-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.28: Vulnerability in netkit-ftp

Caldera Security Advisory SA-1997.28

Original report date: 05-Aug-1997
RPM build date: 19-Nov-1997
Advisory issue date: 03-Dec-1997

Topic: Vulnerability in the netkit-ftp-0.10-3.i386.rpm package

I. Problem Description

On most Unix platforms when an FTP client processes an MGET command,
it does not check the FTP server's response to the NLST command. It is
possible that a malicious FTP server's NLST response might include
lines to create files useful in a later attack on the client machine.
Such files could be created anywhere the client user has write
permission on the client machine.

II. Impact

On systems such as Caldera OpenLinux 1.1, use of FTP by an
unprivileged user to a malicious site could result in the creation of
files that would allow later attacks. Ultimately an attacker could
gain root privileges.

This problem was present on the following OpenLinux releases:

    CND 1.0
    Base 1.0
    Lite 1.1
    Base 1.1
    Standard 1.1

To determine if you are affected and need this update you may do the
following:

    rpm -q netkit-ftp

If the results do not show netkit-ftp-0.10-3 or later then you are
vulnerable.

CND 1.0 installations: Please note that the following operations
require prior installation of the rpm update at:

    ftp://ftp.caldera.com/pub/cnd-1.0/updates/rpm-update.README

Users of OpenLinux 1.0 should update to 1.1 first.

III. Solution

The solution to this problem requires the installation of a version of
netkit-ftp which compares all file names returned by the server to the
user-specified pattern and ignores those that do not match.

A side effect of this fix is that retrieving all files in the current
directory using "mget ." will now fail. The user will need to type
"mget *" to obtain the desired result.

The needed files are located on Caldera's FTP server
(ftp.caldera.com):

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

and

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

for the source.

Their MD5 checksums are:

    07563fc1b1bfdec1deea57d34e4c0411  RPMS/netkit-ftp-0.10-3.i386.rpm
    fc3206d88fd982d7b91508eb1b42b96b  SRPMS/netkit-ftp-0.10-3.src.rpm

These instructions are only valid for users that have previously
updated their system to the new netkit package located in the
directories listed above.

    rpm -U netkit-ftp-0.10-3.i386.rpm

IV. References / Credits

This advisory is based on the BUGTRAQ post with message ID
<9708050647.AA02330@yaz-pistachio.MIT.EDU> posted by mhpower@MIT.EDU
on 5-Aug-1997.

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

This security alert closes Caldera's internal problem report #878

V. PGP Signature

This message was signed with the PGP key for .

This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1997.28,v 1.3 1997/12/03 23:13:14 ron Exp ron $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIXnwen+9R4958LpAQHuigP+LsZQIhKM3qQfI/przsYaERUgYIGQTp5/
XJFXyuqysf9D+wOyjQc12cDV/FVicEHxdKg3tPWCBfOdLcpwlrsErAaEolSDvaAl
AXmCtzZDysmyOoxVQCSo7T/3Ewz8oDPt8b8lZHnR7xef8bieME4wpP/Ef69pX7cY
5oRhGTi2NVg=
=uVhH
-----END PGP SIGNATURE-----
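
The check described in section III, sketched as an added example (not
code from Caldera or from the netkit-ftp source): each name in the
server's NLST reply is compared with the pattern the user typed and
dropped if it does not match. The function names, the fnmatch() flags
and the sample reply are assumptions made for this illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a name from the server's NLST reply may be fetched for the
 * pattern the user typed, 0 if it must be ignored. */
int nlst_name_allowed(const char *pattern, const char *name)
{
    if (name[0] == '\0')
        return 0;
    /* Assumed flags. FNM_PATHNAME: wildcards never match '/', so "*" cannot
     * expand to an absolute path or to "../x". FNM_PERIOD: a leading '.'
     * is matched only if the user typed it explicitly. */
    return fnmatch(pattern, name, FNM_PATHNAME | FNM_PERIOD) == 0;
}

/* Filter a whole NLST reply (one name per line, CRLF or LF). Accepted names
 * are copied to out[] (at most max); returns how many were accepted. */
int filter_nlst(const char *pattern, const char *reply, char out[][256], int max)
{
    int n = 0;
    while (*reply != '\0') {
        size_t len = strcspn(reply, "\r\n");
        if (len > 0 && len < 256 && n < max) {  /* over-long names are ignored */
            char name[256];
            memcpy(name, reply, len);
            name[len] = '\0';
            if (nlst_name_allowed(pattern, name))
                strcpy(out[n++], name);
        }
        reply += len;
        reply += strspn(reply, "\r\n");
    }
    return n;
}

/* Constructed sample reply: two expected names, three the user never asked for. */
static const char SAMPLE_REPLY[] =
    "notes.txt\r\nREADME\r\n../outside.txt\r\n/tmp/outside.txt\r\n.hidden\r\n";

int main(void)
{
    char kept[8][256];
    int n = filter_nlst("*", SAMPLE_REPLY, kept, 8);
    for (int i = 0; i < n; i++)
        printf("fetch %s\n", kept[i]);
    return 0;
}
```

With the pattern "." the same filter accepts nothing from this reply,
which is the "mget ." side effect noted in section III.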