From support@us.external.hp.com Wed Mar 13 00:59:34 1996
Date: Wed, 13 Mar 1996 01:02:26 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9405-010
--------
## Regarding your request:
Send Doc HPSBUX9405-010
The following are the results of your request from the HP SupportLine mail
service.
===============================================================================
Document Id: [HPSBUX9405-010]
Date Loaded: [05-05-94]
Description: ftpd: SITE CHMOD / race condition vulnerability
===============================================================================
-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00010, 4 May 94
******** ADVISORY ONLY ********
-----------------------------------------------------------------------
_______________________________________________________________________
ISSUE #1: Ftpd race condition security problem announced by CIAC, CERT.
PLATFORM: All HP-UX systems
STATUS: NOT present on HP-UX.
ADVICE: Continue to use ftpd distributed with HP-UX.
ISSUE #2: HP-UX ftpd man page recommends wrong ownership of ftp home
directory.
PLATFORM: All HP-UX systems.
STATUS: Present on all HP-UX systems.
ADVICE: Root should own ftp home directory.
_______________________________________________________________________
I. ftpd Race Condition
A. Nature of the Problem
Recent announcements by CIAC (E-17) and CERT (CA-94:08) warned
of a potential danger caused by a race condition in later
versions of ftpd. With this problem, certain versions of
ftpd would allow unauthorized access to files in the ftp
directory structure.
(A previous HP Security Bulletin #00007 dealt with the ftp
problem caused by SITE EXEC and also discussed in the CIAC
and CERT announcements.)
B. Status of HP-UX
HP-UX ftpd does NOT have this race condition problem, so
this security threat does NOT exist.
Some HP-UX users may have chosen to run the non-HP
version of ftpd available from source archives such
as the wuarchive. These ftpds may be vulnerable and
these users should heed the CIAC/CERT warnings.
C. Recommended Actions
HP-UX users should continue to use the ftpd distributed
with the release tapes or provided in official HP-UX patches.
II. HP-UX ftpd SITE CHMOD Command
A. Nature of the Problem
The HP-UX ftpd allows an anonymous ftp user to issue a SITE
CHMOD command to change the permissions on any file
owned by ftp. This could permit unauthorized access of files
owned by the ftp user.
The ftpd man page provides appropriate recommendations
for the permissions and ownership of all the sub-directories,
but erroneously recommends that the ~ftp home directory be
owned by ftp. This allows an anonymous ftp user to change
the permission on the ~ftp home directory, and control
(read/modify/delete) any files owned by ftp in the
~ftp home directory.
B. Status of HP-UX
HP-UX ftpd does support SITE CHMOD, so this potential
security vulnerability does exist.
C. Recommended Actions
The ftpd man page provides correct information except for
the ownership of the ftp home directory: it should be owned
by root, not ftp.
Also, system administrators should be aware that ftp-owned
files in ftp-owned directories can be modified by anonymous
ftp. While this may be desirable for incoming ftp files
(sent by an anonymous user), this is probably undesirable
for distribution files. For such files, administrators
should use root ownership.
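The ownership check recommended above can be automated. The following is an added example, not part of the HP bulletin or of HP-UX: it reports an ftp home directory that is not owned by root and any ftp-owned files or directories beneath it. The "incoming" upload directory name, the finding labels and the local account name "ftp" are assumptions of this example.

```python
import os
import pwd
import sys


def audit_ftp_tree(ftp_home, ftp_uid, admin_uid=0, writable_ok=("incoming",)):
    """Return (finding, path) tuples for an anonymous-ftp tree.

    writable_ok lists sub-directories, relative to ftp_home, where ftp
    ownership is intentional (an upload area). The default name is an
    assumption of this example, not something the bulletin specifies.
    """
    findings = []
    skip = {os.path.join(ftp_home, rel) for rel in writable_ok}

    # The bulletin's central point: the ftp home must belong to root.
    home_uid = os.lstat(ftp_home).st_uid
    if home_uid == ftp_uid:
        findings.append(("HOME_OWNED_BY_FTP", ftp_home))
    elif home_uid != admin_uid:
        findings.append(("HOME_NOT_ADMIN_OWNED", ftp_home))

    # Anything else owned by ftp can have its mode changed via SITE CHMOD.
    for dirpath, dirnames, filenames in os.walk(ftp_home):
        # Do not descend into declared upload areas.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        if dirpath != ftp_home and os.lstat(dirpath).st_uid == ftp_uid:
            findings.append(("FTP_OWNED_DIR", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid == ftp_uid:
                findings.append(("FTP_OWNED_FILE", path))
    return findings


if __name__ == "__main__":
    # Assumes a local account named "ftp" whose home is the anonymous root.
    ftp = pwd.getpwnam("ftp")
    results = audit_ftp_tree(ftp.pw_dir, ftp.pw_uid)
    for kind, path in results:
        print(f"{kind}\t{path}")
    sys.exit(1 if results else 0)
```

Run as a script it exits non-zero when anything is reported, so it can be dropped into a periodic configuration check.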
Appendix A. Contacting CERT
1. For complete details on CERT, use anonymous ftp to retrieve
~pub/cert_faq from cert.org. The advisory mentioned above
can be retrieved using anonymous ftp to cert.org: it is kept
in ~pub/cert_advisories/CA-94:08.ftpd.vulnerabilities.
2. Write to cert@cert.org.
3. Call 1 412-268-7090 (24-hour hotline)
Appendix B. Contacting CIAC (US Dept of Energy)
1. Call 510-422-8193
2. Write to ciac@llnl.gov.
3. Subscribe to mailing lists, by sending body text containing:
subscribe CIAC-BULLETIN Full_Name Phone_number
to ciac-listproc@llnl.gov.
-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):
subscribe security_info
To retrieve the index of all HP Security Bulletins, send the following:
send security_info_list
To obtain a copy of the HP SupportLine mail service user's guide,
send the following to support@support.mayfield.hp.com:
send guide.txt
For security concerns, write to:
security-alert@hp.com
-----------------------------------------------------------------------