

Debian bug report logs - #1013
This isn't fixed yet?

Package: wu-ftpd ; Reported by: rdr@legislate.com (Raul Miller); Done:
tobias@server.et-inf.fho-emden.de (Peter Tobias).
-----------------------------------------------------------------------

Message received at debian-bugs-done:


From legislate.com!rdr Sat Jun 17 04:51:07 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMwP4-0005z9C; Sat, 17 Jun 95 04:51 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with 
SMTP id AA22398
  (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Sat, 17 Jun 
1995 04:49:37 -0700
Received: by hydra.legislate.com
        id <m0sMsgD-0004hfC@legislate.com>
        (Debian /\oo/\ Smail3.1.29.1 #29.32); Sat, 17 Jun 95 07:52 GMT
Message-Id: <m0sMsgD-0004hfC@hydra.legislate.com>
Date: Sat, 17 Jun 95 07:52 GMT
From: rdr@legislate.com (Raul Miller)
To: tobias@et-inf.fho-emden.de
Cc: debian-bugs@pixar.com, debian-bugs-done@pixar.com
In-Reply-To: <9506170815.AA11598@server.et-inf.fho-emden.de> 
(tobias@server.et-inf.fho-emden.de)
Subject: Re: Bug#1013: This isn't fixed yet?

On closer investigation, even though I thought I'd installed version
9, I hadn't.  [re-?] installation fixed the problem.

Sorry about the noise,

Raul
-----------------------------------------------------------------------

Message received at debian-bugs:


From legislate.com!rdr Sat Jun 17 04:51:07 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMwP4-0005z9C; Sat, 17 Jun 95 04:51 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with 
SMTP id AA22398
  (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Sat, 17 Jun 
1995 04:49:37 -0700
Received: by hydra.legislate.com
        id <m0sMsgD-0004hfC@legislate.com>
        (Debian /\oo/\ Smail3.1.29.1 #29.32); Sat, 17 Jun 95 07:52 GMT
Message-Id: <m0sMsgD-0004hfC@hydra.legislate.com>
Date: Sat, 17 Jun 95 07:52 GMT
From: rdr@legislate.com (Raul Miller)
To: tobias@et-inf.fho-emden.de
Cc: debian-bugs@pixar.com, debian-bugs-done@pixar.com
In-Reply-To: <9506170815.AA11598@server.et-inf.fho-emden.de> 
(tobias@server.et-inf.fho-emden.de)
Subject: Re: Bug#1013: This isn't fixed yet?

On closer investigation, even though I thought I'd installed version
9, I hadn't.  [re-?] installation fixed the problem.

Sorry about the noise,

Raul
-----------------------------------------------------------------------
Acknowledgement sent to rdr@legislate.com (Raul Miller) :
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com :
Bug#1013 ; Package wu-ftpd . Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:


From server.et-inf.fho-emden.de!tobias Sat Jun 17 01:19:32 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMt6I-0005z9C; Sat, 17 Jun 95 01:19 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id 
AA16490
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 17 Jun 1995 
01:18:01 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
        id AA11598; Sat, 17 Jun 1995 10:15:41 +0200
From: tobias@server.et-inf.fho-emden.de (Peter Tobias)
Message-Id: <9506170815.AA11598@server.et-inf.fho-emden.de>
Subject: Re: Bug#1013: This isn't fixed yet?
To: rdr@legislate.com, debian-bugs@pixar.com
Date: Sat, 17 Jun 1995 10:15:40 +0000 (GMT-1:00)
Cc: debian-bugs-done@pixar.com
In-Reply-To: <m0sMj30-0004ioC@hydra.legislate.com> from "Raul Miller" at 
Jun 16, 95 09:35:00 pm
Reply-To: tobias@et-inf.fho-emden.de
X-Mailer: ELM [version 2.4 PL17]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 935       

Raul Miller wrote:
> Package: wu-ftpd
[...]
> On June 2, 1995, the Australian Computer Emergency Response Team 
published
> an advisory about the security hole in some binaries of the wu.ftpd 
2.4
> (Washington University FTP Server) in major Linux distributions. This 
Linux
> Security FAQ Update is an attempt to provide more detailed information 
about
> the vulnerability of the Washington University FTP Server and methods 
of
> fixing it.
[...]
> OBTAINING A FIX:
> ================
> 
> 
>       Debian/GNU Linux:
> 
>               Users of Debian Linux Distribution can obtain fixed 
binary
>               from the primary Debian distribution site.

The fixed version (2.4-9) is available since May 31, 1995.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany
-----------------------------------------------------------------------
Acknowledgement sent to tobias@et-inf.fho-emden.de :
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com :
Bug#1013 ; Package wu-ftpd . Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs-done:


From server.et-inf.fho-emden.de!tobias Sat Jun 17 01:19:32 1995
Return-Path: <tobias@server.et-inf.fho-emden.de>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMt6I-0005z9C; Sat, 17 Jun 95 01:19 PDT
Received: from server.et-inf.fho-emden.de by pixar.com with SMTP id 
AA16490
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Sat, 17 Jun 1995 
01:18:01 -0700
Received: by server.et-inf.fho-emden.de (5.65/DEC-Ultrix/4.3)
        id AA11598; Sat, 17 Jun 1995 10:15:41 +0200
From: tobias@server.et-inf.fho-emden.de (Peter Tobias)
Message-Id: <9506170815.AA11598@server.et-inf.fho-emden.de>
Subject: Re: Bug#1013: This isn't fixed yet?
To: rdr@legislate.com, debian-bugs@pixar.com
Date: Sat, 17 Jun 1995 10:15:40 +0000 (GMT-1:00)
Cc: debian-bugs-done@pixar.com
In-Reply-To: <m0sMj30-0004ioC@hydra.legislate.com> from "Raul Miller" at 
Jun 16, 95 09:35:00 pm
Reply-To: tobias@et-inf.fho-emden.de
X-Mailer: ELM [version 2.4 PL17]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Content-Length: 935       

Raul Miller wrote:
> Package: wu-ftpd
[...]
> On June 2, 1995, the Australian Computer Emergency Response Team 
published
> an advisory about the security hole in some binaries of the wu.ftpd 
2.4
> (Washington University FTP Server) in major Linux distributions. This 
Linux
> Security FAQ Update is an attempt to provide more detailed information 
about
> the vulnerability of the Washington University FTP Server and methods 
of
> fixing it.
[...]
> OBTAINING A FIX:
> ================
> 
> 
>       Debian/GNU Linux:
> 
>               Users of Debian Linux Distribution can obtain fixed 
binary
>               from the primary Debian distribution site.

The fixed version (2.4-9) is available since May 31, 1995.


Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@perseus.fho-emden.de
 Constantiaplatz 4, 26723 Emden, Germany
-----------------------------------------------------------------------
Notification sent to rdr@legislate.com (Raul Miller) :
Bug acknowledged by developer. Full text available.
-----------------------------------------------------------------------
Reply sent to tobias@et-inf.fho-emden.de :
You have taken responsibility. Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:


From simons-rock.edu!jimr Fri Jun 16 19:19:40 1995
Return-Path: <jimr@simons-rock.edu>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMnU4-0005z9C; Fri, 16 Jun 95 19:19 PDT
Received: from plato.simons-rock.edu by pixar.com with SMTP id AA29989
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 16 Jun 1995 
19:16:58 -0700
Received: from simons-rock.edu by plato.simons-rock.edu with smtp
        (Smail3.1.29.1 #3) id m0sMnSb-000017C; Fri, 16 Jun 95 22:18 EDT
Message-Id: <m0sMnSb-000017C@plato.simons-rock.edu>
To: rdr@legislate.com (Raul Miller), debian-bugs@pixar.com
Subject: Re: Bug#1013: This isn't fixed yet? 
In-Reply-To: Message from rdr@legislate.com (Raul Miller) 
   of "Fri, 16 Jun 1995 21:35:00 GMT." 
<m0sMj30-0004ioC@hydra.legislate.com> 
Date: Fri, 16 Jun 1995 22:18:09 -0400
From: "James A. Robinson" <jimr@simons-rock.edu>


I believe Peter released a fixed version in v 2.4-9.


Jim
-----------------------------------------------------------------------
Acknowledgement sent to "James A. Robinson" <jimr@simons-rock.edu> :
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com :
Bug#1013 ; Package wu-ftpd . Full text available.
-----------------------------------------------------------------------

Message received at debian-bugs:


From legislate.com!rdr Fri Jun 16 18:33:50 1995
Return-Path: <rdr@legislate.com>
Received: from pixar.com by mongo.pixar.com with smtp
        (Smail3.1.28.1 #15) id m0sMmlh-0005lbC; Fri, 16 Jun 95 18:33 PDT
Received: from hydra.legislate.com ([192.77.155.4]) by pixar.com with 
SMTP id AA27480
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 16 Jun 1995 
18:32:19 -0700
Received: by hydra.legislate.com
        id <m0sMj30-0004ioC@legislate.com>
        (Debian /\oo/\ Smail3.1.29.1 #29.32); Fri, 16 Jun 95 21:35 GMT
Message-Id: <m0sMj30-0004ioC@hydra.legislate.com>
Date: Fri, 16 Jun 95 21:35 GMT
From: rdr@legislate.com (Raul Miller)
To: debian-bugs@pixar.com
Subject: This isn't fixed yet?

Package: wu-ftpd

From: alex <alex@bach.cis.temple.edu>
Newsgroups: comp.os.linux.announce
Followup-To: comp.os.linux.setup
Date: 16 Jun 1995 15:59:33 +0300
Organization: ?
Lines: 202
Keywords: FAQ, update

- - - - - - - LSF Update#4 - - - - - - - - - - - - - - - - - - - - - -

                Washington University FTP Server Version 2.4
                          LINUX SECURITY FAQ UPDATE
                           June 3, 1995  11:37 EST

                    Last Update: June 7, 1995  20:38 EST

                   Copyright (C) 1995 Alexander O. Yuriev
                     CIS Laboratories, TEMPLE UNIVERSITY
                         <alex@bach.cis.temple.edu>

-----------------------------------------------------------------------------
 This is an update to Linux Security FAQ. The FAQ itself is not 
completely
 written yet and currently covers only Slackware Linux distribution. If 
you
   use a different Linux distribution and the location name of some 
files
    differ from the ones used in this update, please drop me a note at 
at
                         <alex@bach.cis.temple.edu>. 

      If you create your own Linux distributions that are being placed 
on
                   FTP sites or CDs, please contact me!

    Linux FAQ WWW is http://bach.cis.temple.edu/linux/linux-security
-----------------------------------------------------------------------------


On June 2, 1995, the Australian Computer Emergency Response Team 
published
an advisory about the security hole in some binaries of the wu.ftpd 2.4
(Washington University FTP Server) in major Linux distributions. This 
Linux
Security FAQ Update is an attempt to provide more detailed information 
about
the vulnerability of the Washington University FTP Server and methods of
fixing it. 



ABSTRACT:
=========


        The default configuration of the Washington University FTP 
Server
        version 2.4 in major Linux distributions including Slackware 
2.0,
        2.1, 2.2, 2.3, Yggdrasil Plug&Play Fall'94 and Debian 
Distribution
        has a configuration problem which allows any user with an 
account on
        a system to gain the root access.



DETECTION:
==========


        The following set of commands can be used to determine if your 
ftp
        server is affected (source host's name is viper. The name of a
        system being checked is devnull)

        [jru@viper]:~> ftp devnull
        Connected to devnull
        220 ftphost FTP server (Version wu-2.4(3) Wed May 31 04:11:15 
EDT 1995)
        Name (devnull:jru): jru
        331 Password required for jru
        Password: 
        230 User user logged in.
        ftp> quote site exec echo Joe Random User
        200-echo Joe Random User
        200-Joe Random User
        200  (end of 'echo Joe Random User')
        ftp> quit
        221 Goodbye.

        If you see the phrase you specified in echo command is displayed 
on
        the screen, then the configuration of the ftp server on the host 
is
        probably vulnerable and you will need to obtain a fix for it.


QUICK FIX:
==========


        Unfortunately, the fix is more than a one step process. We 
advise you 
        to start by shutting down the ftp server using the command:

                ftpshut now

        This command blocks all connections to the ftp server. 


ANONYMOUS FTP:
==============


        Unfortunately, it is not possible to be 100% sure if the 
anonymous
        ftp is affected. In theory, if all of the following conditions 
        are true an anonymous ftp user can exploit the hole:

                1) Uploads are allowed
                2) Anonymous users are allowed to use chmod.
                3) GNU tar is present in the SITE EXECable directory

        In practice, we could not reconstruct an attack that can be used 
by
        the anonymous user to exploit the hole. [Olaf Kirch managed to 
open
        a non-root xterm(1) window from as an anonymous user] 
Nevertheless,
        please close it just to be safe. We would also like to mention 
that
        there should be absolutely no reason to allow an anonymous user 
to
        change access permissions of files from your ftp server. To 
block
        it, edit the ftpaccess file which is usually located in the /etc
        directory (/etc/ftpaccess) and the add line.

                chmod   no      guest, anonymous


OBTAINING A FIX:
================


        Debian/GNU Linux:

                Users of Debian Linux Distribution can obtain fixed 
binary
                from the primary Debian distribution site.

        wu-ftpd 2.4 source code:

                The correctly configured wu-ftpd 2.4 server for Linux 
can be
                obtained at the following URLs:

                ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/

                ftp://linux.nrao.edu/pub/people/alex/wu-ftpd-2.4-fix/

                ftp://sunsite.unc.edu/pub/Linux/ (I don't know where it 
will 
                                                  end up)

                In addition to the source code of patched wu-ftpd 2.4 
you
                can get the patch that would create a "fixed" tree from 
the
                original wu-ftpd 2. and the wu-ftpd 2.4 itself. All 
files 
                have their MD5 checksums in the file CHECKSUMS in the 
same 
                directory.



LIST OF AFFECTED DISTRIBUTIONS:
==============================

        As of today, we are aware that the following distributions are
        affected and have to be patched:


                Slackware Linux 2.0
                Slackware Linux 2.1
                Slackware Linux 2.2
                Slackware Linux 2.3
                Debian/GNU Linux 
                Yggdrasil Plug&Play'94
                Boggus 1.01


        Authors of Red Hat Linux distributions claim that their
        distributions are not affected. Unfortunately, we were unable to
        verify this claim as apparently neither Olaf Kirch nor Jeff 
Uphoff
        nor I have access to it, although we do hope that it is true. 
The 
        Red Hat Linux Distributions are known to have the latest fixes
        included.


        We would like users of other Linux distributions to inform us if
        their version of wu-ftpd was affected. If you are a user or a
        maintainer of one of the following distributions, please contact 
us.

                Mini Linux Distribution
                TAMU
                SLS
                MCC


"OUR THANK YOU"
===============

        I would like to thank the following people for their help in 
researching
        this problem and providing a solution:

                Olaf Kirch (okir@monad.swb.de), Wolfgang Ley
                (ley@cert.dfn.de), Jeff Uphoff (juphoff@linux.nrao.edu) 
                and last, but not least, Scott Weinstein 
(SWEIN@ALBNYVMS.BITNET)
                who within a day from the original time I posted the 
update 
                informed us about a problem with Bogus Linux 
distribution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- -


============================================================================
Alexander O. Yuriev                         Email: 
alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY   WWW: 
http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA           

   PGP Key: 1024/ADF3EE95  Fingerprint: AB4FE7382C3627BC 
6934EC2A2C05AB62

Unless otherwise stated, everything above is my personal opinion and not 
an
               opinion of any organisation affiliated with me.
=============================================================================

--
Send submissions for comp.os.linux.announce to: 
linux-announce@news.ornl.gov
PLEASE remember Keywords: and a short description of the software.

-----------------------------------------------------------------------
Acknowledgement sent to rdr@legislate.com (Raul Miller) :
New bug report received and forwarded. Full text available.
-----------------------------------------------------------------------
Report forwarded to debian-devel@pixar.com :
Bug#1013 ; Package wu-ftpd . Full text available.
-----------------------------------------------------------------------
Ian Jackson / iwj10@thor.cam.ac.uk , with the debian-bugs tracking
mechanism
This page last modified 06:43:02 GMT Wed 21 Jun