[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ftpd Vulnerabilities

Title: ftpd Vulnerabilities
Released by: CERT
Date: 14th April 1994
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





=============================================================================

CERT(*) Advisory CA-94:08

Original issue date:  April 14, 1994

Last revised:September 23,1997

                Updated Copyright Statement



Topic: ftpd Vulnerabilities

- -----------------------------------------------------------------------------



The CERT Coordination Center has received information concerning two

vulnerabilities in some ftpd implementations.  The first is a

vulnerability with the SITE EXEC command feature of the FTP daemon

(ftpd) found in versions of ftpd that support the SITE EXEC feature.

This vulnerability allows local or remote users to gain root access.

The second vulnerability involves a race condition found in the ftpd

implementations listed in Section I. below.  This vulnerability allows

local users to gain root access.



Sites using these implementations are vulnerable even if they do not

support anonymous FTP.



As these vulnerabilities are widely known, we strongly recommend that any

site running a version of ftpd listed below take steps to immediately

upgrade or disable their FTP daemon.  Also potentially at risk are

sites whose ftpd is derived from the DECWRL or wuarchive ftpd code

containing the SITE EXEC feature.



For additional information or assistance, contact the developer or

vendor of your ftpd implementation.



We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.



- -----------------------------------------------------------------------------



I.   Description



     There is a vulnerability in the SITE EXEC command feature of

     ftpd that allows any remote or local user to obtain root access.

     There is also a vulnerability due to a race condition in these

     implementations.



     Versions known to be vulnerable to these problems are:

          wuarchive ftpd versions 2.0-2.3 (version 2.2 patched the

               SITE EXEC problem, but not the race condition)

          DECWRL ftpd versions prior 5.93

          BSDI ftpd version 1.1 prior to patch 5



     The SITE EXEC vulnerability affects your ftpd only if the SITE

     EXEC command feature has been explicitly activated at your site.

     This functionality is not activated by default.  Sites that have

     not enabled the SITE EXEC feature are not at risk from this

     vulnerability.  However, since the race condition does not have

     an easily applied workaround, CERT recommends that you upgrade to

     one of the versions listed below.



II.  Impact



     Anyone (remote or local) can gain root access on a host running a

     vulnerable FTP daemon.  Support for anonymous FTP is not required

     to exploit this vulnerability.





III. Solution



     Affected sites can solve both of these problems by upgrading to

     the latest version of ftpd. These versions are listed below. Be

     certain to verify the checksum information to confirm that you

     have retrieved a valid copy.



     If you cannot install the new version in a timely manner, you

     should disable FTP service until you have corrected this problem.

     It is not sufficient to disable anonymous FTP.  You must disable

     the FTP daemon.



     For wuarchive ftpd, you can obtain version 2.4 via anonymous

     FTP from wuarchive.wustl.edu, in the "/packages/wuarchive-ftpd"

     directory.  If you are currently running version 2.3, a patch

     file is available.





                        BSD        SVR4

     File               Checksum   Checksum    MD5 Digital Signature

     -----------------  --------   ---------   --------------------------------

     wu-ftpd-2.4.tar.Z  38213  181  20337 362  cdcb237b71082fa23706429134d8c32e

     patch_2.3-2.4.Z    09291    8  51092  16  5558a04d9da7cdb1113b158aff89be8f



     For DECWRL ftpd, sites can obtain version 5.93 via anonymous FTP

     from gatekeeper.dec.com in the "/pub/misc/vixie" directory.



                        BSD        SVR4

     File               Checksum   Checksum    MD5 Digital Signature

     -----------------  --------   --------- --------------------------------

     ftpd.tar.gz        38443  60  1710 119  ae624eb607b4ee90e318b857e6573500



     For BSDI systems, patch 005 should be applied to version 1.1 of

     the BSD/386 software.  You can obtain the patch file via

     anonymous FTP from ftp.bsdi.com in the "/bsdi/patches-1.1"

     directory.



                        BSD        SVR4

     File               Checksum   Checksum    MD5 Digital Signature

     -----------------  --------   ---------   --------------------------------

     BU110-005          35337 272  54935 543   1f454d4d9d3e1397d1eff0432bd383cf



- ---------------------------------------------------------------------------

The CERT Coordination Center wishes to thank Neil Woods and Karl Strickland

for finding and reporting the wustl FTP daemon bug.  We also wish to thank

Bryan O'Connor and Chris Myers of Washington University in St. Louis,

Paul Vixie of Vixie Enterprises, and Tony Sanders of BSDI for their

invaluable assistance in resolving this problem.

- ---------------------------------------------------------------------------



If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).



If you wish to send sensitive incident or vulnerability information to

CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.

CERT can support a shared DES key, PGP (public key available via

anonymous FTP on info.cert.org), or PEM (contact CERT for details).



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

           and are on call for emergencies during other hours.



CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Past advisories, information about FIRST representatives, and other

information related to computer security are available via anonymous

FTP from info.cert.org.



- ------------------------------------------------------------------------------



Copyright 1994, 1996 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

Sep. 23, 1997   Updated Copyright statement

Aug. 30, 1996   Removed references to README files because advisories

                themselves are now updated.





-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTABVr9kb5qlZHQEQI7xACg0vUbkchqbD1pQejq1E+EfbOT7bwAoL3M

8xU0uFQWKBeeq7yaoZssk3e/

=XCpF

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.