The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #196 [yet another ftpd hole (on Suns)] (1 message, 1131 bytes)


From: Pete Cottrell <[email protected]>
To: phage
Date: Mon 16:22:45 07/11/1988 EST
Subject: yet another ftpd hole (on Suns)

	We just discovered this on our machines, running SunOS 3.2. I'm
sending it here because I figure we might as well get the word out to
as many of the right people as possible. The hole doesn't exist in the
Berkeley version posted last week, so if you replaced your Sun version
with the Berkeley one, you should be fine. But if you only patched
your Sun version with the Berkeley fix, you are still vulnerable to this.

Subject: Security hole in Sun FTP
Index:	/usr/src/usr.etc/ftpcmds.y SunOS 3.2

	The ftpd daemon in SunOS has a security hole in it, unrelated to
	the one involving anonymous login that Berkeley posted a fix for.
	In this one, once you log in to a machine as yourself, you can
	become anyone else (including root) on that machine and write files
	anywhere you like. This bug exists in SunOS 3.0, 3.2 and I'm told
	that it exists in 3.4; I have no idea if it is in further releases.
	You need to be able to log in first, to set a logged_in flag, so
	sites with this hole might not be vulnerable to a net attack, but
	I haven't checked this out for sure.


	Haven't we had enough problems lately? Believe me, it's there.

	For sites lacking source, install the version Berkeley sent out.
	For sites with source, here is a context diff:

[ballast 21] rcsdiff -c3 -r1.2 ftpcmd.y
RCS file: RCS/ftpcmd.y,v
retrieving revision 1.2
diff -c3 -r1.2 ftpcmd.y
*** /tmp/,RCSt1a02935   Mon Nov  7 14:22:49 1988
--- ftpcmd.y    Sun Nov  6 21:25:58 1988
*** 69,78 ****
--- 69,79 ----
                = {
                        extern struct passwd *sgetpwnam();
+                       logged_in = 0;
                        if (strcmp($3, "ftp") == 0 ||
                          strcmp($3, "anonymous") == 0) {
                                if ((pw = sgetpwnam("ftp")) != NULL) {
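Review bot: clearing `logged_in = 0;` at the top of the USER action is the right point for the fix described above (a USER command issued after a successful login must not inherit the earlier session's logged-in state), but the hunk is cut off on this page after the `ftp`/`anonymous` branch, so whether `pw` and any other per-session state set by the previous login are reset on the same path in the rest of the 69-79 region cannot be checked here. Minor documentation point: the Index line above names `ftpcmds.y` while the diff header and RCS file name `ftpcmd.y`; the two should agree so sites with source apply the patch to the right file.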