-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2004-009
                 =================================

Topic:          ftpd root escalation

Version:        NetBSD-current:         source prior to Aug 10, 2004
                NetBSD 2.0 branch:      source prior to Aug 15, 2004
                NetBSD 1.6.2:           affected
                NetBSD 1.6.1:           affected
                NetBSD 1.6:             affected
                NetBSD-1.5.3:           affected
                NetBSD-1.5.2:           affected
                NetBSD-1.5.1:           affected
                NetBSD-1.5:             affected
                pkgsrc:                 net/lukemftpd all versions
                pkgsrc:                 net/tnftpd prior to tnftpd-20040810

Severity:       Remote root for systems providing ftpd service

Fixed:          NetBSD-current:         Aug 10, 2004
                NetBSD-2.0 branch:      Aug 15, 2004 (2.0 will include the fix)
                NetBSD-1.6 branch:      Aug 31, 2004 (1.6.3 will include the fix)
                NetBSD-1.5 branch:      Aug 27, 2004
                pkgsrc net/lukemftpd:   Update pkgsrc, this package was renamed to tnftpd
                net/tnftpd:             tnftpd-20040810 corrects this issue


Abstract
========

A set of flaws in the ftpd source code can be used together to achieve
root access within an ftp session.  With root file manipulation ability,
mechanisms to gain a shell are numerous, so this issue should be
considered a remote root situation.

ftpd is disabled by default in NetBSD since NetBSD-1.5.3, however many
users might have reason to provide this popular service.


Technical Details
=================

Przemyslaw Frasunek has provided a detailed analysis.

        http://www.frasunek.com/lukemftpd.txt

CVE: CAN-2004-0794


Solutions and Workarounds
=========================

Confirm that the host in question is running ftpd, by checking the ftp
entries in /etc/inetd.conf.  By default, the entries look like this:

        #ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -ll
        #ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -ll

If the comment character (#) has been removed from the start of the
lines, then ftp has been enabled on this host.  Hosts not running ftpd
are not vulnerable, but ftpd should be updated to prevent future exposure
if ftpd is enabled at a later date.
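The checks this section describes (active ftp entries in /etc/inetd.conf, whether they carry -r, and the ftpd version in the 220 login banner) can be scripted for a fleet audit. The following is an added example, not part of the NetBSD advisory; the inetd.conf and banner samples are constructed, and the version thresholds are the ones the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory): apply NetBSD-SA2004-009's checks to
# constructed inetd.conf text and login banners.

# Print ftp/ftp6 inetd.conf entries that are active (not commented out with '#').
# Reads inetd.conf text on stdin; prints nothing if ftpd is disabled.
active_ftp_entries() {
    grep -E '^[[:space:]]*ftp[[:space:]]+stream[[:space:]]+tcp6?[[:space:]]' || true
}

# Classify one active entry: "dropped" if ftpd runs with -r (not vulnerable per
# the advisory), "root" otherwise.  Fields: service proto wait user path argv0 opts...
entry_privilege() {
    opts=$(printf '%s\n' "$1" | awk '{ for (i = 7; i <= NF; i++) printf "%s ", $i }')
    case " $opts" in
        *" -r "*) echo dropped ;;
        *)        echo root ;;
    esac
}

# Classify a 220 banner by the advisory's rule: any lukemftpd, NetBSD-ftpd
# before 20040809, or tnftpd before 20040810 is vulnerable.
banner_status() {
    banner="$1"
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*ftpd \([0-9]\{8\}\).*/\1/p')
    case "$banner" in
        *lukemftpd*) echo vulnerable ;;
        *NetBSD-ftpd\ *)
            [ -n "$ver" ] && [ "$ver" -ge 20040809 ] && echo patched || echo vulnerable ;;
        *tnftpd\ *)
            [ -n "$ver" ] && [ "$ver" -ge 20040810 ] && echo patched || echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: one commented-out entry, one with -r, one running as root.
SAMPLE_INETD='#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll
ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll -r
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll'

# Report each active entry with its privilege classification.
audit_inetd() {
    printf '%s\n' "$1" | active_ftp_entries | while IFS= read -r line; do
        echo "$(entry_privilege "$line")  $line"
    done
}

audit_inetd "$SAMPLE_INETD"
```

On a live host, feed `/etc/inetd.conf` to active_ftp_entries and the first 220 line from an ftp session to banner_status.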
If ftpd has been configured to run with the -r option, then your server
is not vulnerable.  Adding -r may be an acceptable workaround for some
sites, until ftpd can be upgraded.

To determine if a host is running a vulnerable version of ftpd, compare
the version string in the login banner (if displayed).  Any version of
lukemftpd, any version of NetBSD-ftpd prior to 20040809, or any version
of tnftpd prior to 20040810 is vulnerable.

        % ftp ftp.server.host
        Connected to ftp.server.host.
        220 ftp.server.host FTP server (tnftpd 20040810) ready.
                                        ^^^^^^^^^^^^^^^ Patched ftp server.

* Workaround: Disable ftpd

  As root, comment out the ftp lines in /etc/inetd.conf, and execute the
  following command to disable ftpd:

        % /etc/rc.d/inetd reload

  Even if you plan to update ftpd, it is worthwhile to disable ftpd until
  it is upgraded, in case you are distracted and do not complete the
  update in a timely fashion.

* Workaround: Drop root privileges

  As root, add -r to the command line options for any ftp entry in
  /etc/inetd.conf.  Then run:

        % /etc/rc.d/inetd reload

  This option may not be acceptable at all sites, since client
  compatibility issues are possible.  See the ftpd manpage for more
  details about -r.

If all untrusted user accounts are listed in /etc/ftpchroot, then the
root file access gained will only be effective inside the chrooted
directory.  This is not a guarantee against further privilege escalation,
especially in concert with social engineering.

If you have ftp servers that run in chrooted environments, make sure to
update ftpd binaries in chrooted copies of /usr/libexec or
/usr/pkg/libexec, and ensure that inetd.conf points to the correct
executable.

The following instructions describe how to upgrade your ftpd binaries by
updating your source tree and rebuilding and installing a new version of
ftpd.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2004-08-09
        should be upgraded to NetBSD-current dated 2004-08-10 or later.
        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):

                libexec/ftpd

        To update from CVS, re-build, and re-install ftpd:

                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 2.0_BETA:

        The binary distribution of NetBSD 2.0_BETA is vulnerable.

        Systems running NetBSD 2.0_BETA dated from before 2004-08-14
        should be upgraded to NetBSD 2.0_BETA dated 2004-08-15 or later.

        The following directories need to be updated from the
        netbsd-2-0 CVS branch:

                libexec/ftpd

        To update from CVS, re-build, and re-install ftpd:

                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD-1-6:

        The binary distribution of NetBSD 1.6, 1.6.1 and 1.6.2 is
        vulnerable.

        Systems running NetBSD-1-6 dated from before 2004-08-30
        should be upgraded to NetBSD 2.0_BETA dated 2004-08-31 or later.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:

                libexec/ftpd

        To update from CVS, re-build, and re-install ftpd:

                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD-1-5:

        The binary distribution of NetBSD 1.5, 1.5.1, 1.5.2 and 1.5.3 is
        vulnerable.

        Systems running NetBSD-1-5 dated from before 2004-08-26
        should be upgraded to NetBSD 2.0_BETA dated 2004-08-27 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:

                libexec/ftpd

        To update from CVS, re-build, and re-install ftpd:

                # cd src
                # cvs update -d -P libexec/ftpd
                # cd libexec/ftpd
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* Optional upgrade from pkgsrc:
* NetBSD 1.6, 1.6.1, 1.6.2:
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
* NetBSD prior to 1.5:

        The binary distribution of NetBSD 1.6.2 and all prior releases
        are vulnerable.  Pullups will be issued to the release branches
        of NetBSD-1-6, and NetBSD-1-5.
        Systems with these releases which need to run ftpd prior to
        those pullups should be updated from pkgsrc using
        net/tnftpd-20040810 or later.

                % rm /usr/libexec/ftpd
                % cd /usr/pkgsrc/net/tnftpd
                % cvs update -dP
                % make update

        Then modify the relevant lines in /etc/inetd.conf to refer to
        /usr/pkg/libexec/tnftpd instead of /usr/libexec/ftpd as follows:

        #ftp    stream  tcp     nowait  root    /usr/pkg/libexec/tnftpd ftpd -ll
        #ftp    stream  tcp6    nowait  root    /usr/pkg/libexec/tnftpd ftpd -ll


Thanks To
=========

Przemyslaw Frasunek for notification, analysis, and discussion
Luke Mewburn for patches


Revision History
================

        2004-08-17      Initial release
        2004-08-17      Clarify Workarounds
        2004-08-17      Add Przemyslaw's analysis URL
        2004-08-18      Path correction from Gilbert Fernandes
        2004-08-19      Add CVE id
        2004-08-31      Note pullups to 1-5, 1-6.


More Information
================

Advisories may be updated as new information becomes available.  The most
recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-009.txt,v 1.8 2004/08/31 16:46:05 david Exp $