-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.03 AUSCERT Advisory
ftpd Signal Handling Vulnerability
29 January 1997
Last Revised: 19 August, 1997
Added vendor information for Silicon Graphics Inc.
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.
This vulnerability may allow regular and anonymous ftp users to read or
write to arbitrary files with root privileges.
The vulnerabilities in ftpd affect various third party and vendor versions
of ftpd. AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
AUSCERT has received information concerning a vulnerability in some
vendor and third party versions of the Internet File Transfer Protocol
server, ftpd(8).
This vulnerability is caused by a signal handling routine increasing
process privileges to root, while still continuing to catch other
signals. This introduces a race condition which may allow regular,
as well as anonymous ftp, users to access files with root privileges.
Depending on the configuration of the ftpd server, this may allow
intruders to read or write to arbitrary files on the server.
This attack requires an intruder to be able to make a network
connection to a vulnerable ftpd server.
Sites should be aware that the ftp services are often installed by
default. Sites can check whether they are allowing ftp services by
checking, for example, /etc/inetd.conf:
# grep -i '^ftp' /etc/inetd.conf
Note that on some systems the inetd configuration file may have a
different name or be in a different location. Please consult your
documentation if the configuration file is not found in
/etc/inetd.conf.
If your site is offering ftp services, you may be able to determine
the version of ftpd by checking the notice when first connecting.
The vulnerability status of specific vendor and third party ftpd
servers can be found in Section 3.
Information involving this vulnerability has been made publicly
available.
2. Impact
Regular and anonymous users may be able to access arbitrary files with
root privileges. Depending on the configuration, this may allow
anonymous, as well as regular, users to read or write to arbitrary
files on the server with root privileges.
3. Workarounds/Solution
AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately applying vendor patches if they are
available. Specific vendor information regarding this vulnerability
is given in Section 3.1.
If the ftpd supplied by your vendor is vulnerable and no patches are
available, sites may wish to install a third party ftpd which does
not contain the vulnerability described in this advisory (Section 3.2).
3.1 Vendor patches
The following vendors have provided information concerning the
vulnerability status of their ftpd distribution. Detailed information
has been appended in Appendix A. If your vendor is not listed below,
you should contact your vendor directly.
Berkeley Software Design, Inc.
Digital Equipment Corporation
Hewlett-Packard Corporation
IBM Corporation
Red Hat Software
Silicon Graphics Inc.
Sun Microsystems
The FreeBSD Project
The NetBSD Project
The OpenBSD Project
Washington University ftpd (Academ beta version)
Wietse Venema's logdaemon ftpd
3.2 Third party ftpd distributions
AUSCERT has received information that the following third party ftpd
distributions do not contain the signal handling vulnerability
described in this advisory:
wu-ftpd 2.4.2-beta-12
logdaemon 5.6 ftpd
Sites should ensure they are using the current version of this
software. Information on these distributions is contained in Appendix A.
Sites should note that these third party ftpd distributions may offer
some different functionality to vendor versions of ftpd. AUSCERT
advises sites to read the documentation provided with the above third
party ftpd distributions before installing.
..........................................................................
Appendix A
Berkeley Software Design, Inc. (BSDI)
=====================================
BSD/OS 2.1 is vulnerable to the ftpd problem described in this
advisory. Patches have been issued and may be retrieved via the
<
[email protected]> email server or from:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033
Digital Equipment Corporation
=============================
DIGITAL UNIX Versions:
3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b, 4.0c
SOLUTION:
This potential security vulnerability has been resolved and may be
obtained from your normal Digital support channel or from the following
URL.
NOTE: Previously released singular ECO patches that were
identified for this problem have been superseded in
the aggregate versions of the ECO patch kits.
ftp://ftp.service.digital.com/patches/public/dunix
(Select the appropriate version and it's aggregate patch kit).
Please refer to the applicable README notes information prior to the
installation of patch kits on your system.
- DIGITAL EQUIPMENT CORPORATION
Hewlett-Packard Corporation
===========================
AUSCERT has been informed that Hewlett-Packard has covered this in
their security bulletin HPSBUX9702-055, 19 February 1997. The security
bulletin contains pointers to the patches:
SOLUTION: Apply patch:
PHNE_10008 for all platforms with HP-UX releases 9.X
PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10
PHNE_10010 for all platforms with HP-UX releases 10.20
PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd)
AVAILABILITY: All patches are available now.
IBM Corporation
===============
See the appropriate release below to determine your action.
AIX 3.2
-------
Apply the following fix to your system:
APAR - IX65536 (PTF - U447700)
To determine if you have this PTF on your system, run the following
command:
lslpp -lB U447700
AIX 4.1
-------
Apply the following fix to your system:
APAR - IX65537
To determine if you have this PTF on your system, run the following
command:
instfix -ik IX65537
Or run the following command:
lslpp -h bos.net.tcp.client
Your version of bos.net.tcp.client should be 4.1.5.3 or later.
AIX 4.2
-------
Apply the following fix to your system:
APAR - IX65538
To determine if you have this APAR on your system, run the following
command:
instfix -ik IX65538
Or run the following command:
lslpp -h bos.net.tcp.client
Your version of bos.net.tcp.client should be 4.2.1.0 or later.
To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:
http://service.software.ibm.com/aixsupport/
or send e-mail to
[email protected] with a subject of "FixDist".
IBM and AIX are registered trademarks of International Business Machines
Corporation.
Red Hat Software
================
The signal handling code in wu-ftpd has some security problems which
allows users to read all files on your system. A new version of wu-ftpd
is now available for Red Hat 4.0 which Red Hat suggests installing on
all of your systems. This new version uses the same fix posted to
[email protected] by Savochkin Andrey Vladimirovich. Users of
Red Hat Linux versions earlier then 4.0 should upgrade to 4.0 and then
apply all available security packages.
Users whose computers have direct internet connections may apply this
update by using one of the following commands:
Intel:
rpm -Uvh
ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm
Alpha:
rpm -Uvh
ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm
SPARC:
rpm -Uvh
ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm
All of these packages have been signed with Red Hat's PGP key.
Silicon Graphics Inc.
=====================
AUSCERT has been informed that Silicon Graphics Inc. has released
patches which address the vulnerability discussed in this advisory.
AUSCERT recommends that sites apply theses patches as soon as possible.
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x yes not avail Note 1
IRIX 4.x yes not avail Note 1
IRIX 5.0.x yes not avail Note 1
IRIX 5.1.x yes not avail Note 1
IRIX 5.2 yes not avail Note 1
IRIX 5.3 yes 2292
IRIX 6.0.x yes not avail Note 1
IRIX 6.1 yes not avail Note 1
IRIX 6.2 yes 1485
IRIX 6.3 no
IRIX 6.4 no
Note 1 recommends upgrading the operating system or disabling the
ftp service.
These patches can be retrieved from:
http://www.sgi.com/Support/Secur/security.html
Silicon Graphics has also released a security bulletin containing
information on the above patches. The original release of this bulletin
can be retrieved from:
ftp://sgigate.sgi.com/security/19970801-01-PX
Sun Microsystems
================
Sun Microsystems has informed AUSCERT that the ftpd distributed with
Sun OS and Solaris is not vulnerable to this problem.
The FreeBSD Project
===================
The FreeBSD Project has informed AUSCERT that the vulnerability
described in this advisory has been fixed in FreeBSD 2.1.7, all
versions of FreeBSD 2.2 and FreeBSD-current (from January 27th, 1997).
All previous versions of FreeBSD are vulnerable.
The NetBSD Project
===================
NetBSD (all versions) have the ftpd vulnerability described in this
advisory. It has since been fixed in NetBSD-current. NetBSD have
also made patches available and they can be retrieved from:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd
The OpenBSD Project
===================
OpenBSD 2.0 did have the vulnerability described in this advisory,
but has since been fixed in OpenBSD 2.0-current (from January 5, 1997).
wu-ftpd Academ beta version
===========================
The current version of wu-ftpd (Academ beta version), wu-ftpd
2.4.2-beta-12, does not contain the vulnerability described in this
advisory. Sites using earlier versions should upgrade to the current
version immediately. At the time of writing, the current version can
be retrieved from:
ftp://ftp.academ.com/pub/wu-ftpd/private/
logdaemon Distribution
======================
The current version of Wietse Venema's logdaemon (5.6) package contains
an ftpd utility which addresses the vulnerability described in this
advisory. Sites using earlier versions of this package should
upgrade immediately. The current version of the logdaemon package
can be retrieved from:
ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/
The MD5 checksum for Version 5.6 of the logdaemon package is:
MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368
..........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson
Research) and Stan Barber (Academ Consulting Services) for their
contributions in finding solutions to this vulnerability. Thanks also to
Dr Leigh Hume (Macquarie University), CERT/CC, and DFNCERT for their
assistance in this matter. AUSCERT also thanks those vendors that provided
feedback and patch information contained in this advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email:
[email protected]
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
19 Aug, 1997 Added vendor information for Silicon Graphics Inc.
12 Aug, 1997 Updated vendor information for DIGITAL UNIX.
17 Jun, 1997 Added updated vendor information Digital Equipment
Corporation, for Hewlett-Packard Corporation, IBM
Corporation, Sun Microsystems and The FreeBSD Project.
18 Apr, 1997 Added vendor information for DIGITAL UNIX.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment:
ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM/mIWyh9+71yA2DNAQEadAQAgHH7Z00piecZALjDF7lr/F7NtLv3uVow
PKbE0T9Y1FfWGH+BTyflT912kdn6+He4jvG+oJZI0JwVGsFk6qHudhdA7pSiriwp
v4iGNFYxZP9RuNgVNE/JUka9Yj4AUgHBMJyPmh+4Z2PtmcXS0JUO2jD9/VDUbZU8
9Tp1JRjaHKw=
=J80Y
-----END PGP SIGNATURE-----
