CA-99-03-FTP-Buffer-Overflows.txt

17 Aug 1999 | Reported by CERT | Type: packetstorm | Source: packetstormsecurity.com

Remote buffer overflows in FTP servers may lead to root compromise; act swiftly on this advisory.

`Date: Thu, 11 Feb 1999 18:17:10 -0500  
From: CERT Advisory <[email protected]>  
Reply-To: [email protected]  
To: [email protected]  
Subject: CERT Advisory CA-99.03 - FTP-Buffer-Overflows  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
CERT Advisory CA-99-03-FTP-Buffer-Overflows  
  
Original issue date: February 11, 1999  
  
Topic: Remote buffer overflows in various FTP servers lead to  
potential root compromise.  
Source: Netect, Inc.  
  
To aid in the wide distribution of essential security information, the  
CERT Coordination Center is forwarding the following information from  
Netect, Inc. Netect, Inc. urges you to act on this information as soon  
as possible. See Appendix C for Netect, Inc. contact information.  
Please contact them if you have any questions or need further  
information.  
  
=======================FORWARDED TEXT STARTS HERE===========================  
  
Netect, Inc.  
General Public Security Advisory  
  
% Advisory: palmetto.ftpd  
% Issue date: February 9, 1999  
% Contact: Jordan Ritter  
% Revision: February 11, 1999  
% Update: Appendices A and B corrected.  
  
  
[Topic]  
  
Remote buffer overflows in various FTP servers lead to potential root  
compromise.  
  
  
[Affected Systems]  
  
Any server running the latest version of ProFTPD (1.2.0pre1) or the  
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]). wu-ftpd is  
installed and enabled by default on most Linux variants such as RedHat  
and Slackware Linux. ProFTPD is new software recently adopted by many  
major internet companies for its improved performance and reliability.  
  
Investigation of this vulnerability is ongoing; the below lists  
software and operating systems for which Netect has definitive  
information.  
  
  
[Overview]  
  
Software that implements FTP is called an "ftp server", "ftp daemon",  
or "ftpd". On most vulnerable systems, the ftpd software is enabled  
and installed by default.  
  
There is a general class of vulnerability that exists in several  
popular ftp servers. Due to insufficient bounds checking, it is  
possible to subvert an ftp server by corrupting its internal stack  
space. By supplying carefully designed commands to the ftp server,  
intruders can force the server to execute arbitrary commands with  
root privilege.  
  
On most vulnerable systems, the ftpd software is installed and enabled  
by default.  
  
  
[Impact]  
  
Intruders who are able to exploit this vulnerability can ultimately  
gain interactive access to the remote ftp server with root privilege.  
  
  
[Solution]  
  
Currently there are several ways to exploit the ftp servers in  
question. One temporary workaround against an anonymous attack is to  
disable any world writable directories the user may have access to by  
making them read only. This will prevent an attacker from building an  
unusually large path, which is required in order to execute these  
particular attacks.  
  
The permanent solution is to install a patch from your Vendor, or  
locate one provided by the Software's author or maintainer. See  
Appendices A and B for more specific information.  
  
Netect strongly encourages immediate upgrade and/or patching where  
available.  
  
Netect provides a strong software solution for the automatic detection  
and removal of security vulnerabilities. Current HackerShield  
customers can protect themselves from this vulnerability by either  
visiting the Netect website and downloading the latest RapidFire(tm)  
update, or by enabling automatic RapidFire(tm) updates (no user  
intervention required).  
  
Interested in protecting your network today? Visit the Netect website  
at http://www.netect.com/ and download a FREE 30 day copy of  
HackerShield, complete with all the latest RapidFire(tm) updates to  
safeguard your network from hackers.  
  
  
[Appendix A, Software Information]  
  
% ProFTPD  
  
Current version: 1.2.0pre1, released October 19, 1998.  
All versions prior to 1.2.0pre1: vulnerable.  
Fix: will be incorporated into 1.2.0pre2.  
  
Currently recommended action: upgrade to the new version when it  
becomes available, or apply the version 1.2.0pre1 patch found at:  
  
ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit2.patch  
  
% wu-ftpd  
  
Current version: 2.4.2 (beta 18), unknown release date.  
All versions through 2.4.2 (beta 18): vulnerability dependent upon  
target platform, probably vulnerable either due to OS-provided  
runtime vulnerability or through use of replacement code supplied  
with the source kit. No patches have been made available.  
Fix: unknown.  
  
Currently recommended action: Upgrade to wu-ftpd VR series.  
  
% wu-ftpd VR series  
  
Current version: 2.4.2 (beta 18) VR13, released January 28, 1999.  
All versions prior to 2.4.2 (beta 18) VR10: vulnerable.  
Fix: incorporated into VR10, released November 1, 1998.  
  
Available from:  
ftp://ftp.vr.net/pub/wu-ftpd/  
Filenames:  
wu-ftpd-2.4.2-beta-18-vr13.tar.Z  
wu-ftpd-2.4.2-beta-18-vr13.tar.gz  
  
% BeroFTPD [NOT vulnerable]  
  
Current version: 1.3.3, released February 7, 1999.  
All versions prior to 1.2.0: vulnerable.  
Fix: incorporated into 1.2.0, released October 26, 1998.  
  
Available from:  
ftp://ftp.croftj.net/usr/bero/BeroFTPD/  
ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/  
ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/  
Filename:  
BeroFTPD-1.3.3.tar.gz  
  
% NcFTPd [NOT vulnerable]  
  
Current version: 2.4.0, released February 6, 1999.  
All versions prior to 2.3.4: unknown.  
  
Available from:  
http://www.ncftp.com/download/  
  
Notes:  
  
% NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug  
that results in the loss of the server's ability to log  
activity.  
  
% This bug cannot be exploited to gain unintended or privileged  
access to a system running the NcFTPd 2.3.4 (libc5) ftp  
server, as tested.  
  
% The bug was reproducible only on a libc5 Linux system. The  
Linux glibc version of NcFTPd 2.3.4 ftp server is NOT  
vulnerable.  
  
% The bug does not appear to be present in version NcFTPd 2.3.5 or  
later. Affected users may upgrade free of charge to the latest  
version.  
  
  
Thanks go to Gregory Lundberg for providing the information regarding  
wu-ftpd and BeroFTPD.  
  
  
[Appendix B, Vendors]  
  
% RedHat Software, Inc.  
  
% RedHat Version 5.2 and previous versions ARE vulnerable.  
  
Updates will be available from:  
ftp://updates.redhat.com/5.2/<arch>  
Filename:  
wu-ftpd-2.4.2b18-2.1.<arch>.rpm  
  
% Walnut Creek CDROM and Patrick Volkerding  
  
% Slackware All versions ARE vulnerable.  
  
Updates will be available from:  
ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/  
ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/  
Filenames:  
tcpip1.tgz (3.6) [971a5f57bec8894364c1e0d358ffbfd4]  
tcpip1.tgz (current) [e1e9a9a50ad65bab1e120a7bf60f6011]  
  
Notes:  
  
% The md5 checksums are current for the above mentioned Revision  
date only.  
  
% Caldera Systems, Inc.  
  
% OpenLinux Latest version IS vulnerable  
  
Updates will be available from:  
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/  
  
% SCO  
  
% UnixWare Version 7.0.1 and earlier (except 2.1.x) IS vulnerable.  
% OpenServer Versions 5.0.5 and earlier IS vulnerable.  
% CMW+ Version 3.0 is NOT vulnerable.  
% Open Desktop/Server Version 3.0 is NOT vulnerable.  
  
Binary versions of ftpd will be available shortly from the SCO ftp  
site:  
ftp://ftp.sco.com/SSE/sse021.ltr - cover letter  
ftp://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries  
  
Notes:  
  
This fix is a binary for the following SCO operating systems:  
  
% SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)  
% SCO OpenServer 5.0.5 and earlier releases  
  
For the latest security bulletins and patches for SCO products,  
please refer to http://www.sco.com/security/.  
  
% IBM Corporation  
  
% AIX Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.  
  
% Hewlett-Packard  
  
% HPUX Versions 10.x and 11.x ARE NOT vulnerable.  
  
HP is continuing their investigation.  
  
% Sun Microsystems, Inc.  
  
% SunOS All versions ARE NOT vulnerable.  
% Solaris All versions ARE NOT vulnerable.  
  
% Microsoft, Inc.  
  
% IIS Versions 3.0 and 4.0 ARE NOT vulnerable.  
  
% Compaq Computer Corporation  
  
% Digital UNIX V40b - V40e ARE NOT vulnerable.  
% TCP/IP(UCX) for OpenVMS V4.1, V4.2, V5.0 ARE NOT vulnerable.  
  
% Silicon Graphics, Inc. (SGI)  
  
% IRIX and Unicos  
  
Currently, Silicon Graphics, Inc. is investigating and no further  
information is available for public release at this time.  
  
As further information becomes available, additional advisories  
will be issued via the normal SGI security information distribution  
method including the wiretap mailing list.  
  
Silicon Graphics Security Headquarters  
http://www.sgi.com/Support/security/  
  
% NetBSD  
  
% NetBSD All versions ARE NOT vulnerable.  
  
[Appendix C, Netect Contact Information]  
  
Copyright (c) 1999 by Netect, Inc.  
  
The information contained herein is the property of Netect, Inc.  
  
The contact for this advisory is Jordan Ritter . PGP  
signed/encrypted email is preferred.  
  
Visit http://www.netect.com/ for more information.  
  
========================FORWARDED TEXT ENDS HERE============================  
______________________________________________________________________  
  
This document is available from:  
http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html.  
______________________________________________________________________  
  
CERT/CC Contact Information  
  
Email: [email protected]  
Phone: +1 412-268-7090 (24-hour hotline)  
Fax: +1 412-268-6989  
Postal address:  
CERT Coordination Center  
Software Engineering Institute  
Carnegie Mellon University  
Pittsburgh PA 15213-3890  
U.S.A.  
  
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)  
Monday through Friday; they are on call for emergencies during other  
hours, on U.S. holidays, and on weekends.  
  
Using encryption  
  
We strongly urge you to encrypt sensitive information sent by email.  
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.  
If you prefer to use DES, please call the CERT hotline for more  
information.  
  
Getting security information  
  
CERT publications and other security information are available from  
our web site http://www.cert.org/.  
  
To be added to our mailing list for advisories and bulletins, send  
email to [email protected] and include SUBSCRIBE  
your-email-address in the subject of your message.  
  
* "CERT" and "CERT Coordination Center" are registered in the U.S.  
Patent and Trademark Office  
______________________________________________________________________  
  
NO WARRANTY  
Any material furnished by Carnegie Mellon University and the Software  
Engineering Institute is furnished on an "as is" basis. Carnegie  
Mellon University makes no warranties of any kind, either expressed or  
implied as to any matter including, but not limited to, warranty of  
fitness for a particular purpose or merchantability, exclusivity or  
results obtained from use of the material. Carnegie Mellon University  
does not make any warranty of any kind with respect to freedom from  
patent, trademark, or copyright infringement.  
______________________________________________________________________  
  
Revision History  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.2  
  
-----END PGP SIGNATURE-----  
  
`
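
The temporary workaround from the advisory's [Solution] section, as an added shell example that is not part of the CERT or Netect text: it lists world-writable directories under an anonymous FTP root, flags unusually long directory paths for review, and can remove world-write permission. The function names, the root path passed in, and the 256-character threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree for the advisory's temporary
# workaround (no world-writable directories, so no long path can be built).
# Function names, the root argument and the threshold are assumptions.

# List directories under root $1 that are world-writable (mode bit o+w).
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print 2>/dev/null
}

# List directories under root $1 whose full path exceeds $2 characters.
# Long nested paths in an upload area are worth reviewing by hand.
dirs_longer_than() {
    find "$1" -xdev -type d -print 2>/dev/null |
        awk -v limit="$2" 'length($0) > limit'
}

# Apply the workaround: drop world-write from every directory under $1.
# Directories owned by the FTP account itself are not covered by this.
# Returns 0 only if no world-writable directory remains.
lock_down_dirs() {
    find "$1" -xdev -type d -perm -0002 -exec chmod o-w {} + 2>/dev/null
    [ -z "$(list_world_writable_dirs "$1")" ]
}

# Report only; nothing is changed unless the third argument is "fix".
audit_ftp_root() {
    root=$1
    limit=${2:-256}   # arbitrary review threshold, not from the advisory
    echo "World-writable directories under $root:"
    list_world_writable_dirs "$root"
    echo "Directory paths longer than $limit characters:"
    dirs_longer_than "$root" "$limit"
    if [ "${3:-}" = "fix" ]; then
        lock_down_dirs "$root" && echo "No world-writable directories remain."
    fi
}

# Run only when a root is given, e.g.: sh audit.sh /path/to/ftp/root 256 fix
if [ -n "${1:-}" ]; then
    audit_ftp_root "$@"
fi
```

Removing world-write also stops legitimate anonymous uploads, which is why the advisory calls this a temporary measure until the vendor patch is installed.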
