[comp.unix.ultrix] yet another security hole in ftpd

fuat@cunixc.cc.columbia.edu (Fuat C. Baran 10-Nov-88 1601 EST) (11/23/88)

 
I received the following message and confirmed that the bug exists in
Ultrix 2.0 (probably in 2.2, 2.3 though I haven't confirmed this).  It
has been fixed in BSD 4.3 based ftpd's I believe.  In any case,
readers with sources should fix ftpd immediately.  Binary sites may
wish to get a patch from DEC.
 
					--Fuat Baran
					  UNIX Systems Group
 
 
P.S.  Glad to see this list is alive again...
 
-----
INTERNET: fuat@columbia.edu          U.S. MAIL: Columbia University
BITNET:   fuat@cunixc.cc.columbia.edu           Center for Computing Activities
USENET:   ...!rutgers!columbia!cunixc!fuat      712 Watson Labs, 612 W115th St.
PHONE:    (212) 854-5128                        New York, NY 10025
 
 
===========================================================================
From Sun-Nets-request@brillig.umd.edu Thu Nov 10 12:21:13 1988
Received: from columbia.edu by cunixc.cc.columbia.edu (5.54/5.10) id AA08804; Thu, 10 Nov 88 12:20:51 EST
Received: from brillig.umd.edu by columbia.edu (5.54/1.14) 
	id AA17663; Thu, 10 Nov 88 12:21:21 EST
Received: by brillig.umd.edu (5.58/4.7)
	id AA08248; Thu, 10 Nov 88 10:45:59 EST
Date: Thu, 10 Nov 88 10:46:00 EST
From: steve@umiacs.umd.edu (Steven D. Miller)
Message-Id: <8811101546.AA15999@fnord.umiacs.UMD.EDU>
To: sun-nets@brillig.umd.edu, sun-spots@rice.edu
Subject: BIG security hole (#2 of 2) in ftpd
Sender: Sun-Nets-request@brillig.umd.edu
 
   [To Phil Rice: if this has already appeared in Sun-Spots, feel free just
to drop it.  I'm not shooting for unnecessary duplication, just wide
coverage...  SDM]
 
   As many of you know, a major bug in FTP was discovered, or at least first
publicized, sometime last week or thereabouts.  If you are providing
anonymous FTP on any 4.[23]BSD-derived system, you need to apply the first
patch.  The second patch is necessary only on systems using the 4.2BSD ftpd
(which means SunOS up through SunOS 3.5, but probably not 4.0.)  Even if
you're not providing anonymous ftp, you should apply these; I'm not certain
off the top of my head how the second bug is invoked, but I don't think it
requires anonymous FTP.  These are *two separate bugs*.
 
   To head off potential flamage, let me point out that, since this is an
unsecure list, I'm not going to blindly post information on how to take
advantage of these bugs.  All that I will tell you is that unless the first
one is fixed, someone can become root on your system in a very short time.
The second one is, I think, not quite that bad, but it does allow crackers
to break into other people's accounts.  You *really* need to deal with these
fixes *soon*.  If you really want to know how these bugs get triggered, drop
me some email, and try to convince me that you need to know.  If I am
convinced that you're some system administrator, and not just J.  Random
Cracker (not that the two are distinct, necessarily), I'll let you know.
 
   No binary fixes are available.  Sorry.  Have fun, and good luck.
 
	-Steve
 
Spoken: Steve Miller    Domain: steve@mimsy.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
 
P.S.:  I've realized that this message is too big to go in one chunk, so
I'm splitting it into two pieces.  The first is the anonymous FTP patch, and
the second is the more general patch.  This is message #2 of 2.
 
----- Start of second message -----
Date: Mon, 7 Nov 88 16:22:45 EST
From: Pete Cottrell <pete@brillig.umd.edu>
To: phage@purdue.edu
Subject: yet another ftpd hole (on Suns)
 
	We just discovered this on our machines, running SunOS 3.2. I'm
sending it here because I figure we might as well get the word out to
as many of the right people as possible. The hole doesn't exist in the
Berkeley version posted last week, so if you replaced your Sun version
with the Berkeley one, you should be fine. But if you only patched
your Sun version with the Berkeley fix, you are still vulnerable to this
one.
 
Subject: Security hole in Sun FTP
Index:	/usr/src/usr.etc/ftpcmds.y SunOS 3.2
 
Description:
	The ftpd daemon in SunOS has a security hole in it, unrelated to
	the one involving anonymous login that Berkeley posted a fix for.
	In this one, once you log in to a machine as yourself, you can
	become anyone else (including root) on that machine and write files
	anywhere you like. This bug exists in SunOS 3.0, 3.2 and I'm told
	that it exists in 3.4; I have no idea if it is in further releases.
	You need to be able to log in first, to set a logged_in flag, so
	sites with this hole might not be vulnerable to a net attack, but
	I haven't checked this out for sure.
 
Repeat-By:
	
	Haven't we had enough problems lately? Believe me, it's there.
 
Fix:
	For sites lacking source, install the version Berkeley sent out.
	For sites with source, here is a context diff:
 
[ballast 21] rcsdiff -c3 -r1.2 ftpcmd.y
RCS file: RCS/ftpcmd.y,v
retrieving revision 1.2
diff -c3 -r1.2 ftpcmd.y
*** /tmp/,RCSt1a02935   Mon Nov  7 14:22:49 1988
--- ftpcmd.y    Sun Nov  6 21:25:58 1988
***************
*** 69,78 ****
--- 69,79 ----
                = {
                        extern struct passwd *sgetpwnam();
  
+                       logged_in = 0;
                        if (strcmp($3, "ftp") == 0 ||
                          strcmp($3, "anonymous") == 0) {
                                if ((pw = sgetpwnam("ftp")) != NULL) {
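Review bot: placing `logged_in = 0;` ahead of the `strcmp($3, "ftp")` test is the right spot, since every USER command, including one issued after a successful login, should discard the existing authenticated state before the new name is looked up; the hunk ends before the rest of the action, so confirm that `pw` from the previous login is likewise cleared or reassigned on every path, not only on the branch where `sgetpwnam("ftp")` succeeds, so that no later step can act on the old user's entry.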
 
 
----- End of second message -----
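As an added example (not the SunOS or Berkeley ftpd source, and not part of either message above), here is a small C model of the per-session USER/PASS state together with a regression check for the property the one-line fix in the context diff enforces: a second USER command after a successful login must drop the authenticated state until PASS succeeds for the newly named account. The `session` struct, `ftp_user`, `ftp_pass`, `check_password`, `user_switch_requires_pass` and the credential table are all constructed for this example and stand in for the real daemon's globals and password-file lookup.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ftpd code: a toy model of the USER/PASS state a
 * 4.2BSD-style ftpd keeps per session.  All names here are assumptions. */

struct session {
    char user[32];      /* name given by the most recent USER command */
    int  logged_in;     /* set only after a successful PASS */
};

/* Constructed credential table standing in for the password file. */
static const struct { const char *name, *pass; } accounts[] = {
    { "alice", "wonderland" },
    { "root",  "hunter2" },
};

static int check_password(const char *name, const char *pass)
{
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return strcmp(accounts[i].pass, pass) == 0;
    return 0;
}

/* USER command.  'reset' selects the behaviour being modelled: 1 is the
 * patched action, which drops any existing authenticated state before
 * recording the new name; 0 is the unpatched action, which only records
 * the name and leaves logged_in untouched. */
static void ftp_user(struct session *s, const char *name, int reset)
{
    if (reset)
        s->logged_in = 0;           /* the one-line fix from the diff */
    strncpy(s->user, name, sizeof s->user - 1);
    s->user[sizeof s->user - 1] = '\0';
}

/* PASS command: authenticates the name given by the preceding USER. */
static void ftp_pass(struct session *s, const char *pass)
{
    s->logged_in = check_password(s->user, pass);
}

/* Regression check for the fix: after a valid login, a second USER naming a
 * different account must leave the session unauthenticated until PASS
 * succeeds for that account.  Returns 1 when the session behaves correctly,
 * 0 when the earlier login state survives the second USER. */
int user_switch_requires_pass(int reset)
{
    struct session s;
    memset(&s, 0, sizeof s);
    ftp_user(&s, "alice", reset);
    ftp_pass(&s, "wonderland");
    if (!s.logged_in)
        return 0;                   /* the legitimate login itself failed */
    ftp_user(&s, "root", reset);
    /* Correct behaviour: not logged in as root without root's password. */
    return s.logged_in == 0;
}

int main(void)
{
    printf("patched USER action:   %s\n",
           user_switch_requires_pass(1) ? "second USER drops login state"
                                        : "login state survives USER");
    printf("unpatched USER action: %s\n",
           user_switch_requires_pass(0) ? "second USER drops login state"
                                        : "login state survives USER");
    return 0;
}
```

Run as written, the patched model reports that the second USER drops the login state while the unpatched model reports that it survives, which is the behaviour the description above attributes to the SunOS daemon. A check of this shape belongs in any test suite for the daemon so the reset cannot be silently lost in a later merge of the grammar file.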