The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #352 [FTP holes in the head..] (1 message, 1291 bytes)


From: Eric S. Johnson <[email protected]>
To: phage
Date: Wed 19:28:49 07/12/1988 EST
Subject: FTP holes in the head..

The recent NIC scare (and MILnet gateway shutdown, so I understand)
were caused by the recently (slightly before The Worm) discovered
security bugs in the FTP daemon. I'll give a description of what these
bugs can do, but I don't feel like telling ya how to exploit them. (I've
yet to convince all the other Admins on campus here to upgrade to the
NEW berkeley ftpd, though I personally ported it to all the arch. on
campus.. :-(  thus again proving the biggest security hole is

1. The anonymous FTP bug.
	Most stock 4.2 and 4.3 derived systems have this bug. I've seen
	it on BSD 4.3, Gould's UTX 2.0U6, Sun's (3.X and 4.0), PC/RT's
	running BSD 4.3, and pyramid's. It allows anyone to gain root
	FTP access on any system which has anonymous FTP. Thankfully,
	most (if not all) of the systems I anonymous ftp to have fixed
	this bug. This bug (and the fix) was posted to comp.bugs.4bsd.ucb-fixes
	right before The Worm hit.

2. The SunOS 3.X FTP bug.
	Systems which have ftpd's derived from 4.2 BSD are vulnerable.
	This includes SunOS 3.2, 3.4 and 3.5. It may include other
	systems of 4.2 derivation. This bug will allow any user who
	could normally get access via FTP (with their regular login/password)
	to get root access via FTP. This bug is slightly less well known
	but a bit less dangerous, since you have to have a valid login to
	exploit it. I don't think anonymous ftp is vulnerable, but I won't
	swear to it.

The cure for both of these bugs is to get the new ftpd from
(among other places) and port it to your machine. This port is pretty simple,
and I can provide email help if you need it.

Until you replace your ftpd with the new one, DO NOT run any sort of
anonymous FTP. If you have a 4.2 derived system, you may want to disable
incoming FTP completely.

These bugs DO NOT seem to affect TWG/TCP or CMU/TCP-IP on vms systems.
(but again, I won't swear to it...)

I plan to send off details of these bugs to Andrew Burt's security mailing
list after I make it through the end-of-semester madness, but I imagine
someone already has..