NASIRC BULLETIN #94-12                                        April 6, 1994

            UNIX: Security Vulnerabilities in WU-Archive FTPD

===========================================================================
                                N A S I R C
          NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has learned of a two-fold vulnerability with respect to recent
versions of the Washington University Archive FTP daemon (wuarchive-ftpd).
Because of its enhanced access-control and logging features, many UNIX
sites within NASA run the wuarchive version of ftpd instead of the version
shipped with the operating system.

AFFECTED:  All UNIX systems running wuarchive-ftpd that have changed the
           "default" installation/configuration parameters.

DETAILS:   A security vulnerability has been discovered in version 2.1f,
           wherein if certain configuration options are chosen and enabled
           during the installation process, a remote user could gain
           access to a root shell, causing the complete compromise of the
           system. This vulnerability is present in earlier versions of
           2.1x also. Sites running the ftpd software with all of the
           DEFAULT configuration options chosen are *NOT VULNERABLE* to
           this particular security vulnerability.

           Before the original security vulnerability could be announced,
           the patched version (v2.2) developed to fix the problem was
           found to have been compromised at the primary Internet
           distribution site, and replaced with a version containing
           trojan horse code which, if installed, would also compromise a
           host by allowing hackers unauthorized root access. All copies
           of wuarchive-ftpd version 2.2 should thus be considered
           compromised.
FIX:       NASIRC strongly recommends that all sites running these or
           older versions of wuarchive-ftpd retrieve and install version
           2.3. If the new version cannot be installed in a timely manner,
           then the FTP daemon should be disabled, since this Trojan
           affects all systems that are running the wuarchive ftpd,
           whether or not the system provides anonymous ftp service.

           Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net,
           in the file /networking/ftp.wuarchive-ftpd/wu-ftpd-2.3.tar.Z,
           or directly from the NASIRC online archives via ftp to
           nasirc.nasa.gov. Retrieve the file
           /toolkits/UNIX/WUftpd/wu-ftpd-2.3.tar.Z

           Be sure to verify the checksum information to confirm that you
           have retrieved a valid copy. The correct checksum information
           is as follows:

                              BSD        SVR4
           Filename           Checksum   Checksum   MD5 Digital Signature
           -----------------  ---------  ---------  --------------------------------
           wu-ftpd-2.3.tar.Z  24416 181  30488 361  e58adc5ce0b6eae34f3f2389e9dc9197

           The MD5 Checksum can be generated by using the TRIPWIRE utility
           also found in the NASIRC online archives.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: The ARPA CERT for their coordination, and also
Bryan O'Connor and Chris Myers of Washington University in St. Louis,
and Neil Woods and Karl Strickland for working with CERT toward the
resolution of this problem.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                    1-800-7-NASIRC
    Fax:                      1-301-441-1853
    Internet Email:           nasirc@nasa.gov
    24 Hour/Emergency Pager:  1-800-759-7243/Pin:2023056
    STU III:                  1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp.
You will be required to enter your valid e-mail address as the "password".
Once on the system, you can access the following information:

    ~/bulletins    ! contains NASIRC bulletins
    ~/information  ! contains various informational files
    ~/toolkits     ! contains automated toolkit software

Please note that the NASIRC FTP server will only allow connections from
systems in the .nasa.gov domain and specific other NASA systems in other
domains; please contact NASIRC if you have any questions.

Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC Helpdesk
for more information or assistance with toolkits or security measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. You
can obtain a list of FIRST member organizations and their constituencies
by sending email to docserver@first.org with an empty "subject" line and a
message body containing the line "send first-contacts".
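The FIX section asks sites to compare a retrieved wu-ftpd-2.3.tar.Z against three published values: a BSD-style `sum` checksum with its 1024-byte block count, a System V-style `sum` checksum with its 512-byte block count, and an MD5 digest. The following Python script is an added example, not part of the bulletin and not wu-ftpd code, that computes all three the way the classic `sum` implementations do and reports which fields disagree with a reference table. `verify_release` and `tampering_demo` are hypothetical helpers written for this example; the `SAMPLE_RELEASE` bytes and the tampered copy are constructed here and stand in for a downloaded tarball, while `WU_FTPD_2_3_EXPECTED` is copied from the bulletin's table.

```python
import hashlib
import math
import sys
from typing import Dict, List, Tuple


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """BSD-style 'sum': 16-bit rotate-right-and-add checksum, 1K block count."""
    checksum = 0
    for byte in data:
        # rotate the running 16-bit value right by one bit, then add the byte
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, math.ceil(len(data) / 1024)


def sysv_sum(data: bytes) -> Tuple[int, int]:
    """System V-style 'sum': 32-bit byte total folded to 16 bits, 512-byte block count."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, math.ceil(len(data) / 512)


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the 'MD5 Digital Signature' column of the bulletin's table."""
    return hashlib.md5(data).hexdigest()


def verify_release(data: bytes, expected: Dict[str, object]) -> List[Tuple[str, object, object]]:
    """Compare a file's checksums against a reference table.

    expected holds 'bsd' and 'svr4' as (checksum, blocks) tuples and 'md5' as a
    hex string. Returns (field, expected, actual) for every mismatch; an empty
    list means the file matches on all three fields.
    """
    actual = {"bsd": bsd_sum(data), "svr4": sysv_sum(data), "md5": md5_hex(data)}
    return [(field, expected[field], actual[field])
            for field in ("bsd", "svr4", "md5") if expected[field] != actual[field]]


# Published values for wu-ftpd-2.3.tar.Z, copied from the bulletin's checksum table
WU_FTPD_2_3_EXPECTED = {
    "bsd": (24416, 181),
    "svr4": (30488, 361),
    "md5": "e58adc5ce0b6eae34f3f2389e9dc9197",
}

# Constructed stand-in for a downloaded tarball, with its own (constructed) reference values
SAMPLE_RELEASE = b"abc"
SAMPLE_EXPECTED = {"bsd": (16556, 1), "svr4": (294, 1), "md5": "900150983cd24fb0d6963f7d28e17f72"}


def tampering_demo() -> List[str]:
    """Append one NUL byte to the sample and return the fields that notice it.

    The SVR4 sum is a plain byte total, so a trailing zero byte leaves it
    unchanged; only the BSD sum and the MD5 digest catch this modification.
    """
    tampered = SAMPLE_RELEASE + b"\x00"
    return [field for field, _, _ in verify_release(tampered, SAMPLE_EXPECTED)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python3 verify_wuftpd.py wu-ftpd-2.3.tar.Z
        with open(sys.argv[1], "rb") as fh:
            mismatches = verify_release(fh.read(), WU_FTPD_2_3_EXPECTED)
    else:
        mismatches = verify_release(SAMPLE_RELEASE, SAMPLE_EXPECTED)
    for field, want, got in mismatches:
        print("MISMATCH %-4s expected %r got %r" % (field, want, got))
    print("OK: all checksums match" if not mismatches else "REJECT: do not install")
    print("fields that detect a trailing NUL byte:", tampering_demo())
```

Run with the downloaded tarball's path as the only argument; with no argument it checks the constructed sample and shows the tampering demonstration. The demo makes the practical point behind the bulletin's three-column table: the two 16-bit `sum` values are cheap to satisfy by construction, so a trojaned archive that matches them is entirely plausible, and it is the MD5 column that carries the weight of the check; a reference value fetched from the same site as the archive proves little, which is why the bulletin publishes the values out of band.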