Date: 2001-04-26 18:31 -0500
From: Progeny Security Team <security@PROGENY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
External replies to: security@PROGENY.COM
Subject: PROGENY-SA-2001-09: Vulnerabilities in FTP daemons
Message-ID: <20010426233140.4CC1614143@albus.indy.progeny.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------------
PROGENY SERVICE NETWORK -- SECURITY ADVISORY              PROGENY-SA-2001-09
---------------------------------------------------------------------------

Synopsis:       Vulnerabilities in FTP daemons
Software:       Some FTP servers (See PACKAGE SUMMARY below)
History:        2000-12-04  Off-by-one OpenBSD vulnerability announced
                2000-12-05  Debian bsd-ftpd fixed in unstable
                2000-12-07  Debian ftpd fixed in unstable
                2000-12-18  OpenBSD Security advisory for off-by-one
                2001-04-09  NAI COVERT Labs advisory for globbing
                2001-04-17  FreeBSD advisory for globbing
                2001-04-26  Progeny Service Network advisory and fix for
                            both issues
Credits:        PGP Security/NAI COVERT Labs
                John McDonald
                Anthony Osborne
                Kristian Vlaardingerbroek
Affects:        Progeny Debian
                Debian GNU/Linux
Progeny Only:   NO
Vendor-Status:  New Versions Released
$Id: PROGENY-SA-2001-09,v 1.1 2001/04/26 23:26:23 jdaily Exp $
---------------------------------------------------------------------------

PACKAGE SUMMARY

This advisory discusses issues that could impact multiple FTP daemons
from multiple sources and vendors.
All related and similar software in Progeny Debian is summarized here:

Package          Status                           Fix
- -------------- ------------------------------- ------------------------
atftpd           NOT vulnerable                   n/a
bsd-ftpd         IS vulnerable prior to 0.3.2-7   Install bsd-ftpd 0.3.2-7
ftpd             IS vulnerable prior to 0.17-2    Install ftpd 0.17-3
muddleftpd       NOT vulnerable                   n/a
proftpd          NOT vulnerable                   n/a
pyftpd           NOT vulnerable                   n/a
tftpd            NOT vulnerable                   n/a
wu-ftpd          NOT vulnerable                   n/a

PROBLEM SUMMARY

Recently, several bugs have been discovered in various FTP servers. If
your Progeny Debian system runs either bsd-ftpd or ftpd, you may be
vulnerable to a remote security bug.

DETAILED DESCRIPTION

Three problems exist with some FTP daemons on certain platforms:

1. Certain FTP daemons assume that input from the client will never
   exceed 512 bytes. However, after expanding wildcards by using the
   glob() function, it is possible that input may exceed these values,
   leading to potential remote exploits.

   Our analysis is that no FTP or TFTP daemon contained in Progeny
   Debian is vulnerable to this attack.

2. Some platforms' libc or FTP daemons have a buggy implementation of
   glob() that can lead to security issues on its own. Our analysis
   shows that Progeny's C library, GNU libc, does not contain these
   bugs. None of the FTP or TFTP daemons Progeny Debian contains has an
   implementation of glob() that is buggy in this fashion.

3. Some FTP daemons contain an off-by-one bug in pathname processing
   that could provide vulnerabilities. Our analysis has discovered two
   packages in Progeny Debian that have the potential to be vulnerable
   to an attack exploiting this bug.

IMPACT

Unauthorized persons may be able to exploit this problem to gain root
access. The third problem above is the one of potential concern to
Progeny Debian users. This issue was first reported against OpenBSD and
a public exploit exists for that platform. To date, we are not aware of
any exploit or incident related to this bug on a Linux platform.
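The first and third problems in the DETAILED DESCRIPTION both come down to reply-buffer arithmetic: a fixed-size buffer that a glob() expansion can exceed, and a length check that is off by one. The C code below is an illustration added to this edited copy; it is not code from the advisory or from any of the daemons it names. It expands a client-supplied pattern with glob(3) and refuses, rather than truncates or overruns, any result that would not fit, counting the terminating NUL so that the exact-fit case is handled correctly. The 512-byte size is taken from the advisory; the function names, the space-separated reply format and the decision to discard a partial reply on refusal are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <glob.h>

/* Fixed reply buffer size named in the advisory (512 bytes). */
#define REPLY_MAX 512

/* Append one name to reply[], separated by a space from what is already
 * there. The bound counts the separator AND the terminating NUL. A check
 * written as (n + sep > cap - *used) forgets the NUL: a name that fills
 * the buffer exactly then writes its terminator one byte past the end,
 * which is the off-by-one shape the advisory describes.
 * Returns 0 on success, -1 if the name does not fit. */
static int append_bounded(char *reply, size_t cap, size_t *used,
                          const char *name)
{
    size_t n = strlen(name);
    size_t sep = (*used > 0) ? 1 : 0;

    /* *used is always < cap (the NUL lives at reply[*used]), so the
     * subtraction cannot wrap; comparing this way avoids overflow in
     * *used + n + sep + 1 for absurdly long names. */
    if (n + sep + 1 > cap - *used)
        return -1;

    if (sep)
        reply[*used] = ' ';
    memcpy(reply + *used + sep, name, n);
    *used += sep + n;
    reply[*used] = '\0';
    return 0;
}

/* Build a reply from an already-expanded list of names (hypothetical
 * helper; the name list stands in for glob()'s gl_pathv). Returns the
 * number of names placed, or -1 with reply[] emptied if they would not
 * fit. A partial reply is never handed back to the caller. */
int build_reply_from_names(const char *const *names, size_t count,
                           char *reply, size_t cap)
{
    size_t used = 0;

    if (cap == 0)
        return -1;
    reply[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (append_bounded(reply, cap, &used, names[i]) != 0) {
            reply[0] = '\0';
            return -1;
        }
    }
    return (int)count;
}

/* Expand a client-supplied pattern with glob(3) and hand the result to
 * the bounded builder. GLOB_NOMATCH yields an empty reply; any other
 * glob() failure is reported as a refusal. */
int build_reply(const char *pattern, char *reply, size_t cap)
{
    glob_t g;
    int rc = glob(pattern, 0, NULL, &g);

    if (rc == GLOB_NOMATCH) {
        globfree(&g);
        if (cap)
            reply[0] = '\0';
        return 0;
    }
    if (rc != 0) {
        globfree(&g);
        return -1;
    }
    int placed = build_reply_from_names((const char *const *)g.gl_pathv,
                                        g.gl_pathc, reply, cap);
    globfree(&g);
    return placed;
}

int main(void)
{
    char reply[REPLY_MAX];
    int n = build_reply("/etc/*", reply, sizeof reply);

    if (n < 0)
        puts("expansion refused: result would exceed the reply buffer");
    else
        printf("%d name(s) fit: %s\n", n, reply);
    return 0;
}
```

Run as-is, the program expands `/etc/*` and either prints the names or reports that the expansion was refused; on most systems the expansion is longer than 512 bytes, which is exactly the situation the advisory's first problem describes. The refusal is deliberate: silently truncating would hide the condition from the operator, and copying without the bound is the bug.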
An attacker will only be able to exploit the problem if writes to the
FTP server are permitted. Therefore, we believe anonymous FTP sites
that carry no "incoming" directories are not vulnerable to this attack.
However, we do suggest that anyone running ftpd or bsd-ftpd upgrade as
soon as possible.

To determine whether you have one of the affected packages, run the
following command:

  # dpkg -l '*ftpd'

SOLUTION (See also: UPDATING VIA APT-GET)

Upgrade to a fixed version of ftpd or bsd-ftpd. ftpd 0.17-3 and
bsd-ftpd 0.3.2-7 both contain fixes for the problem documented in this
advisory.

UPDATING VIA APT-GET (RECOMMENDED)

1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
   update repository:

     deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8). Example:

     # apt-get update

3. Using apt(8), install the new package. apt(8) will download the
   update, verify its integrity with md5, and then install the package
   on your system with dpkg(8). Examples:

     # apt-get install ftpd
     # apt-get install bsd-ftpd

UPDATING VIA DPKG

1. Use your preferred FTP/HTTP client to retrieve one of the following
   updated files from Progeny's update archive at:

     http://archive.progeny.com/progeny/updates/newton/

     MD5 Checksum                     Filename
     -------------------------------- -------------------------------------
     5a8d2bbccc1612dd18c6478e5df63ebb bsd-ftpd_0.3.2-7_i386.deb
     a272fc4b83848144c7fb88b8254d9d5e ftpd_0.17-3_i386.deb

   You need only download the one package that is relevant to your
   situation. In the examples that follow, we will illustrate with ftpd.
   Example:

     # wget \
       http://archive.progeny.com/progeny/updates/newton/ftpd_0.17-3_i386.deb

2. Use the md5sum command on the retrieved files to verify that they
   match the md5sum provided in this advisory. Example:

     # md5sum ftpd_0.17-3_i386.deb

3. Then install the replacement package(s) using the dpkg command.
   Example:

     # dpkg --install ftpd_0.17-3_i386.deb

WORKAROUND

If you prefer not to upgrade your ftpd or bsd-ftpd package, you may
instead install one of the other non-vulnerable FTP servers listed
above. Or, you may remove the packages from your system with one of the
following:

  # dpkg --remove ftpd
  # dpkg --remove bsd-ftpd

MORE INFORMATION

NAI Advisory:
  http://www.pgp.com/research/covert/advisories/048.asp
FreeBSD Globbing Advisory:
  http://archive.progeny.com/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.asc
SecurityFocus summary:
  http://www.securityfocus.com/bid/2548
OpenBSD Advisory:
  http://www.openbsd.org/advisories/ftpd_replydirname.txt
OpenBSD Bug Report:
  http://www.geocrawler.com/lists/3/OpenBSD/254/75/4767480/
Debian bsd-ftpd bug report:
  http://bugs.debian.org/78786
Debian ftpd bug report:
  http://bugs.debian.org/78973

Progeny advisories can be found at http://www.progeny.com/security/.

---------------------------------------------------------------------------

pub  1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn
RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS
29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv
eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP
l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8
qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo
zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2
fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/
th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql
WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx
Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7
WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB
VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs
AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN
UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT
duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+
WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b
3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU
n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c
U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh
55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg
PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly
tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b
aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG
gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG
x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2
kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH
wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o
cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM
hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz
kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U
sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E
jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO
S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB
=6dRm
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrorvEACgkQScF9I/ktTR94IACdFJPmdGyRqwUhX38FbIzxs4G6
5PUAnj2TI4U2wia5Ae/w5cv2zKygo9+9
=dQ0S
-----END PGP SIGNATURE-----