oss-sec mailing list archives
FW: CVE-2008-1668 - ftpd 2.4 - unauthorized root access - patch details
From: "Morris, John R. (SSRT)" <john.morris () hp com>
Date: Wed, 20 Aug 2008 18:08:19 +0000
Re-send. oss-security () lists openwall com truncated for some reason.

-----Original Message-----
From: Morris, John R. (SSRT)
Sent: Wednesday, August 20, 2008 2:05 PM
To: oss-
Cc: Steven M. Christey
Subject: CVE-2008-1668 - ftpd 2.4 - unauthorized root access - patch details

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This security vulnerability was reported in the HP Security Bulletin, HPSBUX02356 SSRT080051 rev.1 - HP-UX Running ftpd, Remote Privileged Access.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01525562

We believe the vulnerability exists in the latest wu-ftpd 2.4 code.

Code diff
==========
111,113d110 < /* CVE-2008-1668: Introduced to track errno set by getpwnam() */ < int getpwnam_err=0; < 1299,1301d1295 < < /* CVE-2008-1668 : Setting ernno to zero to get the errno details of getpwnam() */ < errno = 0; 1314,1315c1308 < if ((p = getpwnam(name)) == NULL){ < getpwnam_err = errno; /* CVE-2008-1668 */ - ---
if ((p = getpwnam(name)) == NULL)
1317d1309 < } 2455,2464c2447,2452 < /* CVE-2008-1668: pw check is introduced to avoid unauthorised access */ < if (((status = pam_process_pass(passwd, &pw) ) != PAM_SUCCESS) || ( pw == NULL)) { < reply(530, "Login incorrect."); < if (logging){ < if ( pw == NULL && getpwnam_err ) < syslog(LOG_ERR,"getpwnam failed : %s",strerror(getpwnam_err)); < else < syslog(LOG_INFO, "User %s: Login incorrect", the_user); < } < if (++login_attempts >= lgi_failure_threshold){ - ---
if ((status = pam_process_pass (passwd, &pw)) != PAM_SUCCESS) { reply(530, "Login incorrect."); if (logging) syslog(LOG_INFO, "User %s: Login incorrect", the_user); if (++login_attempts >= lgi_failure_threshold) {
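Review bot: `int getpwnam_err=0;` in the 111,113d110 hunk is a file-scope variable with external linkage, yet it is only written by the USER-stage lookup (1314,1315c1308) and read by the PASS-stage check (2455,2464c2447,2452) in this same file; declare it `static int getpwnam_err = 0;` (matching the surrounding spacing) so it is neither reachable from nor able to collide with symbols in other translation units.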
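Review bot: the `errno = 0;` in the 1299,1301d1295 hunk is required because getpwnam() leaves errno untouched when the name simply has no entry and only sets it when the lookup itself fails, so the `getpwnam_err = errno;` at 1314,1315c1308 lets the later log line tell a backend failure (the ldapclientd hang in Note3) apart from a genuinely missing entry. Note that these two hunks are a logging aid only: nothing in them refuses the login, so the security fix rests entirely on the `pw == NULL` test in the 2455,2464c2447,2452 hunk. Also, the comment reads `ernno`; correct it to `errno`.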
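Review bot: in the 2455,2464c2447,2452 hunk, the case that is the actual vulnerability (pam_process_pass() succeeds but `pw == NULL` with `getpwnam_err == 0`, i.e. the user authenticated via LDAP but has no entry in any passwd source listed in nsswitch.conf) falls into the `else` branch and is logged as the generic `User %s: Login incorrect`, indistinguishable from a wrong password. Give it its own branch, e.g. `syslog(LOG_ERR, "User %s: authenticated but no passwd entry", the_user);`, so the misconfiguration this advisory describes is visible to operators, and consider refusing the session at the USER stage where getpwnam() already failed rather than running the PAM conversation for a user the server can never set up.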
Problem description
====================
SSRT080051 (CVE-2008-1668): WU-FTP2.4 Security issue problem setting up user environment

Problem Statement:
WU-FTPD2.4 allows a user to log in even if the user does not have an entry in the passwd(4) file. The user incorrectly gets 'root' access.

Detail Analysis:
This issue occurs when LDAP is used for pam(3) authentication and the nsswitch.conf(4) file does not include 'ldap' as a source for the 'passwd' database. When a client tries to FTP LOGIN as a user included in an LDAP directory, where the FTP server machine is not configured correctly (i.e. pam(3) is configured to use LDAP but nsswitch.conf(4) has no entry for ldap against 'passwd'), then the pam authentication passes (because pam(3) is using ldap for authentication) but getpwnam(3C) fails to get the user's details (as nsswitch.conf(4) has no entry for ldap). In this situation the user is incorrectly given root privileges, thus causing a security issue.

In short, ftpd allows a user to log in as root if pam(3) authentication passes and getpwnam(3C) returns NULL.

Note1: getpwnam(3C) gets an entry from the databases listed in nsswitch.conf(4), and if no entry for the user is present getpwnam(3C) will return NULL.

Note2: This problem may also occur when using database sources other than LDAP (LDAP was used in all our testing). The primary factor is successful pam(3) authentication followed by a failure to retrieve user details.

Note3: It is possible to see this problem where an ldapclientd hang occurs, such that the correct nsswitch.conf(4) configuration is in place but the ldap client does not return correctly.
To get the security-alert PGP keys, please send an e-mail message as follows:
To: security-alert () hp com
Subject: get key

Yours truly,
John
john.morris () hp com
HP Software Security Response Team (SSRT)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSKxbTOAfOvwtKn1ZEQICFgCfXF1ZGFfiv6IWyj2G9y8qoVL8V8UAn04p
tw+XG57pY4RqsxjkAEDtwNtg
=tsWs
-----END PGP SIGNATURE-----
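The failure mode described in the problem description above (pam(3) accepts the user, getpwnam(3C) returns NULL, and the session ends up as root), shown as an added, self-contained example. This is not the advisory's or wu-ftpd's code: the passwd table, the LDAP user list, fake_getpwnam(), fake_pam_authenticate(), login_vulnerable() and login_fixed() are all constructed here to model the behaviour, with fake_getpwnam() reproducing the errno convention the patch relies on (errno untouched when the user is merely absent, set when the lookup backend fails, which stands in for the ldapclientd hang in Note3). login_fixed() follows the logic of the HP hunks: clear errno, keep it from a failed lookup, and refuse the login whenever the passwd entry is NULL even though PAM said yes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the passwd sources reachable through
 * nsswitch.conf: only these users have entries (as if only "files"
 * were listed). Not real getpwnam(3) data. */
struct pw_entry { const char *name; uid_t uid; gid_t gid; const char *dir; };
static const struct pw_entry local_passwd[] = {
    { "root",  0,    0,    "/" },
    { "alice", 1001, 1001, "/home/alice" },
};

/* Constructed stand-in for an LDAP-backed pam(3) stack: these users
 * authenticate whether or not they have a passwd entry. */
static const char *const ldap_users[] = { "alice", "bob" };

/* Mimics getpwnam(3C): NULL with errno untouched when the user is simply
 * absent, NULL with errno set when the backend fails (backend_down != 0). */
static const struct pw_entry *fake_getpwnam(const char *name, int backend_down)
{
    if (backend_down) {
        errno = EAGAIN;
        return NULL;
    }
    for (size_t i = 0; i < sizeof local_passwd / sizeof local_passwd[0]; i++)
        if (strcmp(local_passwd[i].name, name) == 0)
            return &local_passwd[i];
    return NULL;                        /* not found: errno left as it was */
}

/* Mimics pam authentication: 0 means PAM_SUCCESS, non-zero a failure. */
static int fake_pam_authenticate(const char *name)
{
    for (size_t i = 0; i < sizeof ldap_users / sizeof ldap_users[0]; i++)
        if (strcmp(ldap_users[i], name) == 0)
            return 0;
    return 1;
}

/* Outcome of a login attempt: whether it was accepted, the uid the session
 * would run as (-1 when refused), and the syslog text that would be written. */
struct login_result { int accepted; long uid; const char *log; };

/* Vulnerable shape: the uid switch after PASS is driven by the passwd entry,
 * so a NULL entry means no switch at all and the daemon keeps uid 0. */
struct login_result login_vulnerable(const char *name, int backend_down)
{
    struct login_result r = { 0, -1, "" };
    const struct pw_entry *pw = fake_getpwnam(name, backend_down);

    if (fake_pam_authenticate(name) != 0) {
        r.log = "Login incorrect";
        return r;
    }
    r.accepted = 1;
    r.uid = pw ? (long)pw->uid : 0;     /* pw == NULL: still root */
    return r;
}

/* Hardened shape following the HP hunks: record errno from a failed lookup
 * and refuse the login when pw is NULL, regardless of the PAM verdict. */
struct login_result login_fixed(const char *name, int backend_down)
{
    struct login_result r = { 0, -1, "" };
    int getpwnam_err = 0;

    errno = 0;
    const struct pw_entry *pw = fake_getpwnam(name, backend_down);
    if (pw == NULL)
        getpwnam_err = errno;

    if (fake_pam_authenticate(name) != 0 || pw == NULL) {
        if (pw == NULL && getpwnam_err)
            r.log = "getpwnam failed";  /* backend error, e.g. LDAP client hang */
        else
            r.log = "Login incorrect";  /* bad credentials or no passwd entry */
        return r;
    }
    r.accepted = 1;
    r.uid = (long)pw->uid;
    return r;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "mallory" };
    for (size_t i = 0; i < 3; i++) {
        struct login_result v = login_vulnerable(users[i], 0);
        struct login_result f = login_fixed(users[i], 0);
        printf("%-8s vulnerable: accepted=%d uid=%ld | fixed: accepted=%d uid=%ld log=\"%s\"\n",
               users[i], v.accepted, v.uid, f.accepted, f.uid, f.log);
    }
    struct login_result down = login_fixed("alice", 1);
    printf("alice, backend down: accepted=%d log=\"%s\"\n", down.accepted, down.log);
    return 0;
}
```

"bob" is the advisory's case: present in LDAP, absent from passwd, and login_vulnerable() hands him uid 0. login_vulnerable("alice", 1) shows the Note3 variant, where a correctly configured host still yields root because the lookup backend did not answer; login_fixed() refuses both and logs them differently so the operator can tell a hung LDAP client from a missing entry.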
Attachment:
SB2356r1.txt
Description: SB2356r1.txt