Subject: NetBSD Security Advisory 2002-027: ftpd STAT output non-conformance can deceive firewall devices
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/20/2002 02:20:36
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-027
=================================
Topic: ftpd STAT output non-conformance can deceive firewall devices
Version: NetBSD-current: source prior to Oct 26, 2002
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
Severity: Malicious parties can corrupt state tables in
intermediate firewall devices and trick them into making
unexpected TCP connections.
Fixed: NetBSD-current: Oct 26, 2002
NetBSD-1.6 branch: Nov 2, 2002
NetBSD-1.5 branch: Oct 26, 2002
Abstract
========
NetBSD's ftpd responds to the STAT command in a way that is not
standards conformant, when a filename that contains "\n[0-9]" is
specified. This could be used by a malicious party to corrupt state
tables in firewall devices between an FTP client and a NetBSD FTP
server.
Technical Details
=================
According to RFC959 (page 36), if a non-response digit appears in an
FTP control stream, it must be escaped by inserting a space before it.
NetBSD's ftpd did not obey this requirement.
See also: http://www.kb.cert.org/vuls/id/328867
Solutions and Workarounds
=========================
Upgrading libexec/ftpd is required to eliminate this problem.
The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and
installing a new version of ftpd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-10-26
should be upgraded to NetBSD-current dated 2002-10-26 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -d -P libexec/ftpd
# cd libexec/ftpd
# make cleandir dependall
# make install
* NetBSD 1.6:
Systems running NetBSD 1.6 sources dated from before 2002-11-02 should
be upgraded from NetBSD 1.6.* sources dated 2002-11-02 or later.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -d -P -r netbsd-1-6 libexec/ftpd
# cd libexec/ftpd
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2002-10-26 should be upgraded from NetBSD 1.5.*
sources dated 2002-10-26 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -d -P -r netbsd-1-5 libexec/ftpd
# cd libexec/ftpd
# make cleandir dependall
# make install
Thanks To
=========
Internet Initiative Japan Inc.
Revision History
==============
2002-11-20 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-027.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-027.txt,v 1.6 2002/11/19 16:43:05 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPdpxej5Ru2/4N2IFAQF2nQP9FueZtoqqmDq4BGBVXrkB22cPMYCYQnbd
NlOe0jQnos8rTv+UqW4PDix7AX5qrbPQCXonNqbbKe2ZRzMZx69zHm/yfImMF72D
QPrlq3rlN7bQSyrlrt9e3D4IHPY9NqU1HFxnqYKE64JO+vM88YfNAqCivqP3Gokb
c7xwGPxmBo4=
=OlD7
-----END PGP SIGNATURE-----