=============================================================================
SA-94.01                        SERT Advisory                    18-Apr-1994
                          ftpd configuration advice
-----------------------------------------------------------------------------

The Security Emergency Response Team has received information that certain
configurations for the Washington University ftpd may leave the system open
to compromise.  This vulnerability may also exist for other versions of ftp.

1. Description

   .  The vulnerability is not enabled by default.
   .  The default configuration must be changed to cause the vulnerability.
   .  You must explicitly enable the SITE EXEC facility with the modified
      configuration to cause the vulnerability.
   .  The vulnerability may exist even if you do not offer anonymous ftp
      services.
   .  The potential for the vulnerability is platform independent.
   .  Although this Advisory mentions the wu-ftpd specifically, the
      vulnerability may also be present in similar form in other versions
      of ftp.

   If you enable the SITE EXEC commands and allow files from ~ftp/bin,
   ~ftp/usr/bin, ~ftp/sbin, or similar directory configurations to be
   executed, then you may have the vulnerability.  If the pathname for
   SITE EXEC commands relative to ~ftp is a directory that contains system
   commands or includes a shell (e.g., ~ftp/bin -> /bin), then it is
   possible for local users to gain root access.  The exact directory
   configurations that cause the vulnerability depend on the platform and
   the local configuration.

   The rest of this Advisory is specifically targeted at the Washington
   University archive ftp daemon configuration (wu-ftpd), although the
   vulnerability may exist in other versions of ftp which use similar
   configurations for the SITE EXEC facility.

   In the configuration file src/pathnames.h, if you have modified the
   _PATH_EXECPATH definition from its default setting of "/bin/ftp-exec"
   to point to "/bin" or any other system directory containing executable
   images, then you may have the vulnerability.
   The documentation states that this directory is relative to ~ftp.  This
   is misleading.  The pathname is relative to ~ftp for anonymous users
   only, and is relative to "/" for normal user sessions.  Some ftp service
   administrators change their configuration to "/bin" to allow commands
   such as "/bin/ls" to be executed.

   For this example we assume that _PATH_EXECPATH has been changed to point
   to "/bin" on a SunOS 4.x system.  To test your configuration to see if
   you are vulnerable, log in as a normal (non-anonymous) user and execute
   the following commands:

      srchost> ftp ftphost
      Connected to ftphost
      220 ftphost FTP server (Version wu-2.4(2) Mon Apr 18 09:12:35 GMT+1000 1994) ready.
      Name (srchost:user):
      331 Password required for user.
      Password:
      230 User user logged in.
      ftp> quote site exec echo problem
      200-echo problem
      200-problem
      200 (end of 'echo problem')
      ftp> quit
      221 Goodbye.
      srchost>

   If you receive the line "200-problem", then your site is vulnerable: the
   daemon has located and run echo from the real /bin on behalf of a normal
   user.  Note that this test does not work for anonymous ftp access, since
   for an anonymous session the same path is resolved under ~ftp.

   If you have the vulnerability and you are unsure how to rectify it
   immediately, you should disable your ftp daemon until the configuration
   can be corrected.

2. Impact

   Anyone who has a local account on the system offering ftp services with
   the vulnerable configuration may gain root access.  Support for
   anonymous ftp access is not required to exploit this vulnerability.

3. Solution

   Ensure that you do not allow files stored in standard system directories
   to be executed by the SITE EXEC command.
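   The following shell script is an added example; it is not part of this
   Advisory or of the wu-ftpd distribution.  It models the two ways wu-ftpd
   resolves _PATH_EXECPATH that the Description relies on (appended to
   ~ftp for an anonymous session, taken from "/" for a normal user
   session), and reports whether either resolved directory contains a
   shell.  The scratch root it builds, the ~ftp location (/home/ftp), the
   list of shell names it looks for and the check itself are assumptions
   made for the example.

```sh
#!/bin/sh
# Added example (not from the SERT advisory or wu-ftpd): audit a
# _PATH_EXECPATH setting offline, in a constructed scratch root.  The
# compiled-in path is resolved under ~ftp for anonymous sessions but under
# "/" for normal-user sessions, so both directories must be inspected.
#
# Assumptions (not stated by the advisory): the scratch layout, the ~ftp
# location passed by the caller, and the list of shell names below.

set -u

# Interpreters that must never be reachable via SITE EXEC: any of them
# turns "site exec" into arbitrary command execution.  Assumed list.
SHELLS="sh csh ksh bash tcsh zsh perl"

# resolve_execpath ROOT FTPHOME EXECPATH ANON
#   Print the directory the daemon would search for SITE EXEC commands.
#   ANON=1 models an anonymous (chrooted) session: EXECPATH is under ~ftp.
#   ANON=0 models a normal-user session: EXECPATH is taken from "/".
#   ROOT prefixes everything so the check can run against a scratch tree;
#   pass "" to audit the real filesystem.
resolve_execpath() {
    root=$1; ftphome=$2; execpath=$3; anon=$4
    if [ "$anon" = 1 ]; then
        printf '%s\n' "$root$ftphome$execpath"
    else
        printf '%s\n' "$root$execpath"
    fi
}

# dir_has_shell DIR
#   Succeed if DIR contains any of the names in SHELLS.
dir_has_shell() {
    dir=$1
    for s in $SHELLS; do
        [ -e "$dir/$s" ] && return 0
    done
    return 1
}

# audit_execpath ROOT FTPHOME EXECPATH
#   Print "vulnerable" if either resolved directory holds a shell, else
#   "ok"; details go to stderr.  Exit status is 0 only for "ok".
audit_execpath() {
    root=$1; ftphome=$2; execpath=$3
    verdict=ok
    for anon in 1 0; do
        d=$(resolve_execpath "$root" "$ftphome" "$execpath" "$anon")
        if [ -d "$d" ] && dir_has_shell "$d"; then
            verdict=vulnerable
            if [ "$anon" = 1 ]; then who=anonymous; else who=normal-user; fi
            echo "  $who sessions resolve to $d, which contains a shell" >&2
        fi
    done
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# build_scratch_root
#   Construct a SunOS-style tree: a real /bin with sh, csh and ls, an ftp
#   home with its own bin/ls, a ~ftp/bin/ftp-exec holding only ls, and the
#   /bin/ftp-exec -> ~ftp/bin/ftp-exec link the advisory's solution uses.
#   Files are empty placeholders; only their names matter for the audit.
build_scratch_root() {
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/bin" "$root/home/ftp/bin/ftp-exec"
    : > "$root/bin/sh"; : > "$root/bin/csh"; : > "$root/bin/ls"
    : > "$root/home/ftp/bin/ls"
    : > "$root/home/ftp/bin/ftp-exec/ls"
    ln -s "$root/home/ftp/bin/ftp-exec" "$root/bin/ftp-exec"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree: the "/bin" setting from the
# advisory's example versus the default "/bin/ftp-exec".
SCRATCH=$(build_scratch_root)
echo "_PATH_EXECPATH=/bin:          $(audit_execpath "$SCRATCH" /home/ftp /bin)"
echo "_PATH_EXECPATH=/bin/ftp-exec: $(audit_execpath "$SCRATCH" /home/ftp /bin/ftp-exec)"
rm -rf "$SCRATCH"
```

   With _PATH_EXECPATH set to "/bin" the anonymous resolution (~ftp/bin)
   holds only ls and passes, while the normal-user resolution (/bin) holds
   sh and fails, which is exactly why the advisory's test session succeeds
   only for a non-anonymous login.  To audit a live system, call
   audit_execpath with an empty ROOT, the real ~ftp, and the value compiled
   into your pathnames.h.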
   If you wish to enable the SITE EXEC facility, then you should create a
   configuration similar to the following:

   a) Ensure that the _PATH_EXECPATH definition in pathnames.h is
      "/bin/ftp-exec" and not "/bin" or any other system directory
      containing a shell.

   b) Create ~ftp/bin/ftp-exec.

   c) Copy the statically linked binaries that you want available for
      execution by SITE EXEC into the ~ftp/bin/ftp-exec directory.

   d) If you want the DIR ftp command, you will need a hard link from
      ~ftp/bin/ls to ~ftp/bin/ftp-exec/ls or a copy of ls in ~ftp/bin.

      This much enables SITE EXEC commands for anonymous users only.

   e) If you want SITE EXEC facilities to be available to normal ftp users,
      create a symbolic link from /bin/ftp-exec to ~ftp/bin/ftp-exec.

   You should follow file ownership, group membership and permissions
   strictly according to your documentation.

   SERT recommends that you stay with the default configuration of wu-ftpd
   for the SITE EXEC facility.

   The INSTALL documentation indicates (by **) that the _PATH_EXECPATH is
   relative to ~ftp.  This is misleading and only correct for anonymous ftp
   access.  The path is relative to "/" for normal user access.

-----------------------------------------------------------------------------
The SERT team wishes to thank Jeff Aitken of Virginia Tech and Rob McMillan
from Griffith University for their advice and cooperation in this matter.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

   Internet Email:  sert@sert.edu.au
   Facsimile:       (07) 365 4477
   SERT Hotline:    (07) 365 4417
                    SERT personnel answer during business hours
                    (AEST - GMT+10:00).
                    (On call after hours for emergencies).

   Security Emergency Response Team
   c/- Prentice Centre
   The University of Queensland
   Qld.  4072.
   Australia.