e-17.ftp-daemon-vulns
d83a14111315fef549a1c6ea3bc656f5ec929a8d219813c56f86c9373bb5c34a
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
FTP Daemon Vulnerabilities
April 14, 1994 1130 PDT Number E-17
______________________________________________________________________________
PROBLEM: Vulnerabilities in several implementations of the FTP daemon.
PLATFORM: Unix systems with the following implementations of the FTP
daemon: DECWRL ftpd versions before 5.93, wuarchive ftpd
versions 2.0-2.3, and BSDI ftpd version 1.1. prior to patch 5.
DAMAGE: Anyone (remote or local) can gain root access on a host
running a vulnerable daemon.
SOLUTION: Upgrade to a secure version of the FTP daemon.
______________________________________________________________________________
VULNERABILITY Details of these vulnerabilities are being actively discussed
ASSESSMENT: on several Internet mailing lists. CIAC urges affected sites
to upgrade immediately.
______________________________________________________________________________
Critical Information about FTP Daemon Vulnerabilities
CIAC has received information concerning the existence of two vulnerabilities
in FTP daemons derived from the DECWRL ftpd source code. The following FTP
daemons are known to be vulnerable:
- DECWRL ftpd versions before 5.93
- wuarchive ftpd versions 2.0-2.3
- BSDI ftpd version 1.1 prior to patch 5
The first vulnerability involves the SITE EXEC command feature of these FTP
daemons. It only affects those daemons in which the SITE EXEC functions have
been explicitly activated; they are not enabled by default. The vulnerability
allows any user, remote or local, to execute commands as root on the system
running the FTP daemon. The second vulnerability is the result of a race
condition in the daemon. It allows the creation of setuid root files on the
FTP server, permitting unauthorized access to the system.
There is no known workaround to remove both vulnerabilities; therefore, CIAC
strongly advises affected sites to upgrade to one of the versions of the
daemon listed below. If an upgrade cannot be completed in a timely manner,
FTP service should be disabled by commenting out the ftp configuration line in
/etc/inetd.conf and restarting inetd. Disabling only anonymous FTP does not
remove the vulnerabilities.
Upgrade Information
===================
Version 2.4 of wuarchive ftpd is available via anonymous FTP from
wuarchive.wustl.edu in the directory /packages/wuarchive-ftpd. A patch
to upgrade from version 2.3 to 2.4 is also available:
BSD SVR4
File Checksum Checksum MD5 Digital Signature
----------------- --------- --------- --------------------------------
wu-ftpd-2.4.tar.Z 38213 181 20337 362 cdcb237b71082fa23706429134d8c32e
patch_2.3-2.4.Z 09291 8 51092 16 5558a04d9da7cdb1113b158aff89be8f
Version 5.93 of DECWRL ftpd is available via anonymous FTP from
gatekeeper.dec.com in the directory /pub/misc/vixie:
BSD SVR4
File Checksum Checksum MD5 Digital Signature
----------------- --------- --------- --------------------------------
ftpd.tar.gz 38443 60 1710 119 ae624eb607b4ee90e318b857e6573500
For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386
software. The patch file is available via anonymous FTP from ftp.bsdi.com in
the directory /bsdi/patches-1.1:
BSD SVR4
File Checksum Checksum MD5 Digital Signature
----------------- --------- --------- --------------------------------
BU110-005 35337 272 54935 543 1f454d4d9d3e1397d1eff0432bd383cf
______________________________________________________________________________
CIAC wishes to thank the CERT Coordination Center for their response to this
problem.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).
CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the E-mail
message body, substituting CIAC-BULLETIN or CIAC-NOTES for [list-name] and
valid information for the other items in parentheses:
subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.