Package: wu-ftpd
Version: 2.4-23

I don't know the exploit, but tar in the anon ftp area is the same as the normal one, so I think Debian systems may have this problem too. Two messages from the linux-security list (the second one includes a patch for tar - only for anon ftp, not for the normal one!) are attached below.
Marek 
From: Elliot Lee <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [linux-security] [linux-alert] SECURITY FIX/UPDATE: anonftp
Date: Mon, 19 Aug 1996 18:57:03 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

There is a security hole in the anonftp package included with all versions of Red Hat Linux that allows an anonymous FTP user to execute arbitrary commands in the chroot FTP environment. Due to some options in GNU tar that are enabled by default, any program that exists (or can be uploaded to) an FTP server can be run. Severity is limited due to the chroot environment, but the problem still needs to be addressed.

Updates are available on ftp.redhat.com now. If you are using a version prior to 3.0.3, an upgrade is recommended to solve other security holes.

If you are using 3.0.3 on the Intel, get
ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/i386/updates/RPMS/anonftp-2.0-2.i386.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.3 on the Alpha, get
ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/axp/updates/RPMS/anonftp-2.0-2.axp.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.4 (Rembrandt BETA) on the Intel, get
ftp://ftp.redhat.com/pub/redhat/rembrandt/i386/updates/RPMS/anonftp-2.2-2.i386.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.4 (Rembrandt BETA) on the Sparc, get
ftp://ftp.redhat.com/pub/redhat/rembrandt/sparc/updates/RPMS/anonftp-2.2-2.sparc.rpm
and install it using 'rpm -Uvh [filename]'

All packages are PGP signed. Source packages are available in the usual locations.

MD5 checksums:
ea1798199eb426695c6d4c2ad4106422  anonftp-2.0-2.axp.rpm
764ee004e25c3e278290820dbd58cc58  anonftp-2.0-2.i386.rpm
cb0b1905ab8d389d64677519913346a5  anonftp-2.0-2.src.rpm
c14af78ec7d5083b54e61f973ca7c6fb  anonftp-2.2-2.i386.rpm
760cb3d5bb37c618f1b84f1aa0f5ea53  anonftp-2.2-2.sparc.rpm
a2f3fb6e06fca1485e3f11e5e04f83d8  anonftp-2.2-2.src.rpm

Thanks to Alan Cox for finding this problem.
- --
Elliot Lee <[EMAIL PROTECTED]> Red Hat Software, http://www.redhat.com/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMhjxQiaSlK8942+NAQEngAQAgQDpcY4zYyvegaYQrAx1pW9w2IEeHqE5
yyeRre2rUsWBKVjizDttz+JO130+/2cZjjG0bpDzKeZidkENZGkHzlIP+lQLDAuG
jZ8rBqAdaEXmRUwZJzjwmEfBM218Z/W+fSrPj/w0CMqCn1THwJN4Vu6xaZ8TkxGf
2cI2lMO7XkQ=
=qu3w
-----END PGP SIGNATURE-----

Date: Wed, 21 Aug 1996 10:05:52 -0400 (EDT)
From: Elliot Lee <[EMAIL PROTECTED]>
To: Roscinante <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: [linux-security] Re: Anon ftp pkg?

On Wed, 21 Aug 1996, Roscinante wrote:

> Does the updated anonftp pkg have a fixed version of tar?

Yes, that's all that changed :-)

> I've been trying all night to get rpm working on my slack system, am I
> wasting my time (someone told me all that's in the updated anonftp pkg is
> a config script)?

No.

> Are there options in tar that should be disabled at compile time?
> What options are exploitable? Please cc me directly.

I have attached a patch to tar that you can compile tar with to fix it.

Hope this helps,
--==== Elliot Lee = <[EMAIL PROTECTED]> == Red Hat Software ====--
"Usenet is like a herd of performing elephants with diarrhea; massive, difficult to redirect, awe-inspiring, entertaining, and a source of mind-boggling amounts of excrement when you least expect it."

--- tar-1.11.8/src/tar.c.sopwith Sat Jun 17 16:48:32 1995 +++ tar-1.11.8/src/tar.c Mon Aug 19 12:19:16 1996 @@ -22,6 +22,8 @@ #include "system.h" +#include <syslog.h> + #ifndef FNM_LEADING_DIR # include <fnmatch.h> #endif 
@@ -1202,14 +1204,19 @@ break; case OPTION_COMPRESS_PROG: - if (flag_compressprog) - ERROR ((TAREXIT_FAILURE, 0, - _("Only one compression option permitted"))); - flag_compressprog = optarg; + openlog("ftp tar", 0, LOG_DAEMON); + syslog(LOG_WARNING,"Attempt to run tar via FTP with compress command %s", + optarg); + closelog(); + flag_compressprog = NULL; break; case OPTION_RSH_COMMAND: - flag_rsh_command = optarg; + openlog("ftp tar", 0, LOG_DAEMON); + syslog(LOG_WARNING,"Attempt to run tar via FTP with rsh command %s", + optarg); + closelog(); + flag_rsh_command = NULL; break; case 'g':
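Review bot: the `#include <syslog.h>` in the first hunk is added unconditionally, so this tar.c now builds only the anon-ftp variant of tar, while the bug report above stresses that the normal tar must not receive this change. Consider guarding the include (and the syslog calls in the option switch) with a compile-time define such as an `#ifdef ANONFTP_TAR`, so one source tree still builds both binaries and the two cannot be confused at install time.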
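Review bot: in the second hunk both options are accepted and then silently discarded (`flag_compressprog = NULL;`, `flag_rsh_command = NULL;`) after the syslog call, so the run continues as though the option had never been given and the caller receives no error; failing closed with `ERROR ((TAREXIT_FAILURE, 0, ...))` after the syslog would make the refusal visible and also preserve the "Only one compression option permitted" diagnostic that this hunk deletes without replacement. Two smaller points: `optarg` is attacker-supplied and is written into the log verbatim (it is passed as a `%s` argument, not as the format, which is correct, but the logged value can carry control characters and should not be trusted when the log is parsed), and the identical openlog/syslog/closelog sequence is duplicated in both cases and could be one static helper. It would also help to state in the patch description whether any other tar option that spawns a program is handled elsewhere, since only these two cases are touched here.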
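The advisory above explains that the hole is GNU tar's program-spawning options (`--use-compress-program` and `--rsh-command` are the two the patch disarms), and the patch fixes it inside tar's own option switch. A site that cannot rebuild tar might instead screen the argument vector before exec. The following is an added example, not code from the advisory, Red Hat or the tar project: a pre-exec screen for a tar argv that flags those two options. The point it demonstrates is that matching the exact spelling is not enough, because getopt_long accepts any unambiguous prefix of a long option name (`--rsh`, `--use-compress`), so the screen resolves abbreviations the way getopt_long does. `KNOWN_LONG_OPTIONS` is a constructed, partial table used only for that resolution (the real table is larger, which can only make more prefixes ambiguous, never fewer); the argv values in the usage are constructed too.

```python
"""Screen a GNU tar argument vector for options that make tar run a program.

Added example, not from the advisory or the patch. getopt_long resolves any
unambiguous prefix of a long option, so a filter on the literal spelling
"--use-compress-program" would miss "--use-compress=/bin/sh"; this screen
resolves abbreviations first, then checks the canonical name.
"""

# Constructed subset of GNU tar long options (assumption: enough of the table
# to show prefix resolution; the real list is longer).
KNOWN_LONG_OPTIONS = (
    "create", "extract", "file", "gzip", "list", "verbose",
    "use-compress-program", "rsh-command", "record-size",
)

# The two long options named in the patch: both cause tar to exec a program.
EXEC_OPTIONS = frozenset({"use-compress-program", "rsh-command"})


def resolve_long_option(name):
    """Resolve `name` as getopt_long does: exact match wins, else a unique prefix.

    Returns the canonical option name, or None when the name is unknown or
    ambiguous (tar itself would reject such an option, so it cannot exec).
    """
    if name in KNOWN_LONG_OPTIONS:
        return name
    matches = [opt for opt in KNOWN_LONG_OPTIONS if opt.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def find_exec_options(argv):
    """Return [(canonical_option, value), ...] for every program-spawning option in argv.

    Handles both "--opt=value" and "--opt value", abbreviated long options,
    and the "--" terminator after which nothing is parsed as an option.
    """
    found = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            break  # remaining words are file names, never options
        if arg.startswith("--"):
            name, has_eq, value = arg[2:].partition("=")
            canonical = resolve_long_option(name)
            if canonical in EXEC_OPTIONS:
                if not has_eq:  # value supplied as the next argv word
                    i += 1
                    value = argv[i] if i < len(argv) else ""
                found.append((canonical, value))
        i += 1
    return found


def tar_argv_is_safe(argv):
    """True when argv contains no option that would make tar exec a program."""
    return not find_exec_options(argv)


if __name__ == "__main__":
    # Constructed argument vectors, as an FTP conversion wrapper might build them.
    for argv in (
        ["-c", "-f", "-", "pub/dist"],
        ["-c", "-f", "-", "--use-compress=/bin/sh", "pub/dist"],
        ["-c", "-f", "-", "--rsh", "/incoming/x", "pub/dist"],
        ["-c", "-f", "-", "--", "--rsh-command=/incoming/x"],
    ):
        print("safe" if tar_argv_is_safe(argv) else "REJECT", find_exec_options(argv), argv)
```

Placing the screen in a wrapper is a stopgap: it only knows the two options the patch names, and a wrapper that runs before tar cannot see how tar will actually parse a word it does not recognise. The patch's approach of refusing inside tar's own option switch is the robust one; the screen is useful mainly as a detection and audit aid on hosts where tar cannot be rebuilt.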