Netect, Inc.
General Public Security Advisory

% Advisory: palmetto.ftpd 
% Issue date: February 9, 1999
% Revision: February 8, 1999
% Contact: Jordan Ritter <jpr5@netect.com>

    
[Topic] 

Remote buffer overflows in various FTP servers leads to potential root 
compromise.


[Affected Systems]

Any server running the latest version of ProFTPD (1.2.0pre1) or the
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]).  wu-ftpd is
installed and enabled by default on most Linux variants such as RedHat
and Slackware Linux.  ProFTPD is new software recently adopted by many
major internet companies for its improved performance and reliability.

Investigation of this vulnerability is ongoing; the below lists
software and operating systems for which Netect has definitive
information.


[Overview]

Software that implements FTP is called an "ftp server", "ftp daemon",
or "ftpd".  On most vulnerable systems, the ftpd software is enabled
and installed by default.

There is a general class of vulnerability that exists in several
popular ftp servers.  Due to insufficient bounds checking, it is
possible to subvert an ftp server by corrupting its internal stack
space.  By supplying carefully designed commands to the ftp server,
intruders can force the the server to execute arbitrary commands with
root privilege.

On most vulnerable systems, the ftpd software is installed and enabled
by default.


[Impact]

Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote ftp server with root privelege.


[Solution]

Currently there are several ways to exploit the ftp servers in
question.  One temporary workaround against an anonymous attack is to
disable any world writable directories the user may have access to by
making them read only.  This will prevent an attacker from building an
unusually large path, which is required in order to execute these
particular attacks.

The permanent solution is to install a patch from your Vendor, or
locate one provided by the Software's author or maintainer.  See
Appendices A and B for more specific information.  

Netect strongly encourages immediate upgrade and/or patching where
available. 

Netect provides a strong software solution for the automatic detection
and removal of security vulnerabilities.  Current HackerShield
customers can protect themselves from this vulnerability by either
visiting the Netect website and downloading the latest RapidFire(tm)
update, or by enabling automatic RapidFire(tm) updates (no user
intervention required).

<a href="https://www.netect.com/hsblform.htm"><font color=Blue>Click here to download a FREE 30 day copy of HackerShield</a></font>, complete
with all the latest RapidFire(tm)updates.


[Appendix A, Software Information]

% ProFTPD

  Current version: 1.2.0pre1, released October 19, 1998.
  All versions prior to 1.2.0pre1: vulnerable.
  Fix: will be incorporated into 1.2.0pre2.

  Currently recommended action: upgrade to the new version when it
    becomes available, or apply the version 1.2.0pre1 patch found at:

  <a href="ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit.patch"><font color="Blue">ftp://ftp.proftpd.org/patches/proftpd-1.2.0pre1-path_exploit.patch</a></font>

% wu-ftpd 

  Current version: 2.4.2 (beta 18), unknown release date.
  All versions through 2.4.2 (beta 18): vulnerability dependant upon
    target platform, probably vulnerable either due to OS-provided
    runtime vulnerability or through use of replacement code supplied
    with the source kit.  No patches have been made available.
  Fix: unknown.

  Currently recommended action: Upgrade to wu-ftpd VR series.

  % wu-ftpd VR series

    Current version: 2.4.2 (beta 18) VR12, released January 1, 1999.
    All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
    Fix: incorporated into VR10, released November 1, 1998.

    Available from: 
        <a href="ftp://ftp.vr.net/pub/wu-ftpd/"><font color="Blue">ftp://ftp.vr.net/pub/wu-ftpd/</a></font><br>
    Filenames:
	wu-ftpd-2.4.2-beta-18-vr12.tar.Z
	wu-ftpd-2.4.2-beta-18-vr12.tar.gz

% BeroFTPD [NOT vulnerable]

  Current version: 1.3.1, released December 20, 1998.
  All versions prior to 1.2.0: vulnerable.
  Fix: incorporated into 1.2.0, released October 26, 1998.

  Available from: 
     <a href="ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/"><font color="Blue">ftp://ftp.beroftpd.unix.eu.org/pub/BeroFTPD/</a></font>
     <a href="ftp://ftp.croftj.net/usr/bero/BeroFTPD/"><font color="Blue">ftp://ftp.croftj.net/usr/bero/BeroFTPD/</a></font>
     <a href="ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/"><font color="Blue">ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/</a></font>
     <a href="ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/"><font color="Blue">ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/</a></font>
  Filename: 
     BeroFTPD-1.3.1.tar.gz

% NcFTPd [NOT vulnerable]

  Current version: 2.3.5, released January 6, 1999.
  All versions prior to 2.3.4: unknown.
  
  Available from: 
     <a href="http://www.ncftp.com/download/"><font color="Blue">http://www.ncftp.com/download/</a></font>

  Notes:

    % NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug
       that results in the loss of the server's ability to log
       activity.

    % This bug cannot be exploited to gain unintended or priveleged
       access to a system running the NcFTPd 2.3.4 (libc5) ftp
       server, as tested.

    % The bug was reproducible only on a libc5 Linux system.  The
       Linux glibc version of NcFTPd 2.3.4 ftp server is NOT
       vulnerable.

    % The bug does not appear to be present in the latest version,
       NcFTPd 2.3.5.  Affected users may upgrade free of charge
       to the latest version.


Thanks go to Gregory Lundberg for providing the information regarding
wu-ftpd and BeroFTPD.


[Appendix B, Vendors]

% RedHat Software, Inc. 

  % RedHat	Version 5.2 and previous versions ARE vulnerable.

  Updates will be available from:
     ftp://updates.redhat.com/5.2/<arch>/
  Filename: 
      wu-ftpd-2.4.2b18-2.1.<arch>.rpm

% Walnut Creek CDROM and Patrick Volkerding

  % Slackware	All versions ARE vulnerable.

  Updates will be available from:
      <a href="ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/"><font color=Blue>ftp://ftp.cdrom.com/pub/linux/slackware-3.6/slakware/n8/</a></font>
      <a href="ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/"><font color=Blue>ftp://ftp.cdrom.com/pub/linux/slackware-current/slakware/n8/</a></font>
  Filenames
      tcpip1.tgz (3.6)     [971a5f57bec8894364c1e0d358ffbfd4]
      tcpip1.tgz (current) [c7460a456fcbf19afb49af8c8422ecbc]

% Caldera Systems, Inc.

  % OpenLinux	Latest version IS vulnerable

  Updates will be available from:
      <a href="ftp://ftp.calderasystems.com/pub/OpenLinux/updates/"><font color=Blue>ftp://ftp.calderasystems.com/pub/OpenLinux/updates/</a></font>

% SCO 

  % UnixWare	Version 7.0.1 and earlier (except 2.1.x) IS vulnerable. 
  % OpenServer	Versions 5.0.5 and earlier IS vulnerable.
  % CMW+		  Version 3.0 is NOT vulnerable.
  % Open Desktop/Server	  Version 3.0 is NOT vulnerable.

  Binary versions of ftpd will be available shortly from the SCO ftp
  site: 
      <a href="ftp://ftp.sco.com/SSE/sse021.ltr"><font color=Blue>ftp://ftp.sco.com/SSE/sse021.ltr</a></font> - cover letter
      <a href="ftp://ftp.sco.com/SSE/sse021.tar.Z"><font color=Blue>ftp://ftp.sco.com/SSE/sse021.tar.Z</a></font> - replacement binaries

  Notes:

   This fix is a binary for the following SCO operating systems:

      % SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x) 
      % SCO OpenServer 5.0.5 and earlier releases

   For the latest security bulletins and patches for SCO products,
   please refer to <a href="http://www.sco.com/security/"><font color=Blue>http://www.sco.com/security/</a></font>.

% IBM Corporation

  % AIX		Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable. 

% Hewlett-Packard

  % HPUX	Versions 10.x and 11.x ARE NOT vulnerable.

  HP is continuing their investigation.

% Sun Microsystems, Inc.

  % SunOS	All versions ARE NOT vulnerable.
  % Solaris	All versions ARE NOT vulnerable.

% Microsoft, Inc.

  % IIS		Versions 3.0 and 4.0 ARE NOT vulnerable.

% Compaq Computer Corporation

  % Digital UNIX		V40b - V40e ARE NOT vulnerable.
  % TCP/IP(UCX) for OpenVMS	V4.1, V4.2, V5.0 ARE NOT vulnerable.

% Silicon Graphics, Inc. (SGI)

  % IRIX and Unicos

     Currently, Silicon Graphics, Inc. is investigating and no further
     information is available for public release at this time.

     As further information becomes available, additional advisories
     will be issued via the normal SGI security information distribution
     method including the wiretap mailing list.

     Silicon Graphics Security Headquarters
     <a href="http://www.sgi.com/Support/security/"><font color=Blue>http://www.sgi.com/Support/security/</a></font>

% NetBSD

  % NetBSD	All versions ARE NOT vulnerable.

[Appendix C, Netect Contact Information]

Copyright (c) 1999 by Netect, Inc. 

The information contained herein is the property of Netect, Inc.

-------------------------------------------------------------------------

Date: Fri, 12 Feb 1999 15:49:05 -0500
From: Jordan Ritter <jpr5@NETECT.COM>
Subject: palmetto.ftpd vulnerability clarification.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Folks,

        I have received several emails from various engineering groups
with concerns over ambiguity in Appendix B's (OS Vendors) vulnerability
information.  Specifically, some find it unclear as to whether or not
machines are vulnerable running wu-ftpd or proftpd even though their
Vendor reported the operating system as not vulnerable.

To clarify, the specific versions of wu-ftpd and ProFTPD described in the
advisory ARE vulnerable to the palmetto bug on any operating system.  The
Vendor responses detailed in Appendix B were essentially verification of
whether or not the vulnerable software in question was packaged by default
with their operating system.

Any OS listed in Appendix B as NOT vulnerable indicates that:

   1. an installation of the OS does not include the vulnerable software
       in question, and
   2. the default FTP server that _is_ included in the installation is not
       vulnerable to this large pathname attack.



Regards,


Jordan Ritter
Network Security Engineer
Netect, Inc.  Boston, MA

"Quis custodiet ipsos custodes?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.2 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE2xJPE+siuashk00ERArWIAJ4ppDvEFF9TAxyJMowBcjJGtiPmewCgiNzS
CDsX44Zpierz7f2f0BR81Bs=
=fxYQ
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------

Bodo Bauer says: 

 Dear SuSE Linux user, 

 Netect Inc. informed the public on February, 9th 1999 about remote buffer overflows in various FTP servers that could lead to
 potential root compromise. 

 Affected are systems running the latest version of ProFTPD (1.2.0pre1) or the latest version of Wuarchive ftpd
 (2.4.2-academ[BETA-18]). wu-ftpd is installed and enabled by default on SuSE Linux, if you are running inetd. One temporary
 workaround against an anonymous attack is to disable any world writable directories the user may have access to by making them
 read only. If you do not need ftp services, you can safely disable it in /etc/inetd.conf and restarting inetd. 

 More information about this issue can be found at the following WWW-pages:
 http://www.netect.com/news19.html
 http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html

 Security-updates of these packages can be found on our ftp-Server and it's mirrors (see http://www.suse.de/e/ftp.html for a list of
 mirror sites): 

 for S.u.S.E. Linux 5.x (libc5): 

 ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.3/n1/proftpd.rpm
 ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-5.3/n1/wuftpd.rpm

 for SuSE Linux 6.0 (glibc2): 

 ftp://ftp.suse.com/pub/suse_update/SuSE-6.0/n1/proftpd.rpm
 ftp://ftp.suse.com/pub/suse_update/SuSE-6.0/n1/wuftpd.rpm

 -- 
 Bodo Bauer                S.u.S.E., Inc              fon +1-510-835 7873
 bb@suse.com               458 Santa Clara Avenue     fax +1-510-835 7875
 http://www.suse.com/~bb   Oakland CA, 94610  USA     http://www.suse.com