Path: utzoo!attcan!uunet!pyrdc!jetson!decuac!felix!info-ultrix
From: fuat@cunixc.cc.columbia.edu (Fuat C. Baran 10-Nov-88 1601 EST)
Newsgroups: comp.unix.ultrix
Subject: yet another security hole in ftpd
Keywords: ftpd, security, BSD42
Message-ID: <71174@felix.UUCP>
Date: 22 Nov 88 17:26:53 GMT
Sender: info-ultrix@felix.UUCP
Reply-To: fuat@cunixc.cc.columbia.edu (Fuat C. Baran 10-Nov-88 1601 EST)
Organization: Columbia University Center for Computing Activities
Lines: 125
Approved: zemon@felix.UUCP
Reply-Path:

I received the following message and confirmed that the bug exists in Ultrix 2.0 (probably in 2.2, 2.3 though I haven't confirmed this). It has been fixed in BSD 4.3 based ftpd's I believe. In any case, readers with sources should fix ftpd immediately. Binary sites may wish to get a patch from DEC.

--Fuat Baran
UNIX Systems Group

P.S. Glad to see this list is alive again...

-----
INTERNET: fuat@columbia.edu
BITNET: fuat@cunixc.cc.columbia.edu
USENET: ...!rutgers!columbia!cunixc!fuat
PHONE: (212) 854-5128
U.S. MAIL: Columbia University, Center for Computing Activities, 712 Watson Labs, 612 W115th St., New York, NY 10025

===========================================================================

From Sun-Nets-request@brillig.umd.edu Thu Nov 10 12:21:13 1988
Received: from columbia.edu by cunixc.cc.columbia.edu (5.54/5.10) id AA08804; Thu, 10 Nov 88 12:20:51 EST
Received: from brillig.umd.edu by columbia.edu (5.54/1.14) id AA17663; Thu, 10 Nov 88 12:21:21 EST
Received: by brillig.umd.edu (5.58/4.7) id AA08248; Thu, 10 Nov 88 10:45:59 EST
Date: Thu, 10 Nov 88 10:46:00 EST
From: steve@umiacs.umd.edu (Steven D. Miller)
Message-Id: <8811101546.AA15999@fnord.umiacs.UMD.EDU>
To: sun-nets@brillig.umd.edu, sun-spots@rice.edu
Subject: BIG security hole (#2 of 2) in ftpd
Sender: Sun-Nets-request@brillig.umd.edu

[To Phil Rice: if this has already appeared in Sun-Spots, feel free just to drop it. I'm not shooting for unnecessary duplication, just wide coverage... SDM]

As many of you know, a major bug in FTP was discovered, or at least first publicized, sometime last week or thereabouts. If you are providing anonymous FTP on any 4.[23]BSD-derived system, you need to apply the first patch. The second patch is necessary only on systems using the 4.2BSD ftpd (which means SunOS up through SunOS 3.5, but probably not 4.0.) Even if you're not providing anonymous ftp, you should apply these; I'm not certain off the top of my head how the second bug is invoked, but I don't think it requires anonymous FTP. These are *two separate bugs*.

To head off potential flamage, let me point out that, since this is an insecure list, I'm not going to blindly post information on how to take advantage of these bugs. All that I will tell you is that unless the first one is fixed, someone can become root on your system in a very short time. The second one is, I think, not quite that bad, but it does allow crackers to break into other people's accounts. You *really* need to deal with these fixes *soon*.

If you really want to know how these bugs get triggered, drop me some email, and try to convince me that you need to know. If I am convinced that you're some system administrator, and not just J. Random Cracker (not that the two are distinct, necessarily), I'll let you know.

No binary fixes are available. Sorry.

Have fun, and good luck.

-Steve

Spoken: Steve Miller
Domain: steve@mimsy.umd.edu
UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808
USPS: UMIACS, Univ. of Maryland, College Park, MD 20742

P.S.: I've realized that this message is too big to go in one chunk, so I'm splitting it into two pieces. The first is the anonymous FTP patch, and the second is the more general patch. This is message #2 of 2.

----- Start of second message -----

Date: Mon, 7 Nov 88 16:22:45 EST
From: Pete Cottrell
To: phage@purdue.edu
Subject: yet another ftpd hole (on Suns)

We just discovered this on our machines, running SunOS 3.2. I'm sending it here because I figure we might as well get the word out to as many of the right people as possible. The hole doesn't exist in the Berkeley version posted last week, so if you replaced your Sun version with the Berkeley one, you should be fine. But if you only patched your Sun version with the Berkeley fix, you are still vulnerable to this one.

Subject: Security hole in Sun FTP
Index: /usr/src/usr.etc/ftpcmds.y SunOS 3.2

Description:
	The ftpd daemon in SunOS has a security hole in it, unrelated to the one involving anonymous login that Berkeley posted a fix for. In this one, once you log in to a machine as yourself, you can become anyone else (including root) on that machine and write files anywhere you like. This bug exists in SunOS 3.0, 3.2 and I'm told that it exists in 3.4; I have no idea if it is in further releases. You need to be able to log in first, to set a logged_in flag, so sites with this hole might not be vulnerable to a net attack, but I haven't checked this out for sure.

Repeat-By:
	Haven't we had enough problems lately? Believe me, it's there.

Fix:
	For sites lacking source, install the version Berkeley sent out. For sites with source, here is a context diff:

[ballast 21] rcsdiff -c3 -r1.2 ftpcmd.y RCS file: RCS/ftpcmd.y,v retrieving revision 1.2 diff -c3 -r1.2 ftpcmd.y *** /tmp/,RCSt1a02935 Mon Nov 7 14:22:49 1988 --- ftpcmd.y Sun Nov 6 21:25:58 1988 *************** *** 69,78 **** --- 69,79 ---- = { extern struct passwd *sgetpwnam(); + logged_in = 0; if (strcmp($3, "ftp") == 0 || strcmp($3, "anonymous") == 0) { if ((pw = sgetpwnam("ftp")) != NULL) {

----- End of second message -----
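Review bot: the added `logged_in = 0;` at the top of the USER action correctly makes every USER command restart authentication, but the `pw` pointer that a previous login filled in is not reset in the visible lines; the only assignment shown is `if ((pw = sgetpwnam("ftp")) != NULL)`, so if the remainder of the action assigns `pw` only on a successful lookup, a failed lookup for the new name would leave the earlier user's entry in place for whatever code consults `pw` later. Suggest adding `pw = NULL;` beside `logged_in = 0;`, and a one-line comment on the reset (a USER command invalidates any authentication already granted on this connection), since the reason for the line is not apparent from the hunk itself.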
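The state-machine mistake that the context diff corrects, as an added example in C written for this post (constructed here; it is not the SunOS or Berkeley ftpd source): a toy USER/PASS handler whose `logged_in` flag survives a second USER command, beside the version that clears the flag on every USER as the patch does. The `struct session`, the fixed credential table, the user names alice and root, and all helper names are assumptions made for the illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of per-connection FTP login state (assumption: a real
 * daemon keeps far more, but these two fields are what the bug is about). */
#define NAME_MAX_LEN 32

struct session {
    char user[NAME_MAX_LEN];   /* name supplied by the most recent USER */
    int logged_in;             /* set only by a successful PASS */
};

/* Constructed credential table standing in for the password file. */
static int password_ok(const char *user, const char *pass)
{
    static const struct { const char *u, *p; } table[] = {
        { "alice", "alice-secret" },
        { "root",  "root-secret" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].u, user) == 0 && strcmp(table[i].p, pass) == 0)
            return 1;
    return 0;
}

/* USER as the unpatched daemon behaves: the new name is recorded but
 * logged_in is left alone, so a connection that authenticated as one
 * user keeps its authenticated state while now carrying another name. */
static void user_unpatched(struct session *s, const char *name)
{
    strncpy(s->user, name, NAME_MAX_LEN - 1);
    s->user[NAME_MAX_LEN - 1] = '\0';
}

/* USER as patched: each USER discards any earlier authentication.
 * This is the `logged_in = 0;` line from the context diff above. */
static void user_patched(struct session *s, const char *name)
{
    s->logged_in = 0;
    strncpy(s->user, name, NAME_MAX_LEN - 1);
    s->user[NAME_MAX_LEN - 1] = '\0';
}

/* PASS is the same in both versions: grant login only if the password
 * matches the name given by the preceding USER. */
static void pass_cmd(struct session *s, const char *pass)
{
    s->logged_in = password_ok(s->user, pass);
}

/* The identity the daemon would act under, or NULL when unauthenticated. */
static const char *effective_user(const struct session *s)
{
    return s->logged_in ? s->user : NULL;
}

/* Replays USER alice / PASS (correct) / USER root with no second PASS.
 * Returns 1 if the session now acts as root without root's password,
 * i.e. if the first login's authentication leaked across the second USER. */
static int stale_login_survives(void (*user_cmd)(struct session *, const char *))
{
    struct session s;
    memset(&s, 0, sizeof s);
    user_cmd(&s, "alice");
    pass_cmd(&s, "alice-secret");
    assert(strcmp(effective_user(&s), "alice") == 0);  /* legitimate login */
    user_cmd(&s, "root");                               /* identity re-asserted */
    const char *eff = effective_user(&s);
    return eff != NULL && strcmp(eff, "root") == 0;
}

int main(void)
{
    printf("unpatched USER keeps stale login: %d\n", stale_login_survives(user_unpatched));
    printf("patched USER keeps stale login:   %d\n", stale_login_survives(user_patched));
    return 0;
}
```

The two runs differ only in whether USER clears `logged_in`, which is the whole content of the patch: authentication state has to be invalidated whenever the client re-asserts its identity, not merely set when a password check succeeds. On a server that is still unpatched, a USER command arriving after a successful login with no PASS following it is the sequence worth looking for in the daemon's logs.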