[674] in linux-announce channel archive
Linux Security FAQ Update#4: Washington University FTP Server
daemon@ATHENA.MIT.EDU (Lars Wirzenius)
Fri Jun 16 21:43:15 1995
Date: Fri, 16 Jun 1995 15:59:36 +0300
From: Lars Wirzenius <wirzeniu@cc.helsinki.fi>
To: linux-activists@niksula.hut.fi, linux-announce@vger.rutgers.edu
X-Mn-Key: announce
From: alex <alex@bach.cis.temple.edu>
Subject: Linux Security FAQ Update#4: Washington University FTP Server
Newsgroups: comp.os.linux.announce
Keywords: FAQ, update
Organization: ?
Approved: linux-announce@news.ornl.gov (Lars Wirzenius)
Followup-to: comp.os.linux.setup
- - - - - - - LSF Update#4 - - - - - - - - - - - - - - - - - - - - - -
Washington University FTP Server Version 2.4
LINUX SECURITY FAQ UPDATE
June 3, 1995 11:37 EST
Last Update: June 7, 1995 20:38 EST
Copyright (C) 1995 Alexander O. Yuriev
CIS Laboratories, TEMPLE UNIVERSITY
<alex@bach.cis.temple.edu>
-----------------------------------------------------------------------------
This is an update to Linux Security FAQ. The FAQ itself is not completely
written yet and currently covers only Slackware Linux distribution. If you
use a different Linux distribution and the location name of some files
differ from the ones used in this update, please drop me a note at at
<alex@bach.cis.temple.edu>.
If you create your own Linux distributions that are being placed on
FTP sites or CDs, please contact me!
Linux FAQ WWW is http://bach.cis.temple.edu/linux/linux-security
-----------------------------------------------------------------------------
On June 2, 1995, the Australian Computer Emergency Response Team published
an advisory about the security hole in some binaries of the wu.ftpd 2.4
(Washington University FTP Server) in major Linux distributions. This Linux
Security FAQ Update is an attempt to provide more detailed information about
the vulnerability of the Washington University FTP Server and methods of
fixing it.
ABSTRACT:
=========
The default configuration of the Washington University FTP Server
version 2.4 in major Linux distributions including Slackware 2.0,
2.1, 2.2, 2.3, Yggdrasil Plug&Play Fall'94 and Debian Distribution
has a configuration problem which allows any user with an account on
a system to gain the root access.
DETECTION:
==========
The following set of commands can be used to determine if your ftp
server is affected (source host's name is viper. The name of a
system being checked is devnull)
[jru@viper]:~> ftp devnull
Connected to devnull
220 ftphost FTP server (Version wu-2.4(3) Wed May 31 04:11:15 EDT 1995)
Name (devnull:jru): jru
331 Password required for jru
Password:
230 User user logged in.
ftp> quote site exec echo Joe Random User
200-echo Joe Random User
200-Joe Random User
200 (end of 'echo Joe Random User')
ftp> quit
221 Goodbye.
If you see the phrase you specified in echo command is displayed on
the screen, then the configuration of the ftp server on the host is
probably vulnerable and you will need to obtain a fix for it.
QUICK FIX:
==========
Unfortunately, the fix is more than a one step process. We advise you
to start by shutting down the ftp server using the command:
ftpshut now
This command blocks all connections to the ftp server.
ANONYMOUS FTP:
==============
Unfortunately, it is not possible to be 100% sure if the anonymous
ftp is affected. In theory, if all of the following conditions
are true an anonymous ftp user can exploit the hole:
1) Uploads are allowed
2) Anonymous users are allowed to use chmod.
3) GNU tar is present in the SITE EXECable directory
In practice, we could not reconstruct an attack that can be used by
the anonymous user to exploit the hole. [Olaf Kirch managed to open
a non-root xterm(1) window from as an anonymous user] Nevertheless,
please close it just to be safe. We would also like to mention that
there should be absolutely no reason to allow an anonymous user to
change access permissions of files from your ftp server. To block
it, edit the ftpaccess file which is usually located in the /etc
directory (/etc/ftpaccess) and the add line.
chmod no guest, anonymous
OBTAINING A FIX:
================
Debian/GNU Linux:
Users of Debian Linux Distribution can obtain fixed binary
from the primary Debian distribution site.
wu-ftpd 2.4 source code:
The correctly configured wu-ftpd 2.4 server for Linux can be
obtained at the following URLs:
ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/
ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/
ftp://sunsite.unc.edu/pub/Linux/ (I don't know where it will
end up)
In addition to the source code of patched wu-ftpd 2.4 you
can get the patch that would create a "fixed" tree from the
original wu-ftpd 2. and the wu-ftpd 2.4 itself. All files
have their MD5 checksums in the file CHECKSUMS in the same
directory.
LIST OF AFFECTED DISTRIBUTIONS:
==============================
As of today, we are aware that the following distributions are
affected and have to be patched:
Slackware Linux 2.0
Slackware Linux 2.1
Slackware Linux 2.2
Slackware Linux 2.3
Debian/GNU Linux
Yggdrasil Plug&Play'94
Boggus 1.01
Authors of Red Hat Linux distributions claim that their
distributions are not affected. Unfortunately, we were unable to
verify this claim as apparently neither Olaf Kirch nor Jeff Uphoff
nor I have access to it, although we do hope that it is true. The
Red Hat Linux Distributions are known to have the latest fixes
included.
We would like users of other Linux distributions to inform us if
their version of wu-ftpd was affected. If you are a user or a
maintainer of one of the following distributions, please contact us.
Mini Linux Distribution
TAMU
SLS
MCC
"OUR THANK YOU"
===============
I would like to thank the following people for their help in researching
this problem and providing a solution:
Olaf Kirch (okir@monad.swb.de), Wolfgang Ley
(ley@cert.dfn.de), Jeff Uphoff (juphoff@linux.nrao.edu)
and last, but not least, Scott Weinstein (SWEIN@ALBNYVMS.BITNET)
who within a day from the original time I posted the update
informed us about a problem with Bogus Linux distribution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
============================================================================
Alexander O. Yuriev Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
PGP Key: 1024/ADF3EE95 Fingerprint: AB4FE7382C3627BC 6934EC2A2C05AB62
Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
=============================================================================
--
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember Keywords: and a short description of the software.
