[1934] in bugtraq
Re: SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
daemon@ATHENA.MIT.EDU (Rick Weldon)
Thu Jun 1 10:32:34 1995
Date: Thu, 1 Jun 1995 08:59:48 -0400 (EDT)
From: Rick Weldon <rick@hq.af.mil>
To: bugtraq@fc.net, Aleph One <aleph1@dfw.net>
In-Reply-To: <Pine.SUN.3.90.950531142301.21065A-100000@dfw.net>
Excerpts from Bugtraq: 31-May-95 SECURITY: problem with some.. Aleph One@dfw.net (5673*)
> Hi all,
> There's a security hole in some Linux distributions involving
> wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
> defaults that allow anyone with an account on your machine to become the
> root user.
I don't think this is a Linux-specific problem. It is with wu-ftpd-2.4. I
didn't change the defaults when I installed it here.
On our ftp server, a Sun SPARC:
Name (foo:rick): rick
331 Password required for rick.
Password:
230 User rick logged in.
ftp> quote "site exec sh -c id"
200-sh -c id
200-uid=0(root) gid=0(wheel) euid=142(rick) egid=84(web) groups=84(web),16(cando)
200 (end of 'sh -c id')
ftp>
> It appears that at least Slackware-2.0 and 2.2 are affected;
I'd guess anyone using wu-ftpd-2.4 is vulnerable assuming they have the
site exec dir configured. We don't use the site-exec feature here. I had
to copy a shell into the directory before running your test. Anyone
running version 2.4 that uses this feature should be warned though.
> The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
> it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
> It should NOT be set to /bin or any other regular directory. By default,
> it is set to /bin/ftp-exec. Make sure this directory does not exist or
> contains only harmless commands you are absolutely sure you would want
> your users to execute as root.
Why is site-exec even on by default? Shouldn't this be something that
you have to "turn on" given its ease of misuse?
> Thomas Lundquist <Thomas.Lundquist@hiof.no> has posted a small patch
> for src/ftpcmd.y that goes even further and disables the SITE EXEC
> command altogether. It is appended at the end of this message.
> All the fame goes to
> Michel an113354@anon.penet.fi
> Thomas Lundquist Thomas.Lundquist@hiof.no
> Aleph One aleph1@dfw.net
[...]
ObSoapBox :-)
Thank you for posting the specifics. I for one am sick of the "I'll tell
you about the problem once some-big-vendor is notified" BS that seems to
be so prolific on this list. Hmmphh!
-----------------------------------------------------------------------------
| Rick Weldon I-NET Inc. | 'It is difficult to see a black cat in a |
| E-mail: rick@hq.af.mil(MIME) | dark room, especially when it's not there' |
| Phone: 703-695-0264 | --- Chinese Saying -- |
| | ...or when it is Schroedingers cat :-) |
-----------------------------------------------------------------------------
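The "uid=0(root) ... euid=142(rick)" line in the session above is the whole story: the daemon only changed its effective ids, so a command it spawns can setuid(0) straight back to root. The following is an added example, not code from this thread or from wu-ftpd, contrasting that weak pattern with a permanent privilege drop that verifies itself. It assumes Linux (getresuid, setgroups) and uses uid/gid 65534 as an arbitrary unprivileged target when started as root.

```c
#define _GNU_SOURCE            /* for getresuid() on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* 1 when real, effective and saved uid are all the same non-root value,
 * so a child command (like the "sh -c id" above) cannot setuid(0) back. */
int privs_fully_dropped(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    return ruid != 0 && ruid == euid && ruid == suid;
}

/* The weak pattern behind "uid=0(root) ... euid=142(rick)": only the
 * effective ids change, the real uid stays 0, and setuid(0) still works. */
int drop_effective_only(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0 || seteuid(uid) != 0)
        return -1;
    return 0;
}

/* The robust pattern: clear supplementary groups (root only), then set gid
 * and uid permanently; setuid() from euid 0 changes real, effective and
 * saved uid together. Ends by proving root cannot be regained. */
int drop_privs_permanently(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)      /* must fail with EPERM */
        return -1;
    return privs_fully_dropped() ? 0 : -1;
}

int main(void)
{
    /* 65534 is an assumed unprivileged target; any non-root id will do. */
    uid_t uid = getuid() == 0 ? 65534 : getuid();
    gid_t gid = getgid() == 0 ? 65534 : getgid();
    if (getuid() == 0) {                  /* only meaningful when started as root */
        drop_effective_only(uid, gid);
        printf("after seteuid: uid=%u euid=%u dropped=%d\n", (unsigned)getuid(),
               (unsigned)geteuid(), privs_fully_dropped());
        seteuid(0);                       /* regain root, exactly as a child sh could */
    }
    printf("permanent drop: %s\n",
           drop_privs_permanently(uid, gid) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Run as root it prints uid=0 with a non-root euid and dropped=0 after the weak drop, then "permanent drop: ok"; as an ordinary user only the second line appears.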