Re: SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)

Rick Weldon (rick@hq.af.mil)
Thu, 1 Jun 1995 08:59:48 -0400 (EDT)

Excerpts from Bugtraq: 31-May-95 SECURITY: problem with some.. Aleph
One@dfw.net (5673*)

> Hi all,

> There's a security hole in some Linux distributions involving
> wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
> defaults that allow anyone with an account on your machine to become the
> root user.

I don't think this is a Linux-specific problem. It is with wu-ftpd-2.4; I
didn't change the defaults when I installed it here.
On our ftp server, a sun sparc:

Name (foo:rick): rick
331 Password required for rick.
Password:
230 User rick logged in.
ftp> quote "site exec sh -c id"
200-sh -c id
200-uid=0(root) gid=0(wheel) euid=142(rick) egid=84(web)
groups=84(web),16(cando)
200  (end of 'sh -c id')
ftp> 


>  It appears that at least Slackware-2.0 and 2.2 are affected;

I'd guess anyone using wu-ftpd-2.4 is vulnerable assuming they have the
site exec dir configured. We don't use the site-exec feature here. I had
to copy a shell into the directory before running your test. Anyone
running version 2.4 that uses this feature should be warned though.

> The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
> it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
> It should NOT be set to /bin or any other regular directory. By default,
> it is set to /bin/ftp-exec. Make sure this directory does not exist or
> contains only harmless commands you are absolutely sure you would want
> your users to execute as root.

Why is site-exec even on by default?  Shouldn't this be something that
you have to "turn on" given its ease of misuse?

> Thomas Lundquist <Thomas.Lundquist@hiof.no> has posted a small patch 
> for src/ftpcmd.y that goes even further and disables the SITE EXEC
> command altogether. It is appended at the end of this message.

> All the fame goes to

> 	Michel			an113354@anon.penet.fi
> 	Thomas Lundquist	Thomas.Lundquist@hiof.no
> 	Aleph One		aleph1@dfw.net

[...] 

ObSoapBox :-)
Thank you for posting the specifics. I for one am sick of the "I'll tell
you about the problem once some-big-vendor is notified" BS that seems to
be so prolific on this list.  Hmmphh!
-----------------------------------------------------------------------------
| Rick Weldon  I-NET Inc.       | 'It is difficult to see a black cat in a   |
| E-mail: rick@hq.af.mil(MIME)  | dark room, especially when it's not there' |
| Phone:  703-695-0264          |                    --- Chinese Saying --   |
|                               | ...or when it is Schroedingers cat :-)     |
-----------------------------------------------------------------------------
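As an added example (my own shell script, not from the post, the patch, or the wu-ftpd project), an audit for the setting the thread discusses: it reads the _PATH_EXECPATH define out of a pathnames.h, flags a regular system directory such as /bin, and counts how many executables the configured directory would expose through SITE EXEC. The pathnames.h it writes at the bottom is a constructed sample, and the list of "dangerous" directories is my own assumption.

```shell
#!/bin/sh
# Audit helper for the wu-ftpd-2.4 SITE EXEC default (added example).

# Print the value of _PATH_EXECPATH from a pathnames.h, or nothing if absent.
execpath_from_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 if the path is a regular system directory that should never be
# the SITE EXEC root (assumed list; extend for your own layout).
is_dangerous_execpath() {
    case "$1" in
        ""|/|/bin|/bin/|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/etc) return 0 ;;
    esac
    return 1
}

# Print how many regular executable files the directory exposes; 0 if it
# does not exist, which is the safe state the post recommends.
count_execdir() {
    n=0
    if [ -d "$1" ]; then
        for f in "$1"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# --- constructed sample input: a pathnames.h compiled with the bad default ---
demo=$(mktemp -d)
printf '#define _PATH_EXECPATH "/bin"\n' > "$demo/pathnames.h"
p=$(execpath_from_header "$demo/pathnames.h")
if is_dangerous_execpath "$p"; then
    echo "DANGER: _PATH_EXECPATH is $p; rebuild with a dedicated, empty directory"
else
    echo "OK: _PATH_EXECPATH is $p"
fi
echo "executables reachable via SITE EXEC from $p: $(count_execdir "$p")"
rm -rf "$demo"
```

Run it against a real build tree by pointing execpath_from_header at src/pathnames.h; a result of 0 reachable executables means SITE EXEC has nothing to run even if it is left enabled.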