-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-03-FTP-Buffer-Overflows

  Original issue date: February 11, 1999
  Revised Date: July 7, 1999  Added updated information for Silicon Graphics,
  Inc. (SGI).

  Topic: Remote buffer overflows in various FTP servers leads to
  potential root compromise.
  Source: Netect, Inc.

  To aid in the wide distribution of essential security information, the
  CERT Coordination Center is forwarding the following information from
  Netect, Inc. Netect, Inc. urges you to act on this information as soon
  as possible. See Appendix C for Netect, Inc. contact information.
  Please contact them if you have any questions or need further
  information.

  =======================FORWARDED TEXT STARTS HERE==========================

Netect, Inc.
General Public Security Advisory

% Advisory: palmetto.ftpd
% Issue date: February 9, 1999
% Contact: Jordan Ritter
% Revision: February 11, 1999
 % Update: Appendices A and B corrected.


[Topic]

Remote buffer overflows in various FTP servers leads to potential root
compromise.


[Affected Systems]

Any server running the latest version of ProFTPD (1.2.0pre1) or the
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]).  wu-ftpd is
installed and enabled by default on most Linux variants such as RedHat
and Slackware Linux.  ProFTPD is new software recently adopted by many
major internet companies for its improved performance and reliability.

Investigation of this vulnerability is ongoing; the below lists
software and operating systems for which Netect has definitive
information.


[Overview]

Software that implements FTP is called an "ftp server", "ftp daemon",
or "ftpd".  On most vulnerable systems, the ftpd software is enabled
and installed by default.

There is a general class of vulnerability that exists in several
popular ftp servers.  Due to insufficient bounds checking, it is
possible to subvert an ftp server by corrupting its internal stack
space.  By supplying carefully designed commands to the ftp server,
intruders can force the the server to execute arbitrary commands with
root privilege.

On most vulnerable systems, the ftpd software is installed and enabled
by default.


[Impact]

Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote ftp server with root privilege.


[Solution]

Currently there are several ways to exploit the ftp servers in
question.  One temporary workaround against an anonymous attack is to
disable any world writable directories the user may have access to by
making them read only.  This will prevent an attacker from building an
unusually large path, which is required in order to execute these
particular attacks.

The permanent solution is to install a patch from your Vendor, or
locate one provided by the Software's author or maintainer.  See
Appendices A and B for more specific information.

Netect strongly encourages immediate upgrade and/or patching where
available.

Netect provides a strong software solution for the automatic detection
and removal of security vulnerabilities.  Current HackerShield
customers can protect themselves from this vulnerability by either
visiting the Netect website and downloading the latest RapidFire(tm)
update, or by enabling automatic RapidFire(tm) updates (no user
intervention required).

Interested in protecting your network today?  Visit the Netect website
at http://www.netect.com/ and download a FREE 30 day copy of
HackerShield, complete with all the latest RapidFire(tm) updates to
safeguard your network from hackers.


[Appendix A, Software Information]

% ProFTPD

 Current version: 1.2.0pre1, released October 19, 1998.
 All versions prior to 1.2.0pre1: vulnerable.
 Fix: will be incorporated into 1.2.0pre2.

 Currently recommended action: upgrade to the new version when it
   becomes available, or apply the version 1.2.0pre1 patch found at:

 ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit2.patch

% wu-ftpd

 Current version: 2.4.2 (beta 18), unknown release date.
 All versions through 2.4.2 (beta 18): vulnerability dependant upon
   target platform, probably vulnerable either due to OS-provided
   runtime vulnerability or through use of replacement code supplied
   with the source kit.  No patches have been made available.
 Fix: unknown.

 Currently recommended action: Upgrade to wu-ftpd VR series.

 % wu-ftpd VR series

   Current version: 2.4.2 (beta 18) VR13, released January 28, 1999.
   All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
   Fix: incorporated into VR10, released November 1, 1998.

   Available from:
       ftp://ftp.vr.net/pub/wu-ftpd/
   Filenames:
       wu-ftpd-2.4.2-beta-18-vr13.tar.Z
       wu-ftpd-2.4.2-beta-18-vr13.tar.gz

% BeroFTPD [NOT vulnerable]

 Current version: 1.3.3, released February 7, 1999.
 All versions prior to 1.2.0: vulnerable.
 Fix: incorporated into 1.2.0, released October 26, 1998.

 Available from:
    ftp://ftp.croftj.net/usr/bero/BeroFTPD/
    ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/
    ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/
 Filename:
    BeroFTPD-1.3.3.tar.gz

% NcFTPd [NOT vulnerable]

 Current version: 2.4.0, released February 6, 1999.
 All versions prior to 2.3.4: unknown.

 Available from:
    http://www.ncftp.com/download/

 Notes:

   % NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug
      that results in the loss of the server's ability to log
      activity.

   % This bug cannot be exploited to gain unintended or privileged
      access to a system running the NcFTPd 2.3.4 (libc5) ftp
      server, as tested.

   % The bug was reproducible only on a libc5 Linux system.  The
      Linux glibc version of NcFTPd 2.3.4 ftp server is NOT
      vulnerable.

   % The bug does not appear to be present in version NcFTPd 2.3.5 or
      later.  Affected users may upgrade free of charge to the latest
      version.

Thanks go to Gregory Lundberg for providing the information regarding
wu-ftpd and BeroFTPD.


[Appendix B, Vendors]

% RedHat Software, Inc.

 % RedHat      Version 5.2 and previous versions ARE vulnerable.

 Updates will be available from:
     ftp://updates.redhat.com/5.2/<arch>
 Filename:
     wu-ftpd-2.4.2b18-2.1.<arch>.rpm

% Walnut Creek CDROM and Patrick Volkerding

 % Slackware   All versions ARE vulnerable.

 Updates will be available from:
     ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/
     ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/
 Filenames
     tcpip1.tgz (3.6)     [971a5f57bec8894364c1e0d358ffbfd4]
     tcpip1.tgz (current) [e1e9a9a50ad65bab1e120a7bf60f6011]

 Notes:

   % The md5 checksums are current for the above mentioned Revision
    date only.

% Caldera Systems, Inc.

 % OpenLinux   Latest version IS vulnerable

 Updates will be available from:
     ftp://ftp.calderasystems.com/pub/OpenLinux/updates/

% SCO

 % UnixWare    Version 7.0.1 and earlier (except 2.1.x) IS vulnerable.
 % OpenServer  Versions 5.0.5 and earlier IS vulnerable.
 % CMW+                  Version 3.0 is NOT vulnerable.
 % Open Desktop/Server   Version 3.0 is NOT vulnerable.

 Binary versions of ftpd will be available shortly from the SCO ftp
 site:
     ftp://ftp.sco.com/SSE/sse021.ltr - cover letter
     ftp://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries

 Notes:

  This fix is a binary for the following SCO operating systems:

     % SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)
     % SCO OpenServer 5.0.5 and earlier releases

  For the latest security bulletins and patches for SCO products,
  please refer to http://www.sco.com/security/.

% IBM Corporation

 % AIX         Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.

% Hewlett-Packard

 % HPUX        Versions 10.x and 11.x ARE NOT vulnerable.

 HP is continuing their investigation.

% Sun Microsystems, Inc.

 % SunOS       All versions ARE NOT vulnerable.
 % Solaris     All versions ARE NOT vulnerable.

% Microsoft, Inc.

 % IIS         Versions 3.0 and 4.0 ARE NOT vulnerable.

% Compaq Computer Corporation

 % Digital UNIX                V40b - V40e ARE NOT vulnerable.
 % TCP/IP(UCX) for OpenVMS     V4.1, V4.2, V5.0 ARE NOT vulnerable.

% Silicon Graphics, Inc. (SGI)

 % IRIX and Unicos

    Currently, Silicon Graphics, Inc. is investigating and no further
    information is available for public release at this time.

    As further information becomes available, additional advisories
    will be issued via the normal SGI security information distribution
    method including the wiretap mailing list.

    Silicon Graphics Security Headquarters
    http://www.sgi.com/Support/security/

% NetBSD

 % NetBSD      All versions ARE NOT vulnerable.

[Appendix C, Netect Contact Information]

Copyright (c) 1999 by Netect, Inc.

The information contained herein is the property of Netect, Inc.

The contact for this advisory is Jordan Ritter .  PGP
signed/encrypted email is preferred.

Visit http://www.netect.com/ for more information.

  ========================FORWARDED TEXT ENDS HERE============================

  CERT/CC has received the following additional information:

 Fujitsu [NOT vulnerable]

 Fujitsu's UXP/V operating system is not vulnerable.  The reason behind this
 is the ftod of UXP/V does not have static buffers to store the current
 working directory.

 Silicon Graphics, Inc. (SGI)

 IRIX and Unicos
        IRIX operating system is not vulnerable.

 Cray Unicos and Unicos MK
         Unicos and Unicos/MK is not vulnerable.
  ______________________________________________________________________

  This document is available from:
  http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html.
  ______________________________________________________________________

CERT/CC Contact Information

  Email: [email protected]
         Phone: +1 412-268-7090 (24-hour hotline)
         Fax: +1 412-268-6989
         Postal address:
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         U.S.A.

  CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
  Monday through Friday; they are on call for emergencies during other
  hours, on U.S. holidays, and on weekends.

Using encryption

  We strongly urge you to encrypt sensitive information sent by email.
  Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
  If you prefer to use DES, please call the CERT hotline for more
  information.

Getting security information

  CERT publications and other security information are available from
  our web site http://www.cert.org/.

  To be added to our mailing list for advisories and bulletins, send
  email to [email protected] and include SUBSCRIBE
  your-email-address in the subject of your message.

  * "CERT" and "CERT Coordination Center" are registered in the U.S.
  Patent and Trademark Office
  ______________________________________________________________________

  NO WARRANTY
  Any material furnished by Carnegie Mellon University and the Software
  Engineering Institute is furnished on an "as is" basis. Carnegie
  Mellon University makes no warranties of any kind, either expressed or
  implied as to any matter including, but not limited to, warranty of
  fitness for a particular purpose or merchantability, exclusivity or
  results obtained from use of the material. Carnegie Mellon University
  does not make any warranty of any kind with respect to freedom from
  patent, trademark, or copyright infringement.
  ______________________________________________________________________

Revision History

Jul 07, 1999  Added updated information for Silicon Graphics, Inc. (SGI)
Mar 16, 1999  Additional information for Fujitsu has been added

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN4PNG3VP+x0t4w7BAQFJewP/bEPlXdhzNHkqA6UaNgAOeNIVh3Cqr5bG
5OJy5lxJ7DmupGJXYZMiUBRSQCHSJAYG0Ahffp7Vl7K1gS1IBsjXlasKuBkeVatW
s7QS0dMBsK5cRRz8BY3nUd5ifnkL7kH1QclX5+X2aTcB0nXMrWaQqq+UDSAUs8Dm
XV51P0fTrco=
=iZlS
-----END PGP SIGNATURE-----