[Advisory] Two vulnerabilities in FTP daemons - CA-2000-13

win-sec-ssc at cert.dfn.de
Mon Jul 10 16:50:33 CEST 2000


-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

We have just received the following advisory from the CERT Coordination
Center. We are forwarding this information to you unchanged.

It describes two vulnerabilities in the handling of client input in
various FTP servers. In both cases, attackers can gain root privileges
over the network.

1) SITE EXEC

   Through a buffer overflow in the handling of the SITE EXEC command,
   an attacker is able, over the network, to execute arbitrary commands
   on the FTP server's system with the privileges of the user who
   started the ftpd (usually root). A prerequisite for exploiting this
   vulnerability is an FTP user account (including the anonymous user).

   We had already pointed out this vulnerability in the FreeBSD and
   Linux versions of Wu-FTPD on 26/28 June and 6 July 2000. Please note
   that other FTP daemons and operating systems are also affected by
   this vulnerability.

2) setproctitle()

   Through a buffer overflow in the setproctitle() function, an attacker
   is able, over the network, to execute arbitrary commands on the FTP
   server's system with the privileges of the user who started the ftpd
   (usually root). Here too, the prerequisite for exploiting this
   vulnerability is an FTP user account (including the anonymous user).

Which versions of which FTP daemons are affected in detail can be found
in the attached advisory.

Kind regards,
		Klaus Moeller, DFN-CERT

- --
Klaus Moeller            |                    mailto:moeller at cert.dfn.de
DFN-CERT GmbH            |          http://www.cert.dfn.de/team/moeller/
Vogt-Koelln-Str. 30      |                      Phone: +49(40)42883-2262
D-22527 Hamburg          |                        FAX: +49(40)42883-2241
Germany	                 |       PGP-Key: finger moeller at ftp.cert.dfn.de


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD

   Original release date: July 7, 2000
   Last revised: --
   Source: CERT/CC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * Any system running wu-ftpd 2.6.0 or earlier
     * Any system running ftpd derived from wu-ftpd 2.0 or later
     * Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd
       5.60 (the final BSD release)
       
Overview

   A vulnerability involving an input validation error in the "site exec"
   command has recently been identified in the Washington University ftpd
   (wu-ftpd) software package. Sites running affected systems are advised
   to update their wu-ftpd software as soon as possible.
   
   A similar but distinct vulnerability has also been identified that
   involves a missing format string in several setproctitle() calls. It
   affects a broader number of ftp daemons. Please see Appendix A of this
   document for specific information about the status of specific ftpd
   implementations and solutions.
   
I. Description

"Site exec" Vulnerability

   A vulnerability has been identified in wu-ftpd and other ftp daemons
   based on the wu-ftpd source code. Wu-ftpd is a common package used to
   provide file transfer protocol (ftp) services. This vulnerability is
   being discussed as the wu-ftpd "site exec" or "lreply" vulnerability
   in various public forums. Incidents involving the exploitation of this
   vulnerability-which enables remote users to gain root privileges-have
   been reported to the CERT Coordination Center.
   
   The problem is described in AUSCERT Advisory AA-2000.02, "wu-ftpd
   'site exec' Vulnerability," which is available from
   
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
          
   The wu-ftpd "site exec" vulnerability is the result of a missing
   format-string argument in several function calls that implement the
   "site exec" command functionality: text influenced by the client is
   passed where a constant format string belongs. Normally, if "site
   exec" is enabled, a user logged into an ftp server (including the
   'ftp' or 'anonymous' user) may execute a restricted subset of quoted
   commands on the server itself. However, if a malicious user can pass
   strings consisting of carefully constructed *printf() conversion
   specifiers (%f, %p, %n, etc.) while executing a "site exec" command,
   the ftp daemon interprets them as format directives and may be
   tricked into executing arbitrary code as root.
   
   The "site exec" vulnerability appears to have been in the wu-ftpd code
   since the original wu-ftpd 2.0 came out in 1993. Any vendors who have
   based their own ftpd distributions on this vulnerable code are also
   likely to be vulnerable.
   
   The vulnerability appears to be exploitable if a local user account
   can be used for ftp login. Also, if the "site exec" command
   functionality is enabled, then anonymous ftp login allows sufficient
   access for an attack.
   
setproctitle() Vulnerability

   A separate vulnerability involving a missing format-string argument
   in calls to setproctitle(), the function that sets the process title
   shown by ps and similar tools, is also present in wu-ftpd. Other ftpd
   implementations have been found to have vulnerable setproctitle()
   calls as well, including those from proftpd and OpenBSD.
   
   The setproctitle() vulnerability appears to have been present in
   various ftpd implementations since at least BSD ftpd 5.51 (which
   predates wuarchive-ftpd 1.0). It has also been confirmed to be present
   in BSD ftpd 5.60 (the final BSD release). Any vendors who have based
   their own ftpd distributions on this vulnerable code are also likely
   to be vulnerable.
   
   It should be noted that many operating systems do not support
   setproctitle() calls. However, other software engineering defects
   involving the same type of missing character-formatting argument may
   be present.
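   The two defects described above have the same shape: a printf-style
   helper (wu-ftpd's lreply() for "site exec", setproctitle() for the
   process title) is handed client-influenced text in the position where
   a constant format string belongs. The following is an added example
   written for this page, not code from wu-ftpd, BSD ftpd or any vendor:
   fmt_into() is a constructed stand-in for such a helper, and the
   *_vulnerable / *_fixed pairs show the defective call site beside the
   corrected one. The "%%" input is chosen because it is the only
   directive that vsnprintf() resolves without arguments, so the
   difference is visible without undefined behaviour; with "%n" in the
   same position the vulnerable path writes to memory instead.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* fmt_into() stands in for any printf-style helper of the kind the advisory
 * describes (lreply(), setproctitle()): a format string plus varargs handed
 * to vsnprintf(). Constructed model, not code from either project. */
static void fmt_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);   /* 'fmt' is interpreted here */
    va_end(ap);
}

/* Defect pattern: the text that came from the client (a SITE EXEC output
 * line, or the login name/host used to build the process title) is passed
 * in the format-string position, so every %-directive in it is executed. */
void site_exec_reply_vulnerable(char *out, size_t outlen, const char *line)
{
    char body[256];
    fmt_into(body, sizeof body, line);             /* BUG: 'line' is the format */
    snprintf(out, outlen, "200-%s", body);
}

void proc_title_vulnerable(char *out, size_t outlen, const char *user, const char *host)
{
    char who[256];
    snprintf(who, sizeof who, "%s@%s", user, host);
    fmt_into(out, outlen, who);                    /* BUG: client data is the format */
}

/* Fix: the format is a compile-time constant and the untrusted text is only
 * ever consumed by a %s argument, so its %-sequences are copied literally. */
void site_exec_reply_fixed(char *out, size_t outlen, const char *line)
{
    char body[256];
    fmt_into(body, sizeof body, "%s", line);
    snprintf(out, outlen, "200-%s", body);
}

void proc_title_fixed(char *out, size_t outlen, const char *user, const char *host)
{
    fmt_into(out, outlen, "%s@%s", user, host);
}

int main(void)
{
    /* Constructed input: the vulnerable path collapses "%%" to "%", proving
     * the client text was parsed as a format; the fixed path keeps it. */
    const char *line = "disk 100%% full";
    char v[512], f[512];
    site_exec_reply_vulnerable(v, sizeof v, line);
    site_exec_reply_fixed(f, sizeof f, line);
    printf("vulnerable: %s\nfixed:      %s\n", v, f);
    return 0;
}
```

   The fixed variants are exactly the shape of the vendor patches for
   this class of bug: no input filtering, just a constant format with
   the untrusted string demoted to a %s argument. Compiling with
   -Wformat-security (gcc/clang) flags the vulnerable call sites only
   when the helper carries a printf format attribute, so wrappers like
   fmt_into() need that attribute for the warning to reach call sites.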
   
Intruder Activity

   One possible indication you are being attacked with either of these
   vulnerabilities may be the appearance of syslog entries similar to the
   following:
   
Jul  4 17:43:25 victim ftpd[3408]: USER ftp
Jul  4 17:43:25 victim ftpd[3408]: PASS [malicious shellcode]
Jul  4 17:43:26 victim ftpd[3408]: ANONYMOUS FTP LOGIN FROM
attacker.example.com [10.29.23.19], [malicious shellcode]
Jul  4 17:43:28 victim-site ftpd[3408]: SITE EXEC (lines: 0):
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%
.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.
f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f
%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p
Jul  4 17:43:28 victim ftpd[3408]: FTP session closed
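   The syslog excerpt above is the practical detection handle: ftpd logs
   the SITE EXEC argument and the USER/PASS values verbatim, so an attack
   leaves a dense run of conversion directives in the log. The following
   is an added example, not part of the advisory and not any vendor's
   tooling: it scans constructed log lines in the same shape as the
   excerpt and flags a line when the client-supplied field contains a
   %n or at least eight conversion directives. The field names, the
   threshold of eight and the sample lines are assumptions made for the
   example; "%%" is treated as a literal percent so ordinary text such
   as "100%%" is not flagged.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s and report whether any of
 * them is %n (a write primitive). "%%" is a literal percent and is skipped.
 * Flags, width, precision and length modifiers ("%.f", "%08x", "%2$n") are
 * stepped over so the conversion letter itself is what gets classified. */
static int count_directives(const char *s, int *has_n)
{
    int n = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }          /* literal '%' */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;                                     /* flags/width/precision/length */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {
            n++;
            if (*q == 'n')
                *has_n = 1;
            p = q;
        }
    }
    return n;
}

/* A line is flagged when a client-supplied field that ftpd logs verbatim
 * carries a %n or an implausible density of conversions. Eight is an
 * assumed threshold: real SITE EXEC arguments and usernames essentially
 * never contain several printf directives. */
int is_format_string_attempt(const char *logline)
{
    static const char *fields[] = { "SITE EXEC", "USER ", "PASS ", "LOGIN FROM", NULL };
    for (int i = 0; fields[i]; i++) {
        const char *f = strstr(logline, fields[i]);
        if (!f)
            continue;
        int has_n, n = count_directives(f + strlen(fields[i]), &has_n);
        if (has_n || n >= 8)
            return 1;
    }
    return 0;
}

/* Constructed sample lines: two attack attempts in the shape shown in the
 * advisory, plus benign SITE EXEC, USER, PASS and literal-percent lines. */
static const char *sample_lines[] = {
    "Jul  4 17:43:25 victim ftpd[3408]: USER ftp",
    "Jul  4 17:43:25 victim ftpd[3408]: PASS mozilla@",
    "Jul  4 17:43:28 victim ftpd[3408]: SITE EXEC (lines: 0): %.f%.f%.f%.f%.f%.f%.f%.f%.f%.f%c%c%c%.f|%p",
    "Jul  4 17:44:01 victim ftpd[3410]: SITE EXEC (lines: 0): ls -l pub",
    "Jul  4 17:44:09 victim ftpd[3411]: USER %08x%08x%08x%n",
    "Jul  4 17:44:30 victim ftpd[3412]: SITE EXEC (lines: 0): du -sh 100%%",
    NULL
};

/* Scan the embedded samples and return how many were flagged (2 above). */
int scan_samples(void)
{
    int hits = 0;
    for (int i = 0; sample_lines[i]; i++) {
        if (is_format_string_attempt(sample_lines[i])) {
            hits++;
            printf("ALERT: %s\n", sample_lines[i]);
        }
    }
    return hits;
}
```

   On a real host the same check would be run over the ftpd lines of the
   syslog file rather than the embedded array; note that long SITE EXEC
   arguments may be wrapped by the log viewer, as in the excerpt above,
   and must be rejoined before counting.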

   Details and exploits for both the "site exec" and setproctitle()
   vulnerabilities have been posted in various public forums. Please see
   
   http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1387
   http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1438
   http://ciac.llnl.gov/ciac/bulletins/k-054.shtml
          
   The CERT/CC has received reports of both of these vulnerabilities
   being successfully exploited on the Internet. Please check our Current
   Activity page for updates regarding intruder activity involving these
   vulnerabilities.
   
II. Impact

   By exploiting either of these input validation problems, local or
   remote users logged into the ftp daemon may be able to execute
   arbitrary code as root. An anonymous ftp user may also be able to
   execute arbitrary code as root.
   
III. Solution

Upgrade your version of ftpd

   Please see Appendix A of this advisory for more information about the
   availability of updated ftpd packages specific for your system.
   
Apply a patch from your vendor

   If you are running vulnerable ftpd implementations and cannot upgrade,
   you need to apply the appropriate vendor patches and recompile and/or
   reinstall the ftpd server software.
   
   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.
   
Disable ftp services

   If neither an upgrade nor a patch can be applied, the CERT/CC
   recommends disabling all vulnerable wu-ftpd and proftpd servers. While
   disabling "site exec" command functionality or anonymous ftp access
   reduces exposure to the "site exec" vulnerability, neither is a
   complete solution, and neither mitigates the setproctitle()
   vulnerability, which is reached before any command is executed.
   
Appendix A. Vendor Information

BSDI

   Current versions of BSD/OS do not include any version of wu-ftpd. The
   BSDI ftpd is not vulnerable to the reported problems; it is not based
   on the wu-ftpd code.
   
   The version of ftpd in modern versions of BSD/OS is not vulnerable to
   the generic setproctitle() vulnerabilities.
   
Caldera Systems, Inc

   Please see CSSA-2000-020.0 regarding the wu-ftpd issue and OpenLinux:
   
   ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-020.0.txt
          
   Copyright © 2000 Caldera Systems, Inc.
   
Conectiva S.A.

   Please see:
   
   http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623212826.A13925@conectiva.com.br
          
Debian GNU/Linux

   Please see the following regarding the wu-ftpd "site exec" issue:
   
   http://www.debian.org/security/2000/20000623
          
   Copyright © 1997-2000 SPI
   
FreeBSD, Inc.

   Please see FreeBSD-SA-00:29, Security Advisory for wu-ftpd in the
   ports collection, for complete information. In part it states:
   
     The wu-ftpd port is not installed by default, nor is it "part of
     FreeBSD" as such: it is part of the FreeBSD ports collection,
     which contains over 3400 third-party applications in a
     ready-to-install format. The ports collections shipped with
     FreeBSD 3.5 and 4.0 contains this problem since it was
     discovered after the release. FreeBSD makes no claim about the
     security of these third-party applications, although an effort
     is underway to provide a security audit of the most
     security-critical ports.
          
   [With respect to setproctitle()] it turns out that FreeBSD fixed this
   bug in the system ftpd back in 1996, so it is not present in any
   version of FreeBSD since 2.2.0.
   
   We also ship optional third-party ftpds in the ports collection: we
   had patched wu-ftpd and believed it to be fixed (it was the subject of
   advisory SA-00:29), but in light of the other recent email from CERT
   we will re-check to make sure all of the vulnerabilities were patched.
   Proftpd is also currently vulnerable but [has been patched]. Other
   third-party ftpds may or may not be vulnerable at this time (we advise
   users to install ports at their own risk), and we will release
   security advisories as they are discovered and fixed.
   
Hewlett-Packard Company

   HP is vulnerable, patches in process, watch for the HP security
   bulletin to be issued.
   
MandrakeSoft Inc.

   Please see the MANDRAKE 7.1 update section for wu-ftpd information at:
   
   http://www.linux-mandrake.com/en/fupdates.php3
          
Microsoft Corporation

   The IIS FTP service is not affected by these issues.
   
MIT Kerberos Development Team

   It seems that the MIT Kerberos ftpd is based on BSD ftpd revision
   5.40, and has never contained any serious format string related bugs
   for some reason. It is possible that by defining an undocumented CPP
   macro SETPROCTITLE, calls to setproctitle() can be made, however,
   there is an internally declared setproctitle() function that does not
   take a format string as its argument, and is hence not vulnerable.
   
ProFTPD Project

   Upgrade to ProFTPD 1.2.0
   
   Please see the discussion concerning setproctitle() at
   
   http://www.proftpd.org/proftpd-l-archive/00-07/msg00059.html
   http://www.proftpd.org/proftpd-l-archive/00-07/msg00060.html
   http://bugs.proftpd.net/show_bug.cgi?id=121
   http://www.proftpd.net/security.html
          
OpenBSD

   The setproctitle bug is in OpenBSD. Please see:
   
   http://www.openbsd.org/errata.html#ftpd
          
Redhat

   Please see RHSA-2000-039-02 regarding the wu-ftpd issue:
   
   http://www.redhat.com/support/errata/RHSA-2000-039-02.html
          
   Copyright © 2000 Red Hat, Inc. All rights reserved.
   
Slackware Linux Project

   Please see the patches made available regarding the wu-ftpd issue, at:
   
   ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/wu-ftpd-patch.README
          
Sun Microsystems

   [...] Our engineering team does not feel that Solaris is vulnerable.
   
SuSE Ltd.

   Please see SuSE Security Announcement #53 regarding the wu-ftpd issue,
   at:
   
   http://www.suse.de/de/support/security/suse_security_announce_53.txt
          
WU-FTPD Development Group

   The WU-FTPD Development Group's primary distribution site is mirrored
   world-wide. A list of mirrors is available from:
   
   http://www.wu-ftpd.org/mirrors.txt
          
   If possible, please use a mirror to obtain patches or the latest
   version.
   
Upgrade your version of wu-ftpd

   The latest release of wu-ftpd, version 2.6.1, has been released to
   address these and several other security issues:
   
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc
          
Apply a patch

   The wu-ftpd developers have published the following patch for wu-ftpd
   2.6.0:
   
   ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.0/lreply-buffer-overflow.patch
   _________________________________________________________________
   
   The CERT Coordination Center thanks Gregory Lundberg and Theo de Raadt
   for their help in developing this advisory.
   _________________________________________________________________
   
   Author: Jeffrey S. Havrilla
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2000-13.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert at cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request at cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University
   
   Revision History
July  7, 2000:  Initial release

- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOWYdxVr9kb5qlZHQEQJRpgCfZA2ep1eMkg5B4aqBZbZOtKeXWDoAnRSe
ct12Oprnm91UvyxUJv9gdW1v
=Cs9w
- -----END PGP SIGNATURE-----


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by Mailcrypt 3.5.5, an Emacs/PGP interface

iQEVAwUBOWnitYrEggYLt8j5AQGrfggAkow1YgSlxcj0k2EmEMfxDHVWz2qLUBFe
+XAQ3C9TAh7ioctT7ex6VznYUT4JOpROo1Lrv0FrUksOB/akwbjzmP8yipoOYsc7
2riK7aWtxqqNBsx/c+KYAHNhUJcdVeSwxyloXl6sHu6YrwCfUGB39gu8waTW088Q
OSiMboxV75eyVDIvNkvfIeV0z4erJSsDSpr8QlyJvyaMa+OnO/w5w8AXSZ+nvZf6
Oo6o/UMVuoX04+y01OABylWf86l9OWroz0fhxWhs/H6w3Lt3OaquTLATn7s9oNAn
dTROLINGwwJ6b02heo3P+9xYs1i9jGIHJ45AVXQqc80whz0xv1ZkTg==
=jBvV
-----END PGP SIGNATURE-----