__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Texas Imperial Software WFTPD 3.0Pro Vulnerability December 4, 2000 18:00 GMT Number L-024 ______________________________________________________________________________ PROBLEM: Administrator user control option is flawed and could allow root access, through a malformed command. PLATFORM: Texas Imperial Software WFTPD 3.0Pro - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 Pro - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 DAMAGE: A remote attacker could compromise the system if Winsock FTPd has been installed on the same partition/drive as root. SOLUTION: Apply the upgrades as specified. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. The vulnerability has been been publicly ASSESSMENT: announced. ______________________________________________________________________________ [****** Begin SecurityFocus Advisory ******] bugtraq id 2005 class Access Validation Error cve GENERIC-MAP-NOMATCH remote Yes local Yes published November 27, 2000 updated November 29, 2000 vulnerable Texas Imperial Software WFTPD 3.0Pro - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 Pro - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Texas Imperial Software WFTPD 2.41RC14 - Microsoft Windows 3.11WfW - Microsoft Windows 3.1 - Microsoft Windows 98 - Microsoft Windows 95 - Microsoft Windows NT 4.0 - Microsoft Windows NT 3.5 - Microsoft Windows NT 2000 Winsock FTPd is a popular FTP server from Texas Imperial Software. A vulnerability exists in Winsock FTPd that could allow an unauthorized user to browse the root directory of the drive where Winsock FTPd has been installed. During install, Winsock FTPd allows the administrator to "Restrict to home directory and below" effectively creating a chroot jail for users. Upon logging in, a user can pass a the server a malformed change directory request that will allow any user (including anonymous) to browse the root directory and possibly retrieve/write files to the root directory on which Winsock FTPd resides. Upon connecting to the Winsock FTPd server, a user could issue the command: cd ../../ This will normally result in the message "User is not allowed to ../../" and will be returned to their chroot jail directory. If the user issues the following command: cd /../.. they will not receive the "User is not allowed to" message and will change directory to root on the drive or partition where Winsock FTPd has been installed. If the administrator has installed Winsock FTPd on the same drive or partition that contains the operating system, a remote attacker could gain access to systems files, password files, etc. that could lead to a complete system compromise. The vendor has issued the following upgrades that fix this vulnerability: Texas Imperial Software WFTPD 3.0Pro: Texas Imperial Software upgrade protr300.zip http://www.wftpd.com/downloads/protr300.zip Texas Imperial Software WFTPD 2.41RC14 Pro: Texas Imperial Software upgrade 32wfd241.zip http://www.wftpd.com/downloads/32wfd241.zip Texas Imperial Software WFTPD 2.41RC14: Texas Imperial Software upgrade wftpd241.zip http://www.wftpd.com/downloads/wftpd241.zip credit This vulnerability was first reported to Bugtraq on November 27, 2000 by Interstellar Overdrive reference message: Vulnerability in Winsock FTPD 2.41/3.00 (Pro) (Interstellar Overdrive ) web page: Texas Imperial Software Downloads (Texas Imperial Software) < http://www.securityfocus.com/bid/2005 > disclaimer Privacy Statement Copyright © 1999-2000 SecurityFocus.com [****** End SecurityFocus Advisory ******] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of SecurityFocus for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-014: AIX Format String Vulnerability L-015: Tcpdump Remote Buffer Overflows L-016: Microsoft Netmon Protocol Parsing L-017: HP-UX dtterm misuse L-018: Microsoft "Web Server File Request Parsing" Vulnerability L-019: ISC BIND Vulnerabilities L-020:.Red Hat Linux modutils Vulnerability L-021: IBM AIX Locale and BIND Fixes L-022: Red Hat Linux Netscape HTML Buffer Overflow l-023: Microsoft Incomplete TCP/IP Packet Vulnerability