**************************************************************************
Security Bulletin 9711 DISA Defense Communications System
June 2, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL) 1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Automated !
! Systems Security Incident Support Team (ASSIST) and is being !
! relayed unedited via the Defense Information Systems Agency's !
! Security Coordination Center distribution system as a means !
! of providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_____
___ ___ _____ ___ _____ | /
/\ / \ / \ | / \ | | / Integritas
/ \ \___ \___ | \___ | | < et
/____\ \ \ | \ | | \ Celeritas
/ \ \___/ \___/ __|__ \___/ | |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Release date: 29 May 1997
PLATFORM: Varied. See list of affected platforms below
IMPACT: An intruder can exploit a vulnerable version of ftpd to access
arbitrary files on the server with root privileges. This could be
exploited to gain root level access to the server.
SOLUTIONS: ASSIST recommends that you immediately apply vendor patches if
available. If your vendor's ftpd is vulnerable and the vendor has not yet
released a patch, sites may wish to install a third party ftpd which does
not contain the vulnerability. ASSIST has made available wu-ftpd
2.4.2-beta-13 (which fixes a few bugs in beta-12) on its ftp server:
ftp://ftp.assist.mil/pub/tools/wu-ftp/wu-ftpd-2.4.2-beta-13.tar.Z
[ Beginning of CERT Bulletin ]
=============================================================================
-----------------------------------------------------------------------------
The text of this advisory was originally released by AUSCERT as AA-97.03 ftpd Signal Handling Vulnerability on January 29, 1997, and updated on April 18, 1997. To give this document wider distribution, we are reprinting the updated AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information.
Although the text of the AUSCERT advisory has not changed, additional vendor information has been added immediately after the AUSCERT text.
We will update this advisory as we receive additional information.
Look for it in an "Updates" section at the end of the advisory.
=============================================================================
AUSCERT has received information that there is a vulnerability in some versions of ftpd distributed and installed under various Unix platforms.
This vulnerability may allow regular and anonymous ftp users to read or write to arbitrary files with root privileges.
The vulnerabilities in ftpd affect various third party and vendor versions of ftpd. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible.
This advisory will be updated as more information becomes available.
----------------------------------------------------------------------------
1.  Description

AUSCERT has received information concerning a vulnerability in some vendor and third party versions of the Internet File Transfer Protocol server, ftpd(8).

This vulnerability is caused by a signal handling routine raising the process's privileges to root while other signals remain catchable. A second signal arriving inside that privileged window is handled with root privileges, which creates a race condition that may allow regular, as well as anonymous ftp, users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write arbitrary files on the server.
Sites should be aware that the ftp services are often installed by default. Sites can check whether they are allowing ftp services by checking, for example, /etc/inetd.conf:
# grep -i '^ftp' /etc/inetd.conf
Note that on some systems the inetd configuration file may have a different name or be in a different location. Please consult your documentation if the configuration file is not found in /etc/inetd.conf.
If your site is offering ftp services, you may be able to determine the version of ftpd from the greeting banner (the 220 response) shown when first connecting.
The vulnerability status of specific vendor and third party ftpd servers can be found in Section 3.
Information involving this vulnerability has been made publicly available.
2.  Impact

Regular and anonymous users may be able to access arbitrary files with root privileges. Depending on the configuration, this may allow anonymous, as well as regular, users to read or write arbitrary files on the server with root privileges.
3.  Workarounds/Solution

AUSCERT recommends that sites prevent the possible exploitation of this vulnerability by immediately applying vendor patches if they are available. Specific vendor information regarding this vulnerability is given in Section 3.1.

If the ftpd supplied by your vendor is vulnerable and no patches are available, sites may wish to install a third party ftpd which does not contain the vulnerability described in this advisory (Section 3.2).
3.1  Vendor patches

The following vendors have provided information concerning the vulnerability status of their ftpd distribution. Detailed information has been appended in Appendix A. If your vendor is not listed below, you should contact your vendor directly.

    Berkeley Software Design, Inc. (BSDI)
    DIGITAL UNIX
    The FreeBSD Project
    Hewlett-Packard
    IBM
    NetBSD
    OpenBSD
    Red Hat
3.2  Third party ftpd distributions

AUSCERT has received information that the following third party ftpd distributions do not contain the signal handling vulnerability described in this advisory:

    wu-ftpd (Academ beta version), 2.4.2-beta-12
    logdaemon (Wietse Venema), 5.6

Sites should ensure they are using the current version of this software. Information on these distributions is contained in Appendix A.

Sites should note that these third party ftpd distributions may offer different functionality from vendor versions of ftpd. AUSCERT advises sites to read the documentation provided with the above third party ftpd distributions before installing.
...........................................................................
Appendix A:  Vendor and third party information
...........................................................................
Berkeley Software Design, Inc. (BSDI)
=====================================
BSD/OS 2.1 is vulnerable to the ftpd problem described in this advisory. Patches have been issued and may be retrieved via the <patches@BSDI.COM> email server or from:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033
DIGITAL UNIX
============
DIGITAL UNIX Versions: 3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b

Patch kits for the versions listed below are available from:

ftp://ftp.service.digital.com/patches/public/dunix

   VERSION   KIT ID                SIZE     CHECK SUM (sum(1))
   -------   ----------------      ------   ------------------
   v3.2g     SSRT0448U_v32g.tar    296960   32064  290
   v4.0      SSRT0448U_v40.tar     542720   07434  530
   v4.0a     SSRT0448U_v40a.tar    542720   43691  530
   v4.0b     SSRT0448U_v40b.tar    471040   45701  460

This article will be updated accordingly when patch kits for DIGITAL UNIX V3.2c, V3.2de1, V3.2de2 and V3.2f become available.

Note: The appropriate patch kit must be reinstalled
The FreeBSD Project
===================
The FreeBSD Project has informed AUSCERT that the vulnerability described in this advisory has been fixed in FreeBSD-current (from January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2 release. All previous versions of FreeBSD are vulnerable.
Hewlett-Packard
===============
Hewlett-Packard has informed AUSCERT that the ftpd distributed with HP-UX 9.x and 10.x is vulnerable to this problem. Patches are currently in process.
IBM
===
The version of ftpd shipped with AIX is vulnerable to the conditions described in the advisory. The following APARs will be available shortly (the fix identifiers and the commands to verify them are given in the IBM entry of the Updates section):

APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

IBM and AIX are registered trademarks of International Business Machines Corporation.
NetBSD
======
NetBSD (all versions) has the ftpd vulnerability described in this advisory. It has since been fixed in NetBSD-current. NetBSD has also made patches available and they can be retrieved from:

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd
OpenBSD
=======
OpenBSD 2.0 did have the vulnerability described in this advisory, but it has since been fixed in OpenBSD 2.0-current (from January 5, 1997).
Red Hat
=======
The signal handling code in wu-ftpd has some security problems which allow users to read all files on your system. A new version of wu-ftpd is now available for Red Hat 4.0 which Red Hat suggests installing on all of your systems. This new version uses the same fix posted to redhat-list@redhat.com by Savochkin Andrey Vladimirovich. Users of Red Hat Linux versions earlier than 4.0 should upgrade to 4.0 and then apply all available security packages.

Users whose computers have direct internet connections may apply this update by using one of the following commands:

Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm

Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm

Sparc:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm

All of these packages have been signed with Red Hat's PGP key.
wu-ftpd Academ beta version
===========================
The current version of wu-ftpd (Academ beta version), wu-ftpd 2.4.2-beta-12, does not contain the vulnerability described in this advisory. Sites using earlier versions should upgrade to the current version immediately. At the time of writing, the current version can be retrieved from:
ftp://ftp.academ.com/pub/wu-ftpd/private/
logdaemon Distribution
======================
The current version of Wietse Venema's logdaemon (5.6) package contains an ftpd utility which addresses the vulnerability described in this advisory. Sites using earlier versions of this package should upgrade immediately. The current version of the logdaemon package can be retrieved from:
ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/
The MD5 checksum for Version 5.6 of the logdaemon package is:
MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368
...........................................................................
----------------------------------------------------------------------------
AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson Research) and Stan Barber (Academ Consulting Services) for their contributions in finding solutions to this vulnerability. Thanks also to Dr Leigh Hume (Macquarie University), CERT/CC, and DFNCERT for their assistance in this matter. AUSCERT also thanks those vendors that provided feedback and patch information contained in this advisory.
----------------------------------------------------------------------------
Updates
=======
-----------------------------------------------------------------------------
18 Apr, 1997  Added vendor information for DIGITAL UNIX.
21 May, 1997  Updated vendor information for DIGITAL UNIX (to include
              availability of V3.2c solution).
DIGITAL UNIX
============
DIGITAL UNIX Versions: 3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b

The currently available patches may be obtained from your normal Digital support channel. Assigned case ID SSRT0448U.

Note: The appropriate patch kit must be reinstalled
Hewlett-Packard
===============
HP has covered this in our security bulletin HPSBUX9702-055, 19 February 1997. The Security Bulletin contains pointers to the patches:

----
SOLUTION: Apply patch:
   PHNE_10008 for all platforms with HP-UX releases 9.X
   PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10
   PHNE_10010 for all platforms with HP-UX releases 10.20
   PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd)

AVAILABILITY: All patches are available now.
----
IBM
===
See the appropriate release below to determine your action.

  AIX 3.2:
    Apply the following fix to your system:  PTF U447700
    To determine if you have this PTF on your system, run the following command:
       lslpp -lB U447700

  AIX 4.1:
    Apply the following fix to your system:  APAR IX65537
    To determine if you have this APAR on your system, run the following command:
       instfix -ik IX65537
    Or run the following command:
       lslpp -h bos.net.tcp.client
    Your version of bos.net.tcp.client should be 4.1.5.3 or later.

  AIX 4.2:
    Apply the following fix to your system:  APAR IX65538
    To determine if you have this APAR on your system, run the following command:
       instfix -ik IX65538
    Or run the following command:
       lslpp -h bos.net.tcp.client
    Your version of bos.net.tcp.client should be 4.2.1.0 or later.

APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".

IBM and AIX are registered trademarks of International Business Machines Corporation.
[ End of CERT Bulletin ]
- -------------------------------------------------------------------------
The ASSIST staff would like to thank the CERT Coordination Center for this bulletin as well as AUSCERT for the original bulletin that CERT/CC's was based upon.
- -------------------------------------------------------------------------
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST is an element of the Defense Information Systems Agency (DISA), Global Operations and Security Center (GOSC), which provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".
ASSIST Bulletins, tools and other security related information are available from:

To be added to our mailing list for ASSIST bulletins, send your e-mail address to:
assist-request@assist.mil
In the subject line, type:
Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided.
Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins.
Reference herein to any specific commercial product,
process, or service by trade name, trademark manufacturer, or
otherwise, does not constitute or imply its endorsement, recommendation,
or favoring by ASSIST. The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes.
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as a service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government.
The opinions of the authors expressed herein do not necessarily
state or reflect those of the United States Government, and shall
not be used for advertising or product endorsement purposes.