PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: WUARCHIVE FTPD VULNERABILITY (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-12)

1. A vulnerability has been discovered in versions of ftpd available before 8 April 1993 from wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar and from many other anonymous FTP sites. ASSIST strongly recommends that any site using one of these versions of ftpd immediately implement one of the corrective actions described in this bulletin, or remove this service from the system. The vulnerability exists in the access control mechanism of ftpd and could allow anyone (remote or local) to gain access to any account, including root, on a host running one of these versions of ftpd.

2. Affected sites can correct this problem using either one of the following two methods, and should strongly consider disabling the service until the problem is corrected:

   A. A new version of ftpd has been released that provides new features and also fixes this security problem. Sites can obtain this new version via anonymous FTP from wuarchive.wustl.edu (128.252.135.4). The files are located in:

                                                     Size    Checksum
      /packages/wuarchive-ftpd/wu-ftpd-2.0.shar      421953   08786
      /packages/wuarchive-ftpd/wu-ftpd-2.0.tar       491520   27466

   B. Make modifications to your existing wuarchive ftpd sources using the diff output provided below, then recompile and install according to the instructions provided.

      *** ftpd.c.orig
      --- ftpd.c
      ***************
      *** 413,418 ****
      --- 413,420 ----
                    end_login();
                }
        
      +         anonymous = 0;
      + 
                if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) {
                    if (checkuser("ftp") || checkuser("anonymous")) {
                        reply(530, "User %s access denied.", name);

3. Point of contact: the ASSIST point of contact for this matter is Pete Hammes, comm (703) 696-1924/5/6 or DSN 226-1924/5/6.

ASSIST can be reached 24 hours per day by commercial pager, (800) SKY-PAGE (800-759-7243), PIN number 2133937. When calling the pager service, follow the automated voice instructions and enter the call back number after the prompt. The ASSIST duty officer will call you back within 30 minutes. If faster service is required, prefix your telephone number with "999", and the ASSIST duty officer will call back within 5 minutes. ASSIST can also be reached via e-mail at "dod-cert(at-sign)ddn-conus.ddn.mil", by dialing into the ASSIST electronic bulletin board at (703) 696-8729, DSN 226, and leaving a message for the SYSOP, or by leaving a voice mail message for the ASSIST team at (703) 696-1904 (select '9').
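Review bot: the added `anonymous = 0;` sits after the end_login() block and before the ftp/anonymous comparison, which is the correct position: the flag now describes only the USER command being processed instead of keeping the value left by an earlier USER in the same session, and the comparison immediately below is the only place in the visible context that sets it. A short comment on the added line stating that intent, e.g. `anonymous = 0;   /* cleared on every USER; set only by the check below */`, would help a later maintainer keep the reset ahead of any new branch that reads the flag. Also confirm the second added line is meant to be blank, as the hunk header's change from 413,418 to 413,420 implies two added lines.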
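As an added example, not the bulletin's or wu-ftpd's own code, a toy C model of the login state the patch above repairs: a per-session flag set by USER for anonymous logins and consulted by PASS, exercised with and without the reset the hunk introduces. The session structure, the user name alice and its password are assumptions constructed for this demonstration; the real server consults the password file.

```c
/* Added example (not the bulletin's or wu-ftpd's code): toy model of the
 * USER/PASS state that the ftpd.c patch repairs; names/passwords constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct session {
    int anonymous;   /* set when the current USER was ftp/anonymous */
    int logged_in;
    char name[32];
};

/* Constructed credential check standing in for the password file. */
static int password_ok(const char *name, const char *pw) {
    return strcmp(name, "alice") == 0 && strcmp(pw, "constructed-secret") == 0;
}

/* USER handler. With fix_applied the flag is cleared at the start of every
 * USER, as the patch does with "anonymous = 0;"; without it the flag keeps
 * whatever an earlier USER in the same session left there. */
static void user_cmd(struct session *s, const char *name, int fix_applied) {
    s->logged_in = 0;
    if (fix_applied)
        s->anonymous = 0;
    if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous"))
        s->anonymous = 1;
    snprintf(s->name, sizeof s->name, "%s", name);
}

/* PASS handler: anonymous sessions accept any string; everyone else must
 * present the right password. Returns 1 when the login is granted. */
static int pass_cmd(struct session *s, const char *pw) {
    if (s->anonymous || password_ok(s->name, pw))
        s->logged_in = 1;
    return s->logged_in;
}

/* USER anonymous, then USER alice, then PASS pw. Returns 1 if granted. */
int second_user_login(int fix_applied, const char *pw) {
    struct session s = {0, 0, ""};
    user_cmd(&s, "anonymous", fix_applied);
    user_cmd(&s, "alice", fix_applied);
    return pass_cmd(&s, pw);
}

int main(void) {
    printf("unpatched, wrong password: %d\n", second_user_login(0, "wrong"));
    printf("patched, wrong password:   %d\n", second_user_login(1, "wrong"));
    return 0;
}
```

The same two-USER sequence makes a useful regression test for any server that keeps per-session authentication state: every flag that PASS consults should be derived from the most recent USER alone.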