Original issue date: May 29, 1997<BR>
Last revised: December 5, 1997<BR>
Added vendor information for NCR Corporation to the Updates section.

<P>A complete revision history is at the end of this file.

<P>The text of this advisory was originally released by AUSCERT as AA-97.03
ftpd Signal Handling Vulnerability on January 29, 1997, and updated on
April 18, 1997. To give this document wider distribution, we are reprinting
the updated AUSCERT advisory here with their permission. Only the contact
information at the end has changed: AUSCERT contact information has been
replaced with CERT/CC contact information.

<P>Although the text of the AUSCERT advisory has not changed, additional
vendor information has been added immediately after the AUSCERT text.

<P>We will update this advisory as we receive additional information. Look
for it in an "Updates" section at the end of the advisory.

<P><HR>

<P>AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.

<P>This vulnerability may allow regular and anonymous ftp users to read
or write to arbitrary files with root privileges.

<P>The vulnerabilities in ftpd affect various third party and vendor versions
of ftpd. AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

<P>This advisory will be updated as more information becomes available.

<P><HR>
<H2>1. Description</H2>
AUSCERT has received information concerning a vulnerability in some vendor
and third party versions of the Internet File Transfer Protocol server,
ftpd(8).

<P>This vulnerability is caused by a signal handling routine that raises the
process's effective privileges to root while the process still continues to
catch other signals. If a second signal is delivered during that window, its
handler runs with root privileges. This introduces a race condition which may
allow regular, as well as anonymous, ftp users to access files with root
privileges. Depending on the configuration of the ftpd server, this may allow
intruders to read or write arbitrary files on the server.

<P>This attack requires an intruder to be able to make a network connection
to a vulnerable ftpd server.
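<P>The following C program is an added illustration of the race described
above; it is not ftpd source and is not part of the AUSCERT or CERT/CC text.
It models a daemon with two signal handlers: one that raises privileges to
root to do its work, and one that resumes command processing. The advisory
does not name the signals involved or the vendors' exact fixes, so SIGUSR2
and SIGUSR1 stand in for them, a simulated uid stands in for seteuid(), and
the uid 1000 is an assumed unprivileged ftp account. The fix shown, blocking
other signals (via sa_mask) for the duration of the privileged handler, is
one standard repair for this class of bug; it is an assumption that any given
vendor patch works this way.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example: models the handler race, not ftpd code.  A simulated
 * effective uid stands in for seteuid() so this runs unprivileged and offline. */
#define ROOT_UID 0
#define FTP_UID  1000   /* assumed uid of an ordinary or anonymous ftp session */

static volatile sig_atomic_t sim_euid = FTP_UID;     /* stands in for geteuid() */
static volatile sig_atomic_t command_ran_as = -1;    /* uid seen by the second handler */

/* Stands in for the handler that resumes command processing when the client
 * triggers a second signal.  It does its work with whatever privilege the
 * process happens to hold at that instant. */
static void command_handler(int sig)
{
    (void)sig;
    command_ran_as = sim_euid;
}

/* Stands in for a cleanup/logout handler that raises privileges.  The
 * raise(SIGUSR1) models a client-triggered signal arriving while root. */
static void logout_handler(int sig)
{
    (void)sig;
    sim_euid = ROOT_UID;   /* seteuid(0) in a real daemon */
    raise(SIGUSR1);        /* second signal lands inside the privileged window */
    sim_euid = FTP_UID;    /* privileges dropped again */
}

/* Installs both handlers and fires the logout handler.
 * block_others == 0: vulnerable installation; other handlers still run while
 *                    we are root, so command_handler observes uid 0.
 * block_others != 0: sa_mask blocks every other signal for the handler's
 *                    duration; SIGUSR1 stays pending until privileges are
 *                    dropped, so command_handler observes FTP_UID.
 * Returns the uid command_handler observed. */
int run_scenario(int block_others)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = command_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, NULL);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = logout_handler;
    if (block_others)
        sigfillset(&sa.sa_mask);   /* the fix: nothing else runs while we are root */
    else
        sigemptyset(&sa.sa_mask);  /* vulnerable: other handlers remain deliverable */
    sigaction(SIGUSR2, &sa, NULL);

    sim_euid = FTP_UID;
    command_ran_as = -1;
    raise(SIGUSR2);                /* enter the privileged handler */
    return (int)command_ran_as;
}

int main(void)
{
    printf("vulnerable handler: command ran as uid %d\n", run_scenario(0));
    printf("signals blocked:    command ran as uid %d\n", run_scenario(1));
    return 0;
}
```

<P>Compile with <TT>cc -o sigrace sigrace.c</TT> and run it. The first line
reports uid 0, the second uid 1000. The same result follows if the handler
wraps the privileged section in <TT>sigprocmask(SIG_BLOCK, ...)</TT> instead
of relying on sa_mask. When auditing a server of your own, the check is the
same either way: no code path may raise privileges while a handler for an
attacker-triggerable signal can still run.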

<P>Sites should be aware that the ftp services are often installed by default.
Sites can check whether they are allowing ftp services by checking, for
example, /etc/inetd.conf:

<P># grep -i '^ftp' /etc/inetd.conf
<BR>

<P>Note that on some systems the inetd configuration file may have a different
name or be in a different location. Please consult your documentation if the
configuration file is not found in /etc/inetd.conf.

<P>If your site is offering ftp services, you may be able to determine
the version of ftpd from the greeting banner printed when first connecting.

<P>The vulnerability status of specific vendor and third party ftpd servers
can be found in Section 3.1 and Appendix A.

<P>Information involving this vulnerability has been made publicly available.

<H2>2. Impact</H2>
Regular and anonymous ftp users may be able to access arbitrary files with
root privileges. Depending on the configuration of the ftpd server, this
may allow them to read or write arbitrary files on the server as root.

<H2>3. Workarounds/Solution</H2>
AUSCERT recommends that sites prevent the possible exploitation of this
vulnerability by immediately applying vendor patches if they are available.
Specific vendor information regarding this vulnerability is given in Section
3.1.

<P>If the ftpd supplied by your vendor is vulnerable and no patches are
available, sites may wish to install a third party ftpd which does not
contain the vulnerability described in this advisory (Section 3.2).

<H3>3.1 Vendor patches</H3>
The following vendors have provided information concerning the vulnerability
status of their ftpd distribution. Detailed information has been appended
in Appendix A. If your vendor is not listed below, you should contact your
vendor directly.

<P>Berkeley Software Design, Inc.
<BR>Digital Equipment Corporation
<BR>The FreeBSD Project
<BR>Hewlett-Packard Corporation
<BR>IBM Corporation
<BR>The NetBSD Project
<BR>The OpenBSD Project
<BR>Red Hat Software
<BR>Silicon Graphics Inc.
<BR>Washington University ftpd (Academ beta version)
<BR>Wietse Venema's logdaemon ftpd

<H3>3.2 Third party ftpd distributions</H3>
AUSCERT has received information that the following third party ftpd distributions
do not contain the signal handling vulnerability described in this advisory:

<P>wu-ftpd 2.4.2-beta-12
<BR>logdaemon 5.6 ftpd

<P>Sites should ensure they are using the current version of this software.
Information on these distributions is contained in Appendix A.

<P>Sites should note that these third party ftpd distributions may offer
some different functionality to vendor versions of ftpd. AUSCERT advises
sites to read the documentation provided with the above third party ftpd
distributions before installing.

<P><HR>
<H2>Appendix A</H2>

<H3>Berkeley Software Design, Inc. (BSDI)</H3>
BSD/OS 2.1 is vulnerable to the ftpd problem described in this advisory.
Patches have been issued and may be retrieved via the <A HREF="mailto:patches@BSDI.COM">patches@BSDI.COM</A>
email server or from:

<P><A HREF="ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033">ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033</A>
<H3>Digital Equipment Corporation</H3>
DIGITAL UNIX Versions:

<P>3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b

<P>SOLUTION:

<P>This potential security vulnerability has been resolved and an official
patch kit is available for DIGITAL UNIX V3.2g, V4.0, V4.0a, and V4.0b.

<P>This article will be updated accordingly when patch kits for DIGITAL
UNIX V3.2c, V3.2de1, V3.2de2, V3.2f become available.

<P>The currently available patches may be obtained from your normal Digital
support channel or from the following URL. (Select the appropriate version
to locate this patch kit.)

<P><A HREF="ftp://ftp.service.digital.com/patches/public/dunix">ftp://ftp.service.digital.com/patches/public/dunix</A>
<BR>
<BR>
<TABLE BORDER=0 COLS=5 WIDTH="100%" NOSAVE >
<TR>
<TD>VERSION</TD>
<TD>KIT ID</TD>
<TD>SIZE (bytes)</TD>
<TD>sum(1) CHECKSUM</TD>
<TD>sum(1) BLOCKS</TD>
</TR>

<TR>
<TD>v3.2g</TD>
<TD>SSRT0448U_v32g.tar</TD>
<TD>296960</TD>
<TD>32064</TD>
<TD>290</TD>
</TR>

<TR>
<TD>v4.0</TD>
<TD>SSRT0448U_v40.tar</TD>
<TD>542720</TD>
<TD>07434</TD>
<TD>530</TD>
</TR>

<TR>
<TD>v4.0a</TD>
<TD>SSRT0448U_v40a.tar</TD>
<TD>542720</TD>
<TD>43691</TD>
<TD>530</TD>
</TR>

<TR>
<TD>v4.0b</TD>
<TD>SSRT0448U_v40b.tar</TD>
<TD>471040</TD>
<TD>45701</TD>
<TD>460</TD>
</TR>
</TABLE>

<P>The last two columns are the checksum and 1K-block count printed by
running sum(1) on the kit. Compare the output of sum against this table
before unpacking a kit.

<P>Please refer to the applicable README notes information prior to the
installation of patch kits on your system.

<P>Note: The appropriate patch kit must be reinstalled following any upgrade
beginning with V3.2c up to and including V4.0b.
<H3>The FreeBSD Project</H3>
The FreeBSD Project has informed AUSCERT that the vulnerability described
in this advisory has been fixed in FreeBSD-current (from January 27, 1997),
and will be fixed in the upcoming FreeBSD 2.2 release. All previous versions
of FreeBSD are vulnerable.
<H3>Hewlett-Packard Corporation</H3>
Hewlett-Packard has informed AUSCERT that the ftpd distributed with HP-UX
9.x and 10.x are vulnerable to this problem. Patches are currently in process.
<H3>IBM Corporation</H3>
The version of ftpd shipped with AIX is vulnerable to the conditions described
in the advisory. The following APARs will be available shortly:

<P>AIX 3.2 : APAR IX65536
<BR>AIX 4.1 : APAR IX65537
<BR>AIX 4.2 : APAR IX65538
<H4>To Order</H4>
APARs may be ordered using Electronic Fix Distribution (via FixDist) or
from the IBM Support Center. For more information on FixDist, reference
URL:

<P><A HREF="http://service.software.ibm.com/aixsupport/">http://service.software.ibm.com/aixsupport/</A>

<P>or send e-mail to <A HREF="mailto:aixserv@austin.ibm.com">aixserv@austin.ibm.com</A>
with a subject of "FixDist".
<BR>
<BR>IBM and AIX are registered trademarks of International Business Machines
Corporation.
<H3>The NetBSD Project</H3>
NetBSD (all versions) have the ftpd vulnerability described in this advisory.
It has since been fixed in NetBSD-current. NetBSD have also made patches
available and they can be retrieved from:

<P><A HREF="ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd">ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd</A>
<H3>The OpenBSD Project</H3>
OpenBSD 2.0 did have the vulnerability described in this advisory, but
has since been fixed in OpenBSD 2.0-current (from January 5, 1997).
<H3>Red Hat Software</H3>
The signal handling code in wu-ftpd has some security problems which allow
users to read all files on your system. A new version of wu-ftpd is now
available for Red Hat 4.0 which Red Hat suggests installing on all of your
systems. This new version uses the same fix posted to <A HREF="mailto:redhat-list@redhat.com">redhat-list@redhat.com</A>
by Savochkin Andrey Vladimirovich. Users of Red Hat Linux versions earlier
than 4.0 should upgrade to 4.0 and then apply all available security packages.

<P>Users whose computers have direct internet connections may apply this
update by using one of the following commands:

<P>Intel:
<BR>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm">ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm</A>

<P>Alpha:
<BR>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm">ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm</A>

<P>SPARC:
<BR>rpm -Uvh <A HREF="ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm">ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm</A>

<P>All of these packages have been signed with Red Hat's PGP key.
<H3>wu-ftpd Academ beta version</H3>
The current version of wu-ftpd (Academ beta version), wu-ftpd 2.4.2-beta-12,
does not contain the vulnerability described in this advisory. Sites using
earlier versions should upgrade to the current version immediately. At
the time of writing, the current version can be retrieved from:

<P><A HREF="ftp://ftp.academ.com/pub/wu-ftpd/private/">ftp://ftp.academ.com/pub/wu-ftpd/private/</A>
<BR>
<H3>logdaemon Distribution</H3>
The current version of Wietse Venema's logdaemon (5.6) package contains
an ftpd utility which addresses the vulnerability described in this advisory.
Sites using earlier versions of this package should upgrade immediately.
The current version of the logdaemon package can be retrieved from:

<P><A HREF="ftp://ftp.win.tue.nl/pub/security/">ftp://ftp.win.tue.nl/pub/security/</A>
<BR><A HREF="ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/">ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/</A>
<BR><A HREF="ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/">ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/</A>

<P>The MD5 checksum for Version 5.6 of the logdaemon package is:

<P>MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368

<P><HR>

<P>AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson
Research) and Stan Barber (Academ Consulting Services) for their contributions
in finding solutions to this vulnerability. Thanks also to Dr Leigh Hume
(Macquarie University), CERT/CC, and DFNCERT for their assistance in this
matter. AUSCERT also thanks those vendors that provided feedback
and patch information contained in this advisory.

<P>
<HR>

<H2>UPDATES</H2>
Vendor Information Added by CERT/CC
<H3>Digital Equipment Corporation</H3>
AUG, 1997 DIGITAL UNIX Versions:

<P>3.2C, 3.2DE1, 3.2DE2, 3.2F, 3.2G, 4.0, 4.0A, 4.0B, 4.0C

<P>SOLUTION:

<P>This potential security vulnerability has been resolved and the patch kits
may be obtained from your normal Digital support channel or from the
following URL.

<P>NOTE: Previously released singular ECO patches that were identified for
this problem have been superseded in the aggregate versions of the ECO patch
kits.

<P><A HREF="ftp://ftp.service.digital.com/patches/public/dunix">ftp://ftp.service.digital.com/patches/public/dunix</A>

<P>(Select the appropriate version and its aggregate patch kit.)

<P>Please refer to the applicable README notes information prior to the
installation of patch kits on your system.
<H3>Hewlett-Packard Corporation</H3>
HP has covered this in our security bulletin HPSBUX9702-055, 19 February
1997. The Security Bulletin contains pointers to the patches:

<P>SOLUTION: Apply patch:

<P>PHNE_10008 for all platforms with HP-UX releases 9.X
<BR>PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10
<BR>PHNE_10010 for all platforms with HP-UX releases 10.20
<BR>PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd)
<BR>
<BR>AVAILABILITY: All patches are available now.
<BR>
<H3>IBM Corporation</H3>
See the appropriate release below to determine your action.
<H4>AIX 3.2</H4>
Apply the following fix to your system:

<P>APAR - IX65536 (PTF - U447700)

<P>To determine if you have this PTF on your system, run the following
command:

<P>lslpp -lB U447700
<H4>AIX 4.1</H4>
Apply the following fix to your system:

<P>APAR - IX65537

<P>To determine if you have this APAR on your system, run the following
command:

<P>instfix -ik IX65537

<P>Or run the following command:

<P>lslpp -h bos.net.tcp.client

<P>Your version of bos.net.tcp.client should be 4.1.5.3 or later.
<H4>AIX 4.2</H4>
Apply the following fix to your system:

<P>APAR - IX65538

<P>To determine if you have this APAR on your system, run the following
command:

<P>instfix -ik IX65538

<P>Or run the following command:

<P>lslpp -h bos.net.tcp.client

<P>Your version of bos.net.tcp.client should be 4.2.1.0 or later.
<H4>To Order</H4>
APARs may be ordered using Electronic Fix Distribution (via FixDist) or
from the IBM Support Center. For more information on FixDist, reference
URL:

<P><A HREF="http://service.software.ibm.com/aixsupport/">http://service.software.ibm.com/aixsupport/</A>

<P>or send e-mail to <A HREF="mailto:aixserv@austin.ibm.com">aixserv@austin.ibm.com</A>
with a subject of "FixDist".
<BR>
<BR>IBM and AIX are registered trademarks of International Business Machines
Corporation.

<H3>NCR Corporation</H3>
NCR is delivering a set of operating system dependent patches which
contain an update for this problem. Accompanying each patch is a
README file which discusses the general purpose of the patch and
describes how to apply it to your system.

<P>Recommended solution:

<P>Apply one of the following patches depending on the revision of the
inet package installed on your system. To check its version execute:

<P>pkginfo -x inet

<PRE>
For inet 5.01.xx.xx: - PINET501 (Version later than 05.01.01.49)

For inet 6.01.xx.xx: - PINET601 (Version later than 06.01.00.06)

For inet 6.02.xx.xx: - Fix included in the product as shipped with
                       MP-RAS UNIX 3.02. (In inet package after
                       revision 6.02.00c).
</PRE>


<H3>Silicon Graphics Inc.</H3>
The ftpd program (/usr/etc/ftpd) is installed on all IRIX systems by default.

<P>Patch information for this vulnerability is available in SGI's Security
Advisory 19970801-01-PX, "IRIX ftpd Signal Handling Vulnerability", available
at

<P><A HREF="http://www.sgi.com/Support/Secur/security.html/">http://www.sgi.com/Support/Secur/security.html/</A>
<H3>Sun Microsystems, Inc.</H3>
Not vulnerable.

<P><HR>

<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Dec. 5,  1997 Added vendor information for NCR Corporation to
              the Updates section.
Oct. 30, 1997 UPDATES, Vendor Information Added by CERT/CC - added information
              for NCR.
Sep. 30, 1997 Updated copyright statement.
Aug. 15, 1997 Section 3.1 and UPDATES - Added by CERT/CC. Vendor patch information
              for Digital Equipment Corporation and Silicon Graphics, Inc.
June 9, 1997  UPDATES, Vendor Information Added by CERT/CC - added information
              for Sun Microsystems, Inc.
June 3, 1997  Minor editorial formatting change.
</PRE>