Bugtraq mailing list archives
Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON
From: tlyu () MIT EDU (Tom Yu)
Date: Wed, 14 Jun 2000 18:36:03 -0400
REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON

2000-06-14

SUMMARY:

A remote user may execute certain FTP commands without authorization.

IMPACT:

A remote user may perform denial of service attacks.

An attacker with access to a local account may gain unauthorized root
access.

VULNERABLE DISTRIBUTIONS:

Source distributions which may contain vulnerable code include:

MIT Kerberos 5 releases krb5-1.1 and krb5-1.1.1

The beta releases krb5-1.1.2-beta1 and krb5-1.2-beta2 are also
vulnerable.

NON-VULNERABLE DISTRIBUTIONS:

MIT Kerberos 5 releases krb5-1.0.x

FIXES:

If you are running a vulnerable FTP daemon, disable it immediately,
usually by commenting it out of your inetd.conf and sending a SIGHUP
to the inetd process.

To correct the bug, apply the following patch, rebuild, and reinstall
ftpd on the affected machines.

The upcoming krb5-1.2 release will correct this problem. There will
be a krb5-1.2-beta3 release later this week that will correct this
problem.

PATCHES:

These patches will apply against krb5-1.1.1, krb5-1.1.2-beta1, and
krb5-1.2-beta2. They will be made available on the web site at:

http://web.mit.edu/kerberos/www/advisories/ftpd_111_patch.txt

The MIT Kerberos security advisories page is at:

http://web.mit.edu/kerberos/www/advisories/index.html

Patches for other security problems as well as archives of security
advisory postings are located on that page.

Index: ftpcmd.y
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/gssftp/ftpd/ftpcmd.y,v
retrieving revision 1.14
diff -c -r1.14 ftpcmd.y
*** ftpcmd.y 1999/03/24 22:14:02 1.14
- --- ftpcmd.y 2000/06/14 17:35:19
***************
*** 865,871 ****
$$ = 0;
}
else
! $$ = 1;
}
;
%%
- --- 865,871 ----
$$ = 0;
}
else
! $$ = $1;
}
;
%%
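
Review bot: in the else branch, the new assignment "$$ = $1;" carries no comment saying that the rule's value must be the value of its first component and not a constant, and because the entire fix is a single character, a later tidy-up could silently restore "$$ = 1;". A short comment above the assignment stating that the result of $1 has to propagate would guard against that. The visible context also does not show which grammar rule this action belongs to or what $1 evaluates, so naming the rule alongside the patch would let a reader confirm that the action now yields 0 whenever $1 is 0.
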
