want available for
     execution by SITE EXEC into the ~ftp/bin/ftp-exec directory
  d) If you want the DIR ftp command, you will need a hard link from
     ~ftp/bin/ls to ~ftp/bin/ftp-exec/ls or a copy of ls in ~ftp/bin

This much enables SITE EXEC commands for anonymous users only.

  e) If you want SITE EXEC facilities to be available to normal ftp
     users, create a symbolic link from /bin/ftp-exec to
     ~ftp/bin/ftp-exec

You should follow file ownership, group membership and permissions
strictly according to your documentation.

SERT recommends that you stay with the default configuration of wu-ftpd
for the SITE EXEC facility. The INSTALL documentation indicates (by
**) that the _PATH_EXECPATH is relative to ~ftp. This is misleading
and only correct for anonymous ftp access. The path is relative to "/"
for normal user access.
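
The check in section 1 and the layout in section 3 can also be audited
offline from the build tree and the filesystem. The script below is an
added example, not part of the SERT advisory or of wu-ftpd. Its function
names, the SHELLS and SYSDIRS lists and the optional ROOT staging prefix
are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the SITE EXEC directory configured for wu-ftpd.
# Usage: audit_execpath PATHNAMES_H FTP_HOME [ROOT]
#   ROOT prefixes every filesystem lookup so a staged copy can be audited.
# Returns 0 if clean, 1 if a risky setting is found, 2 if no definition.

# Assumed lists; extend them for the local platform.
SHELLS="sh csh ksh bash tcsh zsh"
SYSDIRS="/bin /usr/bin /sbin /usr/sbin /etc /usr/etc /usr/ucb"

get_execpath() {
    # Extract the quoted value of: #define _PATH_EXECPATH "/bin/ftp-exec"
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

check_dir() {   # check_dir LABEL DIR: report any shell reachable in DIR
    label=$1 dir=$2 bad=0
    [ -d "$dir" ] || { echo "$label: $dir not present"; return 0; }
    for s in $SHELLS; do
        # -e follows symbolic links, so ftp-exec -> /bin is caught as well
        if [ -e "$dir/$s" ]; then
            echo "$label: shell '$s' reachable in $dir"
            bad=1
        fi
    done
    return $bad
}

audit_execpath() {
    hdr=$1 ftphome=$2 root=${3:-} rc=0
    p=$(get_execpath "$hdr")
    [ -n "$p" ] || { echo "no _PATH_EXECPATH definition in $hdr"; return 2; }
    case " $SYSDIRS " in
        *" $p "*) echo "_PATH_EXECPATH is the system directory $p"; rc=1 ;;
    esac
    # Anonymous sessions resolve the path under ~ftp; normal users under "/".
    check_dir "anonymous" "$root$ftphome$p" || rc=1
    check_dir "normal-user" "$root$p" || rc=1
    return $rc
}

# Run directly:  sh audit.sh src/pathnames.h /home/ftp
if [ "$#" -ge 2 ]; then audit_execpath "$@"; fi
```

A non-zero exit status means the configured directory either is a system
directory or exposes a shell to one of the two session types.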

----------------------------------------------------------------------------
The SERT team wishes to thank Jeff Aitken of Virginia Tech and Rob McMillan
from Griffith University for their advice and cooperation in this matter.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: sert@sert.edu.au
Facsimile: (07) 365 4477
SERT Hotline: (07) 365 4417
SERT personnel answer during business hours (AEST - GMT+10:00).
(On call after hours for emergencies).

Security Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld. 4072.
Australia.

