ftpd.txt

1999-08-17T00:00:00
ID PACKETSTORM:12216
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

  
Netect, Inc.  
General Public Security Advisory  
  
% Advisory: palmetto.ftpd   
% Issue date: February 9, 1999  
% Revision: February 8, 1999  
% Contact: Jordan Ritter <jpr5@netect.com>  
  
  
[Topic]   
  
Remote buffer overflows in various FTP servers lead to potential root  
compromise.  
  
  
[Affected Systems]  
  
Any server running the latest version of ProFTPD (1.2.0pre1) or the  
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]). wu-ftpd is  
installed and enabled by default on most Linux variants such as RedHat  
and Slackware Linux. ProFTPD is new software recently adopted by many  
major internet companies for its improved performance and reliability.  
  
Investigation of this vulnerability is ongoing; the list below covers the  
software and operating systems for which Netect has definitive  
information.  
  
  
[Overview]  
  
Software that implements FTP is called an "ftp server", "ftp daemon",  
or "ftpd". On most vulnerable systems, the ftpd software is enabled  
and installed by default.  
  
There is a general class of vulnerability that exists in several  
popular ftp servers. Due to insufficient bounds checking, it is  
possible to subvert an ftp server by corrupting its internal stack  
space. By supplying carefully designed commands to the ftp server,  
intruders can force the server to execute arbitrary commands with  
root privilege.  
  
  
[Impact]  
  
Intruders who are able to exploit this vulnerability can ultimately  
gain interactive access to the remote ftp server with root privilege.  
  
  
[Solution]  
  
Currently there are several ways to exploit the ftp servers in  
question. One temporary workaround against an anonymous attack is to  
disable any world-writable directories the user may have access to by  
making them read-only. This prevents an attacker from building an  
unusually large path, which is required in order to execute these  
particular attacks.  
  
The permanent solution is to install a patch from your Vendor, or  
locate one provided by the Software's author or maintainer. See  
Appendices A and B for more specific information.   
  
Netect strongly encourages immediate upgrade and/or patching where  
available.   
  
Netect provides a strong software solution for the automatic detection  
and removal of security vulnerabilities. Current HackerShield  
customers can protect themselves from this vulnerability by either  
visiting the Netect website and downloading the latest RapidFire(tm)  
update, or by enabling automatic RapidFire(tm) updates (no user  
intervention required).  
  
https://www.netect.com/hsblform.htm  
Download a FREE 30 day copy of HackerShield complete with all the   
latest RapidFire(tm) updates.  
  
  
[Appendix A, Software Information]  
  
% ProFTPD  
  
Current version: 1.2.0pre1, released October 19, 1998.  
All versions prior to 1.2.0pre1: vulnerable.  
Fix: will be incorporated into 1.2.0pre2.  
  
Currently recommended action: upgrade to the new version when it  
becomes available, or apply the version 1.2.0pre1 patch found at:  
  
ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit.patch  
  
% wu-ftpd   
  
Current version: 2.4.2 (beta 18), unknown release date.  
All versions through 2.4.2 (beta 18): vulnerability dependent upon  
target platform; probably vulnerable, either due to an OS-provided  
runtime vulnerability or through use of the replacement code supplied  
with the source kit. No patches have been made available.  
Fix: unknown.  
  
Currently recommended action: Upgrade to wu-ftpd VR series.  
  
% wu-ftpd VR series  
  
Current version: 2.4.2 (beta 18) VR12, released January 1, 1999.  
All versions prior to 2.4.2 (beta 18) VR10: vulnerable.  
Fix: incorporated into VR10, released November 1, 1998.  
  
Available from:   
ftp://ftp.vr.net/pub/wu-ftpd/  
Filenames:  
wu-ftpd-2.4.2-beta-18-vr12.tar.Z  
wu-ftpd-2.4.2-beta-18-vr12.tar.gz  
  
% BeroFTPD [NOT vulnerable]  
  
Current version: 1.3.1, released December 20, 1998.  
All versions prior to 1.2.0: vulnerable.  
Fix: incorporated into 1.2.0, released October 26, 1998.  
  
Available from:   
ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/  
ftp://ftp.croftj.net/usr/bero/BeroFTPD/  
ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/  
ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/  
Filename:   
BeroFTPD-1.3.1.tar.gz  
  
% NcFTPd [NOT vulnerable]  
  
Current version: 2.3.5, released January 6, 1999.  
All versions prior to 2.3.4: unknown.  
  
Available from:   
http://www.ncftp.com/download/  
  
Notes:  
  
% NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug  
that results in the loss of the server's ability to log  
activity.  
  
% This bug cannot be exploited to gain unintended or privileged  
access to a system running the NcFTPd 2.3.4 (libc5) ftp  
server, as tested.  
  
% The bug was reproducible only on a libc5 Linux system. The  
Linux glibc version of NcFTPd 2.3.4 ftp server is NOT  
vulnerable.  
  
% The bug does not appear to be present in the latest version,  
NcFTPd 2.3.5. Affected users may upgrade free of charge  
to the latest version.  
  
  
Thanks go to Gregory Lundberg for providing the information regarding  
wu-ftpd and BeroFTPD.  
  
  
[Appendix B, Vendors]  
  
% RedHat Software, Inc.   
  
% RedHat Version 5.2 and previous versions ARE vulnerable.  
  
Updates will be available from:  
ftp://updates.redhat.com/5.2/<arch>/  
Filename:   
wu-ftpd-2.4.2b18-2.1.<arch>.rpm  
  
% Walnut Creek CDROM and Patrick Volkerding  
  
% Slackware All versions ARE vulnerable.  
  
Updates will be available from:  
ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/  
ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/  
Filenames  
tcpip1.tgz (3.6) [971a5f57bec8894364c1e0d358ffbfd4]  
tcpip1.tgz (current) [c7460a456fcbf19afb49af8c8422ecbc]  
  
% Caldera Systems, Inc.  
  
% OpenLinux Latest version IS vulnerable  
  
Updates will be available from:  
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/  
  
% SCO   
  
% UnixWare Version 7.0.1 and earlier (except 2.1.x) ARE vulnerable.   
% OpenServer Versions 5.0.5 and earlier ARE vulnerable.  
% CMW+ Version 3.0 is NOT vulnerable.  
% Open Desktop/Server Version 3.0 is NOT vulnerable.  
  
Binary versions of ftpd will be available shortly from the SCO ftp  
site:   
ftp://ftp.sco.com/SSE/sse021.ltr - cover letter  
ftp://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries  
  
Notes:  
  
This fix is a binary for the following SCO operating systems:  
  
% SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)   
% SCO OpenServer 5.0.5 and earlier releases  
  
For the latest security bulletins and patches for SCO products,  
please refer to http://www.sco.com/security/.  
  
% IBM Corporation  
  
% AIX Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.   
  
% Hewlett-Packard  
  
% HPUX Versions 10.x and 11.x ARE NOT vulnerable.  
  
HP is continuing their investigation.  
  
% Sun Microsystems, Inc.  
  
% SunOS All versions ARE NOT vulnerable.  
% Solaris All versions ARE NOT vulnerable.  
  
% Microsoft, Inc.  
  
% IIS Versions 3.0 and 4.0 ARE NOT vulnerable.  
  
% Compaq Computer Corporation  
  
% Digital UNIX V40b - V40e ARE NOT vulnerable.  
% TCP/IP(UCX) for OpenVMS V4.1, V4.2, V5.0 ARE NOT vulnerable.  
  
% Silicon Graphics, Inc. (SGI)  
  
% IRIX and Unicos  
  
Currently, Silicon Graphics, Inc. is investigating and no further  
information is available for public release at this time.  
  
As further information becomes available, additional advisories  
will be issued via the normal SGI security information distribution  
method including the wiretap mailing list.  
  
Silicon Graphics Security Headquarters  
http://www.sgi.com/Support/security/  
  
% NetBSD  
  
% NetBSD All versions ARE NOT vulnerable.  
  
[Appendix C, Netect Contact Information]  
  
Copyright (c) 1999 by Netect, Inc.   
  
The information contained herein is the property of Netect, Inc.  
  
------------------------------------------------------------------  
  
---------- Forwarded message ----------  
Date: Tue, 9 Feb 1999 18:20:51 -0500 (EST)  
From: Cynthia Dale <silly@redhat.com>  
To: cdale@home.isolnet.com  
Subject: SECURITY: new wu-ftpd packages available (fwd)  
  
  
  
fnord.  
  
---------- Forwarded message ----------  
Date: Tue, 9 Feb 1999 17:34:10 -0500  
From: Bill Nottingham <notting@redhat.com>  
Reply-To: redhat-watch-list@redhat.com  
To: redhat-watch-list@redhat.com  
Subject: SECURITY: new wu-ftpd packages available  
Resent-Date: 9 Feb 1999 22:56:28 -0000  
Resent-From: redhat-watch-list@redhat.com  
Resent-cc: recipient list not shown: ;  
  
A security vulnerability has been identified in all versions of the wu-ftpd  
server binary shipped with Red Hat Linux. For more information, see  
http://www.netect.com/advisory_0209.html  
  
New packages are available for Red Hat Linux 4.2, 5.0, 5.1, and 5.2. All  
users of Red Hat Linux are encouraged to upgrade to the new wu-ftpd releases  
immediately. As always, these packages have been signed with the Red Hat PGP  
key.  
  
Bill  
  
Red Hat Linux 5.0,5.1,5.2:  
==================  
  
alpha:  
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.4.2b18-2.1.alpha.rpm  
  
i386:  
rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.4.2b18-2.1.i386.rpm  
  
sparc:  
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.4.2b18-2.1.sparc.rpm  
  
Source rpm:  
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.4.2b18-2.1.src.rpm  
  
  
Red Hat Linux 4.2:  
==================  
  
alpha:  
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/wu-ftpd-2.4.2b15-1.2.alpha.rpm  
  
i386:  
rpm -Uvh ftp://updates.redhat.com/4.2/i386/wu-ftpd-2.4.2b15-1.2.i386.rpm  
  
sparc:  
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/wu-ftpd-2.4.2b15-1.2.sparc.rpm  
  
Source rpm:  
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/wu-ftpd-2.4.2b15-1.2.src.rpm  
  
  
  
--  
To unsubscribe: mail redhat-watch-list-request@redhat.com with  
"unsubscribe" as the Subject.  
  
-------------------------------------------------------------------------  
  
Date: Fri, 12 Feb 1999 15:49:05 -0500  
From: Jordan Ritter <jpr5@NETECT.COM>  
To: BUGTRAQ@netspace.org  
Subject: palmetto.ftpd vulnerability clarification.  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Folks,  
  
I have received several emails from various engineering groups  
with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability  
information. Specifically, some find it unclear as to whether or not  
machines are vulnerable running wu-ftpd or proftpd even though their  
Vendor reported the operating system as not vulnerable.  
  
To clarify, the specific versions of wu-ftpd and ProFTPD described in the  
advisory ARE vulnerable to the palmetto bug on any operating system. The  
Vendor responses detailed in Appendix B were essentially verification of  
whether or not the vulnerable software in question was packaged by default  
with their operating system.  
  
Any OS listed in Appendix B as NOT vulnerable indicates that:  
  
1. an installation of the OS does not include the vulnerable software  
in question, and  
2. the default FTP server that _is_ included in the installation is not  
vulnerable to this large pathname attack.  
  
  
  
Regards,  
  
  
Jordan Ritter  
Network Security Engineer  
Netect, Inc. Boston, MA  
  
"Quis custodiet ipsos custodes?"  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v0.9.2 (FreeBSD)  
Comment: For info see http://www.gnupg.org  
  
iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS  
CDsX44Zpierz7f2f0BR81Bs=  
=fxYQ  
-----END PGP SIGNATURE-----  
  
------------------------------------------------------------------  
  
Date: Wed, 17 Feb 1999 23:37:34 +0500  
From: CyberPsychotic <mlists@GIZMO.KYRNET.KG>  
Reply-To: fygrave@tigerteam.net  
To: BUGTRAQ@netspace.org  
Subject: Re: Pro/wuFTPD DoS  
  
~ This is the bash path overflow (up to 2.0.0) which has been fixed in bash  
~ v2.02.  
  
~ > kills patched ProFTPD dead.  
~ >  
~ Hmmm i think that the problem here isn't overflow in ProFTPD.  
~ Here is a proof.  
~  
  
  
The problem IS an overflow in ProFTPD. I sent a detailed report to  
bugtraq a few days ago, but for some reason it still hasn't appeared on the list.  
To be quick, the problem sits in the fs.c:fs_dircat() routine, which doesn't  
make boundary checks while concatenating directory names.  
  
----------------------------------------------------------------------------  
  
Date: Fri, 19 Feb 1999 19:56:59 +0500  
From: CyberPsychotic <fygrave@TIGERTEAM.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: Pro/wuFTPD DoS  
  
~ Maybe you should repost your email to bugtraq because Aleph1 may not  
~ have seen it (I think he is damn busy with 25000+ subscribers).  
~  
  
I think I will probably write it again, since I don't have it saved  
anywhere. There's nothing fascinating actually. This seems to be a heap  
buffer overflow which smashes pointers to the dirnames (thus you could  
probably get access to files outside the chrooted environment).  
Here's a screenshot of gdb, attached to the running proftpd process before  
the overflow took place:  
-  
--/gdb screenshot/---  
  
Program received signal SIGSEGV, Segmentation fault.  
  
0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,  
s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,  
n=1094795585) at ../sysdeps/generic/strncpy.c:82  
../sysdeps/generic/strncpy.c:82: No such file or directory.  
(gdb) where  
#0 0x4007c837 in strncpy (s1=0x41414141 <Address 0x41414141 out of bounds>,  
s2=0xbfffea88 'A' <repeats 186 times>, "/", 'A' <repeats 13 times>...,  
n=1094795585) at ../sysdeps/generic/strncpy.c:82  
#1 0x8057963 in fs_clean_path (  
path=0x41414141 <Address 0x41414141 out of bounds>,  
buf=0x41414141 <Address 0x41414141 out of bounds>, maxlen=1094795585)  
at fs.c:776  
#2 0x41414141 in ?? ()  
Cannot access memory at address 0x41414141.  
(gdb)  
--/gdb screenshot/--  
  
The overflow causes SIGSEGV in the fs_clean_path() routine, but it happened in  
fs_dircat(), which eventually overwrote the pointers to path and buf. I didn't  
have time to check whether 1.2.pre2 is vulnerable to this (tested with  
1.2.pre1 with the patch applied).  
  
  
hope this helps..  
  
  
regards  
  
~Fyodor  
--  
http://www.kalug.lug.net/ PGP key: hkp://keys.pgp.com/cyberpsychotic  
http://www.kalug.lug.net/fygrave email:fygrave@tigerteam.net  
"There are three kinds of people: men, women, and unix."  
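The following is an added example; it is not Netect's code and not taken from the ProFTPD or wu-ftpd sources. It ties the advisory's Overview (a fixed internal buffer overrun by an over-long path) to the fs_dircat() behaviour described in the post above. The names path_slot, dircat_unchecked, dircat_checked, pointer_smashed_by_overflow, checked_refuses_long_path, checked_joins_normally and mkd_levels_until_refused are hypothetical; the 32-byte buffer with a pointer placed directly after it is an assumed layout chosen to reproduce the 0x41414141 pattern in the gdb trace, and "/incoming" is a constructed starting directory. The unchecked join performs the pointer smash inside a struct with slack space so that it stays well-defined C rather than a crash; the checked join computes the final length before copying and refuses, which is what a fix has to do. The last function models the attack the advisory's workaround targets: repeated MKD/CWD under a world-writable directory growing the current directory one component per step until the checked join fails closed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define SLOT_BUF 32   /* small stand-in for the server's fixed-size path buffer */

/* Hypothetical object laid out as the gdb trace suggests: a fixed path buffer
 * followed directly by a pointer, so overrunning buf lands in dirname.  The
 * slack field keeps every write inside the struct (well-defined C, no crash). */
struct path_slot {
    char  buf[SLOT_BUF];
    char *dirname;
    char  slack[64];
};

/* Vulnerable pattern: dir + "/" + file copied with no bounds check, the way
 * the post describes fs_dircat(). */
void dircat_unchecked(struct path_slot *s, const char *dir, const char *file)
{
    char *p = (char *)s + offsetof(struct path_slot, buf);
    while (*dir)  *p++ = *dir++;
    *p++ = '/';
    while (*file) *p++ = *file++;
    *p = '\0';
}

/* Hardened form: compute the final length first and refuse if it will not fit
 * with its NUL.  A trailing '/' on dir is not doubled. */
int dircat_checked(char *out, size_t outlen, const char *dir, const char *file)
{
    size_t dl = strlen(dir), fl = strlen(file);
    size_t sep = (dl > 0 && dir[dl - 1] != '/') ? 1 : 0;
    size_t total = dl + sep + fl;
    if (total >= outlen)
        return -1;                 /* caller gets an error, not a smashed pointer */
    memcpy(out, dir, dl);
    if (sep) out[dl] = '/';
    memcpy(out + dl + sep, file, fl);
    out[total] = '\0';
    return 0;
}

/* 40 'A's plus "/B" is 43 bytes, so the pointer after buf is filled with 'A',
 * the 0x41414141 seen in the trace.  Returns 1 if dirname was smashed. */
int pointer_smashed_by_overflow(void)
{
    struct path_slot s;
    char dir[41], raw[sizeof(char *)];
    memset(&s, 0, sizeof s);
    memset(dir, 'A', 40); dir[40] = '\0';
    dircat_unchecked(&s, dir, "B");
    /* inspect the pointer's storage as bytes rather than dereferencing it */
    memcpy(raw, (char *)&s + offsetof(struct path_slot, dirname), sizeof raw);
    for (size_t i = 0; i < sizeof raw; i++)
        if (raw[i] != 'A') return 0;
    return 1;
}

/* Same input through the checked version: refused, and out is left untouched. */
int checked_refuses_long_path(void)
{
    char out[SLOT_BUF], dir[41];
    memset(dir, 'A', 40); dir[40] = '\0';
    memset(out, 0x7f, sizeof out);
    return dircat_checked(out, sizeof out, dir, "B") == -1 && out[0] == 0x7f;
}

/* Normal joins still work, with or without a trailing slash on dir. */
int checked_joins_normally(void)
{
    char out[16];
    return dircat_checked(out, sizeof out, "/pub", "file") == 0 && strcmp(out, "/pub/file") == 0
        && dircat_checked(out, sizeof out, "/pub/", "file") == 0 && strcmp(out, "/pub/file") == 0;
}

/* The attack the workaround targets: an anonymous user keeps creating and
 * entering subdirectories under a world-writable directory, so the cwd grows
 * one component per step.  Returns how many levels the checked join accepts
 * into a buflen-byte buffer before it fails closed. */
int mkd_levels_until_refused(size_t buflen)
{
    char cwd[256] = "/incoming";   /* constructed starting point */
    char next[256];
    int levels = 0;
    if (buflen > sizeof next) buflen = sizeof next;
    while (dircat_checked(next, buflen, cwd, "AAAAAAAA") == 0) {
        strcpy(cwd, next);
        levels++;
    }
    return levels;
}

int main(void)
{
    printf("unchecked join smashed the pointer: %d\n", pointer_smashed_by_overflow());
    printf("checked join refused the same path: %d\n", checked_refuses_long_path());
    printf("nested MKD levels accepted into 64 bytes: %d\n", mkd_levels_until_refused(64));
    return 0;
}
```

Build with cc -Wall and run it. The first line shows the pointer following the buffer turned into 'A' bytes, the second that the same input is rejected once the length is checked before the copy, and the third that a 64-byte buffer admits six nested nine-character components before the checked join refuses, which is the point at which the unchecked join would simply keep writing.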
  