6419861 2001-04-26 18:31 -0500  /263 rader/ Progeny Security Team <security@PROGENY.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-04-27  09:22  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: security@PROGENY.COM
Mottagare: Bugtraq (import) <16818>
Ärende: PROGENY-SA-2001-09: Vulnerabilities in FTP daemons
------------------------------------------------------------
From: Progeny Security Team <security@PROGENY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010426233140.4CC1614143@albus.indy.progeny.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 ---------------------------------------------------------------------------
 PROGENY SERVICE NETWORK -- SECURITY ADVISORY             PROGENY-SA-2001-09
 ---------------------------------------------------------------------------

    Synopsis:       Vulnerabilities in FTP daemons

    Software:       Some FTP servers (See PACKAGE SUMMARY below)

    History:
         2000-12-04 Off-by-one OpenBSD vulnerability announced
         2000-12-05 Debian bsd-ftpd fixed in unstable
         2000-12-07 Debian ftpd fixed in unstable
         2000-12-18 OpenBSD Security advisory for off-by-one
         2001-04-09 NAI COVERT Labs advisory for globbing
         2001-04-17 FreeBSD advisory for globbing
         2001-04-26 Progeny Service Network advisory and fix for
                    both issues

    Credits:        PGP Security/NAI COVERT Labs
                    John McDonald
                    Anthony Osborne
                    Kristian Vlaardingerbroek

    Affects:        Progeny Debian
                    Debian GNU/Linux

    Progeny Only:   NO

    Vendor-Status:  New Versions Released


    $Id: PROGENY-SA-2001-09,v 1.1 2001/04/26 23:26:23 jdaily Exp $

 ---------------------------------------------------------------------------

PACKAGE SUMMARY

This advisory discusses issues that could impact multiple FTP daemons
from multiple sources and vendors.  All related and similar software
in Progeny Debian is summarized here:

Package        Status                          Fix
- -------------- ------------------------------- ------------------------
atftpd         NOT vulnerable                  n/a
bsd-ftpd       IS vulnerable prior to 0.3.2-7  Install bsd-ftpd 0.3.2-7
ftpd           IS vulnerable prior to 0.17-2   Install ftpd 0.17-3
muddleftpd     NOT vulnerable                  n/a
proftpd        NOT vulnerable                  n/a
pyftpd         NOT vulnerable                  n/a
tftpd          NOT vulnerable                  n/a
wu-ftpd        NOT vulnerable                  n/a


PROBLEM SUMMARY

Recently, several bugs have been discovered in various FTP servers.
If your Progeny Debian system runs either bsd-ftpd or ftpd, you may be
vulnerable to a remote security bug.


DETAILED DESCRIPTION

Three problems exist with some FTP daemons on certain platforms:

1. Certain FTP daemons assume that input from the client will never
   exceed 512 bytes.  However, after expanding wildcards by using the
   glob() function, it is possible that input may exceed these values,
   leading to potential remote exploits.  Our analysis is that
   no FTP or TFTP daemon contained in Progeny Debian is vulnerable
   to this attack.

2. Some platforms' libc or FTP daemons have a buggy implementation of
   glob() that can lead to security issues on its own.  Our analysis
   shows that Progeny's C library, GNU libc, does not contain these
   bugs.  None of the FTP or TFTP daemons Progeny Debian contains
   has an implementation of glob() that is buggy in this fashion.

3. Some FTP daemons contain an off-by-one bug in pathname processing
   that could provide vulnerabilities.  Our analysis has discovered
   two packages in Progeny Debian that have the potential to be
   vulnerable to an attack exploiting this bug.


IMPACT

Unauthorized persons may be able to exploit this problem to gain root
access.

The third problem above is the one of potential concern to Progeny
Debian users.  This issue was first reported against OpenBSD and a
public exploit exists for that platform.  To date, we are not aware
of any exploit or incident related to this bug on a Linux platform.

An attacker will only be able to exploit the problem if writes to the
FTP server are permitted.  Therefore, we believe anonymous FTP sites
that carry no "incoming" directories are not vulnerable to this
attack.  However, we do suggest that anyone running ftpd or bsd-ftpd
upgrade as soon as possible.

To determine whether you have one of the affected packages, run the
following command:

   # dpkg -l '*ftpd'


SOLUTION (See also: UPDATING VIA APT-GET)

Upgrade to a fixed version of ftpd or bsd-ftpd.  ftpd 0.17-3 and
bsd-ftpd 0.3.2-7 both contain fixes for the problem documented in this
advisory.


UPDATING VIA APT-GET (RECOMMENDED)

 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    update repository:

        deb http://archive.progeny.com/progeny updates/newton/

 2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

 3. Using apt(8), install the new package. apt(8) will download the
    update, verify its integrity with md5, and then install the
    package on your system with dpkg(8).

    Examples:

        # apt-get install ftpd
        # apt-get install bsd-ftpd


UPDATING VIA DPKG

 1. Using your preferred FTP/HTTP client to retrieve one of the following
    updated files from Progeny's update archive at:

    http://archive.progeny.com/progeny/updates/newton/

    MD5 Checksum                     Filename
    -------------------------------- -------------------------------------
    5a8d2bbccc1612dd18c6478e5df63ebb bsd-ftpd_0.3.2-7_i386.deb
    a272fc4b83848144c7fb88b8254d9d5e ftpd_0.17-3_i386.deb

    You need only download the one package that is relevant to your
    situation.  In the examples that follow, we will illustrate with
    ftpd.

    Example:

        # wget \
        http://archive.progeny.com/progeny/updates/newton/ftpd_0.17-3_i386.deb

 2. Use the md5sum command on the retrieved files to verify that they
    match the md5sum provided in this advisory:

    Example:

        # md5sum ftpd_0.17-3_i386.deb

 3. Then install the replacement package(s) using the dpkg command.

    Example:

        # dpkg --install ftpd_0.17-3_i386.deb


WORKAROUND

If you prefer not to upgrade your ftpd or bsd-ftpd package, you may
instead install one of the other non-vulnerable FTP servers listed
above.  Or, you may remove the packages from your system with one of
the following:

 # dpkg --remove ftpd
 # dpkg --remove bsd-ftpd


MORE INFORMATION

NAI Advisory: http://www.pgp.com/research/covert/advisories/048.asp

FreeBSD Globbing Advisory:
http://archive.progeny.com/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.asc

SecurityFocus summary: http://www.securityfocus.com/bid/2548

OpenBSD Advisory:
http://www.openbsd.org/advisories/ftpd_replydirname.txt

OpenBSD Bug Report:
http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/

Debian bsd-ftpd bug report: http://bugs.debian.org/78786

Debian ftpd bug report: http://bugs.debian.org/78973

Progeny advisories can be found at http://www.progeny.com/security/.


 ---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team
<security@progeny.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn
RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS
29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv
eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP
l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8
qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo
zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2
fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/
th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql
WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx
Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7
WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB
VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs
AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN
UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT
duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+
WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b
3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU
n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c
U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh
55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg
PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly
tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b
aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG
gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG
x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2
kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH
wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o
cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM
hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz
kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U
sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E
jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO
S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB
=6dRm
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrorvEACgkQScF9I/ktTR94IACdFJPmdGyRqwUhX38FbIzxs4G6
5PUAnj2TI4U2wia5Ae/w5cv2zKygo9+9
=dQ0S
-----END PGP SIGNATURE-----
(6419861) /Progeny Security Team <security@PROGENY.COM>/(Ombruten)