-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-027 ================================= Topic: ftpd STAT output non-conformance can deceive firewall devices Version: NetBSD-current: source prior to Oct 26, 2002 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected Severity: Malicious parties can corrupt state tables in intermediate firewall devices and trick them into making unexpected TCP connections. Fixed: NetBSD-current: Oct 26, 2002 NetBSD-1.6 branch: Nov 2, 2002 NetBSD-1.5 branch: Oct 26, 2002 Abstract ======== NetBSD's ftpd responds to the STAT command in a way that is not standards conformant, when a filename that contains "\n[0-9]" is specified. This could be used by a malicious party to corrupt state tables in firewall devices between an FTP client and a NetBSD FTP server. Technical Details ================= According to RFC959 (page 36), if a non-response digit appears in an FTP control stream, it must be escaped by inserting a space before it. NetBSD's ftpd did not obey this requirement. See also: http://www.kb.cert.org/vuls/id/328867 Solutions and Workarounds ========================= Upgrading libexec/ftpd is required to eliminate this problem. The following instructions describe how to upgrade your ftpd binaries by updating your source tree and rebuilding and installing a new version of ftpd. * NetBSD-current: Systems running NetBSD-current dated from before 2002-10-26 should be upgraded to NetBSD-current dated 2002-10-26 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): libexec/ftpd To update from CVS, re-build, and re-install ftpd: # cd src # cvs update -d -P libexec/ftpd # cd libexec/ftpd # make cleandir dependall # make install * NetBSD 1.6: Systems running NetBSD 1.6 sources dated from before 2002-11-02 should be upgraded from NetBSD 1.6.* sources dated 2002-11-02 or later. The following directories need to be updated from the netbsd-1-6 CVS branch: libexec/ftpd To update from CVS, re-build, and re-install ftpd: # cd src # cvs update -d -P -r netbsd-1-6 libexec/ftpd # cd libexec/ftpd # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2002-10-26 should be upgraded from NetBSD 1.5.* sources dated 2002-10-26 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: libexec/ftpd To update from CVS, re-build, and re-install ftpd: # cd src # cvs update -d -P -r netbsd-1-5 libexec/ftpd # cd libexec/ftpd # make cleandir dependall # make install Thanks To ========= Internet Initiative Japan Inc. Revision History ============== 2002-11-20 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-027.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-027.txt,v 1.6 2002/11/19 16:43:05 david Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPdpxej5Ru2/4N2IFAQF2nQP9FueZtoqqmDq4BGBVXrkB22cPMYCYQnbd NlOe0jQnos8rTv+UqW4PDix7AX5qrbPQCXonNqbbKe2ZRzMZx69zHm/yfImMF72D QPrlq3rlN7bQSyrlrt9e3D4IHPY9NqU1HFxnqYKE64JO+vM88YfNAqCivqP3Gokb c7xwGPxmBo4= =OlD7 -----END PGP SIGNATURE-----