Note: This is an archival copy of Security Sun Alert 200538 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000410.1.
Article ID : 1000410.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-09-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Solaris 9 in.ftpd(1M) Server May Allow Unauthorized "root" Access



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4706072, 4705192

Date of Workaround Release
04-AUG-2003

Date of Resolved Release
08-SEP-2003

Impact

The Solaris 9 FTP Server, in.ftpd(1M), is based on WU-ftpd (Washington University ftpd) and is affected by a security vulnerability which may allow a local or remote unprivileged user to gain unauthorized root access.

This issue is described in iSEC Advisory isec-0011-wu-ftpd (please see http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 114564-02

x86 Platform

  • Solaris 9 without patch 114565-02

Note: Solaris 2.6, 7, and 8 are not affected by this issue.


Symptoms

There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.


Workaround

There are three workarounds that are advised until patches are available:

1. Disable the in.ftpd(1M) daemon on all Solaris 9 systems with the following steps:

  • Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol as follows:
      #ftp stream      tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
  • Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
      # pkill -HUP inetd

This will disable in.ftpd(1M).

or,

2. If you can't disable in.ftpd(1M), use TCP wrappers to restrict access to it to trusted hosts only. Solaris 9 ships with TCP wrappers; see the inetd(1M), hosts_access(4), and hosts_options(4) man pages for further information.

or,

3. Block access to the control channel (by default, port 21/tcp) used by the in.ftpd(1M) daemon at all appropriate network perimeters.
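An added offline check, not part of Sun's advisory, that applies the Contributing Factors and workaround step 1 above: it reports whether the fixing patch (114564-02 on SPARC, 114565-02 on x86) is installed and, if not, whether the ftp service line in inetd.conf is still active. The inetd.conf fragments and the showrev -p style output are constructed samples, and the function names assess, patch_installed and ftpd_enabled are my own.

```shell
#!/bin/sh
# Offline check for the in.ftpd(1M) issue: is the fixing patch installed,
# and if not, is the ftp service still enabled in inetd.conf?
# The inputs below are constructed; on a real Solaris 9 host substitute
# "$(uname -p)", "$(cat /etc/inetd.conf)" and "$(showrev -p)".

# Constructed /etc/inetd.conf fragments: ftp enabled, and ftp commented
# out as in workaround step 1.
INETD_ENABLED='ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd'
INETD_DISABLED='#ftp    stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd'

# Constructed showrev -p style output: first with only the -01 revision
# (not sufficient), then with the required -02 revision added.
SHOWREV_OLD='Patch: 112233-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 114564-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWftpr'
SHOWREV_FIXED="$SHOWREV_OLD
Patch: 114564-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWftpr"

# ftpd_enabled INETD_TEXT: succeeds if an uncommented ftp service line exists.
ftpd_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ftp[[:space:]]'
}

# patch_installed SHOWREV_TEXT PATCHID: succeeds if the patch base id is
# present at the required revision or later (114564-03 satisfies 114564-02).
patch_installed() {
    printf '%s\n' "$1" | awk -v base="${2%-*}" -v need="${2#*-}" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == base && p[2] + 0 >= need + 0) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# assess ARCH INETD_TEXT SHOWREV_TEXT: prints patched, ftpd-disabled or
# VULNERABLE; exit status is 1 only in the VULNERABLE case.
assess() {
    case "$1" in
        sparc) fix=114564-02 ;;
        i386)  fix=114565-02 ;;
        *)     echo "unknown-arch"; return 2 ;;
    esac
    if patch_installed "$3" "$fix"; then echo patched; return 0; fi
    if ! ftpd_enabled "$2"; then echo ftpd-disabled; return 0; fi
    echo VULNERABLE
    return 1
}

# Sample run against the constructed data: unpatched host with ftp enabled.
assess sparc "$INETD_ENABLED" "$SHOWREV_OLD" || echo "apply the patch or disable in.ftpd(1M)"
```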

This document refers to one or more preliminary temporary patches (T-Patches) which are designed to address the concerns identified herein. Sun has limited experience with these patches due to their preliminary nature. As such, you should only install the patches on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.


Resolution

This issue is addressed in the following releases:

SPARC

  • Solaris 9 with patch 114564-02 or later

x86

  • Solaris 9 with patch 114565-02 or later


Modification History
Date: 15-AUG-2003
  • Updated Relief/Workaround section with Temporary Patch numbers

Date: 08-SEP-2003
  • State: Resolved
  • Updated Contributing Factors, Relief/Workaround and Resolution sections


References

114564-02
114565-02
