LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 27th, 2014
Linux Advisory Watch: October 24th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
NetBSD: ftpd Privilege escalation vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
NetBSD A set of flaws in the ftpd source code can be used together to achieve root access within an ftp session.

NetBSD Security Advisory 2004-009
		 =================================

Topic:		ftpd root escalation

Version:	NetBSD-current:	source prior to Aug 10, 2004
		NetBSD 2.0 branch: source prior to Aug 15, 2004
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		net/lukemftpd all versions
		pkgsrc:		net/tnftpd prior to tnftpd-20040810

Severity:	Remote root for systems providing ftpd service

Fixed:		NetBSD-current:		Aug 10, 2004
		NetBSD-2.0 branch:      Aug 15, 2004 (2.0 will include the fix)
		NetBSD-1.6 branch:	Pullups not yet issued.
					 See Solutions section.
					 (1.6.3 will include the fix)
		NetBSD-1.5 branch:	Pullups not yet issued.
					  See Solutions section.
		pkgsrc  net/lukemftpd:  Update pkgsrc, this package was
					  renamed to tnftpd
			net/tnftpd:	tnftpd-20040810 corrects this issue


Abstract
========

A set of flaws in the ftpd source code can be used together to
achieve root access within an ftp session. With root file manipulation
ability, mechanisms to gain a shell are numerous, so this issue
should be considered a remote root situation.

ftpd is disabled by default in NetBSD since NetBSD-1.5.3, however
many users might have reason to provide this popular service.


Technical Details
=================

Przemyslaw Frasunek is going to release a detailed analysis very
shortly. A URL will be provided here when available.

Since this serious issue affects many users, we won't share information
in this version of the advisory, as it would ease development of
exploits.


Solutions and Workarounds
=========================

Confirm that the host in question is running ftpd, by checking the ftp
entries in /etc/inetd.conf. By default, the entries look like this:

#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -ll
#ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -ll

If the comment character (#) has been removed from the start of the
lines, then ftp has been enabled on this host. Hosts not running ftpd
are not vulnerable, but ftpd should be updated to prevent future
exposure if ftpd is enabled at a later date.

If ftpd has been configured to run with the -r option, then your server
is not vulnerable. Adding -r may be an acceptable workaround for some
sites, until ftpd can be upgraded.

To determine if a host is running a vulnerable version of ftpd, compare
the version string in the login banner (if displayed).

Any version of lukemftpd,
any version of NetBSD-ftpd prior to 20040809, or
any version of tnftpd prior to 20040810 is vulnerable.

% ftp ftp.server.host
Connected to ftp.server.host.
220 ftp.server.host FTP server (tnftpd 20040810) ready.
                                ^^^^^^^^^^^^^^^
                                Patched ftp server.

* Workaround:	Disable ftpd
		As root, comment out the ftp lines in /etc/inetd.conf,
		and execute the following command to disable ftpd:

		% /etc/rc.d/inetd reload

		Even if you plan to update ftpd, it is worthwhile to
		disable ftpd until it is upgraded, in case you are
		distracted and do not complete the update in a timely
		fashion.

* Workaround:	Drop root privileges
		As root, add -r to the command line options for any
		ftp entry in /etc/inetd.conf. Then run:

		% /etc/rc.d/inetd reload

		This option may not be acceptable at all sites, since
		client compatibility issues are possible. See the
		ftpd manpage for more details about -r.

If all untrusted user accounts are listed in /etc/ftpchroot, then the
root file access gained will only be effective inside the chrooted
directory. This is not a guarantee against further privilege
escalation, especially in concert with social engineering.

If you have ftp servers that run in chrooted environments, make sure to
update ftpd binaries in chrooted copies of /usr/libexec or
/usr/pkg/libexec, and ensure that inetd.conf points to the correct
executable.


The following instructions describe how to upgrade your ftpd 
binaries by updating your source tree and rebuilding and
installing a new version of ftpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2004-08-09
	should be upgraded to NetBSD-current dated 2004-08-10 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		src/libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:
		# cd src
		# cvs update -d -P src/libexec/ftpd
		# cd src/libexec/ftpd

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 2.0_BETA:

	The binary distribution of NetBSD 2.0_BETA is vulnerable.

	Systems running NetBSD 2.0_BETA dated from before 2004-08-14
	should be upgraded to NetBSD 2.0_BETA dated 2004-08-15 or later.

	The following directories need to be updated from the
	netbsd-2-0 CVS branch:
		src/libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:
		# cd src
		# cvs update -d -P src/libexec/ftpd
		# cd src/libexec/ftpd

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
* NetBSD prior to 1.5:

	The binary distribution of NetBSD 1.6.2 and all prior releases
	are vulnerable.

	Pullups will be issued to the release branches of NetBSD-1-6,
	and NetBSD-1-5.

	Systems with these releases which need to run ftpd prior to
	those pullups should be updated from pkgsrc using
	net/tnftpd-20040810 or later.

	% rm /usr/libexec/ftpd
	% cd /usr/pkgsrc/net/tnftpd
	% cvs update -dP
	% make update

	Then modify the relevant lines in /etc/inetd.conf to refer to
	/usr/pkg/libexec/tnftpd instead of /usr/libexec/ftpd as follows:

#ftp	stream	tcp	nowait	root	/usr/pkg/libexec/tnftpd	ftpd -ll
#ftp	stream	tcp6	nowait	root	/usr/pkg/libexec/tnftpd	ftpd -ll



Thanks To
=========

Przemyslaw Frasunek for notification, analysis, and discussion

Luke Mewburn for patches


Revision History
================

	2004-08-17	Initial release
	2004-08-17	Clarify Workarounds


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
   ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.org/ and  http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-009.txt,v 1.4 2004/08/17 17:44:58 david Exp $

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.