===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)            Index   : S-93-11
Distribution  : World                             Page    : 1
Classification: External                          Version : Final
Subject       : wuarchive ftpd Vulnerability      Date    : 11-Apr-93
===============================================================================

CERT-NL received information from the CERT Coordination Center, which has
received information concerning a vulnerability in versions of wuarchive ftpd
available before April 8, 1993. Vulnerable wuarchive ftpd versions were
available from wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar and many
other anonymous FTP sites.

We strongly recommend that any site using versions of wuarchive ftpd dating
prior to April 8, 1993, immediately take corrective action or remove this
service.

---------------------------------------------------------------------------

I.   Description

     A vulnerability exists in the access control mechanism in this
     version of ftpd.

II.  Impact

     Anyone (remote or local) can potentially gain access to any account
     including root on a host running this version of ftpd.

III. Solution

     Affected sites may choose to disable anonymous FTP service until
     they have corrected this problem.

     Affected sites can correct this problem through one of the following
     two procedures:

     A. A new version of ftpd has been released that provides new features
        and also fixes this security problem. Sites can obtain this new
        version via anonymous FTP from wuarchive.wustl.edu (128.252.135.4).
        The files are located in:

                                                      Size    Checksum
        /packages/wuarchive-ftpd/wu-ftpd-2.0.shar   421953    08786
        /packages/wuarchive-ftpd/wu-ftpd-2.0.tar    491520    27466

     B. Make modifications to your existing wuarchive ftpd sources using
        the diff output provided below, recompile and install according
        to the instructions provided.

*** ftpd.c.orig --- ftpd.c *************** *** 413,418 **** --- 413,420 ---- end_login(); } + anonymous = 0; + if (!strcasecmp(name, "ftp") || !strcasecmp(name, "anonymous")) { if (checkuser("ftp") || checkuser("anonymous")) { reply(530, "User %s access denied.", name);

---------------------------------------------------------------------------

The CERT Coordination Center wishes to thank Scott Paisley, Computer Systems
Support Manager, Factory Automated Systems Division, N.I.S.T., for informing
us of this vulnerability. We would also like to thank Chris Myers,
Washington University, for his quick response to this problem.

CERT-NL wishes to thank CERT Coordination Center for bringing the information
regarding this vulnerability to our attention.

---------------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The Netherlands.
CERT-NL is a Full Member of the Forum of Incident Response and Security Teams
(FIRST). The constituency of CERT-NL are the SURFnet connected institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "netman/cert-nl". This information is also
available using email. Send an email saying "help" to
"mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL or
the CERT of your own constituency. Please be aware of the fact that we are
one hour ahead of Universal Time Coordinated (i.e. UTC+0100).

Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7*24h phone number is available to SURFnet SSC's and FIRST members on
request.
==============================================================================
--- End of Advisory
__

Erik-Jan.
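
Review bot: the added `anonymous = 0;` in the ftpd.c hunk (new lines 413-420) carries no comment explaining why the flag has to be cleared at this point, just before the `strcasecmp(name, "ftp")` / `"anonymous"` test. The advisory attributes the problem to the access control mechanism, and the reset runs unconditionally after the block that calls `end_login()`, so a one-line comment stating that the flag must not keep a value from before this login attempt would stop the line from being dropped as redundant in a later cleanup. The visible context does not show whether any other per-login state is reset at the same place; that is worth checking when applying the patch by hand.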