-----BEGIN PGP SIGNED MESSAGE----- ****************************************************************************** ------ ----- ----- --- ----- | ----- ---- | | | | | |--- | | | | | | | | | |-- | | | | |-- | | | | | | | | \ | | ----- ---- ----- ----- | \ ----- A D V I S O R Y 97.17 ****************************************************************************** Topic: ftpd Signal Handling Vulnerability Source: CERT/CC Creation Date: May 29, 1997 Last Updated: May 29, 1997 To aid in the wide distribution of essential security information, FedCIRC is forwarding the following information from CERT/CC Advisory CA-97.16. FedCIRC urges you to act on this information as soon as possible. If you have any questions, please contact FedCIRC: Telephone: +1 888 282 0870 Email: fedcirc@fedcirc.gov =======================FORWARDED TEXT STARTS HERE============================ ============================================================================= CERT* Advisory CA-97.16 Original issue date: May 29, 1997 Last revised: --- Topic: ftpd Signal Handling Vulnerability - - - ----------------------------------------------------------------------------- The text of this advisory was originally released by AUSCERT as AA-97.03 ftpd Signal Handling Vulnerability on January 29, 1997, and updated on April 18, 1997. To give this document wider distribution, we are reprinting the updated AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information. Although the text of the AUSCERT advisory has not changed, additional vendor information has been added immediately after the AUSCERT text. We will update this advisory as we receive additional information. Look for it in an "Updates" section at the end of the advisory. ============================================================================= AUSCERT has received information that there is a vulnerability in some versions of ftpd distributed and installed under various Unix platforms. This vulnerability may allow regular and anonymous ftp users to read or write to arbitrary files with root privileges. The vulnerabilities in ftpd affect various third party and vendor versions of ftpd. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - - - ---------------------------------------------------------------------------- 1. Description AUSCERT has received information concerning a vulnerability in some vendor and third party versions of the Internet File Transfer Protocol server, ftpd(8). This vulnerability is caused by a signal handling routine increasing process privileges to root, while still continuing to catch other signals. This introduces a race condition which may allow regular, as well as anonymous ftp, users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write to arbitrary files on the server. This attack requires an intruder to be able to make a network connection to a vulnerable ftpd server. Sites should be aware that the ftp services are often installed by default. Sites can check whether they are allowing ftp services by checking, for example, /etc/inetd.conf: # grep -i '^ftp' /etc/inetd.conf Note that on some systems the inetd configuration file may have a different name or be in a different location. Please consult your documentation if the configuration file is not found in /etc/inetd.conf. If your site is offering ftp services, you may be able to determine the version of ftpd by checking the notice when first connecting. The vulnerability status of specific vendor and third party ftpd servers can be found in Section 3. Information involving this vulnerability has been made publicly available. 2. Impact Regular and anonymous users may be able to access arbitrary files with root privileges. Depending on the configuration, this may allow anonymous, as well as regular, users to read or write to arbitrary files on the server with root privileges. 3. Workarounds/Solution AUSCERT recommends that sites prevent the possible exploitation of this vulnerability by immediately applying vendor patches if they are available. Specific vendor information regarding this vulnerability is given in Section 3.1. If the ftpd supplied by your vendor is vulnerable and no patches are available, sites may wish to install a third party ftpd which does not contain the vulnerability described in this advisory (Section 3.2). 3.1 Vendor patches The following vendors have provided information concerning the vulnerability status of their ftpd distribution. Detailed information has been appended in Appendix A. If your vendor is not listed below, you should contact your vendor directly. Berkeley Software Design, Inc. Digital Equipment Corporation The FreeBSD Project Hewlett-Packard Corporation IBM Corporation The NetBSD Project The OpenBSD Project Red Hat Software Washington University ftpd (Academ beta version) Wietse Venema's logdaemon ftpd 3.2 Third party ftpd distributions AUSCERT has received information that the following third party ftpd distributions do not contain the signal handling vulnerability described in this advisory: wu-ftpd 2.4.2-beta-12 logdaemon 5.6 ftpd Sites should ensure they are using the current version of this software. Information on these distributions is contained in Appendix A. Sites should note that these third party ftpd distributions may offer some different functionality to vendor versions of ftpd. AUSCERT advises sites to read the documentation provided with the above third party ftpd distributions before installing. ........................................................................... Appendix A Berkeley Software Design, Inc. (BSDI) ===================================== BSD/OS 2.1 is vulnerable to the ftpd problem described in this advisory. Patches have been issued and may be retrieved via the email server or from: ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033 Digital Equipment Corporation ============================= DIGITAL UNIX Versions: 3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b SOLUTION: This potential security vulnerability has been resolved and an official patch kit is available for DIGITAL UNIX V3.2g, V4.0, V4.0a, and V4.0b. This article will be updated accordingly when patch kits for DIGITAL UNIX V3.2c, V3.2de1, V3.2de2, V3.2f become available. The currently available patches may be obtained from your normal Digital support channel or from the following URL. (Select the appropriate version to locate this patch kit) ftp://ftp.service.digital.com/patches/public/dunix VERSION KIT ID SIZE CHECK SUM ------- ---------------- ------ -------------- v3.2g SSRT0448U_v32g.tar 296960 32064 290 v4.0 SSRT0448U_v40.tar 542720 07434 530 v4.0a SSRT0448U_v40a.tar 542720 43691 530 v4.0b SSRT0448U_v40b.tar 471040 45701 460 Please refer to the applicable README notes information prior to the installation of patch kits on your system. Note: The appropriate patch kit must be reinstalled following any upgrade beginning with V3.2c up to and including V4.0b. The FreeBSD Project =================== The FreeBSD Project has informed AUSCERT that the vulnerability described in this advisory has been fixed in FreeBSD-current (from January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2 release. All previous versions of FreeBSD are vulnerable. Hewlett-Packard Corporation =========================== Hewlett-Packard has informed AUSCERT that the ftpd distributed with HP-UX 9.x and 10.x are vulnerable to this problem. Patches are currently in process. IBM Corporation =============== The version of ftpd shipped with AIX is vulnerable to the conditions described in the advisory. The following APARs will be available shortly: AIX 3.2: APAR IX65536 AIX 4.1: APAR IX65537 AIX 4.2: APAR IX65538 To Order -------- APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://service.software.ibm.com/aixsupport/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. The NetBSD Project =================== NetBSD (all versions) have the ftpd vulnerability described in this advisory. It has since been fixed in NetBSD-current. NetBSD have also made patches available and they can be retrieved from: ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd The OpenBSD Project =================== OpenBSD 2.0 did have the vulnerability described in this advisory, but has since been fixed in OpenBSD 2.0-current (from January 5, 1997). Red Hat Software ================ The signal handling code in wu-ftpd has some security problems which allows users to read all files on your system. A new version of wu-ftpd is now available for Red Hat 4.0 which Red Hat suggests installing on all of your systems. This new version uses the same fix posted to redhat-list@redhat.com by Savochkin Andrey Vladimirovich. Users of Red Hat Linux versions earlier then 4.0 should upgrade to 4.0 and then apply all available security packages. Users whose computers have direct internet connections may apply this update by using one of the following commands: Intel: rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm Alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm SPARC: rpm -Uvhftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm All of these packages have been signed with Red Hat's PGP key. wu-ftpd Academ beta version =========================== The current version of wu-ftpd (Academ beta version), wu-ftpd 2.4.2-beta-12, does not contain the vulnerability described in this advisory. Sites using earlier versions should upgrade to the current version immediately. At the time of writing, the current version can be retrieved from: ftp://ftp.academ.com/pub/wu-ftpd/private/ logdaemon Distribution ====================== The current version of Wietse Venema's logdaemon (5.6) package contains an ftpd utility which addresses the vulnerability described in this advisory. Sites using earlier versions of this package should upgrade immediately. The current version of the logdaemon package can be retrieved from: ftp://ftp.win.tue.nl/pub/security/ ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/ ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/ The MD5 checksum for Version 5.6 of the logdaemon package is: MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368 ........................................................................... - - - ---------------------------------------------------------------------------- AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson Research) and Stan Barber (Academ Consulting Services) for their contributions in finding solutions to this vulnerability. Thanks also to Dr Leigh Hume (Macquarie University), CERT/CC, and DFNCERT for their assistance in this matter. AUSCERT also thanks those vendors that provided feedback and patch information contained in this advisory. - - - ---------------------------------------------------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History 18 Apr, 1997 Added vendor information for DIGITAL UNIX. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - - - ----------------------------------------------------------------------------- UPDATES Vendor Information Added by CERT/CC Digital Equipment Corporation ============================= Revision History 18 Apr, 1997 Added vendor information for DIGITAL UNIX. 21 May, 1997 (to include availibility of V3.2c solution) DIGITAL UNIX Versions: 3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b SOLUTION: This potential security vulnerability has been resolved and an official patch kit is available for DIGITAL UNIX V3.2c, V3.2g, V4.0, V4.0a, and V4.0b. This article will be updated accordingly when patch kits for DIGITAL UNIX V3.2de1, V3.2de2, V3.2f become available. The currently available patches may be obtained from your normal Digital support channel. Assigned case ID SSRT0448U. Please refer to the applicable README notes information prior to the installation of patch kits on your system. Note: The appropriate patch kit must be reinstalled following any upgrade beginning with V3.2c up to and including V4.0b. - DIGITAL EQUIPMENT CORPORATION Hewlett-Packard Corporation =========================== HP has covered this in our security bulletin HPSBUX9702-055, 19 February 1997. The Security Bulletin contains pointers to the patches: ---- SOLUTION: Apply patch: PHNE_10008 for all platforms with HP-UX releases 9.X PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10 PHNE_10010 for all platforms with HP-UX releases 10.20 PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd) AVAILABILITY: All patches are available now. ---- IBM Corporation =============== See the appropriate release below to determine your action. AIX 3.2 ------- Apply the following fix to your system: APAR - IX65536 (PTF - U447700) To determine if you have this PTF on your system, run the following command: lslpp -lB U447700 AIX 4.1 ------- Apply the following fix to your system: APAR - IX65537 To determine if you have this APAR on your system, run the following command: instfix -ik IX65537 Or run the following command: lslpp -h bos.net.tcp.client Your version of bos.net.tcp.client should be 4.1.5.3 or later. AIX 4.2 ------- Apply the following fix to your system: APAR - IX65538 To determine if you have this APAR on your system, run the following command: instfix -ik IX65538 Or run the following command: lslpp -h bos.net.tcp.client Your version of bos.net.tcp.client should be 4.2.1.0 or later. To Order -------- APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://service.software.ibm.com/aixsupport/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. - - - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/). CERT/CC Contact Information - - - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - - - --------------------------------------------------------------------------- * Registered U.S. Patent and Trademark Office. Copyright 1997 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. The CERT Coordination Center is part of the Software Engineering Institute (SEI). The SEI is sponsored by the U.S. Department of Defense. - - - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-97.16.ftpd http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history ========================FORWARDED TEXT ENDS HERE============================= The National Institute of Standards and Technology (NIST) has established a Federal Computer Incident response Capability (FedCIRC) to assist federal civilians agencies in their incident handling efforts by providing proactive and reactive computer security related services. FedCIRC is a partnership among NIST, the Computer Incident Advisory Capability (CIAC), and the CERT* Coordination Center (CERT/CC). If you believe that your system has been compromised, please contact FedCIRC: Telephone: +1 888 282 0870 Email: fedcirc@fedcirc.gov Web Server: http://www.fedcirc.gov/ * Registered in U.S. Patent and Trademark Office The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface iQCVAwUBM6WFWXVP+x0t4w7BAQHVjQQAxFqEj7J/Q+N/5VdTG5OuTI3whE8Z1FUK AfEUaCjt6zDjtXV8pXdoe93uT0Myx/q6WvvS34T9V6yPxxNJ9Pfy2kOM4HrlGG3P Eu94BxN+VkwROK7ebzZu2/jm5LbG9lgpil3OwZhnmBozt8J3L/OLcAVATwZeTuTd YCQ4zpNWopI= =vibB -----END PGP SIGNATURE-----