SA-1997.28.txt

Posted Sep 23, 1999

SHA-256 | 8fd77c96708c608d01c2569154d350782051b413120d0187e225a7b038c9f14c

-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.28: Vulnerability in netkit-ftp

Caldera Security Advisory SA-1997.28

Original report date: 05-Aug-1997
RPM build date: 19-Nov-1997
Advisory issue date: 03-Dec-1997

Topic: Vulnerability in the netkit-ftp-0.10-3.i386.rpm package


I. Problem Description

On most Unix platforms, when an FTP client processes an MGET command it
sends an NLST request for the user's pattern and then retrieves every
name the server returns, without checking that those names actually
match the pattern. A malicious FTP server can therefore return an NLST
response containing names chosen so that the client creates files useful
in a later attack on the client machine. Such files could be created
anywhere the client user has write permission on the client machine.


II. Impact

On systems such as Caldera OpenLinux 1.1, use of FTP by an
unprivileged user to a malicious site could result in the
creation of files that would allow later attacks. Ultimately
an attacker could gain root privileges.

This problem was present on the following OpenLinux releases:

CND 1.0
Base 1.0
Lite 1.1
Base 1.1
Standard 1.1

To determine if you are affected and need this update you may do
the following:

rpm -q netkit-ftp

If the results do not show netkit-ftp-0.10-3 or later then you
are vulnerable.

CND 1.0 installations: Please note that the following operations
require prior installation of the rpm update at:

ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-update.README

Users of OpenLinux 1.0 should update to 1.1 first.


III. Solution

The solution to this problem requires the installation of a version
of netkit-ftp which compares all file names returned by the server
to the user-specified pattern and ignores those that do not match.

A side effect of this fix is that retrieving all files in the
current directory using "mget ." will now fail. The user will need
to type "mget *" to obtain the desired result.
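As an added illustration (not part of the original advisory, and not the
netkit-ftp-0.10-3 patch itself), the following C program shows the check
described above: each line of the server's NLST reply is compared with
the user's mget pattern and dropped if it does not match. The hostile
NLST reply is constructed for this example, and the use of fnmatch(3)
with FNM_PATHNAME|FNM_PERIOD, the rejection of any name containing '/',
and the names nlst_name_ok/filter_nlst are this example's own choices
for implementing the comparison the advisory describes. Running it also
reproduces the side effect noted above: a pattern of "." matches nothing,
while "*" retrieves the ordinary files and skips the planted ones.

```c
#define _XOPEN_SOURCE 700
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES    16
#define MAX_NAME_LEN 256

/* Constructed NLST reply from a hostile server (not a real capture).  A
 * client that fetches every line verbatim would write .rhosts into the
 * current directory, ../.forward one level up, and try to clobber
 * /etc/passwd, all with the privileges of the user running ftp. */
static const char SAMPLE_REPLY[] =
    "README\r\n"
    "notes.txt\r\n"
    ".rhosts\r\n"
    "../.forward\r\n"
    "/etc/passwd\r\n"
    "..\r\n";

/* Decide whether one NLST line may be fetched for the user's mget pattern.
 * Returns 1 to fetch, 0 to ignore.  The fnmatch() flags and the explicit
 * rejection of '/' are this example's choices (assumptions), not
 * necessarily what the netkit-ftp-0.10-3 patch does. */
int nlst_name_ok(const char *pattern, const char *name)
{
    if (name[0] == '\0')
        return 0;
    /* A directory separator would let the server choose where the file
     * lands; mget only ever asked for entries of one directory. */
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* FNM_PERIOD: a leading '.' (as in .rhosts) must be matched literally
     * by the pattern, so "mget *" does not pull dotfiles the user did not
     * ask for.  A pattern of "." matches no real file name at all, which
     * is the "mget ." side effect the advisory mentions. */
    return fnmatch(pattern, name, FNM_PATHNAME | FNM_PERIOD) == 0;
}

/* Split a CRLF-delimited NLST reply into lines and keep those that pass
 * nlst_name_ok().  Over-long lines are dropped rather than truncated.
 * Returns the number of names stored in kept[]. */
size_t filter_nlst(const char *pattern, const char *reply,
                   char kept[][MAX_NAME_LEN], size_t max_kept)
{
    size_t n = 0;
    const char *p = reply;

    while (*p != '\0' && n < max_kept) {
        const char *end = strpbrk(p, "\r\n");
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *next = p + len;
        char line[MAX_NAME_LEN];

        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (nlst_name_ok(pattern, line)) {
                strcpy(kept[n], line);
                n++;
            }
        }

        p = next;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return n;
}

int main(void)
{
    char kept[MAX_NAMES][MAX_NAME_LEN];
    const char *patterns[] = { "*", "*.txt", "." };

    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        size_t n = filter_nlst(patterns[i], SAMPLE_REPLY, kept, MAX_NAMES);
        printf("mget %s -> %zu name(s) fetched\n", patterns[i], n);
        for (size_t j = 0; j < n; j++)
            printf("  %s\n", kept[j]);
    }
    return 0;
}
```

The unfixed client is the same loop with nlst_name_ok() removed: every
line, including "../.forward" and "/etc/passwd", becomes a local file
name passed to the retrieve routine.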

The needed files are located on Caldera's FTP server (ftp.caldera.com):

ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/
and
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/
for the source.

Their MD5 checksums are:

07563fc1b1bfdec1deea57d34e4c0411 RPMS/netkit-ftp-0.10-3.i386.rpm
fc3206d88fd982d7b91508eb1b42b96b SRPMS/netkit-ftp-0.10-3.src.rpm

These instructions are only valid for users who have previously
updated their system to the new netkit package located in the
directories listed above.

rpm -U netkit-ftp-0.10-3.i386.rpm


IV. References / Credits

This advisory is based on the BUGTRAQ post with message ID
<9708050647.AA02330@yaz-pistachio.MIT.EDU>
posted by mhpower@MIT.EDU on 5-Aug-1997.

This and other Caldera security resources are located at:

http://www.caldera.com/tech-ref/security/

This security alert closes Caldera's internal problem report #878.


V. PGP Signature

This message was signed with the PGP key for <security@caldera.com>.

This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/

$Id: SA-1997.28,v 1.3 1997/12/03 23:13:14 ron Exp ron $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIXnwen+9R4958LpAQHuigP+LsZQIhKM3qQfI/przsYaERUgYIGQTp5/
XJFXyuqysf9D+wOyjQc12cDV/FVicEHxdKg3tPWCBfOdLcpwlrsErAaEolSDvaAl
AXmCtzZDysmyOoxVQCSo7T/3Ewz8oDPt8b8lZHnR7xef8bieME4wpP/Ef69pX7cY
5oRhGTi2NVg=
=uVhH
-----END PGP SIGNATURE-----