Caldera Security Advisory CSSA-2002-SCO.23 - A vulnerability found in the Open UNIX and UnixWare FTP daemon can allow remote attackers to hijack passive FTP data connections.
2ba86861d069c9bc17521caaefcb7ca1c5ad9ae7377ab0c78f4293019c0c4363
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Open UNIX 8.0.0 UnixWare 7.1.1 : ftpd allows data connection hijacking via PASV mode
Advisory number: CSSA-2002-SCO.23
Issue date: 2002 May 30
Cross reference:
______________________________________________________________________________
1. Problem Description
In FTP PASV mode, the client makes a control connection to the
FTP server (typically port 21/tcp) and requests a PASV data
connection. The server responds by listening for client
connections on a specified port number, which is supplied to
the client via the control connection. If an attacker can make
a connection to the listening port before the client connects,
the server will transmit the data to the attacker instead of
the client.
To exploit this vulnerability, the attacker must intercept or
guess the port number that the server will use, then make its
connection attempt before the client establishes a data
connection. If the server chooses port numbers using an easily
identifiable pattern (such as incrementally), this
vulnerability is trivial to exploit.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
Open UNIX 8.0.0 /usr/sbin/in.ftpd
UnixWare 7.1.1 /usr/sbin/in.ftpd
3. Solution
The proper solution is to install the latest packages.
4. Open UNIX 8.0.0
4.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23
4.2 Verification
MD5 (erg501602b.pkg.Z) = e25467ff65349f5f388698fdd39161b5
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
Download erg501602b.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg501602b.pkg.Z
# pkgadd -d /var/spool/pkg/erg501602b.pkg
5. UnixWare 7.1.1
5.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.23
5.2 Verification
MD5 (erg501602b.pkg.Z) = e25467ff65349f5f388698fdd39161b5
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
Download erg501602b.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg501602b.pkg.Z
# pkgadd -d /var/spool/pkg/erg501602b.pkg
6. References
Specific references for this advisory:
http://www.kb.cert.org/vuls/id/2558
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera incidents sr863902, fz520882,
erg501602.
7. Disclaimer
Caldera International, Inc. is not responsible for the
misuse of any of the information we provide on this website
and/or through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of Caldera products.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjz2b9MACgkQaqoBO7ipriHNkACdECYPA32CWHQKnSf3gB2UN9yr
7eEAniVHO/Fv4nd3xE45mgy7oAZma2VI
=OxoK
-----END PGP SIGNATURE-----