Bugtraq mailing list archives

SECURITY: problem with some wu-ftpd-2.4 binaries (fwd)


From: aleph1 () dfw net (Aleph One)
Date: Wed, 31 May 1995 14:23:09 -0500 (CDT)


Aleph One / aleph1 () dfw net
http://underground.org/

---------- Forwarded message ----------
Date: Wed, 31 May 95 02:49 MET DST
From: Olaf Kirch <okir () monad swb de>
To: linux-alert () tarsier cv nrao edu
Subject: SECURITY: problem with some wu-ftpd-2.4 binaries

-----BEGIN PGP SIGNED MESSAGE-----


Hi all,

There's a security hole in some Linux distributions involving
wu-ftpd-2.4. Some ftpd binaries have been compiled with a set of
defaults that allow anyone with an account on your machine to become the
root user. It appears that at least Slackware-2.0 and 2.2 are affected;
I have no information about other distributions. Anonymous FTP should
not be affected by this as long as you have only the `ls' command in

To find out if your machine is affected, ftp to your own account, log in
and enter this: quote "site exec bash -c id". If ftpd responds with
a line that says something like "uid=0(root) euid=1234(your_login)... ",
then your ftpd is vulnerable.

The obvious fix is to obtain the source of wu-ftpd-2.4 and recompile
it. The crucial part is the _PATH_EXECPATH define in src/pathnames.h.
It should NOT be set to /bin or any other regular directory. By default,
it is set to /bin/ftp-exec. Make sure this directory does not exist or
contains only harmless commands you are absolutely sure you would want
your users to execute as root.

Thomas Lundquist <Thomas.Lundquist () hiof no> has posted a small patch 
for src/ftpcmd.y that goes even further and disables the SITE EXEC
command altogether. It is appended at the end of this message.

All the fame goes to

        Michel                  an113354 () anon penet fi
        Thomas Lundquist        Thomas.Lundquist () hiof no
        Aleph One               aleph1 () dfw net


Have a nice day
Olaf
- -- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir () brewhq swb de.
- ------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAgUBL8u8tuFnVHXv40etAQHmkwP9F7FO8SNgNnIdGlMhEgORZhJfMwHE5dyw
OdY40cLDjJ4zQ1qu1D9EyOLD7ApO5X9XTgci8YmXZbPM8UFb2gj4U5m9ZfFVk2e5
mkgO6lrLeDYTRANabXSs3BEduOpBHDDtoJuGIdVpWBfz53oTfVM93ZeJRO01+a2T
ROXdHo7waVM=
=IHou
-----END PGP SIGNATURE-----

P.S. (From Jeff Uphoff): Slackware 2.3 is also affected.  Also, there is
a typo at the end of Olaf's first paragraph; it should read: "Anonymous
FTP should not be affected by this as long as you have only the `ls'
command in ~ftp/bin."
           ^^^^^^^^
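
A check for the build-time setting described in Olaf's message, as an added example that is not part of the original post or of the wu-ftpd sources: it reads `_PATH_EXECPATH` from a `pathnames.h` and reports whether the directory is a regular system directory, absent, empty, or populated and in need of review. The function names, the quoted-string form of the define, the list of system directories and the optional root-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the SITE EXEC directory compiled into a wu-ftpd build.
# Assumed define form:  #define _PATH_EXECPATH "/some/dir"

# Print the _PATH_EXECPATH value found in a pathnames.h file (empty if none).
execpath_from_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}_PATH_EXECPATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify an exec path. $2 is an optional root prefix (unpacked tree or
# test fixture); empty means the live filesystem.
# Prints UNSAFE-SYSTEM-DIR, OK-ABSENT, OK-EMPTY or REVIEW-CONTENTS.
classify_execpath() {
    path=${1%/}
    case "$path" in
        # Illustrative list of "regular" directories; extend for your system.
        ""|/bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin)
            echo UNSAFE-SYSTEM-DIR; return 1 ;;
    esac
    if [ ! -d "$2$path" ]; then echo OK-ABSENT; return 0; fi
    if [ -z "$(ls -A "$2$path")" ]; then echo OK-EMPTY; return 0; fi
    echo REVIEW-CONTENTS; return 2
}

# Report on one header; lists the directory when a human must review it.
audit_header() {
    p=$(execpath_from_header "$1")
    if [ -z "$p" ]; then echo "$1: no _PATH_EXECPATH define found"; return 3; fi
    rc=0
    verdict=$(classify_execpath "$p" "$2") || rc=$?
    echo "$1: _PATH_EXECPATH=$p -> $verdict"
    if [ "$verdict" = REVIEW-CONTENTS ]; then ls -l "$2$p"; fi
    return "$rc"
}

# Usage: sh check_execpath.sh src/pathnames.h [root-prefix]
if [ "$#" -ge 1 ]; then audit_header "$1" "${2:-}"; fi
```

This inspects the source tree only; a binary that was already installed still has to be rebuilt from a corrected header.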


