__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |      /_\   /
                          \___  __|__   /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                    FTPSERV.NLM Abend and Security fixes
                     [Novell Document ID TID2965109]

June 24, 2005 18:00 GMT                                           Number P-235
______________________________________________________________________________
PROBLEM:       Two security weaknesses for anonymous user access have been
               eliminated. For the protection of systems that may not yet be
               patched, these security problems will not be discussed in
               detail.

PLATFORM:      FTPSERV.NLM v10.31 in this download supersedes FTPSERV.NLM in
               NetWare 4 Support Pack 9, NetWare 5.0 Support Pack 6, and
               FTPSERVK.EXE. It was only officially tested on NetWare 4.2,
               because NetWare 4.11 and 5.0 were discontinued at the time this
               patch was made. Use of this file requires UNIX Print Services
               2.3x (2.31 comes with NW 4.2), NFS Services 2.3, or NFS
               Services 2.4.

DAMAGE:        These weaknesses could allow the anonymous user to access areas
               outside the anonymous home directory structure, in certain very
               specific circumstances.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is Low. For the protection of systems that may not yet
ASSESSMENT:    be patched, these security problems will not be discussed in
               detail. Please see the Novell bulletin.
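Neither the CIAC summary above nor the Novell text that follows includes FTPSERV.NLM source, so the C program below is an added example, not the vendor's fix. It demonstrates the two input-handling controls the bulletin's fixes imply: stripping embedded NUL bytes from a raw FTP command line before it is parsed, which is what the Novell issue section later in this bulletin says v10.31 does for the ABOR sequence sent by DOS-based Windows clients, and lexically confining a requested path to the anonymous root so that ".." components cannot reach outside the anonymous home directory, the class of weakness the DAMAGE line names (Novell does not disclose the specific weaknesses, and nothing here reproduces them). The function names (sanitize_cmd, parse_cmd, resolve_anon_path, the demo_* helpers), the virtual "/" root, and the sample inputs are this example's own constructions.

```c
/* Added example, not Novell's FTPSERV.NLM source: sanitize_cmd/parse_cmd strip NUL
 * bytes from a raw FTP command line before parsing it, and resolve_anon_path
 * confines a requested path to the anonymous root. All names are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 512

typedef struct {
    char verb[5];       /* FTP verbs are at most four letters (ABOR, RETR, ...) */
    char arg[CMD_MAX];  /* argument text, empty if none */
} ftp_cmd;

/* Copy one command line from the raw receive buffer into out, dropping every NUL
 * byte (the value DOS-based clients send with ABOR) and stopping at CR or LF. */
size_t sanitize_cmd(const unsigned char *raw, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < outsz; i++) {
        unsigned char c = raw[i];
        if (c == 0x00) continue;               /* the byte the abend fix removes */
        if (c == '\r' || c == '\n') break;     /* end of the command line */
        out[n++] = (char)c;
    }
    out[n] = '\0';                             /* always terminated, even if empty */
    return n;
}

/* Parse the sanitized line into an upper-cased verb and its argument.
 * Returns 1 on success, 0 for an empty line or a verb longer than 4 letters. */
int parse_cmd(const unsigned char *raw, size_t len, ftp_cmd *cmd)
{
    char line[CMD_MAX];
    size_t i = 0;
    memset(cmd, 0, sizeof *cmd);
    sanitize_cmd(raw, len, line, sizeof line);
    for (; i < 4 && line[i] != '\0' && line[i] != ' '; i++)
        cmd->verb[i] = (char)toupper((unsigned char)line[i]);
    if (i == 0 || (line[i] != '\0' && line[i] != ' ')) return 0;
    if (line[i] == ' ') snprintf(cmd->arg, sizeof cmd->arg, "%s", line + i + 1);
    return 1;
}

/* Resolve request (absolute, or relative to cwd) in a virtual tree whose root "/"
 * is the anonymous home directory; '/' and '\\' both separate components. Returns 1
 * with the canonical path in out, or 0 if the path would climb above the root or
 * holds an all-dot component beyond ".." (DOS parsers read "..." as "../.."). */
int resolve_anon_path(const char *cwd, const char *request, char *out, size_t outsz)
{
    char buf[1024];
    const char *p = buf;
    size_t used = 1;                               /* out always starts with "/" */
    if (request[0] == '/' || request[0] == '\\') snprintf(buf, sizeof buf, "%s", request);
    else snprintf(buf, sizeof buf, "%s/%s", cwd, request);
    if (outsz < 2) return 0;
    out[0] = '/';
    while (*p != '\0') {
        const char *start;
        size_t n, dots = 0;
        while (*p == '/' || *p == '\\') p++;       /* collapse repeated separators */
        if (*p == '\0') break;
        start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        n = (size_t)(p - start);
        for (size_t k = 0; k < n; k++) dots += (start[k] == '.');
        if (n == 1 && dots == 1) continue;         /* "." : stay put */
        if (n == 2 && dots == 2) {                 /* "..": up one, never past root */
            if (used == 1) return 0;
            while (out[--used] != '/') { }         /* drop the last component */
            if (used == 0) used = 1;
            continue;
        }
        if (dots == n || used + n + 2 > outsz) return 0;
        if (used > 1) out[used++] = '/';
        memcpy(out + used, start, n);
        used += n;
    }
    out[used] = '\0';
    return 1;
}

/* Constructed samples: a NUL-prefixed ABOR as the bulletin describes, a RETR whose
 * argument is confined under "/", and a request issued from "/pub". */
int demo_nul_abor(void)     /* 1 if the NUL-prefixed ABOR parses as verb ABOR */
{
    static const unsigned char raw[] = { 0x00, 'A', 'B', 'O', 'R', '\r', '\n' };
    ftp_cmd c;
    return parse_cmd(raw, sizeof raw, &c) && strcmp(c.verb, "ABOR") == 0 && c.arg[0] == '\0';
}
int demo_retr_chain(void)   /* 1 if "pub/../pub/README.TXT" resolves to /pub/README.TXT */
{
    static const unsigned char raw[] = "RETR pub/../pub/README.TXT\r\n";
    ftp_cmd c;
    char out[256];
    if (!parse_cmd(raw, sizeof raw - 1, &c) || strcmp(c.verb, "RETR") != 0) return 0;
    return resolve_anon_path("/", c.arg, out, sizeof out) && strcmp(out, "/pub/README.TXT") == 0;
}
int demo_path_blocked(const char *request) /* 1 if the request from "/pub" is refused */
{
    char out[256];
    return resolve_anon_path("/pub", request, out, sizeof out) == 0;
}
```

resolve_anon_path works on a virtual view rooted at "/", so a server maps the returned path onto the real anonymous directory afterwards and never hands the client's raw string to the file system. It also refuses components made only of dots beyond "..", because DOS-era path parsers treated "..." as two levels up; a LONG-namespace file legitimately named that way would be rejected, which is the conservative side for an anonymous account.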
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-235.shtml
 ORIGINAL BULLETIN:  http://support.novell.com/cgi-bin/search/searchtid.cgi?/2965109.htm
 CVE/CAN:
______________________________________________________________________________

[***** Start Novell Document ID TID2965109 *****]

Technical Information Document

FTPSERV.NLM Abend and Security fixes - TID2965109 (last modified 23JUN2005)

associated file

ftpservl.exe; 156855 bytes; Date/Time: 06-23-2005/11:04AM

abstract

FTPSERV.NLM v10.31 in this download supersedes FTPSERV.NLM in NetWare 4 Support Pack 9, NetWare 5.0 Support Pack 6, and FTPSERVK.EXE. It was only officially tested on NetWare 4.2, because NetWare 4.11 and 5.0 were discontinued at the time this patch was made. Use of this file requires UNIX Print Services 2.3x (2.31 comes with NW 4.2), NFS Services 2.3, or NFS Services 2.4.

This download was rebuilt on June 23, 2005, to change the status from beta to full release. Only this readme was altered.

installation

(1) Rename SYS:SYSTEM\FTPSERV.NLM to FTPSERV.OLD (or any name preferred).
(2) Rename SYS:SYSTEM\NLS\4\FTPSERV.MSG to FTPSERV.OLD (or any name preferred).
    (If either of the above rename commands fails, it may be necessary to flag the files Read-Write.)
(3) Copy the new FTPSERV.NLM to SYS:SYSTEM and the new FTPSERV.MSG to SYS:SYSTEM\NLS\4.
(4) If the FTP service was already running, and assuming no FTP sessions are active, go to the server console and UNLOAD FTPSERV.NLM. The new FTPSERV.NLM will automatically load again upon the next attempted FTP connection.
(5) If FTP service was not already running, it can be started with the following steps:
    a. Run UNISTART.NCF to launch the UNIX Print Services or NFS product.
    b. Load UNICON. Log in as admin.
    c. Select "Stop/Start Services".
    d.
       If FTP Server is not already on the list, press , highlight FTP Server, and press .

issue

FTPSERV.NLM v10.31 includes the same security fixes from v10.30, plus the addition of an abend fix:

- FTPSERV.NLM could experience a Page Fault abend when certain FTP clients attempt to abort an FTP operation. Windows DOS-based clients send an unexpected NULL (00h) value as part of their ABORT (ABOR) sequence. FTPSERV was not able to handle this. The pointer to the command in memory would become invalid, which sometimes would result in a Page Fault. FTPSERV.NLM has been modified to remove the NULL value before processing the command.

Other fixes, previously included in FTPSERV.NLM v10.30:

- Two security weaknesses for anonymous user access have been eliminated. For the protection of systems that may not yet be patched, these security problems will not be discussed in detail. These weaknesses could allow the anonymous user to access areas outside the anonymous home directory structure, in certain very specific circumstances.

- Fixed a problem which had been previously introduced in FTPSERV 10.19, whereby FTPSERV.NLM could stop functioning. The most common trigger for this failure was a user who attempted to GET a non-existent (or misspelled) file. After that, other FTP connections would fail and the following error would appear on the system console:

      CLib-4.11-005: Unable to open standard consoles new thread group. There may not be enough server memory, or server memory may be corrupted.

- Removed a previous fix involving the ability to rename files when the FTP session is using LONG namespace. The previous fix enabled the rename ability in LONG name space. However, the new filename did not take effect in any of the other name spaces (DOS, MAC, NFS). That fix was removed. To rename with FTPSERV.NLM, you must use DOS or NFS name space.

Sidenote: FTPSERV.NLM originally only supported DOS and NFS name space.
Support for LONG name space was added as an enhancement in FTPSERV.NLM 9.x, but numerous issues such as the renaming problem above were discovered. To completely fix the issues with FTPSERV.NLM and LONG namespace, FTP had to be redesigned. The fully redesigned FTP Server is part of NetWare 5.1 and NetWare 6.0.

Simply for reference, below are some noteworthy prior fixes (which already existed in the last NW 4 and NW 5.0 support packs):

- GET or PUT commands which make use of a full, remote server path might fail (e.g. PUT //SERVER2/VOL1/DIR1). These failures only occurred in FTP sessions defaulting to LONG namespace, and sometimes only between certain NetWare OS version combinations. These failures have been corrected.

- When using LONG name space, the FTP Server would not list files containing 3 or more dots in their names. FTPSERV.NLM will now display files with up to 9 dots in their names.

- During an ASCII type PUT operation, FTPSERV.NLM would strip out any bytes of hex 1A. This has been corrected.

- Various abend fixes were made, including a common abend in FTPSERV.NLM, code offset 10523h.

contents

Self-Extracting File Name: ftpservl.exe

Files Included        Size      Date         Time      Version  Checksum
\
  FTPSERV.MSG         17121     03-06-2003   06:52PM
  FTPSERV.NLM         152591    03-06-2003   06:53PM
  FTPSERVL.TXT        5731      06-23-2005   11:04AM

Document Title:               FTPSERV.NLM Abend and Security fixes
Document ID:                  2965109
Creation Date:                07MAR2003
Modified Date:                23JUN2005
Document Revision:            3
Novell Product Class:         Connectivity Products
Novell Product and Version:   UNIX Connectivity

Disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.
Consult your product manuals for complete trademark information.

[***** End Novell Document ID TID2965109 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Novell for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-226: Outlook Express Cumulative Update
P-227: Step-by-Step Interactive Training Vulnerability
P-228: ISA Server 2000 Cumulative Update
P-229: Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
P-230: Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
P-231: Security Vulnerability in the lpadmin(1M) Utility
P-232: VERITAS Security Updates
P-233: RealNetworks Security Update
P-234: RealPlayer SMIL File Vulnerability