From:	SMTP%"PROBLEMS@TDR.COM"  9-APR-1994 10:43:47.77
To:	EVERHART
CC:	
Subj:	0020 - Unauthorized Root Access from FTP daemon

Date: Thu, 07 Apr 1994 23:20:35 -0500 (EST) 
Message-Id: <94-0020.PROBLEMS@TDR.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
From: Problem Reporting Service <PROBLEMS@TDR.COM>
Subject: 0020 - Unauthorized Root Access from FTP daemon
Errors-To: MAIL-ERRORS@TDR.COM
To: Recipients of list Problems <PROBLEMS@TDR.COM>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
System:       Any system providing FTP service

Summary:      Bugs in the FTP daemon (FTPD) can give someone root
              priveleges.

Reported-By:  Various sources including bugtraq and CIAC

Interest-To:  Persons running ANY FTPD daemon

Capsule:      CIAC reported that the sources to the FTPD daemon from
              wuarchive contain a trapdoor in versions 2.1f and 2.2.
              While the error is reported in the FTPD sources from
              wuarchive.wustl.edu ("Wuarchive") versions 2.1f and 2.2
              they can equally apply to ANY FTPD daemon.

Explanation of what is happening:  The CIAC reports don't say why (as
                                   usual) but apparently what happened
                                   is that the FTPD daemon would allow
                                   a null password as valid.  So all 
                                   someone has to do is use the username
                                   of 'root' with a null password, and
                                   guess what account the user will have
                                   read and write access to.  Can you 
                                   say 'all files on the system' boys
                                   and girls?  I knew you could!

Repair or Correction:  Check the source you have, the password checking
                       should compare it against the constant 'NULL' 
                       (that's NULL in all caps.)  If you have the 
                       wuarchive FTPD, be sure it's version 2.3.

                       Also, I would suggest, if you have the source to
                       an FTPD, to modify it to check for 'root' as the 
                       username, and unless you think it's necessary for 
                       root to log on to FTP at your site, to cause use 
                       of 'root' as the account to create a simulated 
                       login, perhaps logging the offender's connection, 
                       pretending to accept a password, then severing 
                       the connection,  e.g. any use of 'root' will cause 
                       the connection to fail.

------
Feel free to circulate this or other PROBLEMS messages.
To Reply to this message, write to <PROBLEMS@TDR.COM>; to subscribe use
newsgroup <tdr.problems> or write <PROBLEMS-REQUEST@TDR.COM>.