===============================================================================
                        Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen                     Index   : S-97-24
Distribution  : World                           Page    : 1
Classification: External                        Version : 1
Subject       : Vulnerability in FreeBSD sysinstall
Date          : 09-apr-97
===============================================================================

By courtesy of FreeBSD Inc., we received information on a vulnerability in
sysinstall. This information is made publicly available by FreeBSD Inc. in
FreeBSD-SA-97:03, dated 1997-04-07.

CERT-NL recommends that sites apply the steps outlined in Section IV.

Keywords: sysinstall, ftp setup

===============================================================================
FreeBSD-SA-97:03                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sysinstall bug
Category:       core
Module:         sysinstall
Announced:      1997-04-07
Affects:        FreeBSD 2.1, FreeBSD 2.1.5, FreeBSD 2.1.6 and FreeBSD 2.1.7
                FreeBSD 2.2 and FreeBSD 2.2.1.
Corrected:      all versions as of 1997-04-01.
                This includes the installation floppies for
                FreeBSD 2.2.1 found on:
                ftp://ftp.FreeBSD.org/pub/FreeBSD/2.2.1-RELEASE/floppies/newer/
                Also the CDROM of FreeBSD 2.2.1 has this problem corrected.
Source:         FreeBSD
FreeBSD only:   yes

Patches:

=============================================================================

I.   Background

     Sysinstall is used both for fresh installations of FreeBSD and for
     post-installation updates, such as installing packages from CDROM
     or ftp sites.

II.  Problem Description

     One of the port installation options in sysinstall is to install
     an anonymous ftp setup on the system. In such a setup, an extra
     user needs to be created on the system, with username 'ftp'.
     This user is created with the shell equal to '/bin/date' and an
     empty password.

III. Impact

     Under some circumstances, this will allow unauthorized access to
     system resources.

IV.  Solution(s)

     Change the entry of the ftp user such that it has an invalid
     password and an invalid shell. This can be done by becoming the
     superuser and using the vipw command.
     Go to the line that starts with ftp::
     and change ftp:: to ftp:*:
     Also change, on the same line, the shell from /bin/date
     to /nonexistent.

     If you have not yet used sysinstall to create an anonymous
     ftp setup, but are planning to, please apply one of the following
     patches:

     Patch for FreeBSD 2.1.5, 2.1.6, 2.2 and 2.2.1:

--- anonFTP.c 1996/04/28 03:26:42 1.14 +++ anonFTP.c 1997/04/07 17:20:16 @@ -195,7 +195,7 @@ return (DITEM_SUCCESS); /* succeeds if already exists */ } - sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); + sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); fptr = fopen(_PATH_MASTERPASSWD,"a"); if (! fptr) {

     Patch for FreeBSD 2.1:

--- anonFTP.c 1995/11/12 07:27:55 1.6 +++ anonFTP.c 1997/04/03 19:29:21
@@ -201,7 +201,7 @@ return (RET_SUCCESS); /* succeeds if already exists */ } - sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); + sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); fptr = fopen(_PATH_MASTERPASSWD,"a"); if (! fptr) {

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
        http://www.surfnet.nl/surfnet/security/cert-nl.html
        ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================
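
Review bot: In the patch for FreeBSD 2.1.5, 2.1.6, 2.2 and 2.2.1 (hunk @@ -195,7 +195,7 @@), the context line "return (DITEM_SUCCESS); /* succeeds if already exists */" sits above the changed sprintf, so by that comment the corrected line is written only when no entry exists yet, and an ftp entry written earlier with "::" and /bin/date is left untouched. Note this in a comment next to the early return, or have that path inspect the existing entry and report an empty password field, so that applying the patch is not mistaken for repairing a system where the account was already created.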
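
Review bot: In the patch for FreeBSD 2.1 (hunk @@ -201,7 +201,7 @@), the replacement line still formats into pwline with an unbounded sprintf, and string fields such as tconf.comment and tconf.homedir are not length-checked anywhere in the hunk. The size of pwline is not visible here; if it is a fixed array, use snprintf(pwline, sizeof(pwline), ...) and treat truncation as an error rather than appending a cut-off line to _PATH_MASTERPASSWD.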
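
Added example, not part of the FreeBSD or CERT-NL advisory: a shell check for the account state that Section IV corrects, run over master.passwd-format input. The function and sample names are hypothetical, and the uid, gid, comment and home directory in the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory): audit master.passwd-format data for
# the account state described in Section II and corrected in Section IV.
# Field layout: name:passwd:uid:gid:class:change:expire:gecos:home:shell

audit_master_passwd() {
    # Reads master.passwd-format lines on stdin, prints one line per finding.
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        NF != 10 {
            printf "line %d: expected 10 fields, got %d\n", NR, NF
            next
        }
        $2 == "" {
            printf "%s: empty password field, shell %s\n", $1, $10
        }
        $1 == "ftp" && $10 != "/nonexistent" {
            printf "ftp: shell %s is not /nonexistent\n", $10
        }
    '
}

# Constructed sample: uid, gid, comment and home directory are placeholders.
sample_before_fix() {
    cat <<'EOF'
# constructed test data
root:*:0:0::0:0:Charlie Root:/root:/bin/csh
ftp::14:5::0:0:Anonymous FTP Admin:/var/ftp:/bin/date
EOF
}

sample_after_fix() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie Root:/root:/bin/csh
ftp:*:14:5::0:0:Anonymous FTP Admin:/var/ftp:/nonexistent
EOF
}

# Demo: the entry as the unpatched format string would have written it.
sample_before_fix | audit_master_passwd
```

On a FreeBSD system the same function can be fed the real file as root: audit_master_passwd < /etc/master.passwd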