SA-1997.28.txt
8fd77c96708c608d01c2569154d350782051b413120d0187e225a7b038c9f14c
-----BEGIN PGP SIGNED MESSAGE-----
Subject: Caldera Security Advisory SA-1997.28: Vulnerability in netkit-ftp
Caldera Security Advisory SA-1997.28
Original report date: 05-Aug-1997
RPM build date: 19-Nov-1997
Advisory issue date: 03-Dec-1997
Topic: Vulnerability in the netkit-ftp-0.10-3.i386.rpm package
I. Problem Description
On most Unix platforms when an FTP client processes an MGET command,
it does not check the FTP server's response to the NLST command. It is
possible that a malicious FTP server's NLST response might include
lines to create files useful in a later attack on the client machine.
Such files could be created anywhere the client user has write
permission on the client machine.
II. Impact
On systems such as Caldera OpenLinux 1.1, use of FTP by an
unprivileged user to a malicious site could result in the
creation of files that would allow later attacks. Ultimately
an attacker could gain root privileges.
This problem was present on the following OpenLinux releases:
CND 1.0
Base 1.0
Lite 1.1
Base 1.1
Standard 1.1
To determine if you are affected and need this update you may do
the following:
rpm -q netkit-ftp
If the results do not show netkit-ftp-0.10-3 or later then you
are vulnerable.
CND 1.0 installations: Please note that the following operations
require prior installation of the rpm update at:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-update.README
Users of OpenLinux 1.0 should update to 1.1 first.
III. Solution
The solution to this problem requires the installation of a version
of netkit-ftp which compares all file names returned by the server
to the user-specified pattern and ignores those that do not match.
A side effect of this fix is that retrieving all files in the
current directory using "mget ." will now fail. The user will need
to type "mget *" to obtain the desired result.
The needed files are located on Caldera's FTP server (ftp.caldera.com):
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/
and
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/
for the source.
Their MD5 checksums are:
07563fc1b1bfdec1deea57d34e4c0411 RPMS/netkit-ftp-0.10-3.i386.rpm
fc3206d88fd982d7b91508eb1b42b96b SRPMS/netkit-ftp-0.10-3.src.rpm
These instructions are only valid for users that have previously
updated their system to the new netkit package located in the
directories listed above.
rpm -U netkit-ftp-0.10-3.i386.rpm
IV. References / Credits
This advisory is based on the BUGTRAQ post with message ID
<9708050647.AA02330@yaz-pistachio.MIT.EDU>
posted by mhpower@MIT.EDU on 5-Aug-1997.
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/security/
This security alert closes Caldera's internal problem report #878
V. PGP Signature
This message was signed with the PGP key for <security@caldera.com>.
This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/
$Id: SA-1997.28,v 1.3 1997/12/03 23:13:14 ron Exp ron $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNIXnwen+9R4958LpAQHuigP+LsZQIhKM3qQfI/przsYaERUgYIGQTp5/
XJFXyuqysf9D+wOyjQc12cDV/FVicEHxdKg3tPWCBfOdLcpwlrsErAaEolSDvaAl
AXmCtzZDysmyOoxVQCSo7T/3Ewz8oDPt8b8lZHnR7xef8bieME4wpP/Ef69pX7cY
5oRhGTi2NVg=
=uVhH
-----END PGP SIGNATURE-----