Published:
07 April 1997
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.041 -- FreeBSD sysinstall bug
8 April 1997
===========================================================================
FreeBSD have issued the following advisory describing a bug in the
sysinstall utility. Under some circumstances, this will allow unauthorised
access of system resources.
This following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for FreeBSD is included in the Security Bulletin
below. If you have any questions or need further information, please
contact them directly.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-97:03 Security Advisory
FreeBSD, Inc.
Topic: sysinstall bug
Category: core
Module: sysinstall
Announced: 1997-04-07
Affects: FreeBSD 2.1, FreeBSD 2.1.5, FreeBSD 2.1.6 and FreeBSD 2.1.7
FreeBSD 2.2 and FreeBSD 2.2.1.
Corrected: all versions as of 1997-04-01. This includes the installation floppies for FreeBSD 2.2.1 found on:
ftp://ftp.FreeBSD.org/pub/FreeBSD/2.2.1-RELEASE/floppies/newer/
Also the CDROM of FreeBSD 2.2.1 has this problem corrected.
Source: FreeBSD
FreeBSD only: yes
Patches:
=============================================================================
I. Background
Sysinstall is used both for fresh installations of FreeBSD as
well as post installation updates, like installing packages
from CDROM or ftp sites.
II. Problem Description
One of the port installation options in sysinstall is to install
an anonymous ftp setup on the system. In such a setup, an extra
user needs to be created on the system, with username 'ftp'.
This user is created with the shell equal to '/bin/date' and an
empty password.
III. Impact
Under some circumstances, this will allow unauthorized access
of system resources.
IV. Solution(s)
Change the entry of the ftp user such that is has an invalid password
and an invalid shell. This can be done by becoming the superuser,
and use the vipw command. Go to the line that starts with ftp::
and change ftp:: to ftp:*:
Also change, on the same line, the shell from /bin/date to /nonexistent.
If you have not yet used sysinstall to create an anonymous ftp setup,
but are planning to, please apply one of the following patches:
Patch for FreeBSD 2.1.5, 2.1.6, 2.2 and 2.2.1:
--- anonFTP.c 1996/04/28 03:26:42 1.14
+++ anonFTP.c 1997/04/07 17:20:16
@@ -195,7 +195,7 @@
return (DITEM_SUCCESS); /* succeeds if already exists */
}
- sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date
", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
+ sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent
", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
fptr = fopen(_PATH_MASTERPASSWD,"a");
if (! fptr) {
Patch for FreeBSD 2.1:
--- anonFTP.c 1995/11/12 07:27:55 1.6
+++ anonFTP.c 1997/04/03 19:29:21
@@ -201,7 +201,7 @@
return (RET_SUCCESS); /* succeeds if already exists */
}
- sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date
", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
+ sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent
", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
fptr = fopen(_PATH_MASTERPASSWD,"a");
if (! fptr) {
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: security-notifications@freebsd.org
Security public discussion: security@freebsd.org
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM0kvaFUuHi5z0oilAQHzVgP/TwmyRgBAF1Hs/jSihpAzFTRfHXdX/8+r
7mO7OHtM8vBTX1SPaYOr+DdSI2PkcSU4Y8O2OsdR3O4asV52LT5d/qWqJVQbN8bM
majL9ufeH3WotZHEJAo6nHf0/Cw+Aml2MytnaBiOHhvtiiY9aAEiYQve5TEwVbhE
92/GUaLo3uY=
=VjRL
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM04koih9+71yA2DNAQGLewQAlAjJA/ZZLtJAhyx6yMwFI/i/M905KRJX
KTXuQp2efoCjEcGVHvwTXzHhkaodDwQP21RCp4QMlwLmJEvkxfVjxZ0L2KWLSKx9
K+aBtKFn41fS1Jlr45IbYUvOuTvdUg0oTvRFHiB8GbP6vkiGug+0IabwCBT3NbVR
rnEmwtHHsQ8=
=A/NU
-----END PGP SIGNATURE-----