Bugtraq mailing list archives
NetBSD Security Advisory 2000-009
From: security-officer () NETBSD ORG (security-officer () NETBSD ORG)
Date: Mon, 10 Jul 2000 12:16:35 -0400
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2000-009
=================================
Topic: ftpd setproctitle vulnerability.
Version: All releases before 2000/07/08
Severity: High: Potential remote root access.
Abstract
========
An improper use of the setproctitle() library function by ftpd may
allow a malicious remote ftp client to subvert an FTP server,
including possibly getting remote access to a system.
Technical Details
=================
The BSD setproctitle() function, like printf(), accepts a format
string and a variable number of arguments; the format string is
interpreted to determine how to display the other arguments to the
function.
If the format string can contain arbitrary user-supplied data, it may
be possible to trick the program into reading or writing arbitrary
memory locations, resulting in a security compromise.
A more extensive audit of the NetBSD sources for problems of this form
is under way.
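The misuse described above, shown as an added example that is not taken from the advisory or from the NetBSD ftpd sources. fake_setproctitle() is a hypothetical stand-in with the same printf-style signature as setproctitle(), and has_conversion() is a hypothetical audit helper; the host name and input string are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setproctitle(3): same printf-style signature,
 * but formats into a local buffer so it runs without the BSD call. */
static char title[128];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title, sizeof(title), fmt, ap);
    va_end(ap);
}

/* UNSAFE pattern (never called here): client-controlled text is used as
 * the format string, so conversion specifiers inside it are interpreted. */
void set_title_unsafe(const char *client_text)
{
    fake_setproctitle(client_text);
}

/* SAFE pattern: constant format string, client text is only an argument. */
const char *set_title_safe(const char *host, const char *client_text)
{
    fake_setproctitle("%s: %s", host, client_text);
    return title;
}

/* Audit helper: nonzero if s would act as more than literal text when used
 * as a format string, i.e. it has a '%' that is not part of "%%". */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *input = "user%s%n"; /* constructed sample client input */
    printf("has_conversion: %d\n", has_conversion(input));
    printf("title: %s\n", set_title_safe("client.example", input));
    return 0;
}
```

With the constant "%s" format the specifiers in the client text appear literally in the title instead of being interpreted.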
Solutions and Workarounds
=========================
This problem affects all versions of NetBSD. Patches are available
for the NetBSD-1.4 series of releases.
If you're running NetBSD 1.4, 1.4.1, or 1.4.2, fetch the following
patch, apply it to src/libexec/ftpd/ftpd.c using the patch(1) command,
rebuild and reinstall ftpd, and kill off any existing FTP daemons (to
ensure that any improperly granted access is revoked).
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-ftpd
If you're running a version of NetBSD-current or the NetBSD 1.5 branch
from before 2000/07/05, you should update to a newer version of
NetBSD-current. Similarly, if you're running a version of
NetBSD-release (NetBSD 1.4 branch) from before 2000/07/08, you should
update to a newer version of NetBSD-release.
Thanks To
=========
Jun-ichiro Hagino <itojun () netbsd org>
Revision History
================
20000708 Initial version.
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2000, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2000-009.txt,v 1.1 2000/07/08 21:03:11 sommerfeld Exp $
