Bugtraq mailing list archives

Re: SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)


From: rick () hq af mil (Rick Weldon)
Date: Thu, 1 Jun 1995 08:59:48 -0400 (EDT)


Excerpts from Bugtraq: 31-May-95 SECURITY: problem with some.. Aleph
One () dfw net (5673*)

Hi all,

There's a security hole in some Linux distributions involving
wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
defaults that allow anyone with an account on your machine to become the
root user.

I don't think this is a Linux-specific problem. It is with wu-ftpd-2.4. I
didn't change the defaults when I installed it here.
On our ftp server, a sun sparc:

Name (foo:rick): rick
331 Password required for rick.
Password:
230 User rick logged in.
ftp> quote "site exec sh -c id"
200-sh -c id
200-uid=0(root) gid=0(wheel) euid=142(rick) egid=84(web)
groups=84(web),16(cando)
200  (end of 'sh -c id')
ftp> 


 It appears that at least Slackware-2.0 and 2.2 are affected;

I'd guess anyone using wu-ftpd-2.4 is vulnerable assuming they have the
site exec dir configured. We don't use the site-exec feature here. I had
to copy a shell into the directory before running your test. Anyone
running version 2.4 that uses this feature should be warned though. 

The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
It should NOT be set to /bin or any other regular directory. By default,
it is set to /bin/ftp-exec. Make sure this directory does not exist or
contains only harmless commands you are absolutely sure you would want
your users to execute as root.

Why is site-exec even on by default?  Shouldn't this be something that
you have to "turn on" given its ease of misuse?

Thomas Lundquist <Thomas.Lundquist () hiof no> has posted a small patch 
for src/ftpcmd.y that goes even further and disables the SITE EXEC
command altogether. It is appended at the end of this message.

All the fame goes to

      Michel                  an113354 () anon penet fi
      Thomas Lundquist        Thomas.Lundquist () hiof no
      Aleph One               aleph1 () dfw net

[...] 

ObSoapBox:-)  
Thank you for posting the specifics. I for one am sick of the "I'll tell
you about the problem once some-big-vendor is notified" BS that seems to
be so prolific on this list.  Hmmphh!
-----------------------------------------------------------------------------
| Rick Weldon  I-NET Inc.       | 'It is difficult to see a black cat in a   |
| E-mail: rick () hq af mil(MIME)  | dark room, especially when it's not there' |
| Phone:  703-695-0264          |                    --- Chinese Saying --   |
|                               | ...or when it is Schroedingers cat :-)     |  
-----------------------------------------------------------------------------
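An audit check for the setting discussed in the thread, added here as an example (it is not code from the post or from wu-ftpd): it reads the _PATH_EXECPATH define out of a pathnames.h and flags the dangerous case where it points at a general system binary directory. It assumes the define is written as a quoted C string, and the list of "system binary directories" is the example's own assumption.

```python
"""Audit wu-ftpd's SITE EXEC directory setting (added example, not from the post).

The thread's point: if _PATH_EXECPATH in src/pathnames.h names /bin (or any other
regular directory), SITE EXEC lets any local user run those programs as root.
This script extracts the define and classifies the configured directory.
"""
import os
import re

# Assumed list of general-purpose binary directories; SITE EXEC must never point here.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin",
                   "/usr/local/sbin", "/usr/ucb", "/etc"}

# Assumes the header carries the value as a quoted C string, e.g.
#   #define _PATH_EXECPATH "/bin/ftp-exec"
DEFINE_RE = re.compile(r'^\s*#\s*define\s+_PATH_EXECPATH\s+"([^"]*)"', re.M)


def exec_path_from_header(header_text):
    """Return the _PATH_EXECPATH value from pathnames.h text, or None if absent."""
    m = DEFINE_RE.search(header_text)
    return m.group(1) if m else None


def classify_exec_path(path):
    """'unsafe'  : a general system binary directory (the bug in the thread)
       'absent'  : directory does not exist, so SITE EXEC can run nothing
       'review'  : a dedicated directory that exists; check every file in it"""
    norm = os.path.normpath(path)
    if norm == "/" or norm in SYSTEM_BIN_DIRS:
        return "unsafe"
    if not os.path.isdir(norm):
        return "absent"
    return "review"


def audit_pathnames_h(header_text):
    """Return (path, verdict, entries); entries lists the directory's contents
    only when the verdict is 'review', since those are what runs as root."""
    path = exec_path_from_header(header_text)
    if path is None:
        return None, "unknown", []
    verdict = classify_exec_path(path)
    entries = sorted(os.listdir(path)) if verdict == "review" else []
    return path, verdict, entries


# Constructed sample header lines: the bad setting and the shipped default.
SAMPLE_BAD = '#define _PATH_EXECPATH  "/bin"\n'
SAMPLE_DEFAULT = '#define _PATH_EXECPATH  "/bin/ftp-exec"\n'

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_DEFAULT):
        print(audit_pathnames_h(sample))
```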
