Bugtraq archives for 2nd quarter (Apr-Jun) 1995: SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Aleph One (
aleph1
dfw.net)
Wed, 31 May 1995 14:23:09 -0500 (CDT)
Aleph One / aleph1dfw.net
http://underground.org/
---------- Forwarded message ----------
Date: Wed, 31 May 95 02:49 MET DST
From: Olaf Kirch <okirmonad.swb.de>
To: linux-alerttarsier.cv.nrao.edu
Subject: SECURITY: problem with some wu-ftpd-2.4 binaries
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
There's a security hole in some Linux distributions involving
wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
defaults that allow anyone with an account on your machine to become the
root user. It appears that at least Slackware-2.0 and 2.2 are affected;
I have no information about other distributions. Anonymous FTP should
not be affected by this as long as you have only the `ls' command in
To find out if your machine is affected, ftp to your own account, log in
and enter this: quote "site exec bash -c id". If ftpd responds with
a line that says something like "uid=0(root) euid=1234(your_login)... ",
then your ftpd is vulnerable.
The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
It should NOT be set to /bin or any other regular directory. By default,
it is set to /bin/ftp-exec. Make sure this directory does not exist or
contains only harmless commands you are absolutely sure you would want
your users to execute as root.
Thomas Lundquist <Thomas.Lundquisthiof.no> has posted a small patch
for src/ftpcmd.y that goes even further and disables the SITE EXEC
command altogether. It is appended at the end of this message.
All the fame goes to
Michel an113354anon.penet.fi
Thomas Lundquist Thomas.Lundquisthiof.no
Aleph One aleph1dfw.net
Have a nice day
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okirmonad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okirbrewhq.swb.de.
- ------------------------------------------------------------------
table
`!"#$%&'()*+,-./0123456789:;<=>?
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
begin 644 /tmp/DIFF
M+2TM(&9T<&-M9"YY+F]R:6<)5V5D($UA>2`S,2`P,CHP,SHP-R`Q.3DU"BLKz
M*R!F='!C;60N>0E796036%Y(#,Q(#`R.C`S.C4T(#$Y.34*0$`+3$T,C<Ly
M-3*S$T,C<L,C0$`*(`H<VET95]E>&5C*&-M9"D*(&-H87(*F-M9#L*x
M*R`("`O*B`**R`("`*B!4:&49&5C;&%R871I;VYS(&)E;&]V(&ET(&MEw
M<'0=&\8F4<W5R92!W92!D;VXG="!B<F5A:R!T;V\;75C:"X**R`("`v
M*B\*('L*("`("!C:&%R(&)U9EM-05A0051(3$5.73L*("`("!C:&%R("ISu
M<"`]("AC:&%R("HI('-T<F-H<BAC;60L("<)RDL("IS;&%S:"P*G0["B`t
M("`1DE,12`J8VUD9BP*F9T<&1?<&]P96XH*3L*(`HM("`("\J('-A;FETs
M:7IE('1H92!C;VUM86YD+7-T<FEN9R`J+PHK("`("\J($YO<&4A(%=E(&1Or
M;B=T('=A;G0=&\15A%0R!A;GET:&EG+BX"BL("`("H4V\L('=E('=Iq
M;&P9&5N>2!T:&4;6]R;VX86YD(&QO9R!H:6TN"BL("`("H5&AO;6%Sp
M+DQU;F1Q=6ES=$!H:6]F+FYO($UA>2`G.34**R`("`*B\*("`("`*+2`o
M("!I9B`H<W`/3T,"D('L*+2`("`("`=VAI;&4*"AS;&%S:"`]('-Tn
M<F-H<B`H8VUD+"`G+R<I*2`A/2`P*0HM("`("`("`("`8VUD(#T<VQAm
M<V*R`Q.PHM("`('T96QS92!["BT("`("`('=H:6QE("AS<"`F)B`Hl
M<VQA<V/2`H8VAA<B`J*2!S=')C:'(H8VUD+"`G+R<I*2`*+2`("`("`k
M("`("`("8F("AS;&%S:"`\('-P*2D*+2`("`("`("`(&-M9"`]('-Lj
M87-H*S$["BT("`?0HM("`(`HM("`(&9O<B`H="`](&-M9#L("IT("8Fi
M("%I<W-P86-E*"IT*3L('0K*RD>PHM("`("`("!I9B`H:7-U<'!E<BJh
M="DI('L*+2`("`("`("`("IT(#T=&]L;W=E<BJ="D["BT("`("`g
M('T*+2`("!]"BT*+2`("`O*B!B=6EL9"!T:&48V]M;6%N9"`J+PHM("`f
M(&EF("AS=')L96XH7U!!5$A?15A%0U!!5$I("L<W1R;&5N*&-M9"D*R`Qe
M(#X<VEZ96]F*&)U9BDI"BT("`("`(')E='5R;CL*+2`("!S<')I;G1Fd
M*&)U9BP(B5S+R5S(BP7U!!5$A?15A%0U!!5$L(&-M9"D["BT*+2`("!Cc
M;61F(#T9G1P9%]P;W!E;BAB=68L(")R(BP,"D["BT("`:68*"%C;61Fb
M*2!["BT("`("`('!E<G)O<E]R97!L>2U-3`L(&-M9"D["BT("`("`a
M(&EF("AL;V=?8V]M;6%N9',I"BT("`("`("`("!S>7-L;V<H3$]'7TE.z
M1D\L(")3251%($5814,*$9!24PZ("5M*3H)7,B+"!C;60I.PHM("`('Ty
M96QS92!["BT("`("`(&EN="!L:6YE<R`](#`["BL("`+RH22!H879Ex
M(&QO9V=E9"!I="!A<R!C<FET:6-A;"P86YO=&AE<B!C:&]I8V4;6%Y(&)Ew
M('=A<FYI;F<N(`HK("`("`J(%1H870:7,3$]'7U=!4DY)3D<*'-E92!Sv
M>7,O<WES;&]G+F9F]R('1H92!C:&]I<V5S+BD**R`("`*B\**R`("!Su
M>7-L;V<H3$]'7T-2250L(")!5%1%35!4.B!3251%($5814,L($-O;6UA;F0Zt
M("5S("(L(&-M9"D["B`*+2`("`("`;')E<&QY*#(P,"P8VUD*3L*+2`s
M("`("`=VAI;&4*&9G971S*&)U9BP<VEZ96]F(&)U9BP8VUD9BDI('L*r
M+2`("`("`("`(&EN="!L96X/2!S=')L96XH8G5F*3L**R`("`O*B!4q
M:&4<F5P;'D8V%N(&]F(&-O=7)S92!B92!C:&%N9V5D('1O(&$;6]R92!Pp
M;VQI=&49&5N:6%L+BXZ/2D**R`("`*B\**R`("!R97!L>2R,#`L(").o
M;R!F<F5A:VEN9R!W87DA(BD["B`*+2`("`("`("`(&EF("AL96X^,"`Fn
M)B!B=69;;&5N+3%=/3TG7&XG*0HM("`("`("`("`("`(&)U9ELM+6QEm
M;ET/2`G7#`G.PHM("`("`("`("`;')E<&QY*#(P,"P8G5F*3L*+2`l
M("`("`("`(&EF("K*VQI;F5S(#X](#(P*2!["BT("`("`("`("`k
M("`;')E<&QY*#(P,"P(BHJ*B!4<G5N8V%T960*BHJ(BD["BT("`("`j
M("`("`("`8G)E86L["BT("`("`("`("!]"BT("`("`('T*+2`i
M("`("`<F5P;'DH,C`P+"`B("AE;F0;V8)R5S)RDB+"!C;60I.PHM("`h
M("`("!I9B`H;&]G7V-O;6UA;F1S*0HM("`("`("`("`<WES;&]G*$Q/g
M1U])3D9/+"`B4TE412!%6$5#("AL:6YE<SH)60I.B`E<R(L(&QI;F5S+"!Cf
M;60I.PHM("`("`("!F='!D7W!C;&]S92AC;61F*3L*+2`("!]"B!]"B`*e
+(&%L:6%S("AS*0Hd
`c
end
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBL8u8tuFnVHXv40etAQHmkwP9F7FO8SNgNnIdGlMhEgORZhJfMwHE5dyw
OdY40cLDjJ4zQ1qu1D9EyOLD7ApO5X9XTgci8YmXZbPM8UFb2gj4U5m9ZfFVk2e5
mkgO6lrLeDYTRANabXSs3BEduOpBHDDtoJuGIdVpWBfz53oTfVM93ZeJRO01+a2T
ROXdHo7waVM=
=IHou
-----END PGP SIGNATURE-----
P.S. (From Jeff Uphoff): Slackware 2.3 is also affected. Also, there is
a typo at the end of Olaf's first paragraph; it should read: "Anonymous
FTP should not be affected by this as long as you have only the `ls'
command in ~ftp/bin."
^^^^^^^^
