Source: FIRST CD-ROM (Forum_of_Incident_Response_and_Security_Teams_FIRST_October_1994.iso), teaminfo/nasirc/nasa9412.txt, text file dated 1994-07-02
NASIRC BULLETIN #94-12 April 6, 1994
UNIX: Security Vulnerabilities in WU-Archive FTPD
===========================================================================
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
NASA Automated Systems Incident Response Capability
===========================================================================
NASIRC has learned of a two-fold vulnerability affecting recent versions
of the Washington University Archive FTP daemon (wuarchive-ftpd).
Because of its enhanced access-control and logging features, many UNIX
sites within NASA run the wuarchive version of ftpd instead of the
version shipped with the operating system.
AFFECTED:
All UNIX systems running wuarchive-ftpd 2.1x that have changed the "default"
installation/configuration parameters, and all systems on which the
trojaned version 2.2 was installed, regardless of configuration.
DETAILS:
A security vulnerability has been discovered in version 2.1f: if certain
configuration options are chosen and enabled during the installation
process, a remote user can gain a root shell, completely compromising
the system. The vulnerability is also present in earlier 2.1x versions.
Sites running the ftpd software with all of the DEFAULT configuration
options chosen are *NOT VULNERABLE* to this particular security
vulnerability.
Before the original vulnerability could be announced, the patched
version (v2.2) developed to fix it was found to have been compromised
at the primary Internet distribution site and replaced with a version
containing trojan horse code which, if installed, would also give
attackers unauthorized root access. All copies of wuarchive-ftpd
version 2.2 should therefore be considered compromised.
FIX:
NASIRC strongly recommends that all sites running these or older
versions of wuarchive-ftpd retrieve and install version 2.3.
If the new version cannot be installed in a timely manner, the FTP
daemon should be disabled, since the trojaned daemon exposes every
system running it, whether or not the system provides anonymous ftp
service.
Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the
file /networking/ftp.wuarchive-ftpd/wu-ftpd-2.3.tar.Z, or directly
from the NASIRC online archives via ftp to nasirc.nasa.gov. Retrieve
the file /toolkits/UNIX/WUftpd/wu-ftpd-2.3.tar.Z
Be sure to verify the checksums to confirm that you have retrieved a
valid copy. The two "sum" columns give the output of the BSD-style and
SVR4-style sum(1) commands (checksum followed by the block count, in 1K
blocks for BSD and 512-byte blocks for SVR4); the MD5 column is the
128-bit message digest of the file. The correct values are:

                      BSD          SVR4
Filename              Checksum     Checksum     MD5 Digital Signature
-----------------     ---------    ---------    --------------------------------
wu-ftpd-2.3.tar.Z     24416 181    30488 361    e58adc5ce0b6eae34f3f2389e9dc9197

The MD5 digest can be generated with the TRIPWIRE utility, also found in
the NASIRC online archives.
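The following script is an added example and is not part of the NASIRC bulletin or of the wu-ftpd distribution. It checks a downloaded archive against all three published values at once, implementing the standard BSD and System V sum(1) algorithms in Python so the comparison does not depend on which sum(1) variant the local system ships, and it uses the two block counts to bound the file length as a cheap sanity check before hashing. The published values are copied from the table above; the file path, the constructed sample bytes used in the comments, and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Verify a downloaded wu-ftpd-2.3.tar.Z against the bulletin's checksums.

Added example, not code from the NASIRC bulletin or the wu-ftpd project.
bsd_sum() and sysv_sum() implement the standard BSD and System V sum(1)
algorithms; the PUBLISHED values are copied from the bulletin's table.
"""
import hashlib
import sys

# Published values from the bulletin: (checksum, block count) for the two
# sum(1) variants, plus the MD5 hex digest.
PUBLISHED = {
    "bsd": (24416, 181),    # BSD sum: checksum and 1K-block count
    "svr4": (30488, 361),   # SVR4 sum: checksum and 512-byte-block count
    "md5": "e58adc5ce0b6eae34f3f2389e9dc9197",
}


def bsd_sum(data):
    """BSD sum(1) (the 'sum -r' of System V): rotate the 16-bit checksum
    right by one bit, add the next byte, truncate to 16 bits.
    Returns (checksum, number of 1K blocks)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right 1
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data):
    """System V sum(1): add every byte into a 32-bit total, then fold the
    high half into the low half twice. Returns (checksum, 512-byte blocks)."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    folded = (folded & 0xFFFF) + (folded >> 16)
    return folded, (len(data) + 511) // 512


def md5_hex(data):
    """Hex MD5 digest, the same value the md5 tool in TRIPWIRE prints."""
    return hashlib.md5(data).hexdigest()


def size_bounds(bsd_blocks, svr4_blocks):
    """The two block counts bound the exact file length: N 1K blocks means
    (N-1)*1024+1 .. N*1024 bytes, likewise for 512-byte blocks. Returns the
    intersection (low, high) in bytes, or (0, 0) for an empty file."""
    if bsd_blocks == 0 or svr4_blocks == 0:
        return 0, 0
    low = max((bsd_blocks - 1) * 1024 + 1, (svr4_blocks - 1) * 512 + 1)
    high = min(bsd_blocks * 1024, svr4_blocks * 512)
    return low, high


def verify(data, published=PUBLISHED):
    """Compare each published value with what the bytes actually sum to.
    Returns {name: (matches, got, expected)}; all three must match."""
    got = {"bsd": bsd_sum(data), "svr4": sysv_sum(data), "md5": md5_hex(data)}
    return {name: (got[name] == published[name], got[name], published[name])
            for name in published}


def all_match(results):
    """True only when every checksum in a verify() result matched."""
    return all(ok for ok, _, _ in results.values())


if __name__ == "__main__":
    # Usage: verify_wuftpd.py wu-ftpd-2.3.tar.Z   (path is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else "wu-ftpd-2.3.tar.Z"
    with open(path, "rb") as fh:
        blob = fh.read()
    low, high = size_bounds(PUBLISHED["bsd"][1], PUBLISHED["svr4"][1])
    print(f"{path}: {len(blob)} bytes (published block counts imply {low}..{high})")
    results = verify(blob)
    for name, (ok, got, expected) in results.items():
        print(f"  {name:5s} {'OK ' if ok else 'BAD'} got={got} expected={expected}")
    sys.exit(0 if all_match(results) else 1)
```

Treat a mismatch in any column as a bad download: the two sum(1) checksums are only 16 bits and are easy to forge, so the MD5 digest is the value that actually matters, and the script refuses (exit status 1) unless all three agree.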
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: The ARPA CERT for their coordination, and also
Bryan O'Connor and Chris Myers of Washington University in St. Louis,
and Neil Woods and Karl Strickland for working with CERT toward the
resolution of this problem.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================
This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.
The NASIRC online archive system is available via anonymous ftp.
You will be required to enter your valid e-mail address as the
"password". Once on the system, you can access the following
information:
~/bulletins ! contains NASIRC bulletins
~/information ! contains various informational files
~/toolkits ! contains automated toolkit software
Please note that the NASIRC FTP server will only allow
connections from systems in the .nasa.gov domain and specific
other NASA systems in other domains; please contact NASIRC if
you have any questions.
Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC
Helpdesk for more information or assistance with toolkits or security
measures.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of
Incident Response and Security Teams (FIRST), a world-wide organization
which provides for coordination between incident response teams
in handling computer-security-related issues. You can obtain a list
of FIRST member organizations and their constituencies by sending
email to docserver@first.org with an empty "subject" line and a
message body containing the line "send first-contacts".