Excerpts from Bugtraq: 31-May-95 SECURITY: problem with some.. Aleph One@dfw.net (5673*)

> Hi all,
>
> There's a security hole in some Linux distributions involving
> wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
> defaults that allow anyone with an account on your machine to become the
> root user.

I don't think this is a Linux-specific problem. It is with wu-ftpd-2.4. I didn't change the defaults when I installed it here. On our ftp server, a Sun SPARC:

Name (foo:rick): rick
331 Password required for rick.
Password:
230 User rick logged in.
ftp> quote "site exec sh -c id"
200-sh -c id
200-uid=0(root) gid=0(wheel) euid=142(rick) egid=84(web) groups=84(web),16(cando)
200 (end of 'sh -c id')
ftp>

> It appears that at least Slackware-2.0 and 2.2 are affected; I'd guess
> anyone using wu-ftpd-2.4 is vulnerable assuming they have the site exec
> dir configured.

We don't use the site-exec feature here. I had to copy a shell into the directory before running your test. Anyone running version 2.4 that uses this feature should be warned though.

> The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
> it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
> It should NOT be set to /bin or any other regular directory. By default,
> it is set to /bin/ftp-exec. Make sure this directory does not exist or
> contains only harmless commands you are absolutely sure you would want
> your users to execute as root.

Why is site-exec even on by default? Shouldn't this be something that you have to "turn on" given its ease of misuse?

> Thomas Lundquist <Thomas.Lundquist@hiof.no> has posted a small patch
> for src/ftpcmd.y that goes even further and disables the SITE EXEC
> command altogether. It is appended at the end of this message.
>
> All the fame goes to
> Michel an113354@anon.penet.fi
> Thomas Lundquist Thomas.Lundquist@hiof.no
> Aleph One aleph1@dfw.net

[...]

ObSoapBox :-)

Thank you for posting the specifics.

I for one am sick of the "I'll tell you about the problem once some-big-vendor is notified" BS that seems to be so prolific on this list. Hmmphh!

-----------------------------------------------------------------------------
| Rick Weldon  I-NET Inc.       | 'It is difficult to see a black cat in a   |
| E-mail: rick@hq.af.mil(MIME)  | dark room, especially when it's not there' |
| Phone: 703-695-0264           |              --- Chinese Saying --         |
|                               | ...or when it is Schroedinger's cat :-)    |
-----------------------------------------------------------------------------
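As an added example (not part of the Bugtraq thread and not wu-ftpd's own code), here is a POSIX shell audit script for the fix the quoted post describes: it reads the _PATH_EXECPATH define from src/pathnames.h in a wu-ftpd-2.4 source tree and reports whether the SITE EXEC directory is a general-purpose directory such as /bin, a dedicated directory that exists and holds executables, an empty one, or absent. The header path and define name come from the post; the exact `#define _PATH_EXECPATH "..."` form, the list of "regular" directories, and the verdict labels are my assumptions. The demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Bugtraq thread or from wu-ftpd itself.
# Audits a wu-ftpd-2.4 source tree for the _PATH_EXECPATH setting in
# src/pathnames.h (named in the post) and classifies the directory it
# points at. Assumed: the define has the form
#   #define _PATH_EXECPATH "/bin/ftp-exec"
# The list of "regular" directories and the verdict labels are my choice.

# Print the quoted value of _PATH_EXECPATH from a pathnames.h file
# (empty output if the define is absent).
execpath_from_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify the directory SITE EXEC would run commands from:
#   unsafe-regular-dir  general-purpose directory (/bin, /usr/bin, ...):
#                       every binary there, including sh, would run as root
#   unsafe-exists       dedicated directory exists and holds executable files
#   ok-empty            dedicated directory exists but has no executables
#   ok-missing          directory does not exist, so nothing can be run
# Only regular files are inspected; symlinks are not followed.
classify_execpath() {
    case "$1" in
        /|/bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin)
            echo unsafe-regular-dir
            return 0
            ;;
    esac
    if [ ! -d "$1" ]; then
        echo ok-missing
    elif [ -n "$(find "$1" -type f -perm -100 2>/dev/null | head -n 1)" ]; then
        echo unsafe-exists
    else
        echo ok-empty
    fi
}

# Audit one source tree. Exit status 0 = acceptable, 1 = unsafe,
# 2 = header not found.
audit_wuftpd_tree() {
    hdr="$1/src/pathnames.h"
    if [ ! -f "$hdr" ]; then
        echo "audit: $hdr not found" >&2
        return 2
    fi
    p=$(execpath_from_header "$hdr")
    if [ -z "$p" ]; then
        echo "audit: no _PATH_EXECPATH in $hdr (SITE EXEC path not configured)"
        return 0
    fi
    verdict=$(classify_execpath "$p")
    echo "audit: _PATH_EXECPATH=$p verdict=$verdict"
    case "$verdict" in
        unsafe-*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Demo on a constructed tree (both headers below are made up for the
# demo; they are not taken from any real distribution).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bad/src" "$tmp/good/src"
    printf '#define _PATH_EXECPATH "/bin"\n' > "$tmp/bad/src/pathnames.h"
    printf '#define _PATH_EXECPATH "%s/ftp-exec"\n' "$tmp" > "$tmp/good/src/pathnames.h"
    audit_wuftpd_tree "$tmp/bad"    # -> verdict=unsafe-regular-dir
    audit_wuftpd_tree "$tmp/good"   # -> verdict=ok-missing
    rm -rf "$tmp"
}

# Usage: sh audit-wuftpd.sh /path/to/wu-ftpd-2.4  (no argument runs the demo)
if [ $# -gt 0 ]; then
    audit_wuftpd_tree "$1"
else
    demo
fi
```

Run it against an unpacked wu-ftpd-2.4 tree before building; a non-zero exit means the compiled daemon would let SITE EXEC reach a directory full of root-runnable binaries, which is exactly the configuration the post's `site exec sh -c id` transcript exercised.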