CIAC INFORMATION BULLETIN

E-17: FTP Daemon Vulnerabilities

April 14, 1994 1130 PDT

PROBLEM: Vulnerabilities in several implementations of the FTP daemon. PLATFORM: Unix systems with the following implementations of the FTP daemon: DECWRL ftpd versions before 5.93, wuarchive ftpd versions 2.0-2.3, and BSDI ftpd version 1.1. prior to patch 5. DAMAGE: Anyone (remote or local) can gain root access on a host running a vulnerable daemon. SOLUTION: Upgrade to a secure version of the FTP daemon.
VULNERABILITY Details of these vulnerabilities are being actively discussed ASSESSMENT: on several Internet mailing lists. CIAC urges affected sites to upgrade immediately.

Critical Information about FTP Daemon Vulnerabilities

CIAC has received information concerning the existence of two vulnerabilities in FTP daemons derived from the DECWRL ftpd source code. The following FTP daemons are known to be vulnerable:

  
   - DECWRL ftpd versions before 5.93
   - wuarchive ftpd versions 2.0-2.3
   - BSDI ftpd version 1.1 prior to patch 5

The first vulnerability involves the SITE EXEC command feature of these FTP daemons. It only affects those daemons in which the SITE EXEC functions have been explicitly activated; they are not enabled by default. The vulnerability allows any user, remote or local, to execute commands as root on the system running the FTP daemon. The second vulnerability is the result of a race condition in the daemon. It allows the creation of setuid root files on the FTP server, permitting unauthorized access to the system.

There is no known workaround to remove both vulnerabilities; therefore, CIAC strongly advises affected sites to upgrade to one of the versions of the daemon listed below. If an upgrade cannot be completed in a timely manner, FTP service should be disabled by commenting out the ftp configuration line in /etc/inetd.conf and restarting inetd. Disabling only anonymous FTP does not remove the vulnerabilities.

Upgrade Information

Version 2.4 of wuarchive ftpd is available via anonymous FTP from wuarchive.wustl.edu in the directory /packages/wuarchive-ftpd. A patch to upgrade from version 2.3 to 2.4 is also available:

                        BSD        SVR4         
   File               Checksum   Checksum   MD5 Digital Signature
   -----------------  ---------  ---------  --------------------------------
   wu-ftpd-2.4.tar.Z  38213 181  20337 362  cdcb237b71082fa23706429134d8c32e
   patch_2.3-2.4.Z    09291   8  51092  16  5558a04d9da7cdb1113b158aff89be8f

Version 5.93 of DECWRL ftpd is available via anonymous FTP from gatekeeper.dec.com in the directory /pub/misc/vixie:

                         BSD        SVR4         
   File               Checksum   Checksum   MD5 Digital Signature
   -----------------  ---------  ---------  --------------------------------
   ftpd.tar.gz        38443 60   1710 119   ae624eb607b4ee90e318b857e6573500

For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386 software. The patch file is available via anonymous FTP from ftp.bsdi.com in the directory /bsdi/patches-1.1:

   
                      BSD        SVR4         
   File               Checksum   Checksum   MD5 Digital Signature
   -----------------  ---------  ---------  --------------------------------
   BU110-005          35337 272  54935 543  1f454d4d9d3e1397d1eff0432bd383cf


CIAC wishes to thank the CERT Coordination Center for their response to this problem.

For additional information or assistance, please contact CIAC:

    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

UCRL-MI-119788
[Bulletin Index] [Subscribe] [CIAC Home Page] [Disclaimer]
Last modified: Sunday, 11-Dec-94 18:34:03 PST
CIAC Bulletins and Advisories / CIAC / webmaster@ciac.llnl.gov