166 lines
7.0 KiB
Plaintext
166 lines
7.0 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
CERT(sm) Advisory CA-94:08
|
|
Original issue date: April 14, 1994
|
|
Last revised: August 30, 1996
|
|
Removed references to README files.
|
|
|
|
A complete revision history is at the end of this file.
|
|
|
|
Topic: ftpd Vulnerabilities
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The CERT Coordination Center has received information concerning two
|
|
vulnerabilities in some ftpd implementations. The first is a
|
|
vulnerability with the SITE EXEC command feature of the FTP daemon
|
|
(ftpd) found in versions of ftpd that support the SITE EXEC feature.
|
|
This vulnerability allows local or remote users to gain root access.
|
|
The second vulnerability involves a race condition found in the ftpd
|
|
implementations listed in Section I. below. This vulnerability allows
|
|
local users to gain root access.
|
|
|
|
Sites using these implementations are vulnerable even if they do not
|
|
support anonymous FTP.
|
|
|
|
As these vulnerabilities are widely known, we strongly recommend that any
|
|
site running a version of ftpd listed below take steps to immediately
|
|
upgrade or disable their FTP daemon. Also potentially at risk are
|
|
sites whose ftpd is derived from the DECWRL or wuarchive ftpd code
|
|
containing the SITE EXEC feature.
|
|
|
|
For additional information or assistance, contact the developer or
|
|
vendor of your ftpd implementation.
|
|
|
|
We will update this advisory as we receive additional information.
|
|
Please check advisory files regularly for updates that relate to your site.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
There is a vulnerability in the SITE EXEC command feature of
|
|
ftpd that allows any remote or local user to obtain root access.
|
|
There is also a vulnerability due to a race condition in these
|
|
implementations.
|
|
|
|
Versions known to be vulnerable to these problems are:
|
|
wuarchive ftpd versions 2.0-2.3 (version 2.2 patched the
|
|
SITE EXEC problem, but not the race condition)
|
|
DECWRL ftpd versions prior 5.93
|
|
BSDI ftpd version 1.1 prior to patch 5
|
|
|
|
The SITE EXEC vulnerability affects your ftpd only if the SITE
|
|
EXEC command feature has been explicitly activated at your site.
|
|
This functionality is not activated by default. Sites that have
|
|
not enabled the SITE EXEC feature are not at risk from this
|
|
vulnerability. However, since the race condition does not have
|
|
an easily applied workaround, CERT recommends that you upgrade to
|
|
one of the versions listed below.
|
|
|
|
II. Impact
|
|
|
|
Anyone (remote or local) can gain root access on a host running a
|
|
vulnerable FTP daemon. Support for anonymous FTP is not required
|
|
to exploit this vulnerability.
|
|
|
|
|
|
III. Solution
|
|
|
|
Affected sites can solve both of these problems by upgrading to
|
|
the latest version of ftpd. These versions are listed below. Be
|
|
certain to verify the checksum information to confirm that you
|
|
have retrieved a valid copy.
|
|
|
|
If you cannot install the new version in a timely manner, you
|
|
should disable FTP service until you have corrected this problem.
|
|
It is not sufficient to disable anonymous FTP. You must disable
|
|
the FTP daemon.
|
|
|
|
For wuarchive ftpd, you can obtain version 2.4 via anonymous
|
|
FTP from wuarchive.wustl.edu, in the "/packages/wuarchive-ftpd"
|
|
directory. If you are currently running version 2.3, a patch
|
|
file is available.
|
|
|
|
|
|
BSD SVR4
|
|
File Checksum Checksum MD5 Digital Signature
|
|
----------------- -------- --------- --------------------------------
|
|
wu-ftpd-2.4.tar.Z 38213 181 20337 362 cdcb237b71082fa23706429134d8c32e
|
|
patch_2.3-2.4.Z 09291 8 51092 16 5558a04d9da7cdb1113b158aff89be8f
|
|
|
|
For DECWRL ftpd, sites can obtain version 5.93 via anonymous FTP
|
|
from gatekeeper.dec.com in the "/pub/misc/vixie" directory.
|
|
|
|
BSD SVR4
|
|
File Checksum Checksum MD5 Digital Signature
|
|
----------------- -------- --------- --------------------------------
|
|
ftpd.tar.gz 38443 60 1710 119 ae624eb607b4ee90e318b857e6573500
|
|
|
|
For BSDI systems, patch 005 should be applied to version 1.1 of
|
|
the BSD/386 software. You can obtain the patch file via
|
|
anonymous FTP from ftp.bsdi.com in the "/bsdi/patches-1.1"
|
|
directory.
|
|
|
|
BSD SVR4
|
|
File Checksum Checksum MD5 Digital Signature
|
|
----------------- -------- --------- --------------------------------
|
|
BU110-005 35337 272 54935 543 1f454d4d9d3e1397d1eff0432bd383cf
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Neil Woods and Karl Strickland
|
|
for finding and reporting the wustl FTP daemon bug. We also wish to thank
|
|
Bryan O'Connor and Chris Myers of Washington University in St. Louis,
|
|
Paul Vixie of Vixie Enterprises, and Tony Sanders of BSDI for their
|
|
invaluable assistance in resolving this problem.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in the Forum of Incident
|
|
Response and Security Teams (FIRST).
|
|
|
|
If you wish to send sensitive incident or vulnerability information to
|
|
CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.
|
|
CERT can support a shared DES key, PGP (public key available via
|
|
anonymous FTP on info.cert.org), or PEM (contact CERT for details).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
and are on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available via anonymous
|
|
FTP from info.cert.org.
|
|
|
|
Copyright 1994, 1996 Carnegie Mellon University
|
|
This material may be reproduced and distributed without permission provided
|
|
it is used for noncommercial purposes and the copyright statement is
|
|
included.
|
|
|
|
CERT is a service mark of Carnegie Mellon University.
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Revision history
|
|
|
|
Aug. 30, 1996 Removed references to README files because advisories
|
|
themselves are now updated.
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMiSVF3VP+x0t4w7BAQEGBwQA0sdzRoD/BiQswWHbBSVNS+4frJCV/gqh
|
|
HdYIXEc2daaTpDhgBks76nBNwhsT9vh6nk2cblcSu0yLOM+9nyDjk2IF3+QT4346
|
|
T3quUaEk1gyXxrNjt/m9yyuS7X/BGksoklFpa8DwJkZNIQmRe5qif4erCBjYin+I
|
|
mqEPWTUWUA4=
|
|
=Xul6
|
|
-----END PGP SIGNATURE-----
|
|
|