J-Security Center

Title: TNFTPD Multiple Signal Handler Remote Superuser Compromise Vulnerabilities

Severity: CRITICAL

Description:

TNFTPD is a port of the NetBSD FTP daemon to multiple other operating systems. It was originally called Lukemftpd. It is included in NetBSD, FreeBSD, Mac OS X, and other Unix-like systems.

It is reported that TNFTPD is susceptible to multiple remote superuser compromise vulnerabilities. These vulnerabilities are all derived from improper signal handler operations. Signals can be delivered to the vulnerable FTPD by a remote attacker via out-of-band TCP data (OOB).

These vulnerabilities all stem from a signal-handling flaw involving the 'transflag' flag. The 'transflag' flag determines whether OOB data (SIGURG) is allowed to interrupt FTP commands, and it is only supposed to be set while a file transfer is taking place. If an attacker interrupts a transfer and then issues a command other than ABOR, the 'transflag' flag remains set. This allows signals from OOB data to interrupt any subsequent command, not just transfers.

The first vulnerability presents itself when FTPD attempts to switch user ids during a login operation. First, an FTP session is established, and an attacker issues USER/PASS commands to authenticate to the server. The server calls seteuid(user), and its effective user id is set to the authenticated user. If the attacker then issues another USER command while already logged in, the FTP server process clears the session context and calls seteuid(0), returning superuser privileges to the FTP process. The attacker then sends a valid PASS command. If the attacker can interrupt FTPD between setting 'logged_in' to 1 and calling seteuid(user), seteuid is never called and the attacker is considered logged in while the process still holds superuser privileges. The attacker can then read or write arbitrary files on the hosting computer as superuser. Because very little processing takes place between setting 'logged_in' to 1 and the call to seteuid(user), this vulnerability is likely very difficult to exploit over a network connection.

The second vulnerability arises from re-entering libc functions that are not reentrant. If FTPD is interrupted during a heap-management call such as malloc(), free(), or others, further calls to these functions behave unpredictably. This issue is reportedly exploitable by both regular and anonymously authenticated users.

The third vulnerability reportedly exists only on BSD-derived systems, and could also be exploited by remote anonymous users to compromise the FTP server computer. By calling ABOR multiple times, the attacker causes longjmp() to be called with a jmp_buf whose original setjmp() call has already returned. This is not allowed on BSD systems, and may result in a remote superuser compromise as well.
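As an added illustration of the mitigations for the three weaknesses above (a constructed model, not tnftpd's own code or the vendor fix), the following C program keeps the SIGURG handler async-signal-safe, clears 'transflag' on every exit from the transfer loop regardless of which command follows, replaces setjmp/longjmp with a flag polled at safe points, and blocks SIGURG across the logged_in/seteuid transition. The names 'model_euid' (a stand-in for the real effective uid) and 'inject_sigurg' (a test hook) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
/* Constructed model of the hardened control flow, not tnftpd's code: the handler only
 * records SIGURG, the command loop consumes it at safe points, and nothing longjmps. */
static volatile sig_atomic_t transflag = 0;    /* 1 only while a data transfer is active */
static volatile sig_atomic_t urg_pending = 0;  /* set by the handler, consumed by the loop */
static int logged_in = 0, model_euid = 0;      /* model_euid stands in for the real euid */

/* Async-signal-safe: sets a flag and nothing else (no malloc, no longjmp). */
static void sigurg_handler(int sig) { (void)sig; urg_pending = 1; }
int install_sigurg_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigurg_handler;
    return sigaction(SIGURG, &sa, NULL);
}
void begin_transfer(void) { urg_pending = 0; transflag = 1; }
void end_transfer(void)   { transflag = 0; urg_pending = 0; }  /* on every exit from the transfer loop */

/* Polled at a safe point inside the transfer loop; OOB data may abort a transfer only here. */
int transfer_should_abort(void) {
    if (transflag && urg_pending) { end_transfer(); return 1; }
    return 0;
}
/* Returns 2 for ABOR, 1 for any other command. OOB data that arrived outside a transfer
 * is discarded, and every command after an interrupted transfer leaves transflag clear. */
int dispatch_command(const char *cmd) {
    if (!transflag) urg_pending = 0;
    end_transfer();
    return strcmp(cmd, "ABOR") == 0 ? 2 : 1;
}
/* The privilege transition runs with SIGURG blocked, so setting logged_in and dropping to the
 * user's uid cannot be separated by a signal. 'inject_sigurg' is a test hook that raises SIGURG
 * inside the critical section; returns 1 if the section ran uninterrupted, -2 otherwise. */
int complete_login(int uid, int inject_sigurg) {
    sigset_t block, saved;
    sigemptyset(&block); sigaddset(&block, SIGURG);
    if (sigprocmask(SIG_BLOCK, &block, &saved) != 0) return -1;
    logged_in = 1;
    if (inject_sigurg) raise(SIGURG);    /* held pending: the handler cannot run here */
    int interrupted = urg_pending;
    model_euid = uid;                    /* the real daemon calls seteuid(uid) here */
    sigprocmask(SIG_SETMASK, &saved, NULL);   /* a deferred SIGURG is delivered now */
    return interrupted ? -2 : logged_in;
}
int current_euid(void)    { return model_euid; }
int urg_is_pending(void)  { return urg_pending; }
int transfer_active(void) { return transflag; }
```

A SIGURG raised inside complete_login() is only delivered after the uid has been dropped, and because no transfer is active the next command discards it instead of being interrupted.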

These vulnerabilities may allow an anonymous remote attacker to gain superuser privileges on the computer hosting the affected software. Because OOB data can be sent at any time during a connection, it is conjectured that attackers may be able to exploit one or more of these vulnerabilities prior to authentication.

TNFTPD versions prior to 10 Aug 2004 are reported vulnerable. All versions of Lukemftpd are reported vulnerable. NetBSD version 1.6.2 and prior, NetBSD-2.0 prior to 15 Aug 2004, as well as NetBSD-current prior to 10 Aug 2004 are reported vulnerable as well.

Affected Products:

  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Gentoo Linux 1.4.0
  • Heimdal Heimdal 0.3.0 f
  • Heimdal Heimdal 0.4.0 a
  • Heimdal Heimdal 0.4.0 b
  • Heimdal Heimdal 0.4.0 c
  • Heimdal Heimdal 0.4.0 d
  • Heimdal Heimdal 0.4.0 e
  • Heimdal Heimdal 0.5.0 .0
  • Heimdal Heimdal 0.5.1
  • Heimdal Heimdal 0.5.2
  • Heimdal Heimdal 0.5.3
  • Heimdal Heimdal 0.6.0
  • Heimdal Heimdal 0.6.1
  • Heimdal Heimdal 0.6.2
  • Luke Mewburn TNFTPD 20031217
  • Luke Mewburn lukemftp 1.1.0
  • Luke Mewburn lukemftp 1.5.0
  • NetBSD NetBSD 1.3.0
  • NetBSD NetBSD 1.3.1
  • NetBSD NetBSD 1.3.2
  • NetBSD NetBSD 1.3.3
  • NetBSD NetBSD 1.4.0
  • NetBSD NetBSD 1.4.0 Alpha
  • NetBSD NetBSD 1.4.0 SPARC
  • NetBSD NetBSD 1.4.0 arm32
  • NetBSD NetBSD 1.4.0 x86
  • NetBSD NetBSD 1.4.1
  • NetBSD NetBSD 1.4.1 Alpha
  • NetBSD NetBSD 1.4.1 SPARC
  • NetBSD NetBSD 1.4.1 arm32
  • NetBSD NetBSD 1.4.1 sh3
  • NetBSD NetBSD 1.4.1 x86
  • NetBSD NetBSD 1.4.2
  • NetBSD NetBSD 1.4.2 Alpha
  • NetBSD NetBSD 1.4.2 SPARC
  • NetBSD NetBSD 1.4.2 arm32
  • NetBSD NetBSD 1.4.2 x86
  • NetBSD NetBSD 1.4.3
  • NetBSD NetBSD 1.5.0
  • NetBSD NetBSD 1.5.0 sh3
  • NetBSD NetBSD 1.5.0 x86
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6.0
  • NetBSD NetBSD 1.6.0 Beta
  • NetBSD NetBSD 1.6.1
  • NetBSD NetBSD 1.6.2
  • NetBSD NetBSD 2.0.0
  • NetBSD NetBSD Current
  • S.u.S.E. Firewall Adminhost VPN
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux Admin-CD for Firewall
  • S.u.S.E. Linux Connectivity Server
  • S.u.S.E. Linux Database Server
  • S.u.S.E. Linux Enterprise Server 7
  • S.u.S.E. Linux Enterprise Server for S/390
  • S.u.S.E. Linux Live-CD for Firewall
  • S.u.S.E. SuSE eMail Server III
  • Sun Java Desktop System (JDS) 2.0.0
  • Sun Java Desktop System (JDS) 2003

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.