COMMAND
ftpd
SYSTEMS AFFECTED
Berkeley Software Design, Inc.
Digital Equipment Corporation
The FreeBSD Project
Hewlett-Packard Corporation
IBM Corporation
The NetBSD Project
The OpenBSD Project
Red Hat Software
Silicon Graphics
Washington University ftpd (Academ beta version)
Wietse Venema's logdaemon ftpd
PROBLEM
This vulnerability is caused by a signal handling routine that raises
the effective privileges of the ftpd process to root while other
signals remain catchable. If a second signal is delivered and handled
during that window, whatever its handler does, including returning
control to the normal command processing path, is done as root. This
race condition may allow regular, as well as anonymous, ftp users to
access files with root privileges. Depending on the configuration of
the ftpd server, this may allow intruders to read or write arbitrary
files on the server.
This attack requires an intruder to be able to make a network
connection to a vulnerable ftpd server. Sites should be aware
that the ftp services are often installed by default.
The impact is that both regular and anonymous ftp users may be able to
read or write arbitrary files on the server with root privileges;
whether reading, writing, or both is possible depends on the
configuration of the server.
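The following is an added, constructed model of the race described
above; it is not code from the advisory or from any of the ftpd
distributions listed. The advisory does not name the signals involved,
so SIGUSR1 (standing in for the lost-connection signal) and SIGURG
(standing in for an out-of-band handler that jumps back to the command
loop) are this example's assumptions. A real ftpd calls seteuid(0) and
seteuid(uid) in its logout path, which requires root; here the
privilege state is simulated with a variable so the race can be
observed by an unprivileged process. The vulnerable and hardened
handlers have identical bodies; the only difference is that the
hardened one is installed with every other signal blocked for its
duration, so the second signal stays pending until privileges have been
dropped again.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Simulated effective uid: 1000 = the logged-in ftp user, 0 = root.
 * Stands in for seteuid(0) / seteuid(uid) in a real ftpd (constructed). */
static volatile sig_atomic_t sim_euid = 1000;

/* Jump target: the top of the ftpd command loop. */
static sigjmp_buf cmd_loop;

/* ASSUMED second handler: modelled on an out-of-band (SIGURG) handler that
 * abandons whatever was in progress and returns to the command loop. */
static void oob_handler(int sig)
{
    (void)sig;
    siglongjmp(cmd_loop, 1);
}

/* Simulated "logout on lost connection" handler, vulnerable form. */
static void logout_vulnerable(int sig)
{
    (void)sig;
    sim_euid = 0;      /* seteuid(0): needed to update accounting files */
    raise(SIGURG);     /* constructed: the second signal arrives right here */
    sim_euid = 1000;   /* never reached: oob_handler already jumped out */
}

/* Same body, but install_handlers() blocks all other signals while it runs,
 * so the raise() leaves SIGURG pending until privileges are dropped. */
static void logout_hardened(int sig)
{
    (void)sig;
    sim_euid = 0;
    raise(SIGURG);     /* blocked by sa_mask: stays pending */
    sim_euid = 1000;   /* runs before SIGURG can be delivered */
}

static void install_handlers(int hardened)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = oob_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGURG, &sa, NULL);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = hardened ? logout_hardened : logout_vulnerable;
    if (hardened)
        sigfillset(&sa.sa_mask);   /* hold no root window open to other handlers */
    else
        sigemptyset(&sa.sa_mask);  /* default: only SIGUSR1 itself is blocked */
    sigaction(SIGUSR1, &sa, NULL); /* SIGUSR1 stands in for the lost-connection signal */
}

/* Runs one scenario and returns the euid the command loop resumes with. */
int simulate(int hardened)
{
    install_handlers(hardened);
    sim_euid = 1000;
    if (sigsetjmp(cmd_loop, 1) == 0)
        raise(SIGUSR1);            /* connection drops: logout handler fires */
    /* Back at the top of the command loop. Whatever euid is held now is the
     * euid that subsequent client commands (RETR, STOR, ...) would run with. */
    return (int)sim_euid;
}

int main(void)
{
    printf("vulnerable handler: command loop resumes with euid %d\n", simulate(0));
    printf("hardened handler:   command loop resumes with euid %d\n", simulate(1));
    return 0;
}
```

Blocking signals around the privileged section closes the window shown
here, but the more robust design is not to change privileges inside a
signal handler at all: have the handler set a flag and do the
privileged accounting work synchronously from the main loop, where the
signal mask and the privilege drop can be reasoned about in one place.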
SOLUTION
You should install vendor patches if you're vulnerable. Sites that
cannot patch immediately should consider disabling the ftp service
until they can. The following vendors have provided information to
AUSCERT concerning the vulnerability status of their ftpd
distribution.
Berkeley Software Design, Inc. (BSDI)
=====================================
BSD/OS 2.1 is vulnerable to the ftpd problem described in this
advisory. Patches have been issued and may be retrieved via the
<patches@BSDI.COM> email server or from:
ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033
Digital Equipment Corporation
=============================
The following DIGITAL UNIX versions are vulnerable:
3.2c, 3.2de1, 3.2de2, 3.2f, 3.2g, 4.0, 4.0a, 4.0b
This potential security vulnerability has been resolved and an
official patch kit is available for DIGITAL UNIX V3.2g, V4.0,
V4.0a, and V4.0b. This info will be updated accordingly when
patch kits for DIGITAL UNIX V3.2c, V3.2de1, V3.2de2, V3.2f become
available. The currently available patches may be obtained from
your normal Digital support channel or from the following URL:
ftp://ftp.service.digital.com/patches/public/dunix
The FreeBSD Project
===================
The FreeBSD Project has informed AUSCERT that the vulnerability
described in this advisory has been fixed in FreeBSD-current (from
January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
release. All previous versions of FreeBSD are vulnerable.
Hewlett-Packard Corporation
===========================
Hewlett-Packard has informed AUSCERT that the ftpd distributed
with HP-UX 9.x and 10.x is vulnerable to this problem. The
patches are:
PHNE_10008 for all platforms with HP-UX releases 9.X
PHNE_10009 for all platforms with HP-UX releases 10.0X/10.10
PHNE_10010 for all platforms with HP-UX releases 10.20
PHNE_10011 for all platforms with HP-UX releases 10.20 (kftpd)
IBM Corporation
===============
The version of ftpd shipped with AIX is vulnerable to the
conditions described in the advisory. The following APARs will
be available shortly:
AIX 3.2: APAR IX65536
AIX 4.1: APAR IX65537
AIX 4.2: APAR IX65538
The NetBSD Project
===================
All versions of NetBSD have the ftpd vulnerability described in
this advisory. It has since been fixed in NetBSD-current.
NetBSD have also made patches available and they can be retrieved
from:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd
The OpenBSD Project
===================
OpenBSD 2.0 did have the vulnerability described in this advisory,
but has since been fixed in OpenBSD 2.0-current (from January 5,
1997).
Red Hat Software
================
The signal handling code in wu-ftpd has security problems which
allow users to read all files on your system. A new version of
wu-ftpd is now available for Red Hat 4.0, which Red Hat suggests
installing on all of your systems. This new version uses the same
fix posted to redhat-list@redhat.com by Savochkin Andrey
Vladimirovich. Users of Red Hat Linux versions earlier than 4.0
should upgrade to 4.0 and then apply all available security
packages.
Silicon Graphics
================
OS Version    Vulnerable?   Patch #     Other Actions
----------    -----------   -------     -------------
IRIX 3.x      yes           not avail   Note
IRIX 4.x      yes           not avail   Note
IRIX 5.0.x    yes           not avail   Note
IRIX 5.1.x    yes           not avail   Note
IRIX 5.2      yes           not avail   Note
IRIX 5.3      yes           2292
IRIX 6.0.x    yes           not avail   Note
IRIX 6.1      yes           not avail   Note
IRIX 6.2      yes           1485
IRIX 6.3      no
IRIX 6.4      no

Note: no patch is available for that release; upgrade the OS to a
non-vulnerable release or disable ftp.
wu-ftpd Academ beta version
===========================
The current version of wu-ftpd (Academ beta version), wu-ftpd
2.4.2-beta-12, does not contain the vulnerability described in
this advisory. Sites using earlier versions should upgrade to
the current version immediately. At the time of writing, the
current version can be retrieved from:
ftp://ftp.academ.com/pub/wu-ftpd/private/
logdaemon Distribution
======================
The current version of Wietse Venema's logdaemon (5.6) package
contains an ftpd utility which addresses the vulnerability
described in this advisory. Sites using earlier versions of this
package should upgrade immediately. The current version of the
logdaemon package can be retrieved from:
ftp://ftp.win.tue.nl/pub/security/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/