-----BEGIN PGP SIGNED MESSAGE-----
		 NetBSD Security Advisory 2004-009

		 =================================
Topic:		ftpd root escalation
Version:	NetBSD-current:	source prior to Aug 10, 2004

		NetBSD 2.0 branch: source prior to Aug 15, 2004

		NetBSD 1.6.2:	affected

		NetBSD 1.6.1:	affected

		NetBSD 1.6:	affected

		NetBSD-1.5.3:	affected

		NetBSD-1.5.2:	affected

		NetBSD-1.5.1:	affected

		NetBSD-1.5:	affected

		pkgsrc:		net/lukemftpd all versions

		pkgsrc:		net/tnftpd prior to tnftpd-20040810
Severity:	Remote root for systems providing ftpd service
Fixed:		NetBSD-current:		Aug 10, 2004

		NetBSD-2.0 branch:      Aug 15, 2004 (2.0 will include the fix)

		NetBSD-1.6 branch:	Pullups not yet issued.

					 See Solutions section.

					 (1.6.3 will include the fix)

		NetBSD-1.5 branch:	Pullups not yet issued.

					  See Solutions section.

		pkgsrc  net/lukemftpd:  Update pkgsrc, this package was

					  renamed to tnftpd

			net/tnftpd:	tnftpd-20040810 corrects this issue
Abstract

========
A set of flaws in the ftpd source code can be used together to

achieve root access within an ftp session. With root file manipulation

ability, mechanisms to gain a shell are numerous, so this issue

should be considered a remote root situation.
ftpd is disabled by default in NetBSD since NetBSD-1.5.3, however

many users might have reason to provide this popular service.
Technical Details

=================
Przemyslaw Frasunek is going to release a detailed analysis very

shortly. A URL will be provided here when available.
Since this serious issue affects many users, we won't share information

in this version of the advisory, as it would ease development of

exploits.
Solutions and Workarounds

=========================
Confirm that the host in question is running ftpd, by checking the ftp

entries in /etc/inetd.conf. By default, the entries look like this:
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -ll

#ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -ll
If the comment character (#) has been removed from the start of the

lines, then ftp has been enabled on this host. Hosts not running ftpd

are not vulnerable, but ftpd should be updated to prevent future

exposure if ftpd is enabled at a later date.
If ftpd has been configured to run with the -r option, then your server

is not vulnerable. Adding -r may be an acceptable workaround for some

sites, until ftpd can be upgraded.
To determine if a host is running a vulnerable version of ftpd, compare

the version string in the login banner (if displayed).
Any version of lukemftpd,

any version of NetBSD-ftpd prior to 20040809, or

any version of tnftpd prior to 20040810 is vulnerable.
% ftp ftp.server.host

Connected to ftp.server.host.

220 ftp.server.host FTP server (tnftpd 20040810) ready.

                                ^^^^^^^^^^^^^^^

                                Patched ftp server.
* Workaround:	Disable ftpd

		As root, comment out the ftp lines in /etc/inetd.conf,

		and execute the following command to disable ftpd:
		% /etc/rc.d/inetd reload
		Even if you plan to update ftpd, it is worthwhile to

		disable ftpd until it is upgraded, in case you are

		distracted and do not complete the update in a timely

		fashion.
* Workaround:	Drop root privileges

		As root, add -r to the command line options for any

		ftp entry in /etc/inetd.conf. Then run:
		% /etc/rc.d/inetd reload
		This option may not be acceptable at all sites, since

		client compatibility issues are possible. See the

		ftpd manpage for more details about -r.
If all untrusted user accounts are listed in /etc/ftpchroot, then the

root file access gained will only be effective inside the chrooted

directory. This is not a guarantee against further privilege

escalation, especially in concert with social engineering.
If you have ftp servers that run in chrooted environments, make sure to

update ftpd binaries in chrooted copies of /usr/libexec or

/usr/pkg/libexec, and ensure that inetd.conf points to the correct

executable.
The following instructions describe how to upgrade your ftpd

binaries by updating your source tree and rebuilding and

installing a new version of ftpd.
* NetBSD-current:
	Systems running NetBSD-current dated from before 2004-08-09

	should be upgraded to NetBSD-current dated 2004-08-10 or later.
	The following directories need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		src/libexec/ftpd
	To update from CVS, re-build, and re-install ftpd:

		# cd src

		# cvs update -d -P src/libexec/ftpd

		# cd src/libexec/ftpd
		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 2.0_BETA:
	The binary distribution of NetBSD 2.0_BETA is vulnerable.
	Systems running NetBSD 2.0_BETA dated from before 2004-08-14

	should be upgraded to NetBSD 2.0_BETA dated 2004-08-15 or later.
	The following directories need to be updated from the

	netbsd-2-0 CVS branch:

		src/libexec/ftpd
	To update from CVS, re-build, and re-install ftpd:

		# cd src

		# cvs update -d -P src/libexec/ftpd

		# cd src/libexec/ftpd
		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

* NetBSD prior to 1.5:
	The binary distribution of NetBSD 1.6.2 and all prior releases

	are vulnerable.
	Pullups will be issued to the release branches of NetBSD-1-6,

	and NetBSD-1-5.
	Systems with these releases which need to run ftpd prior to

	those pullups should be updated from pkgsrc using

	net/tnftpd-20040810 or later.
	% rm /usr/libexec/ftpd

	% cd /usr/pkgsrc/net/tnftpd

	% cvs update -dP

	% make update
	Then modify the relevant lines in /etc/inetd.conf to refer to

	/usr/pkg/libexec/tnftpd instead of /usr/libexec/ftpd as follows:
#ftp	stream	tcp	nowait	root	/usr/pkg/libexec/tnftpd	ftpd -ll

#ftp	stream	tcp6	nowait	root	/usr/pkg/libexec/tnftpd	ftpd -ll
Thanks To

=========
Przemyslaw Frasunek for notification, analysis, and discussion
Luke Mewburn for patches
Revision History

================
	2004-08-17	Initial release

	2004-08-17	Clarify Workarounds
More Information

================
Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-009.tx...
Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2004-009.txt,v 1.4 2004/08/17 17:44:58 david Exp $
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.4 (NetBSD)
iQCVAwUBQSJESj5Ru2/4N2IFAQHu0wP/UK9mVCL/sD4g3z/RrV23BeUiLxycGpTd

AtC2lEQz7lan6a5ampNQdEOQHymkmQXrnU738fGEanDOKk3AUdvKLgonzV9VthIc

FECBZMCOgPbu/FDUiEMWqKrZy14Fu70po7u3aXX9qiSbk3Uyz1Em19O/ZOCvYlWB

JEAkaXmC1dg=

=DltV

-----END PGP SIGNATURE-----