http://www.bindview.com/security/advisory/palmetto_a.html

Palmetto Technical Advisory

Issue date: February 9, 1999
Contact: Adam Shostack

Topic

Remote buffer overflows in various FTP servers lead to potential root compromise.

Affected Systems

Any server running the latest version of ProFTPD (1.2.0pre1) or the latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]). wu-ftpd is installed and enabled by default on most Linux variants such as RedHat and Slackware Linux. ProFTPD is new software recently adopted by many major internet companies for its improved performance and reliability. Investigation of this vulnerability is ongoing; the list below covers the software and operating systems for which Netect has definitive information.

Overview

Software that implements FTP is called an "ftp server", "ftp daemon", or "ftpd". On most vulnerable systems, the ftpd software is installed and enabled by default. There is a general class of vulnerability that exists in several popular ftp servers. Due to insufficient bounds checking, it is possible to subvert an ftp server by corrupting its internal stack space. By supplying carefully designed commands to the ftp server, intruders can force the server to execute arbitrary commands with root privilege.

Impact

Intruders who are able to exploit this vulnerability can ultimately gain interactive access to the remote ftp server with root privilege.

Solution

Currently there are several ways to exploit the ftp servers in question. One temporary workaround against an anonymous attack is to disable any world writable directories the user may have access to by making them read only. This will prevent an attacker from building an unusually large path, which is required in order to execute these particular attacks. The permanent solution is to install a patch from your Vendor, or locate one provided by the Software's author or maintainer.
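The insufficient bounds checking the Overview describes, and the "unusually large path" the Solution refers to, illustrated as an added example (not code from any of the servers named in this advisory): a path-building routine in the unchecked strcpy/strcat style beside a form that accounts for every byte before it writes, plus a small driver that grows a current directory one component at a time, as a client could in a writable tree, until the checked routine refuses. The buffer size, directory names and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size path buffer; the size is an assumed value for this example. */
#define PATH_BUF 1024

/*
 * Unchecked pattern: the current directory and a new component are copied
 * into a fixed buffer with no length accounting, so a cwd that has been
 * grown through a world writable directory can run past the end of 'out'.
 * Kept here only for contrast and called below with short, safe input only.
 */
static void build_path_unchecked(char out[PATH_BUF], const char *cwd,
                                 const char *name)
{
    strcpy(out, cwd);
    strcat(out, "/");
    strcat(out, name);
}

/*
 * Checked form: every byte of the result (cwd, '/', name, NUL) is accounted
 * for before anything is written. Returns 0 and fills 'out' on success,
 * -1 (leaving 'out' untouched) if the result would not fit in 'outsz'.
 */
int build_path_checked(char *out, size_t outsz, const char *cwd,
                       const char *name)
{
    size_t cwdlen = strlen(cwd);
    size_t namelen = strlen(name);

    if (outsz == 0 || cwdlen >= outsz)      /* cwd alone does not fit */
        return -1;
    if (namelen >= outsz - cwdlen)          /* keeps the sum below from wrapping */
        return -1;
    if (cwdlen + namelen + 1 >= outsz)      /* room for '/' and the NUL */
        return -1;

    memcpy(out, cwd, cwdlen);
    out[cwdlen] = '/';
    memcpy(out + cwdlen + 1, name, namelen);
    out[cwdlen + 1 + namelen] = '\0';
    return 0;
}

/*
 * Plays the "unusually large path" scenario against the checked routine:
 * starting from 'base', keep descending into a directory called 'component'
 * until the path no longer fits in a buffer of 'outsz' bytes. Returns the
 * number of components accepted, or -1 if 'base' itself does not fit.
 */
int deepest_accepted(size_t outsz, const char *base, const char *component)
{
    char *cur = malloc(outsz);
    char *next = malloc(outsz);
    int depth = 0;

    if (cur == NULL || next == NULL || strlen(base) >= outsz) {
        free(cur);
        free(next);
        return -1;
    }
    strcpy(cur, base);                      /* fits: length checked just above */
    while (build_path_checked(next, outsz, cur, component) == 0) {
        char *tmp = cur;                    /* the new path becomes the cwd */
        cur = next;
        next = tmp;
        depth++;
    }
    free(cur);
    free(next);
    return depth;
}

int main(void)
{
    char fixed[PATH_BUF];
    char buf[64];

    /* Constructed short input: safe for either routine, both agree. */
    build_path_unchecked(fixed, "/pub", "README");
    printf("unchecked: %s\n", fixed);
    if (build_path_checked(buf, sizeof buf, "/pub", "README") == 0)
        printf("checked:   %s\n", buf);

    /* Grow the cwd until the checked routine refuses instead of overflowing. */
    printf("64-byte buffer accepts %d components of 10 chars under /incoming\n",
           deepest_accepted(sizeof buf, "/incoming", "aaaaaaaaaa"));
    return 0;
}
```

With input that stays inside the buffer the two routines produce the same string; the difference only appears as the path grows, which is exactly where the checked routine returns -1 and the unchecked one would write past the end of its buffer.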
See Appendices A and B for more specific information. Netect strongly encourages immediate upgrade and/or patching where available.

Netect provides a strong software solution for the automatic detection and removal of security vulnerabilities. Current HackerShield customers can protect themselves from this vulnerability by either visiting the Netect website and downloading the latest RapidFire(tm) update, or by enabling automatic RapidFire(tm) updates (no user intervention required).

Appendix A, Software Information

ProFTPD
Current version: 1.2.0pre1, released October 19, 1998.
All versions prior to 1.2.0pre1: vulnerable.
Fix: will be incorporated into 1.2.0pre2.
Currently recommended action: upgrade to the new version when it becomes available, or apply the version 1.2.0pre1 patch found at:
  ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit.patch

wu-ftpd
Current version: 2.4.2 (beta 18), unknown release date.
All versions through 2.4.2 (beta 18): vulnerability dependent upon target platform; probably vulnerable either due to OS-provided runtime vulnerability or through use of replacement code supplied with the source kit. No patches have been made available.
Fix: unknown.
Currently recommended action: Upgrade to wu-ftpd VR series.

wu-ftpd VR series
Current version: 2.4.2 (beta 18) VR13, released January 28, 1999.
All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
Fix: incorporated into VR10, released November 1, 1998.
Available from: ftp://ftp.vr.net/pub/wu-ftpd/
Filenames:
  wu-ftpd-2.4.2-beta-18-vr13.tar.Z
  wu-ftpd-2.4.2-beta-18-vr13.tar.gz

BeroFTPD [NOT vulnerable]
Current version: 1.3.3, released February 7, 1999.
All versions prior to 1.2.0: vulnerable.
Fix: incorporated into 1.2.0, released October 26, 1998.
Available from:
  ftp://ftp.croftj.net/usr/bero/BeroFTPD/
  ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/
  ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/
Filename: BeroFTPD-1.3.3.tar.gz

NcFTPd [NOT vulnerable]
Current version: 2.4.0, released February 6, 1999.
All versions prior to 2.3.4: unknown.
Available from: http://www.ncftp.com/download/
Notes:
+ NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug that results in the loss of the server's ability to log activity.
+ This bug cannot be exploited to gain unintended or privileged access to a system running the NcFTPd 2.3.4 (libc5) ftp server, as tested.
+ The bug was reproducible only on a libc5 Linux system. The Linux glibc version of NcFTPd 2.3.4 ftp server is NOT vulnerable.
+ The bug does not appear to be present in version NcFTPd 2.3.5 or later. Affected users may upgrade free of charge to the latest version.

Thanks go to Gregory Lundberg for providing the information regarding wu-ftpd and BeroFTPD.

Appendix B, Vendors

RedHat Software, Inc.
RedHat Version 5.2 and previous versions ARE vulnerable.
Updates will be available from: ftp://updates.redhat.com/5.2//
Filename: wu-ftpd-2.4.2b18-2.1..rpm

Walnut Creek CDROM and Patrick Volkerding
Slackware All versions ARE vulnerable.
Updates will be available from:
  ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/
  ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/
Filenames:
  tcpip1.tgz (3.6)     [971a5f57bec8894364c1e0d358ffbfd4]
  tcpip1.tgz (current) [e1e9a9a50ad65bab1e120a7bf60f6011]
Notes:
+ The md5 checksums are current for the above mentioned Revision date only.

Caldera Systems, Inc.
OpenLinux Latest version IS vulnerable.
Updates will be available from: ftp://ftp.calderasystems.com/pub/OpenLinux/updates/

SCO
UnixWare Version 7.0.1 and earlier (except 2.1.x) ARE vulnerable.
OpenServer Versions 5.0.5 and earlier ARE vulnerable.
CMW+ Version 3.0 is NOT vulnerable.
Open Desktop/Server Version 3.0 is NOT vulnerable.
Binary versions of ftpd will be available shortly from the SCO ftp site:
  ftp://ftp.sco.com/SSE/sse021.ltr   - cover letter
  ftp://ftp.sco.com/SSE/sse021.tar.Z - replacement binaries
Notes: This fix is a binary for the following SCO operating systems:
+ SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)
+ SCO OpenServer 5.0.5 and earlier releases
For the latest security bulletins and patches for SCO products, please refer to http://www.sco.com/security/.

IBM Corporation
AIX Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.

Hewlett-Packard
HPUX Versions 10.x and 11.x ARE NOT vulnerable. HP is continuing their investigation.

Sun Microsystems, Inc.
SunOS All versions ARE NOT vulnerable.
Solaris All versions ARE NOT vulnerable.

Microsoft, Inc.
IIS Versions 3.0 and 4.0 ARE NOT vulnerable.

Compaq Computer Corporation
Digital UNIX V40b - V40e ARE NOT vulnerable.
TCP/IP(UCX) for OpenVMS V4.1, V4.2, V5.0 ARE NOT vulnerable.

Silicon Graphics, Inc. (SGI)
IRIX and Unicos: Currently, Silicon Graphics, Inc. is investigating and no further information is available for public release at this time. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution method including the wiretap mailing list.
Silicon Graphics Security Headquarters: http://www.sgi.com/Support/security/

NetBSD
NetBSD All versions ARE NOT vulnerable.

Fujitsu
UXP/V All versions ARE NOT vulnerable.

BindView Development
3355 WEST ALABAMA * 12th FLOOR * HOUSTON, TEXAS * 77098 * USA
PHONE: 713.561.4000 * FAX: 713.881.9200
INTERNET: webmaster@bindview.com * COMPUSERVE: GO BINDVIEW