Copy Link
Add to Bookmark
Report

CERT Advisory 148

eZine's profile picture
Published in 
CERT Advisory
 · 4 years ago

  


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.16
Original issue date: May 29, 1997
Last revised: June 9, 1997
UPDATES, Vendor Information Added by CERT/CC - added information
for Sun Microsystems, Inc.

A complete revision history is at the end of this file.

Topic: ftpd Signal Handling Vulnerability

- -----------------------------------------------------------------------------

The text of this advisory was originally released by AUSCERT as AA-97.03
ftpd Signal Handling Vulnerability on January 29, 1997, and updated on
April 18, 1997. To give this document wider distribution, we are reprinting
the updated AUSCERT advisory here with their permission. Only the contact
information at the end has changed: AUSCERT contact information has been
replaced with CERT/CC contact information.

Although the text of the AUSCERT advisory has not changed, additional
vendor information has been added immediately after the AUSCERT text.

We will update this advisory as we receive additional information.
Look for it in an "Updates" section at the end of the advisory.

=============================================================================

AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.

This vulnerability may allow regular and anonymous ftp users to read or
write to arbitrary files with root privileges.

The vulnerabilities in ftpd affect various third party and vendor versions
of ftpd. AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

This advisory will be updated as more information becomes available.

- ----------------------------------------------------------------------------

1. Description

AUSCERT has received information concerning a vulnerability in some
vendor and third party versions of the Internet File Transfer Protocol
server, ftpd(8).

This vulnerability is caused by a signal handling routine increasing
process privileges to root, while still continuing to catch other
signals. This introduces a race condition which may allow regular,
as well as anonymous ftp, users to access files with root privileges.
Depending on the configuration of the ftpd server, this may allow
intruders to read or write to arbitrary files on the server.

This attack requires an intruder to be able to make a network
connection to a vulnerable ftpd server.

Sites should be aware that the ftp services are often installed by
default. Sites can check whether they are allowing ftp services by
checking, for example, /etc/inetd.conf:

# grep -i '^ftp' /etc/inetd.conf

Note that on some systems the inetd configuration file may have a
different name or be in a different location. Please consult your
documentation if the configuration file is not found in
/etc/inetd.conf.

If your site is offering ftp services, you may be able to determine
the version of ftpd by checking the notice when first connecting.

The vulnerability status of specific vendor and third party ftpd
servers can be found in Section 3.

Information involving this vulnerability has been made publicly
available.

2. Impact

Regular and anonymous users may be able to access arbitrary files with
root privileges. Depending on the configuration, this may allow
anonymous, as well as regular, users to read or write to arbitrary
files on the server with root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites prevent the possible exploitation of
this vulnerability by immediately applying vendor patches if they are
available. Specific vendor information regarding this vulnerability
is given in Section 3.1.

If the ftpd supplied by your vendor is vulnerable and no patches are
available, sites may wish to install a third party ftpd which does
not contain the vulnerability described in this advisory (Section 3.2).

3.1 Vendor patches

The following vendors have provided information concerning the
vulnerability status of their ftpd distribution. Detailed information
has been appended in Appendix A. If your vendor is not listed below,
you should contact your vendor directly.

Berkeley Software Design, Inc.
Digital Equipment Corporation
The FreeBSD Project
Hewlett-Packard Corporation
IBM Corporation
The NetBSD Project
The OpenBSD Project
Red Hat Software

Washington University ftpd (Academ beta version)
Wietse Venema's logdaemon ftpd

3.2 Third party ftpd distributions

AUSCERT has received information that the following third party ftpd
distributions do not contain the signal handling vulnerability
described in this advisory:

wu-ftpd 2.4.2-beta-12
logdaemon 5.6 ftpd

Sites should ensure they are using the current version of this
software. Information on these distributions is contained in Appendix A.

Sites should note that these third party ftpd distributions may offer
some different functionality to vendor versions of ftpd. AUSCERT
advises sites to read the documentation provided with the above third
party ftpd distributions before installing.

...........................................................................

Appendix A

Berkeley Software Design, Inc. (BSDI)
=====================================

BSD/OS 2.1 is vulnerable to the ftpd problem described in this
advisory. Patches have been issued and may be retrieved via the
<patches@BSDI.COM> email server or from:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033


Digital Equipment Corporation
=============================

DIGITAL UNIX Versions:
3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b

SOLUTION:

This potential security vulnerability has been resolved
and an official patch kit is available for DIGITAL UNIX
V3.2g, V4.0, V4.0a, and V4.0b.

This article will be updated accordingly when patch kits
for DIGITAL UNIX V3.2c, V3.2de1, V3.2de2, V3.2f become
available.

The currently available patches may be obtained from your
normal Digital support channel or from the following URL.
(Select the appropriate version to locate this patch kit)

ftp://ftp.service.digital.com/patches/public/dunix

VERSION KIT ID SIZE CHECK SUM
------- ---------------- ------ --------------
v3.2g SSRT0448U_v32g.tar 296960 32064 290
v4.0 SSRT0448U_v40.tar 542720 07434 530
v4.0a SSRT0448U_v40a.tar 542720 43691 530
v4.0b SSRT0448U_v40b.tar 471040 45701 460


Please refer to the applicable README notes information
prior to the installation of patch kits on your system.

Note: The appropriate patch kit must be reinstalled
following any upgrade beginning with V3.2c
up to and including V4.0b.


The FreeBSD Project
===================

The FreeBSD Project has informed AUSCERT that the vulnerability
described in this advisory has been fixed in FreeBSD-current (from
January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
release. All previous versions of FreeBSD are vulnerable.


Hewlett-Packard Corporation
===========================

Hewlett-Packard has informed AUSCERT that the ftpd distributed with
HP-UX 9.x and 10.x are vulnerable to this problem. Patches are
currently in process.


IBM Corporation
===============

The version of ftpd shipped with AIX is vulnerable to the conditions
described in the advisory. The following APARs will be available
shortly:

AIX 3.2: APAR IX65536
AIX 4.1: APAR IX65537
AIX 4.2: APAR IX65538

To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


The NetBSD Project
===================

NetBSD (all versions) have the ftpd vulnerability described in this
advisory. It has since been fixed in NetBSD-current. NetBSD have
also made patches available and they can be retrieved from:

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd


The OpenBSD Project
===================

OpenBSD 2.0 did have the vulnerability described in this advisory,
but has since been fixed in OpenBSD 2.0-current (from January 5, 1997).


Red Hat Software
================

The signal handling code in wu-ftpd has some security problems which
allows users to read all files on your system. A new version of wu-ftpd
is now available for Red Hat 4.0 which Red Hat suggests installing on
all of your systems. This new version uses the same fix posted to
redhat-list@redhat.com by Savochkin Andrey Vladimirovich. Users of
Red Hat Linux versions earlier then 4.0 should upgrade to 4.0 and then
apply all available security packages.

Users whose computers have direct internet connections may apply
this update by using one of the following commands:

Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm

SPARC:
rpm -Uvhftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm

All of these packages have been signed with Red Hat's PGP key.


wu-ftpd Academ beta version
===========================

The current version of wu-ftpd (Academ beta version), wu-ftpd
2.4.2-beta-12, does not contain the vulnerability described in this
advisory. Sites using earlier versions should upgrade to the current
version immediately. At the time of writing, the current version can
be retrieved from:

ftp://ftp.academ.com/pub/wu-ftpd/private/


logdaemon Distribution
======================

The current version of Wietse Venema's logdaemon (5.6) package contains
an ftpd utility which addresses the vulnerability described in this
advisory. Sites using earlier versions of this package should
upgrade immediately. The current version of the logdaemon package
can be retrieved from:

ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/

The MD5 checksum for Version 5.6 of the logdaemon package is:

MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368

...........................................................................

- ----------------------------------------------------------------------------
AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson
Research) and Stan Barber (Academ Consulting Services) for their
contributions in finding solutions to this vulnerability. Thanks also to
Dr Leigh Hume (Macquarie University), CERT/CC, and DFNCERT for their
assistance in this matter. AUSCERT also thanks those vendors that provided
feedback and patch information contained in this advisory.
- ----------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
18 Apr, 1997 Added vendor information for DIGITAL UNIX.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- -----------------------------------------------------------------------------
UPDATES
Vendor Information Added by CERT/CC


Digital Equipment Corporation
=============================

Revision History
18 Apr, 1997 Added vendor information for DIGITAL UNIX.
21 May, 1997 (to include availibility of V3.2c solution)

DIGITAL UNIX Versions:
3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b

SOLUTION:

This potential security vulnerability has been resolved
and an official patch kit is available for DIGITAL UNIX
V3.2c, V3.2g, V4.0, V4.0a, and V4.0b.

This article will be updated accordingly when patch kits
for DIGITAL UNIX V3.2de1, V3.2de2, V3.2f become
available.

The currently available patches may be obtained from your
normal Digital support channel. Assigned case ID SSRT0448U.


Please refer to the applicable README notes information
prior to the installation of patch kits on your system.

Note: The appropriate patch kit must be reinstalled
following any upgrade beginning with V3.2c
up to and including V4.0b.

- DIGITAL EQUIPMENT CORPORATION


Hewlett-Packard Corporation
===========================

HP has covered this in our security bulletin HPSBUX9702-055,
19 February 1997. The Security Bulletin contains pointers to the patches:


----
SOLUTION: Apply patch:
PHNE_10008 for all platforms with HP-UX releases 9.X
PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10
PHNE_10010 for all platforms with HP-UX releases 10.20
PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd)


AVAILABILITY: All patches are available now.
----


IBM Corporation
===============

See the appropriate release below to determine your action.


AIX 3.2
-------
Apply the following fix to your system:

APAR - IX65536 (PTF - U447700)

To determine if you have this PTF on your system, run the following
command:

lslpp -lB U447700


AIX 4.1
-------
Apply the following fix to your system:

APAR - IX65537

To determine if you have this APAR on your system, run the following
command:

instfix -ik IX65537

Or run the following command:

lslpp -h bos.net.tcp.client

Your version of bos.net.tcp.client should be 4.1.5.3 or later.


AIX 4.2
-------
Apply the following fix to your system:

APAR - IX65538

To determine if you have this APAR on your system, run the following
command:

instfix -ik IX65538

Or run the following command:

lslpp -h bos.net.tcp.client

Your version of bos.net.tcp.client should be 4.2.1.0 or later.


To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


Sun Microsystems, Inc.
======================

Not vulnerable.


- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

- ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.16.ftpd
http://www.cert.org
click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

June 3, 1997 Minor editorial formatting change.

June 9, 1997 UPDATES, Vendor Information Added by CERT/CC - added
information for Sun Microsystems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM5xfwnVP+x0t4w7BAQEN/AQAlmEAesQzkyZbnEL7pgFvo5TLLETrrxI5
hbqiOHnM6HWfXXesDSSGmYne0m4uqfGjnrAYCYKUgFxOShYc5dKRiC/q+7mOZRH3
4Y/v+jYqROCmEh41rnc9Rn503QiJpBKW0EYLJNDJFEh5pfTqIINuBxQxYgNEMKUr
SkVFaTIcVfE=
=DI+w
-----END PGP SIGNATURE-----

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT