Subject: NetBSD Security Advisory 2000-009
To: None <netbsd-announce@netbsd.org>
From: None <security-officer@netbsd.org>
List: tech-security
Date: 07/10/2000 12:16:35
Cc: tech-security@netbsd.org, current-users@netbsd.org,
	bugtraq@securityfocus.com, cert@cert.org, auscert@auscert.org.au
Organisation: The NetBSD Foundation, Inc.
Reply-To: security-officer@netbsd.org
Date: Mon, 10 Jul 2000 12:16:35 -0400
Message-Id: <20000710161641.182C32A43@orchard.arlington.ma.us>

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2000-009
                 =================================

Topic:		ftpd setproctitle vulnerability.
Version:	All releases before 2000/07/08
Severity:	High: Potential remote root access.


Abstract
========

An improper use of the setproctitle() library function by ftpd may
allow a malicious remote ftp client to subvert an FTP server,
including possibly getting remote access to a system.


Technical Details
=================

The BSD setproctitle() function, like printf(), accepts a format
string and a variable number of arguments; the format string is
interpreted to determine how to display the other arguments to the
function.  

If the format string can contain arbitrary user-supplied data, it may
be possible to trick the program into reading or writing arbitrary
memory locations, resulting in a security compromise.
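
The difference between the unsafe and safe calling patterns, as an
added example (not code from ftpd or from the NetBSD patch).  set_title()
is a hypothetical stand-in for setproctitle() that formats into a buffer,
and the sample strings are constructed; the unsafe path is only exercised
with "%%", which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setproctitle(): same printf-style
 * signature, but it writes into a buffer so it runs anywhere. */
static char title[128];

static void set_title(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(title, sizeof(title), fmt, ap);
    va_end(ap);
}

/* Unsafe pattern: client-controlled text is passed as the format
 * string, so every '%' sequence in it is interpreted as a directive. */
static const char *title_unsafe(const char *client_text)
{
    set_title(client_text);
    return title;
}

/* Safe pattern: the format is a constant and the client text is
 * only ever an argument, so it is copied verbatim. */
static const char *title_safe(const char *client_text)
{
    set_title("%s", client_text);
    return title;
}

int main(void)
{
    const char *sample = "ftpd: guest%%";   /* constructed input */

    printf("unsafe: [%s]\n", title_unsafe(sample));
    printf("safe:   [%s]\n", title_safe(sample));
    return 0;
}
```

Declaring such a wrapper with the GCC/Clang attribute
__attribute__((format(printf, 1, 2))) and building with -Wformat-security
makes the compiler flag calls of the unsafe form.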

A more extensive audit of the NetBSD sources for problems of this form
is under way.


Solutions and Workarounds
=========================

This problem affects all versions of NetBSD.  Patches are available
for the NetBSD-1.4 series of releases.

If you're running NetBSD 1.4, 1.4.1, or 1.4.2, fetch the following
patch, apply it to src/libexec/ftpd/ftpd.c using the patch(1) command,
rebuild and reinstall ftpd, and kill off any existing FTP daemons (to
ensure that any improperly granted access is revoked).

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-ftpd

If you're running a version of NetBSD-current or the NetBSD 1.5 branch
from before 2000/07/05, you should update to a newer version of
NetBSD-current.  Similarly, if you're running a version of
NetBSD-release (NetBSD 1.4 branch) from before 2000/07/08, you should
update to a newer version of NetBSD-release.

Thanks To
=========

Jun-ichiro Hagino <itojun@netbsd.org>


Revision History
================

	20000708	Initial version.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2000-009.txt,v 1.1 2000/07/08 21:03:11 sommerfeld Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOWnDfD5Ru2/4N2IFAQE7ZAP8CH2tz0srgbkJ05PEtc83EUG5FvMetSBC
OG45edFGtMRfpRkJWL30DoqCmvIzxRWa0sVgFfc/78gS1eW6R0SdunSDM3sQ39Vp
thpsj/+hqUnuwFpm+fdiIFsLQjsgaqZpceaWSogJxGLj6SCepNouED2XeI46PABR
pGowBD6r0gk=
=OXnj
-----END PGP SIGNATURE-----