Debian bug report logs - #1013
This isn't fixed yet?
Package: wu-ftpd; Reported by: rdr@legislate.com (Raul Miller); Done: tobias@server.et-inf.fho-emden.de (Peter Tobias).
Message received at debian-bugs-done:
From legislate.com!rdr Sat Jun 17 04:51:07 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMwP4-0005z9C; Sat, 17 Jun 95 04:51 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with SMTP id AA22398
(5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Sat, 17 Jun 1995 04:49:37 -0700
Received: by hydra.legislate.com
id <m0sMsgD-0004hfC@legislate.com>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Sat, 17 Jun 95 07:52 GMT
Message-Id: <m0sMsgD-0004hfC@hydra.legislate.com>
Date: Sat, 17 Jun 95 07:52 GMT
From: rdr@legislate.com (Raul Miller)
To: tobias@et-inf.fho-emden.de
Cc: debian-bugs@pixar.com, debian-bugs-done@pixar.com
In-Reply-To: <9506170815.AA11598@server.et-inf.fho-emden.de> (tobias@server.et-inf.fho-emden.de)
Subject: Re: Bug#1013: This isn't fixed yet?
On closer investigation, even though I thought I'd installed version
9, I hadn't. [re-?] installation fixed the problem.
Sorry about the noise,
Raul
Message received at debian-bugs:
From legislate.com!rdr Sat Jun 17 04:51:07 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMwP4-0005z9C; Sat, 17 Jun 95 04:51 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with SMTP id AA22398
(5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Sat, 17 Jun 1995 04:49:37 -0700
Received: by hydra.legislate.com
id <m0sMsgD-0004hfC@legislate.com>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Sat, 17 Jun 95 07:52 GMT
Message-Id: <m0sMsgD-0004hfC@hydra.legislate.com>
Date: Sat, 17 Jun 95 07:52 GMT
From: rdr@legislate.com (Raul Miller)
To: tobias@et-inf.fho-emden.de
Cc: debian-bugs@pixar.com, debian-bugs-done@pixar.com
In-Reply-To: <9506170815.AA11598@server.et-inf.fho-emden.de> (tobias@server.et-inf.fho-emden.de)
Subject: Re: Bug#1013: This isn't fixed yet?
On closer investigation, even though I thought I'd installed version
9, I hadn't. [re-?] installation fixed the problem.
Sorry about the noise,
Raul
Acknowledgement sent to rdr@legislate.com (Raul Miller):
Extra info received and forwarded.
Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1013; Package wu-ftpd.
Full text available.
Message received at debian-bugs:
From server.et-inf.fho-emden.de!tobias Sat Jun 17 01:19:32 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMt6I-0005z9C; Sat, 17 Jun 95 01:19 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA16490
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 17 Jun 1995 01:18:01 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
id AA11598; Sat, 17 Jun 1995 10:15:41 +0200
From: tobias@server.et-inf.fho-emden.de (Peter Tobias)
Message-Id: <9506170815.AA11598@server.et-inf.fho-emden.de>
Subject: Re: Bug#1013: This isn't fixed yet?
To: rdr@legislate.com, debian-bugs@pixar.com
Date: Sat, 17 Jun 1995 10:15:40 +0000 (GMT-1:00)
Cc: debian-bugs-done@pixar.com
In-Reply-To: <m0sMj30-0004ioC@hydra.legislate.com> from "Raul Miller" at Jun 16, 95 09:35:00 pm
Reply-To: tobias@et-inf.fho-emden.de
X-Mailer: ELM [version 2.4 PL17]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 935
Raul Miller wrote:
> Package: wu-ftpd
[...]
> On June 2, 1995, the Australian Computer Emergency Response Team published
> an advisory about the security hole in some binaries of the wu.ftpd 2.4
> (Washington University FTP Server) in major Linux distributions. This Linux
> Security FAQ Update is an attempt to provide more detailed information about
> the vulnerability of the Washington University FTP Server and methods of
> fixing it.
[...]
> OBTAINING A FIX:
> ================
>
>
> Debian/GNU Linux:
>
> Users of Debian Linux Distribution can obtain fixed binary
> from the primary Debian distribution site.
The fixed version (2.4-9) is available since May 31, 1995.
Peter
--
Peter Tobias EMail:
Fachhochschule Ostfriesland tobias@et-inf.fho-emden.de
Fachbereich Elektrotechnik und Informatik tobias@perseus.fho-emden.de
Constantiaplatz 4, 26723 Emden, Germany
Acknowledgement sent to tobias@et-inf.fho-emden.de:
Extra info received and forwarded.
Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1013; Package wu-ftpd.
Full text available.
Message received at debian-bugs-done:
From server.et-inf.fho-emden.de!tobias Sat Jun 17 01:19:32 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMt6I-0005z9C; Sat, 17 Jun 95 01:19 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id AA16490
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 17 Jun 1995 01:18:01 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
id AA11598; Sat, 17 Jun 1995 10:15:41 +0200
From: tobias@server.et-inf.fho-emden.de (Peter Tobias)
Message-Id: <9506170815.AA11598@server.et-inf.fho-emden.de>
Subject: Re: Bug#1013: This isn't fixed yet?
To: rdr@legislate.com, debian-bugs@pixar.com
Date: Sat, 17 Jun 1995 10:15:40 +0000 (GMT-1:00)
Cc: debian-bugs-done@pixar.com
In-Reply-To: <m0sMj30-0004ioC@hydra.legislate.com> from "Raul Miller" at Jun 16, 95 09:35:00 pm
Reply-To: tobias@et-inf.fho-emden.de
X-Mailer: ELM [version 2.4 PL17]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 935
Raul Miller wrote:
> Package: wu-ftpd
[...]
> On June 2, 1995, the Australian Computer Emergency Response Team published
> an advisory about the security hole in some binaries of the wu.ftpd 2.4
> (Washington University FTP Server) in major Linux distributions. This Linux
> Security FAQ Update is an attempt to provide more detailed information about
> the vulnerability of the Washington University FTP Server and methods of
> fixing it.
[...]
> OBTAINING A FIX:
> ================
>
>
> Debian/GNU Linux:
>
> Users of Debian Linux Distribution can obtain fixed binary
> from the primary Debian distribution site.
The fixed version (2.4-9) is available since May 31, 1995.
Peter
--
Peter Tobias EMail:
Fachhochschule Ostfriesland tobias@et-inf.fho-emden.de
Fachbereich Elektrotechnik und Informatik tobias@perseus.fho-emden.de
Constantiaplatz 4, 26723 Emden, Germany
Notification sent to rdr@legislate.com (Raul Miller):
Bug acknowledged by developer.
Full text available.
Reply sent to tobias@et-inf.fho-emden.de:
You have taken responsibility.
Full text available.
Message received at debian-bugs:
From simons-rock.edu!jimr Fri Jun 16 19:19:40 1995
Return-Path: <jimr@simons-rock.edu>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMnU4-0005z9C; Fri, 16 Jun 95 19:19 PDT
Received: from plato.simons-rock.edu by pixar.com with SMTP id AA29989
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 16 Jun 1995 19:16:58 -0700
Received: from simons-rock.edu by plato.simons-rock.edu with smtp
(Smail3.1.29.1 #3) id m0sMnSb-000017C; Fri, 16 Jun 95 22:18 EDT
Message-Id: <m0sMnSb-000017C@plato.simons-rock.edu>
To: rdr@legislate.com (Raul Miller), debian-bugs@pixar.com
Subject: Re: Bug#1013: This isn't fixed yet?
In-Reply-To: Message from rdr@legislate.com (Raul Miller)
of "Fri, 16 Jun 1995 21:35:00 GMT." <m0sMj30-0004ioC@hydra.legislate.com>
Date: Fri, 16 Jun 1995 22:18:09 -0400
From: "James A. Robinson" <jimr@simons-rock.edu>
I believe Peter released a fixed version in v 2.4-9.
Jim
Acknowledgement sent to "James A. Robinson" <jimr@simons-rock.edu>:
Extra info received and forwarded.
Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1013; Package wu-ftpd.
Full text available.
Message received at debian-bugs:
From legislate.com!rdr Fri Jun 16 18:33:50 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sMmlh-0005lbC; Fri, 16 Jun 95 18:33 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with SMTP id AA27480
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 16 Jun 1995 18:32:19 -0700
Received: by hydra.legislate.com
id <m0sMj30-0004ioC@legislate.com>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Fri, 16 Jun 95 21:35 GMT
Message-Id: <m0sMj30-0004ioC@hydra.legislate.com>
Date: Fri, 16 Jun 95 21:35 GMT
From: rdr@legislate.com (Raul Miller)
To: debian-bugs@pixar.com
Subject: This isn't fixed yet?
Package: wu-ftpd
From: alex <alex@bach.cis.temple.edu>
Newsgroups: comp.os.linux.announce
Followup-To: comp.os.linux.setup
Date: 16 Jun 1995 15:59:33 +0300
Organization: ?
Lines: 202
Keywords: FAQ, update
- - - - - - - LSF Update#4 - - - - - - - - - - - - - - - - - - - - - -
Washington University FTP Server Version 2.4
LINUX SECURITY FAQ UPDATE
June 3, 1995 11:37 EST
Last Update: June 7, 1995 20:38 EST
Copyright (C) 1995 Alexander O. Yuriev
CIS Laboratories, TEMPLE UNIVERSITY
<alex@bach.cis.temple.edu>
-----------------------------------------------------------------------------
This is an update to Linux Security FAQ. The FAQ itself is not completely
written yet and currently covers only Slackware Linux distribution. If you
use a different Linux distribution and the location name of some files
differ from the ones used in this update, please drop me a note at at
<alex@bach.cis.temple.edu>.
If you create your own Linux distributions that are being placed on
FTP sites or CDs, please contact me!
Linux FAQ WWW is http://bach.cis.temple.edu/linux/linux-security
-----------------------------------------------------------------------------
On June 2, 1995, the Australian Computer Emergency Response Team published
an advisory about the security hole in some binaries of the wu.ftpd 2.4
(Washington University FTP Server) in major Linux distributions. This Linux
Security FAQ Update is an attempt to provide more detailed information about
the vulnerability of the Washington University FTP Server and methods of
fixing it.
ABSTRACT:
=========
The default configuration of the Washington University FTP Server
version 2.4 in major Linux distributions including Slackware 2.0,
2.1, 2.2, 2.3, Yggdrasil Plug&Play Fall'94 and Debian Distribution
has a configuration problem which allows any user with an account on
a system to gain the root access.
DETECTION:
==========
The following set of commands can be used to determine if your ftp
server is affected (source host's name is viper. The name of a
system being checked is devnull)
[jru@viper]:~> ftp devnull
Connected to devnull
220 ftphost FTP server (Version wu-2.4(3) Wed May 31 04:11:15 EDT 1995)
Name (devnull:jru): jru
331 Password required for jru
Password:
230 User user logged in.
ftp> quote site exec echo Joe Random User
200-echo Joe Random User
200-Joe Random User
200 (end of 'echo Joe Random User')
ftp> quit
221 Goodbye.
If you see the phrase you specified in echo command is displayed on
the screen, then the configuration of the ftp server on the host is
probably vulnerable and you will need to obtain a fix for it.
QUICK FIX:
==========
Unfortunately, the fix is more than a one step process. We advise you
to start by shutting down the ftp server using the command:
ftpshut now
This command blocks all connections to the ftp server.
ANONYMOUS FTP:
==============
Unfortunately, it is not possible to be 100% sure if the anonymous
ftp is affected. In theory, if all of the following conditions
are true an anonymous ftp user can exploit the hole:
1) Uploads are allowed
2) Anonymous users are allowed to use chmod.
3) GNU tar is present in the SITE EXECable directory
In practice, we could not reconstruct an attack that can be used by
the anonymous user to exploit the hole. [Olaf Kirch managed to open
a non-root xterm(1) window from as an anonymous user] Nevertheless,
please close it just to be safe. We would also like to mention that
there should be absolutely no reason to allow an anonymous user to
change access permissions of files from your ftp server. To block
it, edit the ftpaccess file which is usually located in the /etc
directory (/etc/ftpaccess) and the add line.
chmod no guest, anonymous
OBTAINING A FIX:
================
Debian/GNU Linux:
Users of Debian Linux Distribution can obtain fixed binary
from the primary Debian distribution site.
wu-ftpd 2.4 source code:
The correctly configured wu-ftpd 2.4 server for Linux can be
obtained at the following URLs:
ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/
ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/
ftp://sunsite.unc.edu/pub/Linux/ (I don't know where it will
end up)
In addition to the source code of patched wu-ftpd 2.4 you
can get the patch that would create a "fixed" tree from the
original wu-ftpd 2. and the wu-ftpd 2.4 itself. All files
have their MD5 checksums in the file CHECKSUMS in the same
directory.
LIST OF AFFECTED DISTRIBUTIONS:
==============================
As of today, we are aware that the following distributions are
affected and have to be patched:
Slackware Linux 2.0
Slackware Linux 2.1
Slackware Linux 2.2
Slackware Linux 2.3
Debian/GNU Linux
Yggdrasil Plug&Play'94
Boggus 1.01
Authors of Red Hat Linux distributions claim that their
distributions are not affected. Unfortunately, we were unable to
verify this claim as apparently neither Olaf Kirch nor Jeff Uphoff
nor I have access to it, although we do hope that it is true. The
Red Hat Linux Distributions are known to have the latest fixes
included.
We would like users of other Linux distributions to inform us if
their version of wu-ftpd was affected. If you are a user or a
maintainer of one of the following distributions, please contact us.
Mini Linux Distribution
TAMU
SLS
MCC
"OUR THANK YOU"
===============
I would like to thank the following people for their help in researching
this problem and providing a solution:
Olaf Kirch (okir@monad.swb.de), Wolfgang Ley
(ley@cert.dfn.de), Jeff Uphoff (juphoff@linux.nrao.edu)
and last, but not least, Scott Weinstein (SWEIN@ALBNYVMS.BITNET)
who within a day from the original time I posted the update
informed us about a problem with Bogus Linux distribution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
============================================================================
Alexander O. Yuriev Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
PGP Key: 1024/ADF3EE95 Fingerprint: AB4FE7382C3627BC 6934EC2A2C05AB62
Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
=============================================================================
--
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember Keywords: and a short description of the software.
Acknowledgement sent to rdr@legislate.com (Raul Miller):
New bug report received and forwarded.
Full text available.
Report forwarded to debian-devel@pixar.com:
Bug#1013; Package wu-ftpd.
Full text available.
Ian Jackson /
iwj10@thor.cam.ac.uk,
with the debian-bugs tracking mechanism