SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
Aleph One (aleph1@dfw.net)
Wed, 31 May 1995 14:23:09 -0500 (CDT)
Aleph One / aleph1@dfw.net
http://underground.org/
---------- Forwarded message ----------
Date: Wed, 31 May 95 02:49 MET DST
From: Olaf Kirch <okir@monad.swb.de>
To: linux-alert@tarsier.cv.nrao.edu
Subject: SECURITY: problem with some wu-ftpd-2.4 binaries
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
There's a security hole in some Linux distributions involving
wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
defaults that allow anyone with an account on your machine to become the
root user. It appears that at least Slackware-2.0 and 2.2 are affected;
I have no information about other distributions. Anonymous FTP should
not be affected by this as long as you have only the `ls' command in
To find out if your machine is affected, ftp to your own account, log in
and enter this: quote "site exec bash -c id". If ftpd responds with
a line that says something like "uid=0(root) euid=1234(your_login)... ",
then your ftpd is vulnerable.
The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
It should NOT be set to /bin or any other regular directory. By default,
it is set to /bin/ftp-exec. Make sure this directory does not exist or
contains only harmless commands you are absolutely sure you would want
your users to execute as root.
Thomas Lundquist <Thomas.Lundquist@hiof.no> has posted a small patch
for src/ftpcmd.y that goes even further and disables the SITE EXEC
command altogether. It is appended at the end of this message.
All the fame goes to
Michel an113354@anon.penet.fi
Thomas Lundquist Thomas.Lundquist@hiof.no
Aleph One aleph1@dfw.net
Have a nice day
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
- ------------------------------------------------------------------
table
`!"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
begin 644 /tmp/DIFF
M+2TM(&9T<&-M9"YY+F]R:6<)5V5D($UA>2`S,2`P,CHP,SHP-R`Q.3DU"BLKz
M*R!F='!C;60N>0E7960@36%Y(#,Q(#`R.C`S.C4T(#$Y.34*0$`@+3$T,C<Ly
M-3@@*S$T,C<L,C@@0$`*(`H@<VET95]E>&5C*&-M9"D*(&-H87(@*F-M9#L*x
M*R`@("`O*B`**R`@("`@*B!4:&4@9&5C;&%R871I;VYS(&)E;&]V(&ET(&MEw
M<'0@=&\@8F4@<W5R92!W92!D;VXG="!B<F5A:R!T;V\@;75C:"X**R`@("`@v
M*B\*('L*("`@("!C:&%R(&)U9EM-05A0051(3$5.73L*("`@("!C:&%R("ISu
M<"`]("AC:&%R("HI('-T<F-H<BAC;60L("<@)RDL("IS;&%S:"P@*G0["B`@t
M("`@1DE,12`J8VUD9BP@*F9T<&1?<&]P96XH*3L*(`HM("`@("\J('-A;FETs
M:7IE('1H92!C;VUM86YD+7-T<FEN9R`J+PHK("`@("\J($YO<&4A(%=E(&1Or
M;B=T('=A;G0@=&\@15A%0R!A;GET:&EG+BX@"BL@("`@("H@4V\L('=E('=Iq
M;&P@9&5N>2!T:&4@;6]R;VX@86YD(&QO9R!H:6TN"BL@("`@("H@5&AO;6%Sp
M+DQU;F1Q=6ES=$!H:6]F+FYO($UA>2`G.34**R`@("`@*B\*("`@("`*+2`@o
M("!I9B`H<W`@/3T@,"D@('L*+2`@("`@("`@=VAI;&4@*"AS;&%S:"`]('-Tn
M<F-H<B`H8VUD+"`G+R<I*2`A/2`P*0HM("`@("`@("`@("`@8VUD(#T@<VQAm
M<V@@*R`Q.PHM("`@('T@96QS92!["BT@("`@("`@('=H:6QE("AS<"`F)B`Hl
M<VQA<V@@/2`H8VAA<B`J*2!S=')C:'(H8VUD+"`G+R<I*2`*+2`@("`@("`@k
M("`@("`@("8F("AS;&%S:"`\('-P*2D*+2`@("`@("`@("`@(&-M9"`]('-Lj
M87-H*S$["BT@("`@?0HM("`@(`HM("`@(&9O<B`H="`](&-M9#L@("IT("8Fi
M("%I<W-P86-E*"IT*3L@('0K*RD@>PHM("`@("`@("!I9B`H:7-U<'!E<B@Jh
M="DI('L*+2`@("`@("`@("`@("IT(#T@=&]L;W=E<B@J="D["BT@("`@("`@g
M('T*+2`@("!]"BT*+2`@("`O*B!B=6EL9"!T:&4@8V]M;6%N9"`J+PHM("`@f
M(&EF("AS=')L96XH7U!!5$A?15A%0U!!5$@I("L@<W1R;&5N*&-M9"D@*R`Qe
M(#X@<VEZ96]F*&)U9BDI"BT@("`@("`@(')E='5R;CL*+2`@("!S<')I;G1Fd
M*&)U9BP@(B5S+R5S(BP@7U!!5$A?15A%0U!!5$@L(&-M9"D["BT*+2`@("!Cc
M;61F(#T@9G1P9%]P;W!E;BAB=68L(")R(BP@,"D["BT@("`@:68@*"%C;61Fb
M*2!["BT@("`@("`@('!E<G)O<E]R97!L>2@U-3`L(&-M9"D["BT@("`@("`@a
M(&EF("AL;V=?8V]M;6%N9',I"BT@("`@("`@("`@("!S>7-L;V<H3$]'7TE.z
M1D\L(")3251%($5814,@*$9!24PZ("5M*3H@)7,B+"!C;60I.PHM("`@('T@y
M96QS92!["BT@("`@("`@(&EN="!L:6YE<R`](#`["BL@("`@+RH@22!H879Ex
M(&QO9V=E9"!I="!A<R!C<FET:6-A;"P@86YO=&AE<B!C:&]I8V4@;6%Y(&)Ew
M('=A<FYI;F<N(`HK("`@("`J(%1H870@:7,@3$]'7U=!4DY)3D<@*'-E92!Sv
M>7,O<WES;&]G+F@@9F]R('1H92!C:&]I<V5S+BD**R`@("`@*B\**R`@("!Su
M>7-L;V<H3$]'7T-2250L(")!5%1%35!4.B!3251%($5814,L($-O;6UA;F0Zt
M("5S("(L(&-M9"D["B`*+2`@("`@("`@;')E<&QY*#(P,"P@8VUD*3L*+2`@s
M("`@("`@=VAI;&4@*&9G971S*&)U9BP@<VEZ96]F(&)U9BP@8VUD9BDI('L*r
M+2`@("`@("`@("`@(&EN="!L96X@/2!S=')L96XH8G5F*3L**R`@("`O*B!4q
M:&4@<F5P;'D@8V%N(&]F(&-O=7)S92!B92!C:&%N9V5D('1O(&$@;6]R92!Pp
M;VQI=&4@9&5N:6%L+BXZ/2D**R`@("`@*B\**R`@("!R97!L>2@R,#`L(").o
M;R!F<F5A:VEN9R!W87DA(BD["B`*+2`@("`@("`@("`@(&EF("AL96X^,"`Fn
M)B!B=69;;&5N+3%=/3TG7&XG*0HM("`@("`@("`@("`@("`@(&)U9ELM+6QEm
M;ET@/2`G7#`G.PHM("`@("`@("`@("`@;')E<&QY*#(P,"P@8G5F*3L*+2`@l
M("`@("`@("`@(&EF("@K*VQI;F5S(#X](#(P*2!["BT@("`@("`@("`@("`@k
M("`@;')E<&QY*#(P,"P@(BHJ*B!4<G5N8V%T960@*BHJ(BD["BT@("`@("`@j
M("`@("`@("`@8G)E86L["BT@("`@("`@("`@("!]"BT@("`@("`@('T*+2`@i
M("`@("`@<F5P;'DH,C`P+"`B("AE;F0@;V8@)R5S)RDB+"!C;60I.PHM("`@h
M("`@("!I9B`H;&]G7V-O;6UA;F1S*0HM("`@("`@("`@("`@<WES;&]G*$Q/g
M1U])3D9/+"`B4TE412!%6$5#("AL:6YE<SH@)60I.B`E<R(L(&QI;F5S+"!Cf
M;60I.PHM("`@("`@("!F='!D7W!C;&]S92AC;61F*3L*+2`@("!]"B!]"B`*e
+(&%L:6%S("AS*0H@d
`c
end
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBL8u8tuFnVHXv40etAQHmkwP9F7FO8SNgNnIdGlMhEgORZhJfMwHE5dyw
OdY40cLDjJ4zQ1qu1D9EyOLD7ApO5X9XTgci8YmXZbPM8UFb2gj4U5m9ZfFVk2e5
mkgO6lrLeDYTRANabXSs3BEduOpBHDDtoJuGIdVpWBfz53oTfVM93ZeJRO01+a2T
ROXdHo7waVM=
=IHou
-----END PGP SIGNATURE-----
P.S. (From Jeff Uphoff): Slackware 2.3 is also affected. Also, there is
a typo at the end of Olaf's first paragraph; it should read: "Anonymous
FTP should not be affected by this as long as you have only the `ls'
command in ~ftp/bin."
^^^^^^^^