=============================================================================
SA-94.01                        SERT Advisory
                                18-Apr-1994
                          ftpd configuration advice
-----------------------------------------------------------------------------

   The Security Emergency Response Team has received information that
   certain configurations for the Washington University ftpd may leave
   the system open to compromise.  This vulnerability may also exist for
   other versions of ftp.

1.  Description

   . The vulnerability is not enabled by default.
   . The default configuration must be changed to cause the vulnerability.
   . You must explicitly enable the SITE EXEC facility with the modified
     configuration to cause the vulnerability.
   . The vulnerability may exist even if you do not offer anonymous ftp
     services.
   . The potential for the vulnerability is platform independent.
   . Although this Advisory mentions the wu-ftpd specifically, the
     vulnerability may also be present in similar form in other versions of
     ftp.

   If you enable the SITE EXEC commands and allow files from ~ftp/bin,
   ~ftp/usr/bin, ~ftp/sbin, or similar directory configurations to be
   executed, then you may have the vulnerability.  If the pathname for
   SITE EXEC commands relative to ~ftp is a directory that contains system
   commands or includes a shell (e.g., ~ftp/bin -> /bin), then it is
   possible for local users to gain root access.  The exact directory
   configurations that cause the vulnerability are dependent on the
   platform and local configuration.

   The rest of this Advisory is specifically targeted at the Washington
   University archive ftp daemon configuration (wu-ftpd), although the
   vulnerability may exist in other versions of ftp which use similar
   configurations for the SITE EXEC facility.

   In the configuration file src/pathnames.h, if you have modified the
   _PATH_EXECPATH definition from its default setting of "/bin/ftp-exec"
   to point to "/bin" or any other system directory containing executable
   images, then you may have the vulnerability.  The documentation states
   that this directory is relative to ~ftp.  This is misleading. The
   pathname is relative to ~ftp for anonymous users only, and is relative
   to "/" for normal user sessions.  Some ftp service administrators
   change their configuration to "/bin" to allow commands such as
   "/bin/ls" to be executed.

   For this example we assume that _PATH_EXECPATH has been changed to
   point to "/bin" on a SunOS 4.x system.  To test your configuration to
   see if you are vulnerable, you can execute the following commands:

   srchost> ftp ftphost
   Connected to ftphost
   220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 GMT+1000 1994) ready.
   Name (srchost:user):
   331 Password required for user.
   Password:
   230 User user logged in.
   ftp> quote site exec echo problem
   200-echo problem
   200-problem
   200  (end of 'echo problem')
   ftp> quit
   221 Goodbye.
   srchost>

   If you receive the line "200-problem", then your site is vulnerable.
   Note that this does not work for anonymous ftp access.

   If you have the vulnerability and you are unsure how to rectify it
   immediately, you should disable your ftp daemon until the configuration
   can be corrected.

2.  Impact

   Anyone who has a local account on the system offering ftp services with
   the vulnerable configuration may gain root access.  Support for
   anonymous ftp access is not required to exploit this vulnerability.

3.  Solution

   Ensure that you do not allow files stored in standard system
   directories to be executed by the SITE EXEC command.

   If you wish to enable the SITE EXEC facility, then you should create a
   configuration similar to the following:
   a) Ensure that the _PATH_EXECPATH definition in pathnames.h is
      "/bin/ftp-exec" and not "/bin" or any other system directory
      containing a shell
   b) Create ~ftp/bin/ftp-exec
   c) Copy the statically linked binaries that you want available for
      execution by SITE EXEC into the ~ftp/bin/ftp-exec directory
   d) If you want the DIR ftp command, you will need a hard link from
      ~ftp/bin/ls to ~ftp/bin/ftp-exec/ls or a copy of ls in ~ftp/bin

   Steps a) to d) enable SITE EXEC commands for anonymous users only.

   e) If you want SITE EXEC facilities to be available to normal ftp
      users, create a symbolic link from /bin/ftp-exec to
      ~ftp/bin/ftp-exec

   You should follow file ownership, group membership and permissions
   strictly according to your documentation.

   SERT recommends that you stay with the default configuration of wu-ftpd
   for the SITE EXEC facility.  The INSTALL documentation indicates (by
   **) that the _PATH_EXECPATH is relative to ~ftp.  This is misleading
   and only correct for anonymous ftp access.  The path is relative to "/"
   for normal user access.

----------------------------------------------------------------------------
The SERT team wishes to thank Jeff Aitken of Virginia Tech and Rob McMillan
from Griffith University for their advice and cooperation in this matter.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: [email protected]
Facsimile:      (07) 365 4477
SERT Hotline:   (07) 365 4417
               SERT personnel answer during business hours (AEST - GMT+10:00).
               (On call after hours for emergencies).

Security Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld.  4072.
Australia.