Bugtraq mailing list archives
SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)
From: aleph1 () dfw net (Aleph One)
Date: Wed, 31 May 1995 14:23:09 -0500 (CDT)
Aleph One / aleph1 () dfw net http://underground.org/ ---------- Forwarded message ---------- Date: Wed, 31 May 95 02:49 MET DST From: Olaf Kirch <okir () monad swb de> To: linux-alert () tarsier cv nrao edu Subject: SECURITY: problem with some wu-ftpd-2.4 binaries -----BEGIN PGP SIGNED MESSAGE----- Hi all, There's a security hole in some Linux distributions involving wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of defaults that allow anyone with an account on your machine to become the root user. It appears that at least Slackware-2.0 and 2.2 are affected; I have no information about other distributions. Anonymous FTP should not be affected by this as long as you have only the `ls' command in To find out if your machine is affected, ftp to your own account, log in and enter this: quote "site exec bash -c id". If ftpd responds with a line that says something like "uid=0(root) euid=1234(your_login)... ", then your ftpd is vulnerable. The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h. It should NOT be set to /bin or any other regular directory. By default, it is set to /bin/ftp-exec. Make sure this directory does not exist or contains only harmless commands you are absolutely sure you would want your users to execute as root. Thomas Lundquist <Thomas.Lundquist () hiof no> has posted a small patch for src/ftpcmd.y that goes even further and disables the SITE EXEC command altogether. It is appended at the end of this message. All the fame goes to Michel an113354 () anon penet fi Thomas Lundquist Thomas.Lundquist () hiof no Aleph One aleph1 () dfw net Have a nice day Olaf - -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir () monad swb de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax For my PGP public key, finger okir () brewhq swb de. - ------------------------------------------------------------------ table `!"#$%&'()*+,-./0123456789:;<=>? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ begin 644 /tmp/DIFF M+2TM(&9T<&-M9"YY+F]R:6<)5V5D($UA>2`S,2`P,CHP,SHP-R`Q.3DU"BLKz M*R!F='!C;60N>0E7960@36%Y(#,Q(#`R.C`S.C4T(#$Y.34*0$`@+3$T,C<Ly M-3@@*S$T,C<L,C@@0$`*(`H@<VET95]E>&5C*&-M9"D*(&-H87(@*F-M9#L*x M*R`@("`O*B`**R`@("`@*B!4:&4@9&5C;&%R871I;VYS(&)E;&]V(&ET(&MEw M<'0@=&\@8F4@<W5R92!W92!D;VXG="!B<F5A:R!T;V\@;75C:"X**R`@("`@v M*B\*('L*("`@("!C:&%R(&)U9EM-05A0051(3$5.73L*("`@("!C:&%R("ISu M<"`]("AC:&%R("HI('-T<F-H<BAC;60L("<@)RDL("IS;&%S:"P@*G0["B`@t M("`@1DE,12`J8VUD9BP@*F9T<&1?<&]P96XH*3L*(`HM("`@("\J('-A;FETs M:7IE('1H92!C;VUM86YD+7-T<FEN9R`J+PHK("`@("\J($YO<&4A(%=E(&1Or M;B=T('=A;G0@=&\@15A%0R!A;GET:&EG+BX@"BL@("`@("H@4V\L('=E('=Iq M;&P@9&5N>2!T:&4@;6]R;VX@86YD(&QO9R!H:6TN"BL@("`@("H@5&AO;6%Sp M+DQU;F1Q=6ES=$!H:6]F+FYO($UA>2`G.34**R`@("`@*B\*("`@("`*+2`@o M("!I9B`H<W`@/3T@,"D@('L*+2`@("`@("`@=VAI;&4@*"AS;&%S:"`]('-Tn M<F-H<B`H8VUD+"`G+R<I*2`A/2`P*0HM("`@("`@("`@("`@8VUD(#T@<VQAm M<V@@*R`Q.PHM("`@('T@96QS92!["BT@("`@("`@('=H:6QE("AS<"`F)B`Hl M<VQA<V@@/2`H8VAA<B`J*2!S=')C:'(H8VUD+"`G+R<I*2`*+2`@("`@("`@k M("`@("`@("8F("AS;&%S:"`\('-P*2D*+2`@("`@("`@("`@(&-M9"`]('-Lj M87-H*S$["BT@("`@?0HM("`@(`HM("`@(&9O<B`H="`](&-M9#L@("IT("8Fi M("%I<W-P86-E*"IT*3L@('0K*RD@>PHM("`@("`@("!I9B`H:7-U<'!E<B@Jh M="DI('L*+2`@("`@("`@("`@("IT(#T@=&]L;W=E<B@J="D["BT@("`@("`@g M('T*+2`@("!]"BT*+2`@("`O*B!B=6EL9"!T:&4@8V]M;6%N9"`J+PHM("`@f M(&EF("AS=')L96XH7U!!5$A?15A%0U!!5$@I("L@<W1R;&5N*&-M9"D@*R`Qe M(#X@<VEZ96]F*&)U9BDI"BT@("`@("`@(')E='5R;CL*+2`@("!S<')I;G1Fd M*&)U9BP@(B5S+R5S(BP@7U!!5$A?15A%0U!!5$@L(&-M9"D["BT*+2`@("!Cc M;61F(#T@9G1P9%]P;W!E;BAB=68L(")R(BP@,"D["BT@("`@:68@*"%C;61Fb M*2!["BT@("`@("`@('!E<G)O<E]R97!L>2@U-3`L(&-M9"D["BT@("`@("`@a M(&EF("AL;V=?8V]M;6%N9',I"BT@("`@("`@("`@("!S>7-L;V<H3$]'7TE.z M1D\L(")3251%($5814,@*$9!24PZ("5M*3H@)7,B+"!C;60I.PHM("`@('T@y M96QS92!["BT@("`@("`@(&EN="!L:6YE<R`](#`["BL@("`@+RH@22!H879Ex M(&QO9V=E9"!I="!A<R!C<FET:6-A;"P@86YO=&AE<B!C:&]I8V4@;6%Y(&)Ew M('=A<FYI;F<N(`HK("`@("`J(%1H870@:7,@3$]'7U=!4DY)3D<@*'-E92!Sv M>7,O<WES;&]G+F@@9F]R('1H92!C:&]I<V5S+BD**R`@("`@*B\**R`@("!Su M>7-L;V<H3$]'7T-2250L(")!5%1%35!4.B!3251%($5814,L($-O;6UA;F0Zt M("5S("(L(&-M9"D["B`*+2`@("`@("`@;')E<&QY*#(P,"P@8VUD*3L*+2`@s M("`@("`@=VAI;&4@*&9G971S*&)U9BP@<VEZ96]F(&)U9BP@8VUD9BDI('L*r M+2`@("`@("`@("`@(&EN="!L96X@/2!S=')L96XH8G5F*3L**R`@("`O*B!4q M:&4@<F5P;'D@8V%N(&]F(&-O=7)S92!B92!C:&%N9V5D('1O(&$@;6]R92!Pp M;VQI=&4@9&5N:6%L+BXZ/2D**R`@("`@*B\**R`@("!R97!L>2@R,#`L(").o M;R!F<F5A:VEN9R!W87DA(BD["B`*+2`@("`@("`@("`@(&EF("AL96X^,"`Fn M)B!B=69;;&5N+3%=/3TG7&XG*0HM("`@("`@("`@("`@("`@(&)U9ELM+6QEm M;ET@/2`G7#`G.PHM("`@("`@("`@("`@;')E<&QY*#(P,"P@8G5F*3L*+2`@l M("`@("`@("`@(&EF("@K*VQI;F5S(#X](#(P*2!["BT@("`@("`@("`@("`@k M("`@;')E<&QY*#(P,"P@(BHJ*B!4<G5N8V%T960@*BHJ(BD["BT@("`@("`@j M("`@("`@("`@8G)E86L["BT@("`@("`@("`@("!]"BT@("`@("`@('T*+2`@i M("`@("`@<F5P;'DH,C`P+"`B("AE;F0@;V8@)R5S)RDB+"!C;60I.PHM("`@h M("`@("!I9B`H;&]G7V-O;6UA;F1S*0HM("`@("`@("`@("`@<WES;&]G*$Q/g M1U])3D9/+"`B4TE412!%6$5#("AL:6YE<SH@)60I.B`E<R(L(&QI;F5S+"!Cf M;60I.PHM("`@("`@("!F='!D7W!C;&]S92AC;61F*3L*+2`@("!]"B!]"B`*e +(&%L:6%S("AS*0H@d `c end -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBL8u8tuFnVHXv40etAQHmkwP9F7FO8SNgNnIdGlMhEgORZhJfMwHE5dyw OdY40cLDjJ4zQ1qu1D9EyOLD7ApO5X9XTgci8YmXZbPM8UFb2gj4U5m9ZfFVk2e5 mkgO6lrLeDYTRANabXSs3BEduOpBHDDtoJuGIdVpWBfz53oTfVM93ZeJRO01+a2T ROXdHo7waVM= =IHou -----END PGP SIGNATURE----- P.S. (From Jeff Uphoff): Slackware 2.3 is also affected. Also, there is a typo at the end of Olaf's first paragraph; it should read: "Anonymous FTP should not be affected by this as long as you have only the `ls' command in ~ftp/bin." ^^^^^^^^
Current thread:
- Re: Solaris 2.x utmp hole, (continued)
- Re: Solaris 2.x utmp hole Neil Woods (May 21)
- Re: Solaris 2.x utmp hole Scott Barman (May 22)
- Re: Solaris 2.x utmp hole Oliver Friedrichs (May 22)
- Re: Solaris 2.x utmp hole Scott Barman (May 22)
- Re: Re: Solaris 2.x utmp hole Pete Hartman (May 26)
- Re: Re: Solaris 2.x utmp hole Karl Strickland (May 29)
- Re: Blonde Jokes Matthew Hannigan (May 29)
- [8lgm] Pub Crawl, Saturday 3rd June Neil Woods (May 30)
- no subject (file transmission) Dr. Frederick B. Cohen (May 31)
- blondes strat () ksu ksu edu (May 31)
- SECURITY: problem with some wu-ftpd-2.4 binaries (fwd) Aleph One (May 31)