Note: This is an archival copy of Security Sun Alert 200538 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000410.1.
Solaris 9 Operating System
Date of Workaround Release
Date of Resolved Release
The Solaris 9 FTP Server, in.ftpd(1M), is based on WU-ftpd (Washington University ftpd) and is affected by a security vulnerability which may allow a local or remote unprivileged user to gain unauthorized root access.
This issue is described in iSEC Advisory isec-0011-wu-ftpd (please see http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt).
This issue can occur in the following releases:
Note: Solaris 2.6, 7, and 8 are not affected by this issue.
There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.
There are three workarounds that are advised until patches are available:
1. Disable the in.ftpd(1M) daemon on all Solaris 9 systems with the following steps:

   In /etc/inet/inetd.conf, comment out the ftp entry so that it reads:

   #ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd

   Then signal inetd(1M) to re-read its configuration:

   # pkill -HUP inetd

   This will disable in.ftpd(1M) until the entry is uncommented and inetd(1M) is signalled again.
2. If in.ftpd(1M) cannot be disabled, use TCP wrappers to restrict access to it to trusted hosts only. Solaris 9 ships with TCP wrappers; see the inetd(1M), hosts_access(4), and hosts_options(4) man pages for further information.
3. Block access to the control channel (by default, port 21/tcp) used by the in.ftpd(1M) daemon at all appropriate network perimeters.
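The following script is an added example (not part of the Sun Alert) that implements workarounds 1 and 2 as reusable shell functions: one comments the ftp entry out of an inetd.conf-style file, one counts the active ftp entries so the change can be verified, and one writes hosts.allow / hosts.deny so that in.ftpd answers only listed clients. The client patterns 192.168.1. and .corp.example.com are constructed placeholders, and the demo runs against a constructed inetd.conf excerpt in a scratch directory rather than against /etc/inet/inetd.conf, so it can be tried safely on any POSIX system.

```shell
#!/bin/sh
# Added example for Sun Alert 200538 workarounds 1 and 2; not Sun's code.
# The functions take file paths as arguments so they can be exercised on
# scratch copies; the real Solaris 9 locations are /etc/inet/inetd.conf,
# /etc/hosts.allow and /etc/hosts.deny.

# Comment out every active line whose first field is exactly "ftp" in an
# inetd.conf-style file. Lines that are already comments and other services
# (telnet, tftp, ...) are left untouched. The file is rewritten in place
# through "cat >" so its ownership and mode are preserved.
disable_inetd_ftp() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    awk '$1 == "ftp" { print "#" $0; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the number of active (uncommented) ftp entries; 0 means disabled.
active_ftp_entries() {
    awk '$1 == "ftp" { n++ } END { print n + 0 }' "$1"
}

# Write hosts.allow and hosts.deny in $1 so that in.ftpd is reachable only
# from the hosts_access(4) client patterns given as the remaining arguments.
# Everything not matched by hosts.allow falls through to the deny-all rule.
restrict_ftpd_with_wrappers() {
    dir="$1"; shift
    printf 'in.ftpd: %s\n' "$*" > "$dir/hosts.allow"
    printf 'in.ftpd: ALL\n' > "$dir/hosts.deny"
}

# Demonstration on a constructed inetd.conf excerpt (not a real system file).
demo() {
    d=$(mktemp -d /tmp/ftpd-wa.XXXXXX) || return 1
    cat > "$d/inetd.conf" <<'EOF'
# constructed excerpt in /etc/inet/inetd.conf format
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
EOF
    before=$(active_ftp_entries "$d/inetd.conf")
    disable_inetd_ftp "$d/inetd.conf"
    after=$(active_ftp_entries "$d/inetd.conf")
    restrict_ftpd_with_wrappers "$d" 192.168.1. .corp.example.com
    echo "active ftp entries: before=$before after=$after"
    cat "$d/inetd.conf" "$d/hosts.allow" "$d/hosts.deny"
    rm -rf "$d"
}

demo
```

On a real Solaris 9 host the equivalent of workaround 1 is `disable_inetd_ftp /etc/inet/inetd.conf` followed by `pkill -HUP inetd`; for workaround 2, write the wrapper files into /etc, make sure TCP wrappers are enabled for inetd(1M) (its man page documents ENABLE_TCPWRAPPERS in /etc/default/inetd), and send inetd the same HUP. Verify with `active_ftp_entries /etc/inet/inetd.conf` (expect 0 after disabling) and by attempting a connection to port 21 from an untrusted address.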
This document refers to one or more preliminary temporary patches (T-Patches) which are designed to address the concerns identified herein. Sun has limited experience with these patches due to their preliminary nature. As such, you should only install the patches on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch.
This issue is addressed in the following releases: