Aleph One / aleph1@dfw.net
http://underground.org/

---------- Forwarded message ----------
Date: Wed, 31 May 95 02:49 MET DST
From: Olaf Kirch <okir@monad.swb.de>
To: linux-alert@tarsier.cv.nrao.edu
Subject: SECURITY: problem with some wu-ftpd-2.4 binaries

-----BEGIN PGP SIGNED MESSAGE-----

Hi all,

There's a security hole in some Linux distributions involving
wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
defaults that allow anyone with an account on your machine to become
the root user. It appears that at least Slackware-2.0 and 2.2 are
affected; I have no information about other distributions. Anonymous
FTP should not be affected by this as long as you have only the `ls'
command in

To find out if your machine is affected, ftp to your own account,
log in and enter this: quote "site exec bash -c id". If ftpd responds
with a line that says something like "uid=0(root) euid=1234(your_login)...
", then your ftpd is vulnerable.

The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
It should NOT be set to /bin or any other regular directory. By
default, it is set to /bin/ftp-exec. Make sure this directory does not
exist or contains only harmless commands you are absolutely sure you
would want your users to execute as root.

Thomas Lundquist <Thomas.Lundquist@hiof.no> has posted a small patch
for src/ftpcmd.y that goes even further and disables the SITE EXEC
command altogether. It is appended at the end of this message.

All the fame goes to
    Michel            an113354@anon.penet.fi
    Thomas Lundquist  Thomas.Lundquist@hiof.no
    Aleph One         aleph1@dfw.net

Have a nice day
Olaf
- --
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.
- ------------------------------------------------------------------

P.S. (From Jeff Uphoff): Slackware 2.3 is also affected. Also, there
is a typo at the end of Olaf's first paragraph; it should read:

"Anonymous FTP should not be affected by this as long as
you have only the `ls' command in ~ftp/bin."
                                  ^^^^^^^^
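
Added example (not part of the original advisory or of wu-ftpd): a shell check for the fix described above. It reads _PATH_EXECPATH from a pathnames.h, assuming the usual `#define _PATH_EXECPATH "<dir>"` form, and flags a regular system directory or any entry that is not on an admin-supplied allowlist; the function names and the allowlist argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit the SITE EXEC directory compiled into wu-ftpd.
# Assumption: the define has the usual C form  #define _PATH_EXECPATH "<dir>"

# Print the directory named by _PATH_EXECPATH in a pathnames.h file.
execpath_from_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify a directory. Extra arguments are command names the admin has
# explicitly approved (hypothetical allowlist, empty by default).
# Prints: ok-missing | ok-allowlisted | unsafe-system-dir | unsafe-contents
audit_execpath() {
    dir=${1%/}; shift
    case "$dir" in
        ""|/bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/ucb)
            # "/bin or any other regular directory" must never be used.
            echo unsafe-system-dir; return 1 ;;
    esac
    # A directory that does not exist offers nothing to execute.
    [ -d "$dir" ] || { echo ok-missing; return 0; }
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched glob patterns; keep dangling symlinks in scope.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}; approved=no
        for ok in "$@"; do
            if [ "$name" = "$ok" ]; then approved=yes; fi
        done
        [ "$approved" = yes ] || { echo unsafe-contents; return 1; }
    done
    echo ok-allowlisted
}

# Constructed sample input: a header built the way the advisory warns against.
tmp=$(mktemp -d)
printf '#define _PATH_EXECPATH "/bin"\n' > "$tmp/pathnames.h"
configured=$(execpath_from_header "$tmp/pathnames.h")
echo "$configured: $(audit_execpath "$configured")"
rm -rf "$tmp"
```

On a real source tree, point execpath_from_header at src/pathnames.h and pass the result to audit_execpath together with the commands you have approved.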