Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections: Developer - High Performance - Infrastructure - IT Management - Security - Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs

Partner Sites
JustLinux.com
Linux Planet
PHPBuilder
Technology Jobs

Top White Papers

Current Newswire:

More on LinuxToday

Applications Management Engineer Sr (NYC)
Next Step Systems
US-NY-New York

Justtechjobs.com Post A Job | Post A Resume

Progeny Security Advisory: Vulnerabilities in FTP daemons

Apr 27, 2001, 02:13 (0 Talkback[s]) 
From:   Progeny Security Team <security@progeny.com>
Subject:        PROGENY-SA-2001-09: Vulnerabilities in FTP daemons
Date:   26 Apr 2001 18:31:40 -0500



PROGENY SERVICE NETWORK -- SECURITY ADVISORY             PROGENY-SA-2001-09

    Synopsis:       Vulnerabilities in FTP daemons

    Software:       Some FTP servers (See PACKAGE SUMMARY below)

    History:
         2000-12-04 Off-by-one OpenBSD vulnerability announced
         2000-12-05 Debian bsd-ftpd fixed in unstable
         2000-12-07 Debian ftpd fixed in unstable
         2000-12-18 OpenBSD Security advisory for off-by-one
         2001-04-09 NAI COVERT Labs advisory for globbing
         2001-04-17 FreeBSD advisory for globbing
         2001-04-26 Progeny Service Network advisory and fix for
                    both issues

    Credits:        PGP Security/NAI COVERT Labs
                    John McDonald
                    Anthony Osborne
                    Kristian Vlaardingerbroek



    Affects:        Progeny Debian
                    Debian GNU/Linux



    Progeny Only:   NO



    Vendor-Status:  New Versions Released




    $Id: PROGENY-SA-2001-09,v 1.1 2001/04/26 23:26:23 jdaily Exp $

PACKAGE SUMMARY

This advisory discusses issues that could impact multiple FTP daemons from multiple sources and vendors. All related and similar software in Progeny Debian is summarized here:

Package        Status                          Fix

atftpd         NOT vulnerable                  n/a
bsd-ftpd       IS vulnerable prior to 0.3.2-7  Install bsd-ftpd 0.3.2-7
ftpd           IS vulnerable prior to 0.17-2   Install ftpd 0.17-3
muddleftpd     NOT vulnerable                  n/a
proftpd        NOT vulnerable                  n/a
pyftpd         NOT vulnerable                  n/a
tftpd          NOT vulnerable                  n/a
wu-ftpd        NOT vulnerable                  n/a

PROBLEM SUMMARY

Recently, several bugs have been discovered in various FTP servers. If your Progeny Debian system runs either bsd-ftpd or ftpd, you may be vulnerable to a remote security bug.

DETAILED DESCRIPTION

Three problems exist with some FTP daemons on certain platforms:

  1. Certain FTP daemons assume that input from the client will never exceed 512 bytes. However, after expanding wildcards by using the glob() function, it is possible that input may exceed these values, leading to potential remote exploits. Our analysis is that no FTP or TFTP daemon contained in Progeny Debian is vulnerable to this attack.
  2. Some platforms' libc or FTP daemons have a buggy implementation of glob() that can lead to security issues on its own. Our analysis shows that Progeny's C library, GNU libc, does not contain these bugs. None of the FTP or TFTP daemons Progeny Debian contains has an implementation of glob() that is buggy in this fashion.
  3. Some FTP daemons contain an off-by-one bug in pathname processing that could provide vulnerabilities. Our analysis has discovered two packages in Progeny Debian that have the potential to be vulnerable to an attack exploiting this bug.

IMPACT

Unauthorized persons may be able to exploit this problem to gain root access.

The third problem above is the one of potential concern to Progeny Debian users. This issue was first reported against OpenBSD and a public exploit exists for that platform. To date, we are not aware of any exploit or incident related to this bug on a Linux platform.

An attacker will only be able to exploit the problem if writes to the FTP server are permitted. Therefore, we believe anonymous FTP sites that carry no "incoming" directories are not vulnerable to this attack. However, we do suggest that anyone running ftpd or bsd-ftpd upgrade as soon as possible.

To determine whether you have one of the affected packages, run the following command:

# dpkg -l '*ftpd'

SOLUTION (See also: UPDATING VIA APT-GET)

Upgrade to a fixed version of ftpd or bsd-ftpd. ftpd 0.17-3 and bsd-ftpd 0.3.2-7 both contain fixes for the problem documented in this advisory.

UPDATING VIA APT-GET (RECOMMENDED)

  1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's update repository:

deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

Example:

# apt-get update

3. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8).

Examples:

# apt-get install ftpd
# apt-get install bsd-ftpd

UPDATING VIA DPKG

  1. Using your preferred FTP/HTTP client to retrieve one of the following updated files from Progeny's update archive at:

http://archive.progeny.com/progeny/updates/newton/

    MD5 Checksum                     Filename                             
    -------------------------------- ------------------------------------- 
    5a8d2bbccc1612dd18c6478e5df63ebb ftp bsd-ftpd_0.3.2-7_i386.deb
    a272fc4b83848144c7fb88b8254d9d5e ftp ftpd_0.17-3_i386.deb

You need only download the one package that is relevant to your situation. In the examples that follow, we will illustrate with ftpd.

Example:

# wget http://archive.progeny.com/progeny/updates/newton/ftpd_0.17-3_i386.deb

2. Use the md5sum command on the retrieved files to verify that they match the md5sum provided in this advisory:

Example:

# md5sum ftp ftpd_0.17-3_i386.deb

3. Then install the replacement package(s) using the dpkg command.

Example:

# dpkg --install ftp ftpd_0.17-3_i386.deb

WORKAROUND

If you prefer not to upgrade your ftpd or bsd-ftpd package, you may instead install one of the other non-vulnerable FTP servers listed above. Or, you may remove the packages from your system with one of the following:

# dpkg --remove ftpd
# dpkg --remove bsd-ftpd

MORE INFORMATION

NAI Advisory: http://www.pgp.com/research/covert/advisories/048.asp

FreeBSD Globbing Advisory: http://archive.progeny.com/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.asc

SecurityFocus summary: http://www.securityfocus.com/bid/2548

OpenBSD Advisory: http://www.openbsd.org/advisories/ftpd_replydirname.txt

OpenBSD Bug Report: http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/

Debian bsd-ftpd bug report: http://bugs.debian.org/78786

Debian ftpd bug report: http://bugs.debian.org/78973

Progeny advisories can be found at http://www.progeny.com/security/.

pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>