

[Teun.Nijssen@kub.nl: S-97-06 ftpd race condition]



[Cc-ed to debian-private, because this could be relevant to the discussions
regarding the different manager positions]

Red Hat has had this problem. Is this problem relevant to Debian? If so,
is a fixed version available?

Also, how do you feel about a security page on the website, e.g. a list of
advisories, whether or not they are relevant to Debian, and if so, what the
fix is. I think Debian's biggest problem wrt security is that although
packages are mostly fixed quite fast, it is difficult for users to notice
this.

Greetings,
Ray
-- 
PATRIOTISM  A great British writer once said that if he had to choose 
between betraying his country and betraying a friend he hoped he would
have the decency to betray his country.                                      
- The Hipcrime Vocab by Chad C. Mulligan 
--- Begin Message ---
SSCs,

This text is about things that had better not happen at an unfortunate
moment relative to another event; an example of so-called race conditions.

cheers,

teun
-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                                Index  :    S-97-06
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : ftpd race condition                         Date   :  29-Jan-97
===============================================================================

By courtesy of AUSCERT we received information on a vulnerability in
various implementations of the ftp daemon.

CERT-NL recommends checking the relevance of this advisory against the
ftp service software in use at your site.

==============================================================================
AA-97.03                        AUSCERT Advisory
                       ftpd Signal Handling Vulnerability
                                29 January 1997

Last Revised: --

 ---------------------------------------------------------------------------

AUSCERT has received information that there is a vulnerability in some
versions of ftpd distributed and installed under various Unix platforms.

This vulnerability may allow regular and anonymous ftp users to read or
write to arbitrary files with root privileges.

The vulnerabilities in ftpd affect various third party and vendor versions
of ftpd.  AUSCERT recommends that sites take the steps outlined in section
3 as soon as possible.

This advisory will be updated as more information becomes available.

 ---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information concerning a vulnerability in some
    vendor and third party versions of the Internet File Transfer Protocol
    server, ftpd(8).

    This vulnerability is caused by a signal handling routine increasing
    process privileges to root, while still continuing to catch other
    signals.  This introduces a race condition which may allow regular,
    as well as anonymous ftp, users to access files with root privileges.
    Depending on the configuration of the ftpd server, this may allow
    intruders to read or write to arbitrary files on the server.

    This attack requires an intruder to be able to make a network
    connection to a vulnerable ftpd server.

    Sites should be aware that the ftp services are often installed by
    default.  Sites can check whether they are allowing ftp services by
    checking, for example, /etc/inetd.conf:

 # grep -i '^ftp' /etc/inetd.conf

    Note that on some systems the inetd configuration file may have a
    different name or be in a different location.  Please consult your
    documentation if the configuration file is not found in
    /etc/inetd.conf.

    If your site is offering ftp services, you may be able to determine
    the version of ftpd by checking the notice when first connecting.

    The vulnerability status of specific vendor and third party ftpd
    servers can be found in Section 3.

    Information involving this vulnerability has been made publicly
    available.

2.  Impact

    Regular and anonymous users may be able to access arbitrary files with
    root privileges.  Depending on the configuration, this may allow
    anonymous, as well as regular, users to read or write to arbitrary
    files on the server with root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites prevent the possible exploitation of
    this vulnerability by immediately applying vendor patches if they are
    available.  Specific vendor information regarding this vulnerability
    is given in Section 3.1.

    If the ftpd supplied by your vendor is vulnerable and no patches are
    available, sites may wish to install a third party ftpd which does
    not contain the vulnerability described in this advisory (Section 3.2).

3.1 Vendor patches

    The following vendors have provided information concerning the
    vulnerability status of their ftpd distribution.  Detailed information
    has been appended in Appendix A.  If your vendor is not listed below,
    you should contact your vendor directly.

 Berkeley Software Design, Inc.
 Digital Equipment Corporation
 The FreeBSD Project
 Hewlett-Packard Corporation
 IBM Corporation
 The NetBSD Project
 The OpenBSD Project
 Red Hat Software

 Washington University ftpd (Academ beta version)
 Wietse Venema's logdaemon ftpd

3.2 Third party ftpd distributions

    AUSCERT has received information that the following third party ftpd
    distributions do not contain the signal handling vulnerability
    described in this advisory:

 wu-ftpd 2.4.2-beta-12
 logdaemon 5.6 ftpd

    Sites should ensure they are using the current version of this
    software.  Information on these distributions is contained in Appendix A.

    Sites should note that these third party ftpd distributions may offer
    functionality that differs from that of vendor versions of ftpd.
    AUSCERT advises sites to read the documentation provided with the above
    third party ftpd distributions before installing.

............................................................................

Appendix A

Berkeley Software Design, Inc. (BSDI)
=====================================

    BSD/OS 2.1 is vulnerable to the ftpd problem described in this
    advisory.  Patches have been issued and may be retrieved via the
    <patches@BSDI.COM> email server or from:

 ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-033


Digital Equipment Corporation
=============================

    At the time of writing this document, patches (binary kits) are in
    progress and final testing is expected to begin soon.  Digital will
    provide notice of the completion/availability of the kits through AES
    services (DIA, DSNlink FLASH); they will be available from your normal
    Digital Support channel.


The FreeBSD Project
===================

    The FreeBSD Project has informed AUSCERT that the vulnerability
    described in this advisory has been fixed in FreeBSD-current (from
    January 27, 1997), and will be fixed in the upcoming FreeBSD 2.2
    release.  All previous versions of FreeBSD are vulnerable.


Hewlett-Packard Corporation
===========================

    Hewlett-Packard has informed AUSCERT that the ftpd distributed with
    HP-UX 9.x and 10.x is vulnerable to this problem.  Patches are
    currently in process.


IBM Corporation
===============

    The version of ftpd shipped with AIX is vulnerable to the conditions
    described in the advisory.  The following APARs will be available
    shortly:

       AIX 3.2:  APAR IX65536
       AIX 4.1:  APAR IX65537
       AIX 4.2:  APAR IX65538

    To Order
    --------
      APARs may be ordered using Electronic Fix Distribution (via FixDist)
      or from the IBM Support Center.  For more information on FixDist,
      reference URL:

         http://service.software.ibm.com/aixsupport/

      or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


    IBM and AIX are registered trademarks of International Business Machines
    Corporation.


The NetBSD Project
===================

    All versions of NetBSD have the ftpd vulnerability described in this
    advisory.  It has since been fixed in NetBSD-current.  NetBSD has
    also made patches available; they can be retrieved from:

 ftp://ftp.netbsd.org/pub/NetBSD/misc/security/19970123-ftpd


The OpenBSD Project
===================

    OpenBSD 2.0 did have the vulnerability described in this advisory,
    but has since been fixed in OpenBSD 2.0-current (from January 5, 1997).


Red Hat Software
================

    The signal handling code in wu-ftpd has security problems which allow
    users to read all files on your system.  A new version of wu-ftpd is
    now available for Red Hat 4.0, which Red Hat suggests installing on
    all of your systems.  This new version uses the same fix posted to
    redhat-list@redhat.com by Savochkin Andrey Vladimirovich.  Users of
    Red Hat Linux versions earlier than 4.0 should upgrade to 4.0 and then
    apply all available security packages.

    Users whose computers have direct internet connections may apply
    this update by using one of the following commands:

    Intel:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/wu-ftpd-2.4.2b11-9.i386.rpm

    Alpha:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/wu-ftpd-2.4.2b11-9.axp.rpm

    SPARC:
    rpm -Uvh ftp://ftp.redhat.com/updates/4.0/sparc/wu-ftpd-2.4.2b11-9.sparc.rpm

    All of these packages have been signed with Red Hat's PGP key.


wu-ftpd Academ beta version
===========================

    The current version of wu-ftpd (Academ beta version), wu-ftpd
    2.4.2-beta-12, does not contain the vulnerability described in this
    advisory.  Sites using earlier versions should upgrade to the current
    version immediately.  At the time of writing, the current version can
    be retrieved from:

     ftp://ftp.academ.com/pub/wu-ftpd/private/


logdaemon Distribution
======================

    The current version of Wietse Venema's logdaemon (5.6) package contains
    an ftpd utility which addresses the vulnerability described in this
    advisory.  Sites using earlier versions of this package should
    upgrade immediately.  The current version of the logdaemon package
    can be retrieved from:

 ftp://ftp.win.tue.nl/pub/security/
 ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl/logdaemon/
 ftp://ftp.cert.dfn.de/pub/tools/net/logdaemon/

    The MD5 checksum for Version 5.6 of the logdaemon package is:

 MD5 (logdaemon-5.6.tar.gz) = 5068f4214024ae56d180548b96e9f368

 ---------------------------------------------------------------------------
AUSCERT thanks David Greenman, Wietse Venema (visiting IBM T.J. Watson
Research) and Stan Barber (Academ Consulting Services) for their contributions
in finding solutions to this vulnerability.  Thanks also to Dr Leigh Hume
(Macquarie University), CERT/CC, and DFNCERT for their assistance in this
matter.  AUSCERT also thanks those vendors that provided feedback and patch
information contained in this advisory.
 ---------------------------------------------------------------------------

==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
   Email:     cert-nl@surfnet.nl
   Phone:     +31 302 305 305
   Fax:       +31 302 305 329
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands
   A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
   members on request.
==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAgUBMu8c3EU5nQkWIq1FAQGLcAQAx99A80HW1f9mn99GmeuPMus4qogeF41b
2tRL1Xvm04K3jDC+4jXRe8cnZj274LKSzVR4MJyLNZGbWBqHfKEEquBQ8/wfOaxh
7M48BtVJDzy0TWotsZpz5F9/cpYHhIeh8bgIrcLjrluRjG59REZkoQw3xGLqYVXO
BLFgHfGh5BA=
=piHv
-----END PGP SIGNATURE-----


--- End Message ---
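The mechanism Section 1 of the forwarded advisory describes (a signal handler that raises the process to root while other signals remain deliverable, so a second handler can run with root's rights) reduced to a small runnable model. This is an added example, not code from the advisory, from AUSCERT, CERT-NL or any ftpd. The "privilege" is a flag rather than a real seteuid(0) call so the program runs unprivileged; the choice of SIGPIPE for the lost-connection handler and SIGURG for the handler that processes a client's out-of-band command is modelled on BSD-derived ftpds, the advisory itself names no signals; and the function and variable names are mine.

```c
/*
 * Added example (not from the advisory or any ftpd): a model of a
 * privileged, interruptible signal handler and of the sa_mask fix.
 * "privileged" stands in for the window between seteuid(0) and
 * seteuid(uid) in a real daemon, so nothing here needs root.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* 1 while the "logout" handler is inside its raised-privilege window. */
static volatile sig_atomic_t privileged = 0;

/* Set by the out-of-band handler: did it run while privileged?
 * -1 = not yet run, 0 = ran unprivileged, 1 = ran inside the window. */
static volatile sig_atomic_t oob_ran_privileged = -1;

/* Models the handler that processes a client's out-of-band command
 * (e.g. ABOR).  If it runs while the process is root, the client's
 * request is serviced with root's rights. */
static void oob_handler(int sig)
{
    (void)sig;
    oob_ran_privileged = privileged;
}

/* Models a cleanup handler that raises privileges, does its work and
 * drops them again.  raise(SIGURG) stands in for a client pushing
 * out-of-band data at exactly this moment. */
static void logout_handler(int sig)
{
    (void)sig;
    privileged = 1;      /* a real ftpd: seteuid(0) */
    raise(SIGURG);       /* client's OOB data arrives inside the window */
    privileged = 0;      /* a real ftpd: seteuid(pw->pw_uid) */
}

/* Install both handlers.  block_others == 0 leaves SIGURG deliverable
 * during logout_handler (the vulnerable shape the advisory describes);
 * block_others == 1 puts SIGURG in sa_mask so it stays pending until
 * logout_handler has returned and privileges are dropped. */
static void install(int block_others)
{
    struct sigaction urg, lo;
    memset(&urg, 0, sizeof urg);
    memset(&lo, 0, sizeof lo);

    urg.sa_handler = oob_handler;
    sigemptyset(&urg.sa_mask);
    sigaction(SIGURG, &urg, NULL);

    lo.sa_handler = logout_handler;
    sigemptyset(&lo.sa_mask);
    if (block_others)
        sigaddset(&lo.sa_mask, SIGURG);  /* or sigfillset(&lo.sa_mask) */
    sigaction(SIGPIPE, &lo, NULL);
}

/* Run one scenario.  Returns 1 if the OOB handler observed the
 * privileged window (the race is reachable), 0 if it ran only after
 * privileges had been dropped. */
int oob_sees_privilege(int block_others)
{
    oob_ran_privileged = -1;
    install(block_others);
    raise(SIGPIPE);      /* stands in for the peer dropping the connection */
    return oob_ran_privileged == 1;
}

int main(void)
{
    printf("handler with empty sa_mask: OOB handler ran privileged? %d\n",
           oob_sees_privilege(0));
    printf("handler blocking SIGURG:   OOB handler ran privileged? %d\n",
           oob_sees_privilege(1));
    return 0;
}
```

Blocking the other signals in sa_mask closes the window the advisory describes, but the more robust shape is for a handler to do nothing except set a volatile sig_atomic_t flag, and for the main loop to perform any work that needs root with the signal mask held (sigprocmask(SIG_BLOCK, ...) before seteuid(0), restore the mask only after privileges are dropped again). Then no code path that a remote client can trigger ever runs with elevated privileges.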