Subject: NetBSD Security Advisory 2002-027: ftpd STAT output non-conformance can deceive firewall devices
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 11/20/2002 02:20:48
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-027
		 =================================

Topic:		ftpd STAT output non-conformance can deceive firewall devices

Version:	NetBSD-current:	source prior to Oct 26, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:       Malicious parties can corrupt state tables in
		intermediate firewall devices and trick them into making
		unexpected TCP connections.

Fixed:		NetBSD-current:		Oct 26, 2002
		NetBSD-1.6 branch:	Nov 2, 2002
		NetBSD-1.5 branch:	Oct 26, 2002


Abstract
========

NetBSD's ftpd responds to the STAT command in a way that is not
standards conformant, when a filename that contains "\n[0-9]" is
specified.  This could be used by a malicious party to corrupt state
tables in firewall devices between an FTP client and a NetBSD FTP
server.


Technical Details
=================

According to RFC959 (page 36), if a non-response digit appears in an
FTP control stream, it must be escaped by inserting a space before it.
NetBSD's ftpd did not obey this requirement.

See also: http://www.kb.cert.org/vuls/id/328867


Solutions and Workarounds
=========================

Upgrading libexec/ftpd is required to eliminate this problem.

The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and
installing a new version of ftpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-10-26
	should be upgraded to NetBSD-current dated 2002-10-26 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:
		# cd src
		# cvs update -d -P libexec/ftpd
		# cd libexec/ftpd

		# make cleandir dependall
		# make install


* NetBSD 1.6:

	Systems running NetBSD 1.6 sources dated from before 2002-11-02 should
	be upgraded from NetBSD 1.6.* sources dated 2002-11-02 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -d -P -r netbsd-1-6 libexec/ftpd
		# cd libexec/ftpd

		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2002-10-26 should be upgraded from NetBSD 1.5.*
	sources dated 2002-10-26 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -d -P -r netbsd-1-5 libexec/ftpd
		# cd libexec/ftpd

		# make cleandir dependall
		# make install


Thanks To
=========

Internet Initiative Japan Inc.


Revision History
==============

	2002-11-20	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-027.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-027.txt,v 1.6 2002/11/19 16:43:05 david Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPdpxej5Ru2/4N2IFAQF2nQP9FueZtoqqmDq4BGBVXrkB22cPMYCYQnbd
NlOe0jQnos8rTv+UqW4PDix7AX5qrbPQCXonNqbbKe2ZRzMZx69zHm/yfImMF72D
QPrlq3rlN7bQSyrlrt9e3D4IHPY9NqU1HFxnqYKE64JO+vM88YfNAqCivqP3Gokb
c7xwGPxmBo4=
=OlD7
-----END PGP SIGNATURE-----