Title: Remote buffer overflows in various FTP servers leads to potential root compromise
Released by: CERT
Date: 11th February 1999

CERT Advisory CA-99-03-FTP-Buffer-Overflows

   Original issue date: February 11, 1999
   Revised Date: July 7, 1999  Added updated information for Silicon Graphics,
   Inc. (SGI).

   Topic: Remote buffer overflows in various FTP servers lead to
   potential root compromise.
   Source: Netect, Inc.

   To aid in the wide distribution of essential security information, the
   CERT Coordination Center is forwarding the following information from
   Netect, Inc. Netect, Inc. urges you to act on this information as soon
   as possible. See Appendix C for Netect, Inc. contact information.
   Please contact them if you have any questions or need further
   information.

   =======================FORWARDED TEXT STARTS HERE==========================



Netect, Inc.
General Public Security Advisory

% Advisory: palmetto.ftpd
% Issue date: February 9, 1999
% Contact: Jordan Ritter
% Revision: February 11, 1999
  % Update: Appendices A and B corrected.





[Topic]

Remote buffer overflows in various FTP servers lead to potential root
compromise.

[Affected Systems]

Any server running the latest version of ProFTPD (1.2.0pre1) or the
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]).  wu-ftpd is
installed and enabled by default on most Linux variants such as RedHat
and Slackware Linux.  ProFTPD is new software recently adopted by many
major internet companies for its improved performance and reliability.

Investigation of this vulnerability is ongoing; the appendices below list
the software and operating systems for which Netect has definitive
information.





[Overview]

Software that implements FTP is called an "ftp server", "ftp daemon",
or "ftpd".  On most vulnerable systems, the ftpd software is enabled
and installed by default.

There is a general class of vulnerability that exists in several
popular ftp servers.  Due to insufficient bounds checking, it is
possible to subvert an ftp server by corrupting its internal stack
space.  By supplying carefully designed commands to the ftp server,
intruders can force the server to execute arbitrary commands with
root privilege.

On most vulnerable systems, the ftpd software is installed and enabled
by default.





[Impact]

Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote ftp server with root privilege.

[Solution]

Currently there are several ways to exploit the ftp servers in
question.  One temporary workaround against an anonymous attack is to
disable any world writable directories the user may have access to by
making them read only.  This will prevent an attacker from building an
unusually large path, which is required in order to execute these
particular attacks.
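The bounds check the Overview says is missing, and the reason the workaround above helps, as an added example in C that is not code from the advisory or from any of the ftp servers it names: a fixed-size current-directory buffer is updated one path component at a time, the unchecked form overruns it, and the checked form refuses a directory change that would not fit, so nesting directories in a writable area cannot push the path past the buffer. The buffer size, the "/pub" starting point and the directory names are assumptions constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size current-working-directory buffer, like the static cwd
 * buffers the advisory discusses. The size is an assumption for the
 * example, not a value taken from any real ftpd. */
#define CWD_MAX 64

/* The pattern the advisory describes: the next path component is appended
 * with no check against the buffer size, so a sufficiently nested path
 * overruns 'cwd' and corrupts whatever lies behind it. Not called below. */
void cwd_append_unchecked(char cwd[CWD_MAX], const char *component)
{
    strcat(cwd, "/");
    strcat(cwd, component);   /* no bounds check */
}

/* Hardened form: compute the resulting length first and refuse the
 * directory change if it would not fit, leaving 'cwd' untouched. */
int cwd_append_checked(char cwd[CWD_MAX], const char *component)
{
    size_t cur = strlen(cwd);
    size_t add = strlen(component);
    if (add == 0 || strchr(component, '/') != NULL)
        return -EINVAL;                         /* one component at a time */
    if (cur + 1 + add + 1 > CWD_MAX)            /* "/" + component + NUL */
        return -ENAMETOOLONG;                   /* reject before writing */
    cwd[cur] = '/';
    memcpy(cwd + cur + 1, component, add + 1);  /* copies the NUL too */
    return 0;
}

/* Simulate an anonymous user descending 'depth' levels into nested
 * directories named "aaaaaaaa" (constructed names), the kind of tree a
 * world-writable area lets a user create. Returns the depth at which the
 * checked version refused, or 0 if every level fit. */
int nested_cd_until_refused(int depth)
{
    char cwd[CWD_MAX] = "/pub";
    for (int i = 1; i <= depth; i++)
        if (cwd_append_checked(cwd, "aaaaaaaa") != 0)
            return i;
    return 0;
}

int main(void)
{
    printf("refused at depth %d\n", nested_cd_until_refused(100));  /* 7 */
    return 0;
}
```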

The permanent solution is to install a patch from your Vendor, or
locate one provided by the Software's author or maintainer.  See
Appendices A and B for more specific information.

Netect strongly encourages immediate upgrade and/or patching where
available.

Netect provides a strong software solution for the automatic detection
and removal of security vulnerabilities.  Current HackerShield
customers can protect themselves from this vulnerability by either
visiting the Netect website and downloading the latest RapidFire(tm)
update, or by enabling automatic RapidFire(tm) updates (no user
intervention required).

Interested in protecting your network today?  Visit the Netect website
at http://www.netect.com/ and download a FREE 30 day copy of
HackerShield, complete with all the latest RapidFire(tm) updates to
safeguard your network from hackers.





[Appendix A, Software Information]

% ProFTPD

  Current version: 1.2.0pre1, released October 19, 1998.
  All versions prior to 1.2.0pre1: vulnerable.
  Fix: will be incorporated into 1.2.0pre2.

  Currently recommended action: upgrade to the new version when it
    becomes available, or apply the version 1.2.0pre1 patch found at:

  http://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit2.patch

% wu-ftpd

  Current version: 2.4.2 (beta 18), unknown release date.
  All versions through 2.4.2 (beta 18): vulnerability dependent upon
    target platform, probably vulnerable either due to OS-provided
    runtime vulnerability or through use of replacement code supplied
    with the source kit.  No patches have been made available.
  Fix: unknown.

  Currently recommended action: Upgrade to wu-ftpd VR series.

  % wu-ftpd VR series

    Current version: 2.4.2 (beta 18) VR13, released January 28, 1999.
    All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
    Fix: incorporated into VR10, released November 1, 1998.

    Available from:
        http://ftp.vr.net/pub/wu-ftpd/
    Filenames:
        wu-ftpd-2.4.2-beta-18-vr13.tar.Z
        wu-ftpd-2.4.2-beta-18-vr13.tar.gz

% BeroFTPD [NOT vulnerable]

  Current version: 1.3.3, released February 7, 1999.
  All versions prior to 1.2.0: vulnerable.
  Fix: incorporated into 1.2.0, released October 26, 1998.

  Available from:
     http://ftp.croftj.net/usr/bero/BeroFTPD/
     http://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/
     http://sunsite.cnlab-switch.ch/mirror/BeroFTPD/
  Filename:
     BeroFTPD-1.3.3.tar.gz

% NcFTPd [NOT vulnerable]

  Current version: 2.4.0, released February 6, 1999.
  All versions prior to 2.3.4: unknown.

  Available from:
     http://www.ncftp.com/download/

  Notes:

    % NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug
       that results in the loss of the server's ability to log
       activity.

    % This bug cannot be exploited to gain unintended or privileged
       access to a system running the NcFTPd 2.3.4 (libc5) ftp
       server, as tested.

    % The bug was reproducible only on a libc5 Linux system.  The
       Linux glibc version of NcFTPd 2.3.4 ftp server is NOT
       vulnerable.

    % The bug does not appear to be present in version NcFTPd 2.3.5 or
       later.  Affected users may upgrade free of charge to the latest
       version.

Thanks go to Gregory Lundberg for providing the information regarding
wu-ftpd and BeroFTPD.





[Appendix B, Vendors]

% RedHat Software, Inc.

  % RedHat      Version 5.2 and previous versions ARE vulnerable.

  Updates will be available from:
      http://updates.redhat.com/5.2/
  Filename:
      wu-ftpd-2.4.2b18-2.1..rpm

% Walnut Creek CDROM and Patrick Volkerding

  % Slackware   All versions ARE vulnerable.

  Updates will be available from:
      http://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/
      http://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/
  Filenames:
      tcpip1.tgz (3.6)     [971a5f57bec8894364c1e0d358ffbfd4]
      tcpip1.tgz (current) [e1e9a9a50ad65bab1e120a7bf60f6011]

  Notes:

    % The md5 checksums are current for the above mentioned Revision
      date only.

% Caldera Systems, Inc.

  % OpenLinux   Latest version IS vulnerable.

  Updates will be available from:
      http://ftp.calderasystems.com/pub/OpenLinux/updates/

% SCO

  % UnixWare    Version 7.0.1 and earlier (except 2.1.x) ARE vulnerable.
  % OpenServer  Versions 5.0.5 and earlier ARE vulnerable.
  % CMW+                  Version 3.0 is NOT vulnerable.
  % Open Desktop/Server   Version 3.0 is NOT vulnerable.

  Binary versions of ftpd will be available shortly from the SCO ftp
  site:
      http://ftp.sco.com/SSE/sse021.ltr - cover letter
      http://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries

  Notes:

   This fix is a binary for the following SCO operating systems:

      % SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)
      % SCO OpenServer 5.0.5 and earlier releases

   For the latest security bulletins and patches for SCO products,
   please refer to http://www.sco.com/security/.

% IBM Corporation

  % AIX         Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.

% Hewlett-Packard

  % HPUX        Versions 10.x and 11.x ARE NOT vulnerable.

  HP is continuing their investigation.

% Sun Microsystems, Inc.

  % SunOS       All versions ARE NOT vulnerable.
  % Solaris     All versions ARE NOT vulnerable.

% Microsoft, Inc.

  % IIS         Versions 3.0 and 4.0 ARE NOT vulnerable.

% Compaq Computer Corporation

  % Digital UNIX                V40b - V40e ARE NOT vulnerable.
  % TCP/IP(UCX) for OpenVMS     V4.1, V4.2, V5.0 ARE NOT vulnerable.

% Silicon Graphics, Inc. (SGI)

  % IRIX and Unicos

     Currently, Silicon Graphics, Inc. is investigating and no further
     information is available for public release at this time.

     As further information becomes available, additional advisories
     will be issued via the normal SGI security information distribution
     method including the wiretap mailing list.

     Silicon Graphics Security Headquarters
     http://www.sgi.com/Support/security/

% NetBSD

  % NetBSD      All versions ARE NOT vulnerable.



[Appendix C, Netect Contact Information]

Copyright (c) 1999 by Netect, Inc.

The information contained herein is the property of Netect, Inc.

The contact for this advisory is Jordan Ritter.  PGP
signed/encrypted email is preferred.

Visit http://www.netect.com/ for more information.

   ========================FORWARDED TEXT ENDS HERE============================

   CERT/CC has received the following additional information:

  Fujitsu [NOT vulnerable]

  Fujitsu's UXP/V operating system is not vulnerable.  The reason behind this
  is that the ftpd of UXP/V does not have static buffers to store the current
  working directory.

  Silicon Graphics, Inc. (SGI)

  IRIX and Unicos
         The IRIX operating system is not vulnerable.

  Cray Unicos and Unicos MK
          Unicos and Unicos/MK are not vulnerable.

   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html.
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site http://www.cert.org/.

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

Revision History

Jul 07, 1999  Added updated information for Silicon Graphics, Inc. (SGI)
Mar 16, 1999  Additional information for Fujitsu has been added
