
Buffer Overflows FTP Servers



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                    Buffer Overflows in Various FTP Servers

February 16, 1999 19:00 GMT                                       Number J-029
PROBLEM:       Vulnerabilities have been identified in various FTP servers.
PLATFORM:      Any server running ProFTPD (1.2.0pre1) or Wuarchive ftpd
DAMAGE:        If exploited, a buffer overflow may occur which can lead to a
               root compromise.
SOLUTION:      Check below to see if there are patches, updates, or workarounds
               from your software vendor.
VULNERABILITY  The risk is high since the buffer overflow condition can lead
ASSESSMENT:    to root compromise.

[  Start Netect, Inc. Advisory  ]

Netect, Inc.
General Public Security Advisory

% Advisory: palmetto.ftpd
% Issue date: February 9, 1999
% Contact: Jordan Ritter
% Revision: February 11, 1999
  % Update: Appendices A and B corrected.


Remote buffer overflows in various FTP servers leads to potential root

[Affected Systems]

Any server running the latest version of ProFTPD (1.2.0pre1) or the
latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]).  wu-ftpd is
installed and enabled by default on most Linux variants such as RedHat
and Slackware Linux.  ProFTPD is new software recently adopted by many
major internet companies for its improved performance and reliability.

Investigation of this vulnerability is ongoing; the below lists
software and operating systems for which Netect has definitive


Software that implements FTP is called an "ftp server", "ftp daemon",
or "ftpd".  On most vulnerable systems, the ftpd software is enabled
and installed by default.

There is a general class of vulnerability that exists in several
popular ftp servers.  Due to insufficient bounds checking, it is
possible to subvert an ftp server by corrupting its internal stack
space.  By supplying carefully designed commands to the ftp server,
intruders can force the server to execute arbitrary commands with
root privilege.

On most vulnerable systems, the ftpd software is installed and enabled
by default.


Intruders who are able to exploit this vulnerability can ultimately
gain interactive access to the remote ftp server with root privilege.


Currently there are several ways to exploit the ftp servers in
question.  One temporary workaround against an anonymous attack is to
disable any world writable directories the user may have access to by
making them read only.  This will prevent an attacker from building an
unusually large path, which is required in order to execute these
particular attacks.
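
The workaround above, as an added shell example that is not part of the
Netect advisory or the CIAC bulletin: it lists world-writable directories
under an anonymous FTP root, clears the world-write bit on them, and reports
directories with unusually long paths.  The temporary tree and the
200-character threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example. The tree layout and the 200-character threshold are
# constructed for the demo; point the functions at the real anonymous root.

# Directories under $1 that any user (including anonymous FTP) can write to.
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Apply the workaround: clear the world-write bit on those directories.
lock_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -exec chmod o-w {} +
}

# Directories whose full path is longer than $2 characters (default 200).
# Very long nested paths in an upload area are worth investigating.
list_long_paths() {
    find "$1" -xdev -type d -print | awk -v max="${2:-200}" 'length($0) > max'
}

# Demo on a constructed tree in a temporary directory.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pub" "$root/incoming"
    chmod 755 "$root/pub"
    chmod 777 "$root/incoming"
    # Three nested 100-character directory names under the upload area.
    seg=$(awk 'BEGIN { while (i++ < 100) printf "A" }')
    mkdir -p "$root/incoming/$seg/$seg/$seg"

    echo "world-writable before:"; list_world_writable_dirs "$root"
    echo "long paths:";            list_long_paths "$root" 200
    lock_world_writable_dirs "$root"
    echo "world-writable after:";  list_world_writable_dirs "$root"
    rm -rf "$root"
}
demo
```

Clearing the world-write bit also stops legitimate anonymous uploads into
those directories until the vendor patch is installed.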

The permanent solution is to install a patch from your Vendor, or
locate one provided by the Software's author or maintainer.  See
Appendices A and B for more specific information.

Netect strongly encourages immediate upgrade and/or patching where

Netect provides a strong software solution for the automatic detection
and removal of security vulnerabilities.  Current HackerShield
customers can protect themselves from this vulnerability by either
visiting the Netect website and downloading the latest RapidFire(tm)
update, or by enabling automatic RapidFire(tm) updates (no user
intervention required).

Interested in protecting your network today?  Visit the Netect website
at and download a FREE 30 day copy of
HackerShield, complete with all the latest RapidFire(tm) updates to
safeguard your network from hackers.

[Appendix A, Software Information]


% ProFTPD

  Current version: 1.2.0pre1, released October 19, 1998.
  All versions prior to 1.2.0pre1: vulnerable.
  Fix: will be incorporated into 1.2.0pre2.

  Currently recommended action: upgrade to the new version when it
    becomes available, or apply the version 1.2.0pre1 patch found at:

% wu-ftpd

  Current version: 2.4.2 (beta 18), unknown release date.
  All versions through 2.4.2 (beta 18): vulnerability dependent upon
    target platform, probably vulnerable either due to OS-provided
    runtime vulnerability or through use of replacement code supplied
    with the source kit.  No patches have been made available.
  Fix: unknown.

  Currently recommended action: Upgrade to wu-ftpd VR series.

  % wu-ftpd VR series

    Current version: 2.4.2 (beta 18) VR13, released January 28, 1999.
    All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
    Fix: incorporated into VR10, released November 1, 1998.

    Available from:

% BeroFTPD [NOT vulnerable]

  Current version: 1.3.3, released February 7, 1999.
  All versions prior to 1.2.0: vulnerable.
  Fix: incorporated into 1.2.0, released October 26, 1998.

  Available from:

% NcFTPd [NOT vulnerable]

  Current version: 2.4.0, released February 6, 1999.
  All versions prior to 2.3.4: unknown.

  Available from:


    % NcFTPd 2.3.4 (libc5) ftp server has a remotely exploitable bug
       that results in the loss of the server's ability to log

    % This bug cannot be exploited to gain unintended or privileged
       access to a system running the NcFTPd 2.3.4 (libc5) ftp
       server, as tested.

    % The bug was reproducible only on a libc5 Linux system.  The
       Linux glibc version of NcFTPd 2.3.4 ftp server is NOT

    % The bug does not appear to be present in version NcFTPd 2.3.5 or
       later.  Affected users may upgrade free of charge to the latest

Thanks go to Gregory Lundberg for providing the information regarding
wu-ftpd and BeroFTPD.

[Appendix B, Vendors]

% RedHat Software, Inc.

  % RedHat      Version 5.2 and previous versions ARE vulnerable.

  Updates will be available from:

% Walnut Creek CDROM and Patrick Volkerding

  % Slackware   All versions ARE vulnerable.

  Updates will be available from:
      tcpip1.tgz (3.6)     [971a5f57bec8894364c1e0d358ffbfd4]
      tcpip1.tgz (current) [e1e9a9a50ad65bab1e120a7bf60f6011]


    % The md5 checksums are current for the above mentioned Revision
     date only.

% Caldera Systems, Inc.

  % OpenLinux   Latest version IS vulnerable

  Updates will be available from:


% SCO

  % UnixWare    Version 7.0.1 and earlier (except 2.1.x) IS vulnerable.
  % OpenServer  Versions 5.0.5 and earlier ARE vulnerable.
  % CMW+                  Version 3.0 is NOT vulnerable.
  % Open Desktop/Server   Version 3.0 is NOT vulnerable.

  Binary versions of ftpd will be available shortly from the SCO ftp
  site: - cover letter - replacement binaries


   This fix is a binary for the following SCO operating systems:

      % SCO UnixWare 7.0.1 and earlier releases (not UnixWare 2.1.x)
      % SCO OpenServer 5.0.5 and earlier releases

   For the latest security bulletins and patches for SCO products,
   please refer to

% IBM Corporation

  % AIX         Versions 4.1.x, 4.2.x, and 4.3.x ARE NOT vulnerable.

% Hewlett-Packard

  % HPUX        Versions 10.x and 11.x ARE NOT vulnerable.

  HP is continuing their investigation.

% Sun Microsystems, Inc.

  % SunOS       All versions ARE NOT vulnerable.
  % Solaris     All versions ARE NOT vulnerable.

% Microsoft, Inc.

  % IIS         Versions 3.0 and 4.0 ARE NOT vulnerable.

% Compaq Computer Corporation

  % Digital UNIX                V40b - V40e ARE NOT vulnerable.
  % TCP/IP(UCX) for OpenVMS     V4.1, V4.2, V5.0 ARE NOT vulnerable.

% Silicon Graphics, Inc. (SGI)

  % IRIX and Unicos

     Currently, Silicon Graphics, Inc. is investigating and no further
     information is available for public release at this time.

     As further information becomes available, additional advisories
     will be issued via the normal SGI security information distribution
     method including the wiretap mailing list.

     Silicon Graphics Security Headquarters

% NetBSD

  % NetBSD      All versions ARE NOT vulnerable.

[Appendix C, Netect Contact Information]

Copyright (c) 1999 by Netect, Inc.

The information contained herein is the property of Netect, Inc.

The contact for this advisory is Jordan Ritter.  PGP
signed/encrypted email is preferred.

Visit for more information.

[  End Netect, Inc. Advisory  ]

CIAC wishes to acknowledge the contributions of Netect, Inc. for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:
                        (or -- they're the same machine)
   Anonymous FTP:
                        (or -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to or
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-019: Intelligent Peripherals Create Security Risk
J-020: SGI IRIX fcagent daemon Vulnerability
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
J-024: Windows NT Remote Explorer
J-025: W97M.Footprint Macro Virus Detected
J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix  Vulnerabilities ( at , inc  )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
